# HG changeset patch
# User Alain Mazy
# Date 1716386790 -7200
# Node ID 4535194cbb8a827d9abcba365fec01ee0316e0bc
# Parent 7043e646fc0db7fafd164207425586da9e13560c
document TLS 1.3 in SslMinimumProtocolVersion
diff -r 7043e646fc0d -r 4535194cbb8a OrthancServer/Resources/Configuration.json
--- a/OrthancServer/Resources/Configuration.json Wed May 22 15:43:06 2024 +0200
+++ b/OrthancServer/Resources/Configuration.json Wed May 22 16:06:30 2024 +0200
@@ -225,23 +225,24 @@
 // if "SslEnabled" is true.
 "SslCertificate" : "certificate.pem",
- // Sets the minimum accepted SSL protocol version
+ // Sets the minimum accepted SSL protocol version for the HTTP server
 // (cf. "ssl_protocol_version" option of civetweb). By default,
- // require SSL 1.2. This option is only meaningful if "SslEnabled"
+ // require TLS 1.2 or 1.3. This option is only meaningful if "SslEnabled"
 // is true. (new in Orthanc 1.8.2)
 //
 // Value => Protocols
- // 0 SSL2+SSL3+TLS1.0+TLS1.1+TLS1.2
- // 1 SSL3+TLS1.0+TLS1.1+TLS1.2
- // 2 TLS1.0+TLS1.1+TLS1.2
- // 3 TLS1.1+TLS1.2
- // 4 TLS1.2
+ // 0 SSL2+SSL3+TLS1.0+TLS1.1+TLS1.2+TLS1.3
+ // 1 SSL3+TLS1.0+TLS1.1+TLS1.2+TLS1.3
+ // 2 TLS1.0+TLS1.1+TLS1.2+TLS1.3
+ // 3 TLS1.1+TLS1.2+TLS1.3
+ // 4 TLS1.2+TLS1.3
+ // 5 TLS1.3
 "SslMinimumProtocolVersion" : 4,
- // Set the accepted ciphers for SSL connections. The ciphers must be
- // provided as a list of strings. If not set, this will default to
- // FIPS 140-2 ciphers. This option is only meaningful if
- // "SslEnabled" is true. (new in Orthanc 1.8.2)
+ // Set the accepted ciphers for SSL connections for the HTTP server.
+ // The ciphers must be provided as a list of strings. If not set,
+ // this will default to FIPS 140-2 ciphers. This option is only
+ // meaningful if "SslEnabled" is true. (new in Orthanc 1.8.2)
 /**
 "SslCiphersAccepted" : [ "AES128-GCM-SHA256" ],
 **/
diff -r 7043e646fc0d -r 4535194cbb8a OrthancServer/Sources/main.cpp
--- a/OrthancServer/Sources/main.cpp Wed May 22 15:43:06 2024 +0200
+++ b/OrthancServer/Sources/main.cpp Wed May 22 16:06:30 2024 +0200
@@ -1106,10 +1106,10 @@
 httpServer.SetSslEnabled(true);
 httpServer.SetSslCertificate(certificate.c_str());
- // Default to TLS 1.2 as SSL minimum
+ // Default to TLS 1.2+1.3 as SSL minimum
 // See https://github.com/civetweb/civetweb/blob/master/docs/UserManual.md "ssl_protocol_version" for mapping
- static const unsigned int TLS_1_2 = 4;
- unsigned int minimumVersion = lock.GetConfiguration().GetUnsignedIntegerParameter("SslMinimumProtocolVersion", TLS_1_2);
+ static const unsigned int TLS_1_2_AND_1_3 = 4;
+ unsigned int minimumVersion = lock.GetConfiguration().GetUnsignedIntegerParameter("SslMinimumProtocolVersion", TLS_1_2_AND_1_3);
 httpServer.SetSslMinimumVersion(minimumVersion);
 static const char* SSL_CIPHERS_ACCEPTED = "SslCiphersAccepted";
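Review bot: `minimumVersion` goes from the configuration straight into `httpServer.SetSslMinimumVersion(minimumVersion)` with no bounds check visible in this hunk, so a value above 5 (the highest entry now documented in Configuration.json) is only caught if `SetSslMinimumVersion` or civetweb rejects it. Values 0–3 also lower the floor to SSL2/SSL3/TLS 1.0/1.1 without any trace in the logs; a startup warning when `minimumVersion < TLS_1_2_AND_1_3` would make a downgraded deployment visible to operators. A guard such as `if (minimumVersion > 5) throw OrthancException(ErrorCode_ParameterOutOfRange);` before the setter would fail closed on bad input. The enclosing block begins and ends outside the hunk, so validation may already exist elsewhere.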