From 6e8b24270c39a4f1118a75bd35442276ffcf2d7c Mon Sep 17 00:00:00 2001
From: Sebastian Gumprich
Date: Thu, 26 Aug 2021 10:19:05 +0200
Subject: [PATCH] add support for tls1.3 protocol
Signed-off-by: Sebastian Gumprich
---
 controls/nginx_spec.rb | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/controls/nginx_spec.rb b/controls/nginx_spec.rb
index 12f129f..e396874 100644
--- a/controls/nginx_spec.rb
+++ b/controls/nginx_spec.rb
@@ -231,7 +231,7 @@
 desc 'When choosing a cipher during an SSLv3 or TLSv1 handshake, normally the client\'s preference is used. If this directive is enabled, the server\'s preference will be used instead.'
 ref 'SSL Hardening config', url: 'https://mozilla.github.io/server-side-tls/ssl-config-generator/'
 describe parse_config(nginx_parsed_config, options) do
- its('ssl_protocols') { should eq 'TLSv1.2' }
+ its('ssl_protocols') { should be_in ['TLSv1.3', 'TLSv1.2', 'TLSv1.2 TLSv1.3', 'TLSv1.3 TLSv1.2'] }
 its('ssl_session_tickets') { should eq 'off' }
 its('ssl_ciphers') { should eq '\'ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256\'' }
 its('ssl_prefer_server_ciphers') { should eq 'on' }
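Review bot: The new `ssl_protocols` expectation compares the directive value against four exact strings, so a compliant config that separates `TLSv1.2` and `TLSv1.3` with a tab or two spaces would fail the control (assuming `parse_config` returns the value as written). An anchored pattern stays fail-closed for any other protocol token while tolerating spacing: `its('ssl_protocols') { should match(/\A(?:TLSv1\.[23])(?:\s+TLSv1\.[23])*\z/) }`. Separately, now that TLSv1.3 is accepted, the unchanged `ssl_ciphers` expectation on the same `describe` block only constrains suites for TLS 1.2 and earlier on nginx built against OpenSSL; a comment such as `# ssl_ciphers does not govern TLSv1.3 ciphersuites; those are not checked by this control` would make that gap explicit. The enclosing control and the `describe` block start and end outside the hunk.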