From a3923642c13e64e676897104c32e3d9188bd4642 Mon Sep 17 00:00:00 2001 From: Vladislav Yarmak Date: Sat, 6 Jul 2024 16:29:23 +0300 Subject: [PATCH] make use of TLS version options --- main.go | 6 ++++-- utils.go | 11 ++++++++--- 2 files changed, 12 insertions(+), 5 deletions(-) diff --git a/main.go b/main.go index 2191b56..76a29da 100644 --- a/main.go +++ b/main.go @@ -270,7 +270,8 @@ func run() int { } if args.cert != "" { - cfg, err1 := makeServerTLSConfig(args.cert, args.key, args.cafile, args.ciphers, !args.disableHTTP2) + cfg, err1 := makeServerTLSConfig(args.cert, args.key, args.cafile, + args.ciphers, uint16(args.minTLSVersion), uint16(args.maxTLSVersion), !args.disableHTTP2) if err1 != nil { mainLogger.Critical("TLS config construction failed: %v", err1) return 3 @@ -293,7 +294,8 @@ func run() int { }() } cfg := m.TLSConfig() - cfg, err = updateServerTLSConfig(cfg, args.cafile, args.ciphers, !args.disableHTTP2) + cfg, err = updateServerTLSConfig(cfg, args.cafile, args.ciphers, + uint16(args.minTLSVersion), uint16(args.maxTLSVersion), !args.disableHTTP2) if err != nil { mainLogger.Critical("TLS config construction failed: %v", err) return 3 diff --git a/utils.go b/utils.go index 5cbfc89..1e11180 100644 --- a/utils.go +++ b/utils.go @@ -151,8 +151,11 @@ func copyBody(wr io.Writer, body io.Reader) { } } -func makeServerTLSConfig(certfile, keyfile, cafile, ciphers string, h2 bool) (*tls.Config, error) { - var cfg tls.Config +func makeServerTLSConfig(certfile, keyfile, cafile, ciphers string, minVer, maxVer uint16, h2 bool) (*tls.Config, error) { + cfg := tls.Config{ + MinVersion: minVer, + MaxVersion: maxVer, + } cert, err := tls.LoadX509KeyPair(certfile, keyfile) if err != nil { return nil, err 
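Review bot: The `uint16(args.minTLSVersion)` and `uint16(args.maxTLSVersion)` conversions in the `@@ -270` hunk, repeated at the second call site in the `@@ -293` hunk, narrow the flag values without a range check; if the underlying field is wider than 16 bits (its declaration is not in this patch) an out-of-range value wraps silently into an arbitrary version number instead of being rejected. Validating once where the flags are parsed, or declaring the fields as uint16 so the casts disappear, would also stop both call sites from repeating the same conversion. run() starts and ends outside both hunks.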
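Review bot: The new `cfg := tls.Config{MinVersion: minVer, MaxVersion: maxVer}` in makeServerTLSConfig accepts any pair of values, so a configuration with minVer greater than maxVer is not rejected here and crypto/tls only reports it when a handshake runs, after the process has already started listening. A guard before the key pair is loaded, `if minVer != 0 && maxVer != 0 && minVer > maxVer { return nil, fmt.Errorf("TLS min version %#x exceeds max version %#x", minVer, maxVer) }`, surfaces the misconfiguration at startup; the same applies to the `cfg.MinVersion = minVer` / `cfg.MaxVersion = maxVer` assignments in the `@@ -198` hunk of utils.go. A doc comment on the function, `// makeServerTLSConfig builds a server TLS config from the given key pair; minVer and maxVer are tls.VersionTLS* values, and zero leaves the crypto/tls default in place.`, would record that zero means default. makeServerTLSConfig's body continues past the hunk.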
@@ -179,7 +182,7 @@ func makeServerTLSConfig(certfile, keyfile, cafile, ciphers string, h2 bool) (*t return &cfg, nil } -func updateServerTLSConfig(cfg *tls.Config, cafile, ciphers string, h2 bool) (*tls.Config, error) { +func updateServerTLSConfig(cfg *tls.Config, cafile, ciphers string, minVer, maxVer uint16, h2 bool) (*tls.Config, error) { if cafile != "" { roots := x509.NewCertPool() certs, err := ioutil.ReadFile(cafile) @@ -198,6 +201,8 @@ func updateServerTLSConfig(cfg *tls.Config, cafile, ciphers string, h2 bool) (*t } else { cfg.NextProtos = []string{"http/1.1", "acme-tls/1"} } + cfg.MinVersion = minVer + cfg.MaxVersion = maxVer return cfg, nil }