make use of TLS version options

This commit is contained in:
Vladislav Yarmak 2024-07-06 16:29:23 +03:00
parent 43dbaa5b3d
commit a3923642c1
2 changed files with 12 additions and 5 deletions


@ -270,7 +270,8 @@ func run() int {
} }
if args.cert != "" { if args.cert != "" {
cfg, err1 := makeServerTLSConfig(args.cert, args.key, args.cafile, args.ciphers, !args.disableHTTP2) cfg, err1 := makeServerTLSConfig(args.cert, args.key, args.cafile,
args.ciphers, uint16(args.minTLSVersion), uint16(args.maxTLSVersion), !args.disableHTTP2)
if err1 != nil { if err1 != nil {
mainLogger.Critical("TLS config construction failed: %v", err1) mainLogger.Critical("TLS config construction failed: %v", err1)
return 3 return 3
@ -293,7 +294,8 @@ func run() int {
}() }()
} }
cfg := m.TLSConfig() cfg := m.TLSConfig()
cfg, err = updateServerTLSConfig(cfg, args.cafile, args.ciphers, !args.disableHTTP2) cfg, err = updateServerTLSConfig(cfg, args.cafile, args.ciphers,
uint16(args.minTLSVersion), uint16(args.maxTLSVersion), !args.disableHTTP2)
if err != nil { if err != nil {
mainLogger.Critical("TLS config construction failed: %v", err) mainLogger.Critical("TLS config construction failed: %v", err)
return 3 return 3
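Review bot: Both call sites narrow the flag values with `uint16(args.minTLSVersion)` and `uint16(args.maxTLSVersion)` before handing them to makeServerTLSConfig and updateServerTLSConfig, and a plain Go conversion silently truncates an out-of-range value rather than rejecting it. If the flag fields are declared as a wider integer type (not visible here), a mistyped value such as 0x10303 would wrap to 0x0303 and the server would start with a TLS bound the operator did not ask for; the range should be validated where the flags are parsed, or the fields declared as uint16 so the conversion disappears. The same conversion is repeated verbatim in the second hunk of this file, so a single pre-computed pair, `minVer, maxVer := uint16(args.minTLSVersion), uint16(args.maxTLSVersion)`, would keep the two call sites in step. The enclosing run() function starts and ends outside these hunks.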


@ -151,8 +151,11 @@ func copyBody(wr io.Writer, body io.Reader) {
} }
} }
func makeServerTLSConfig(certfile, keyfile, cafile, ciphers string, h2 bool) (*tls.Config, error) { func makeServerTLSConfig(certfile, keyfile, cafile, ciphers string, minVer, maxVer uint16, h2 bool) (*tls.Config, error) {
var cfg tls.Config cfg := tls.Config{
MinVersion: minVer,
MaxVersion: maxVer,
}
cert, err := tls.LoadX509KeyPair(certfile, keyfile) cert, err := tls.LoadX509KeyPair(certfile, keyfile)
if err != nil { if err != nil {
return nil, err return nil, err
@ -179,7 +182,7 @@ func makeServerTLSConfig(certfile, keyfile, cafile, ciphers string, h2 bool) (*t
return &cfg, nil return &cfg, nil
} }
func updateServerTLSConfig(cfg *tls.Config, cafile, ciphers string, h2 bool) (*tls.Config, error) { func updateServerTLSConfig(cfg *tls.Config, cafile, ciphers string, minVer, maxVer uint16, h2 bool) (*tls.Config, error) {
if cafile != "" { if cafile != "" {
roots := x509.NewCertPool() roots := x509.NewCertPool()
certs, err := ioutil.ReadFile(cafile) certs, err := ioutil.ReadFile(cafile)
@ -198,6 +201,8 @@ func updateServerTLSConfig(cfg *tls.Config, cafile, ciphers string, h2 bool) (*t
} else { } else {
cfg.NextProtos = []string{"http/1.1", "acme-tls/1"} cfg.NextProtos = []string{"http/1.1", "acme-tls/1"}
} }
cfg.MinVersion = minVer
cfg.MaxVersion = maxVer
return cfg, nil return cfg, nil
} }
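Review bot: Neither makeServerTLSConfig (the `cfg := tls.Config{MinVersion: minVer, MaxVersion: maxVer}` literal) nor updateServerTLSConfig (the trailing `cfg.MinVersion = minVer` / `cfg.MaxVersion = maxVer`) checks that the two bounds are consistent, so a configuration with minVer above maxVer is accepted at construction time and only fails later when crypto/tls finds no version satisfying both limits during a handshake. A check at the top of each function, `if minVer != 0 && maxVer != 0 && minVer > maxVer { return nil, fmt.Errorf("TLS min version %#x exceeds max version %#x", minVer, maxVer) }` (or `errors.New` if fmt is not imported in this file), would surface the mistake through the existing "TLS config construction failed" path at startup instead. The zero-value case should stay permitted, since 0 leaves the crypto/tls defaults in effect, and a short comment saying so above the literal would help the next reader. The body of makeServerTLSConfig continues outside the first hunk; updateServerTLSConfig's body is split across the last two hunks.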