fix #1611

Allow setting the minimum TLS version
2025-10-31 05:47:22 +01:00 · 2021-04-18 20:31:11 -04:00 · 2021-04-18 20:31:11 -04:00 · 1a5d079670
commit 1a5d079670
parent eb2dfa78c9
3 changed files with 24 additions and 0 deletions
--- a/default.yaml
+++ b/default.yaml
@ -58,6 +58,8 @@ server:
            # always send a PROXY protocol header ahead of the connection. See the
            # manual ("Reverse proxies") for more details.
            proxy: false
+            # set the minimum TLS version:
+            min-tls-version: 1.2

        # Example of a Unix domain socket for proxying:
        # "/tmp/oragono_sock":
--- a/irc/config.go
+++ b/irc/config.go
@ -59,6 +59,7 @@ type listenerConfigBlock struct {
 	TLS TLSListenConfig
 	// SNI configuration, with multiple certificates:
 	TLSCertificates []TLSListenConfig `yaml:"tls-certificates"`
+	MinTLSVersion   string            `yaml:"min-tls-version"`
 	Proxy           bool
 	Tor             bool
 	STSOnly         bool `yaml:"sts-only"`
@ -881,10 +882,29 @@ func loadTlsConfig(config listenerConfigBlock) (tlsConfig *tls.Config, err error
 	result := tls.Config{
 		Certificates: certificates,
 		ClientAuth:   clientAuth,
+		MinVersion:   tlsMinVersionFromString(config.MinTLSVersion),
 	}
 	return &result, nil
 }

+func tlsMinVersionFromString(version string) uint16 {
+	version = strings.ToLower(version)
+	version = strings.TrimPrefix(version, "v")
+	switch version {
+	case "1", "1.0":
+		return tls.VersionTLS10
+	case "1.1":
+		return tls.VersionTLS11
+	case "1.2":
+		return tls.VersionTLS12
+	case "1.3":
+		return tls.VersionTLS13
+	default:
+		// tls package will fill in a sane value, currently 1.0
+		return 0
+	}
+}
+
 func loadCertWithLeaf(certFile, keyFile string) (cert tls.Certificate, err error) {
 	// LoadX509KeyPair: "On successful return, Certificate.Leaf will be nil because
 	// the parsed form of the certificate is not retained." tls.Config:
--- a/traditional.yaml
+++ b/traditional.yaml
@ -32,6 +32,8 @@ server:
            # always send a PROXY protocol header ahead of the connection. See the
            # manual ("Reverse proxies") for more details.
            proxy: false
+            # optionally set the minimum TLS version (defaults to 1.0):
+            # min-tls-version: 1.2

        # Example of a Unix domain socket for proxying:
        # "/tmp/oragono_sock":