From 1a5d079670d1305528cd0c7b8766ea51c9400a40 Mon Sep 17 00:00:00 2001
From: Shivaram Lingamneni
Date: Sun, 18 Apr 2021 20:31:11 -0400
Subject: [PATCH] fix #1611

Allow setting the minimum TLS version
---
 default.yaml     | 2 ++
 irc/config.go    | 20 ++++++++++++++++++++
 traditional.yaml | 2 ++
 3 files changed, 24 insertions(+)

diff --git a/default.yaml b/default.yaml
index 87a91a57..c97a2b84 100644
--- a/default.yaml
+++ b/default.yaml
@@ -58,6 +58,8 @@ server:
             # always send a PROXY protocol header ahead of the connection. See the
             # manual ("Reverse proxies") for more details.
             proxy: false
+            # set the minimum TLS version:
+            min-tls-version: 1.2
 
         # Example of a Unix domain socket for proxying:
         # "/tmp/oragono_sock":
diff --git a/irc/config.go b/irc/config.go
index d421a073..769aba0b 100644
--- a/irc/config.go
+++ b/irc/config.go
@@ -59,6 +59,7 @@ type listenerConfigBlock struct {
 	TLS TLSListenConfig
 	// SNI configuration, with multiple certificates:
 	TLSCertificates []TLSListenConfig `yaml:"tls-certificates"`
+	MinTLSVersion string `yaml:"min-tls-version"`
 	Proxy bool
 	Tor bool
 	STSOnly bool `yaml:"sts-only"`
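Review bot: `min-tls-version: 1.2` in the default.yaml hunk is an unquoted YAML scalar that resolves to a float, so it reaches the new `MinTLSVersion string` field only because, if I read the YAML decoder's string handling right, it falls back to the raw scalar text when the target is a string. Quoting it as `min-tls-version: "1.2"` makes the intent explicit and does not depend on that decoder behaviour; the commented example in the traditional.yaml hunk would benefit from the same. A short comment next to the key saying what happens when it is omitted would also help, since default.yaml now enables 1.2 while an absent key leaves the stdlib default in place.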
@@ -881,10 +882,29 @@ func loadTlsConfig(config listenerConfigBlock) (tlsConfig *tls.Config, err error
 	result := tls.Config{
 		Certificates: certificates,
 		ClientAuth: clientAuth,
+		MinVersion: tlsMinVersionFromString(config.MinTLSVersion),
 	}
 	return &result, nil
 }
 
+func tlsMinVersionFromString(version string) uint16 {
+	version = strings.ToLower(version)
+	version = strings.TrimPrefix(version, "v")
+	switch version {
+	case "1", "1.0":
+		return tls.VersionTLS10
+	case "1.1":
+		return tls.VersionTLS11
+	case "1.2":
+		return tls.VersionTLS12
+	case "1.3":
+		return tls.VersionTLS13
+	default:
+		// tls package will fill in a sane value, currently 1.0
+		return 0
+	}
+}
+
 func loadCertWithLeaf(certFile, keyFile string) (cert tls.Certificate, err error) {
 	// LoadX509KeyPair: "On successful return, Certificate.Leaf will be nil because
 	// the parsed form of the certificate is not retained." tls.Config:
diff --git a/traditional.yaml b/traditional.yaml
index 47601ac4..92d95728 100644
--- a/traditional.yaml
+++ b/traditional.yaml
@@ -32,6 +32,8 @@ server:
             # always send a PROXY protocol header ahead of the connection. See the
             # manual ("Reverse proxies") for more details.
             proxy: false
+            # optionally set the minimum TLS version (defaults to 1.0):
+            # min-tls-version: 1.2
 
         # Example of a Unix domain socket for proxying:
         # "/tmp/oragono_sock":