Allow setting the minimum TLS version
This commit is contained in:
Shivaram Lingamneni 2021-04-18 20:31:11 -04:00
parent eb2dfa78c9
commit 1a5d079670
3 changed files with 24 additions and 0 deletions


@ -58,6 +58,8 @@ server:
# always send a PROXY protocol header ahead of the connection. See the # always send a PROXY protocol header ahead of the connection. See the
# manual ("Reverse proxies") for more details. # manual ("Reverse proxies") for more details.
proxy: false proxy: false
# set the minimum TLS version:
min-tls-version: 1.2
# Example of a Unix domain socket for proxying: # Example of a Unix domain socket for proxying:
# "/tmp/oragono_sock": # "/tmp/oragono_sock":


@ -59,6 +59,7 @@ type listenerConfigBlock struct {
TLS TLSListenConfig TLS TLSListenConfig
// SNI configuration, with multiple certificates: // SNI configuration, with multiple certificates:
TLSCertificates []TLSListenConfig `yaml:"tls-certificates"` TLSCertificates []TLSListenConfig `yaml:"tls-certificates"`
MinTLSVersion string `yaml:"min-tls-version"`
Proxy bool Proxy bool
Tor bool Tor bool
STSOnly bool `yaml:"sts-only"` STSOnly bool `yaml:"sts-only"`
@ -881,10 +882,29 @@ func loadTlsConfig(config listenerConfigBlock) (tlsConfig *tls.Config, err error
result := tls.Config{ result := tls.Config{
Certificates: certificates, Certificates: certificates,
ClientAuth: clientAuth, ClientAuth: clientAuth,
MinVersion: tlsMinVersionFromString(config.MinTLSVersion),
} }
return &result, nil return &result, nil
} }
func tlsMinVersionFromString(version string) uint16 {
version = strings.ToLower(version)
version = strings.TrimPrefix(version, "v")
switch version {
case "1", "1.0":
return tls.VersionTLS10
case "1.1":
return tls.VersionTLS11
case "1.2":
return tls.VersionTLS12
case "1.3":
return tls.VersionTLS13
default:
// tls package will fill in a sane value, currently 1.0
return 0
}
}
func loadCertWithLeaf(certFile, keyFile string) (cert tls.Certificate, err error) { func loadCertWithLeaf(certFile, keyFile string) (cert tls.Certificate, err error) {
// LoadX509KeyPair: "On successful return, Certificate.Leaf will be nil because // LoadX509KeyPair: "On successful return, Certificate.Leaf will be nil because
// the parsed form of the certificate is not retained." tls.Config: // the parsed form of the certificate is not retained." tls.Config:


@ -32,6 +32,8 @@ server:
# always send a PROXY protocol header ahead of the connection. See the # always send a PROXY protocol header ahead of the connection. See the
# manual ("Reverse proxies") for more details. # manual ("Reverse proxies") for more details.
proxy: false proxy: false
# optionally set the minimum TLS version (defaults to 1.0):
# min-tls-version: 1.2
# Example of a Unix domain socket for proxying: # Example of a Unix domain socket for proxying:
# "/tmp/oragono_sock": # "/tmp/oragono_sock":