diff --git a/core/env/flags.go b/core/env/flags.go
index e7e3e4b0..1d0bfa71 100644
--- a/core/env/flags.go
+++ b/core/env/flags.go
@@ -21,6 +21,7 @@ type Flags struct {
 ForceHTTPPort2SSL string // (optional) HTTP that should be redirected to HTTPS
 SSLCertFile string // (optional) name of SSL certificate PEM file
 SSLKeyFile string // (optional) name of SSL key PEM file
+ TLSVersion string // (optional) minimum TLS version for SSL connections
 SiteMode string // (optional) if 1 then serve offline web page
 Location string // reserved
 ConfigSource string // tells us if configuration info was obtained from command line or config file
@@ -43,6 +44,7 @@ type httpConfig struct {
 ForceSSLPort int
 Cert string
 Key string
+ TLSVersion string
 }
 type databaseConfig struct {
diff --git a/core/env/parser.go b/core/env/parser.go
index 095602df..8efddaf4 100644
--- a/core/env/parser.go
+++ b/core/env/parser.go
@@ -84,8 +84,13 @@ func configFile() (f Flags, ok bool) {
 f.ForceHTTPPort2SSL = strconv.Itoa(ct.HTTP.ForceSSLPort)
 f.SSLCertFile = ct.HTTP.Cert
 f.SSLKeyFile = ct.HTTP.Key
+ f.TLSVersion = ct.HTTP.TLSVersion
 f.Location = strings.ToLower(ct.Install.Location)
+ if len(f.TLSVersion) == 0 {
+ f.TLSVersion = "1.2"
+ }
+
 ok = true
 return
 }
@@ -93,7 +98,7 @@ func configFile() (f Flags, ok bool) {
 // commandLineEnv loads command line and OS environment variables required by the program to function.
 func commandLineEnv() (f Flags, ok bool) {
 ok = true
- var dbConn, dbType, jwtKey, siteMode, port, certFile, keyFile, forcePort2SSL, location string
+ var dbConn, dbType, jwtKey, siteMode, port, certFile, keyFile, forcePort2SSL, TLSVersion, location string
 // register(&configFile, "salt", false, "the salt string used to encode JWT tokens, if not set a random value will be generated")
 register(&jwtKey, "salt", false, "the salt string used to encode JWT tokens, if not set a random value will be generated")
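Review bot: The comment on the new Flags.TLSVersion field says only "minimum TLS version" and does not state the accepted spelling or the default, although the parser substitutes "1.2" for an empty value and server.Start compares the string against exactly "1.0", "1.1", "1.2" and "1.3", so a reader of the struct cannot tell that a value such as "TLSv1.2" will never match. Suggest `TLSVersion string // (optional) minimum TLS version for SSL connections: "1.0", "1.1", "1.2" or "1.3"; empty means "1.2"`. The httpConfig.TLSVersion field added in the -43 hunk of the same file carries no comment at all; the same one-liner fits there, since it is the value the config-file path copies into Flags.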
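Review bot: The "1.2" fallback in configFile only covers an empty TLSVersion, so any other unrecognized string (a typo such as "1,2" or "tls1.2") leaves the function unchanged and is inspected nowhere until server.Start, where none of the four comparisons match and cfg.MinVersion stays zero — the crypto/tls library default rather than the floor the old code hard-coded, and on Go releases before 1.22 that default is below TLS 1.2. The identical fallback is duplicated in the -118 hunk of commandLineEnv, so the two loaders can drift apart. Validating once at parse time keeps them consistent and turns a bad value into a configuration failure; configFile's named result `ok` is only set to true at the end of the function, so an early `return` already reports failure. The helper below is new code, and the replaced lines are the tail of configFile as shown in this hunk.
```go
// defaultTLSVersion is used when no minimum TLS version is configured.
const defaultTLSVersion = "1.2"

// normalizeTLSVersion applies the default and accepts only the values that
// server.Start knows how to map onto tls.Config.MinVersion.
func normalizeTLSVersion(v string) (string, bool) {
	switch v {
	case "":
		return defaultTLSVersion, true
	case "1.0", "1.1", "1.2", "1.3":
		return v, true
	}
	return "", false
}

// … unchanged: configFile up to f.SSLKeyFile …
	f.Location = strings.ToLower(ct.Install.Location)
	var valid bool
	if f.TLSVersion, valid = normalizeTLSVersion(ct.HTTP.TLSVersion); !valid {
		return // a value the server cannot map is a configuration error, not a silent downgrade
	}
	ok = true
	return
```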
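Review bot: The new local is named `TLSVersion` while every sibling in the same declaration (`certFile`, `keyFile`, `forcePort2SSL`, `location`) is lowerCamel, so it reads like an exported identifier or the Flags field of the same name; Go keeps initialisms cased as a unit but starts a local with a lowercase letter. Suggest `var dbConn, dbType, jwtKey, siteMode, port, certFile, keyFile, forcePort2SSL, tlsVersion, location string`, with the same rename in the register call of the -101 hunk and the `f.TLSVersion = TLSVersion` assignment of the -118 hunk. commandLineEnv continues past the end of this hunk.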
@@ -101,6 +106,7 @@ func commandLineEnv() (f Flags, ok bool) {
 register(&keyFile, "key", false, "the key.pem file used for https")
 register(&port, "port", false, "http/https port number")
 register(&forcePort2SSL, "forcesslport", false, "redirect given http port number to TLS")
+ register(&TLSVersion, "tlsversion", false, "select minimum TLS: 1.0, 1.1, 1.2, 1.3")
 register(&siteMode, "offline", false, "set to '1' for OFFLINE mode")
 register(&dbType, "dbtype", true, "specify the database provider: mysql|percona|mariadb|postgresql|sqlserver")
 register(&dbConn, "db", true, `'database specific connection string for example "user:password@tcp(localhost:3306)/dbname"`)
@@ -118,9 +124,14 @@ func commandLineEnv() (f Flags, ok bool) {
 f.SiteMode = siteMode
 f.SSLCertFile = certFile
 f.SSLKeyFile = keyFile
+ f.TLSVersion = TLSVersion
 f.Location = strings.ToLower(location)
 f.ConfigSource = "flags/environment"
+ if len(f.TLSVersion) == 0 {
+ f.TLSVersion = "1.2"
+ }
+
 return f, ok
 }
diff --git a/server/server.go b/server/server.go
index c0e070b3..76be26e0 100644
--- a/server/server.go
+++ b/server/server.go
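Review bot: The help text for the new `tlsversion` flag lists the accepted values but not that an empty value becomes "1.2", which this function applies later in the -118 hunk, so the help output will not show the effective default. Suggest `register(&TLSVersion, "tlsversion", false, "minimum TLS version: 1.0, 1.1, 1.2 or 1.3 (default 1.2)")`. Whether register renders defaults on its own cannot be seen here, as its definition is outside the diff.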
@@ -127,11 +127,21 @@ func Start(rt *env.Runtime, s *store.Store, ready chan struct{}) {
 rt.Log.Info("***")
 }
- rt.Log.Info("Web Server: starting SSL server on " + rt.Flags.HTTPPort + " with " + rt.Flags.SSLCertFile + " " + rt.Flags.SSLKeyFile)
-
- cfg := &tls.Config{
- MinVersion: tls.VersionTLS12,
+ cfg := &tls.Config{}
+ if rt.Flags.TLSVersion == "1.0" {
+ cfg.MinVersion = tls.VersionTLS10
 }
+ if rt.Flags.TLSVersion == "1.1" {
+ cfg.MinVersion = tls.VersionTLS11
+ }
+ if rt.Flags.TLSVersion == "1.2" {
+ cfg.MinVersion = tls.VersionTLS12
+ }
+ if rt.Flags.TLSVersion == "1.3" {
+ cfg.MinVersion = tls.VersionTLS13
+ }
+
+ rt.Log.Info("Web Server: starting SSL server on " + rt.Flags.HTTPPort + " with " + rt.Flags.SSLCertFile + " " + rt.Flags.SSLKeyFile + " TLS: " + rt.Flags.TLSVersion)
 server := &http.Server{Addr: ":" + rt.Flags.HTTPPort, Handler: n, TLSConfig: cfg}
 server.SetKeepAlivesEnabled(true)
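Review bot: The four independent `if` comparisons on rt.Flags.TLSVersion have no fallthrough, so any value other than the four exact strings leaves cfg.MinVersion at its zero value; crypto/tls then applies its own default, which on Go releases before 1.22 is TLS 1.0 for servers, so a typo in the configuration silently lowers the floor that the removed `MinVersion: tls.VersionTLS12` fixed. A `switch` with a `default` arm keeps the previous floor for unknown input and logs the fact; it also makes the values "1.0" and "1.1" — which this change newly allows — stand out as the deliberate opt-ins they are, and a log line when one of them is chosen makes that visible in operations. The log call in the default arm uses the same rt.Log.Info this hunk already uses. Start's body begins and ends outside the hunk.
```go
	cfg := &tls.Config{}
	switch rt.Flags.TLSVersion {
	case "1.0":
		cfg.MinVersion = tls.VersionTLS10
	case "1.1":
		cfg.MinVersion = tls.VersionTLS11
	case "1.2":
		cfg.MinVersion = tls.VersionTLS12
	case "1.3":
		cfg.MinVersion = tls.VersionTLS13
	default:
		// Unknown value: keep the floor the old code hard-coded instead of
		// falling back to the crypto/tls default, and say so in the log.
		rt.Log.Info("Web Server: unrecognized TLS version '" + rt.Flags.TLSVersion + "', using minimum TLS 1.2")
		cfg.MinVersion = tls.VersionTLS12
	}
	// … unchanged: startup log line, http.Server construction …
```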