Support TLS version selection

Allow config file and ENV variables to define minimum TLS version used for SSL connections.

tlsversion=1.3

core/env/flags.go

@@ -21,6 +21,7 @@ type Flags struct {
 	ForceHTTPPort2SSL string // (optional) HTTP that should be redirected to HTTPS
 	SSLCertFile       string // (optional) name of SSL certificate PEM file
 	SSLKeyFile        string // (optional) name of SSL key PEM file
+	TLSVersion        string // (optional) minimum TLS version for SSL connections
 	SiteMode          string // (optional) if 1 then serve offline web page
 	Location          string // reserved
 	ConfigSource      string // tells us if configuration info was obtained from command line or config file
@@ -43,6 +44,7 @@ type httpConfig struct {
 	ForceSSLPort int
 	Cert         string
 	Key          string
+	TLSVersion   string
 }
 
 type databaseConfig struct {

core/env/parser.go

@@ -84,8 +84,13 @@ func configFile() (f Flags, ok bool) {
 	f.ForceHTTPPort2SSL = strconv.Itoa(ct.HTTP.ForceSSLPort)
 	f.SSLCertFile = ct.HTTP.Cert
 	f.SSLKeyFile = ct.HTTP.Key
+	f.TLSVersion = ct.HTTP.TLSVersion
 	f.Location = strings.ToLower(ct.Install.Location)
 
+	if len(f.TLSVersion) == 0 {
+		f.TLSVersion = "1.2"
+	}
+
 	ok = true
 	return
 }
@@ -93,7 +98,7 @@ func configFile() (f Flags, ok bool) {
 // commandLineEnv loads command line and OS environment variables required by the program to function.
 func commandLineEnv() (f Flags, ok bool) {
 	ok = true
-	var dbConn, dbType, jwtKey, siteMode, port, certFile, keyFile, forcePort2SSL, location string
+	var dbConn, dbType, jwtKey, siteMode, port, certFile, keyFile, forcePort2SSL, TLSVersion, location string
 
 	// register(&configFile, "salt", false, "the salt string used to encode JWT tokens, if not set a random value will be generated")
 	register(&jwtKey, "salt", false, "the salt string used to encode JWT tokens, if not set a random value will be generated")
@@ -101,6 +106,7 @@ func commandLineEnv() (f Flags, ok bool) {
 	register(&keyFile, "key", false, "the key.pem file used for https")
 	register(&port, "port", false, "http/https port number")
 	register(&forcePort2SSL, "forcesslport", false, "redirect given http port number to TLS")
+	register(&TLSVersion, "tlsversion", false, "select minimum TLS: 1.0, 1.1, 1.2, 1.3")
 	register(&siteMode, "offline", false, "set to '1' for OFFLINE mode")
 	register(&dbType, "dbtype", true, "specify the database provider: mysql|percona|mariadb|postgresql|sqlserver")
 	register(&dbConn, "db", true, `'database specific connection string for example "user:password@tcp(localhost:3306)/dbname"`)
@@ -118,9 +124,14 @@ func commandLineEnv() (f Flags, ok bool) {
 	f.SiteMode = siteMode
 	f.SSLCertFile = certFile
 	f.SSLKeyFile = keyFile
+	f.TLSVersion = TLSVersion
 	f.Location = strings.ToLower(location)
 	f.ConfigSource = "flags/environment"
 
+	if len(f.TLSVersion) == 0 {
+		f.TLSVersion = "1.2"
+	}
+
 	return f, ok
 }
 

server/server.go

@@ -127,11 +127,21 @@ func Start(rt *env.Runtime, s *store.Store, ready chan struct{}) {
 			rt.Log.Info("***")
 		}
 
-		rt.Log.Info("Web Server: starting SSL server on " + rt.Flags.HTTPPort + " with " + rt.Flags.SSLCertFile + " " + rt.Flags.SSLKeyFile)
+		cfg := &tls.Config{}
-
+		if rt.Flags.TLSVersion == "1.0" {
-		cfg := &tls.Config{
+			cfg.MinVersion = tls.VersionTLS10
-			MinVersion: tls.VersionTLS12,
 		}
+		if rt.Flags.TLSVersion == "1.1" {
+			cfg.MinVersion = tls.VersionTLS11
+		}
+		if rt.Flags.TLSVersion == "1.2" {
+			cfg.MinVersion = tls.VersionTLS12
+		}
+		if rt.Flags.TLSVersion == "1.3" {
+			cfg.MinVersion = tls.VersionTLS13
+		}
+
+		rt.Log.Info("Web Server: starting SSL server on " + rt.Flags.HTTPPort + " with " + rt.Flags.SSLCertFile + " " + rt.Flags.SSLKeyFile + " TLS: " + rt.Flags.TLSVersion)
 
 		server := &http.Server{Addr: ":" + rt.Flags.HTTPPort, Handler: n, TLSConfig: cfg}
 		server.SetKeepAlivesEnabled(true)