|
@@ -59,6 +59,7 @@ type listenerConfigBlock struct {
|
59
|
59
|
TLS TLSListenConfig
|
60
|
60
|
// SNI configuration, with multiple certificates:
|
61
|
61
|
TLSCertificates []TLSListenConfig `yaml:"tls-certificates"`
|
|
62
|
+ MinTLSVersion string `yaml:"min-tls-version"`
|
62
|
63
|
Proxy bool
|
63
|
64
|
Tor bool
|
64
|
65
|
STSOnly bool `yaml:"sts-only"`
|
|
@@ -881,10 +882,29 @@ func loadTlsConfig(config listenerConfigBlock) (tlsConfig *tls.Config, err error
|
881
|
882
|
result := tls.Config{
|
882
|
883
|
Certificates: certificates,
|
883
|
884
|
ClientAuth: clientAuth,
|
|
885
|
+ MinVersion: tlsMinVersionFromString(config.MinTLSVersion),
|
884
|
886
|
}
|
885
|
887
|
return &result, nil
|
886
|
888
|
}
|
887
|
889
|
|
|
890
|
+func tlsMinVersionFromString(version string) uint16 {
|
|
891
|
+ version = strings.ToLower(version)
|
|
892
|
+ version = strings.TrimPrefix(version, "v")
|
|
893
|
+ switch version {
|
|
894
|
+ case "1", "1.0":
|
|
895
|
+ return tls.VersionTLS10
|
|
896
|
+ case "1.1":
|
|
897
|
+ return tls.VersionTLS11
|
|
898
|
+ case "1.2":
|
|
899
|
+ return tls.VersionTLS12
|
|
900
|
+ case "1.3":
|
|
901
|
+ return tls.VersionTLS13
|
|
902
|
+ default:
|
|
903
|
+ // tls package will fill in a sane value, currently 1.0
|
|
904
|
+ return 0
|
|
905
|
+ }
|
|
906
|
+}
|
|
907
|
+
|
888
|
908
|
func loadCertWithLeaf(certFile, keyFile string) (cert tls.Certificate, err error) {
|
889
|
909
|
// LoadX509KeyPair: "On successful return, Certificate.Leaf will be nil because
|
890
|
910
|
// the parsed form of the certificate is not retained." tls.Config:
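Review bot: The `default:` branch of `tlsMinVersionFromString` returns 0 for every unrecognized string, so a mistyped `min-tls-version` (a value the switch does not list) is accepted silently and the listener runs with the crypto/tls default floor rather than the one the operator asked for. Because the helper returns only `uint16`, `loadTlsConfig` has no way to reject the value; I would return `(uint16, error)`, treat only the empty string as "use the default", and fail config loading on anything else, as sketched below. The comment "currently 1.0" also ties the code to one toolchain's behaviour; the default minimum is chosen by crypto/tls and may differ between Go releases, so wording it as `// 0 lets crypto/tls pick its default minimum for this Go release` would age better. `loadTlsConfig` begins outside this hunk, so the exact placement of the call-site check is inferred from the visible tail of the function.

```go
func tlsMinVersionFromString(version string) (uint16, error) {
	// … unchanged: lower-casing and "v" prefix trimming …
	switch version {
	// … unchanged: cases "1"/"1.0" through "1.3", each returning (value, nil) …
	case "":
		// unset: 0 lets crypto/tls pick its default minimum for this Go release
		return 0, nil
	default:
		return 0, fmt.Errorf("unrecognized min-tls-version %q", version)
	}
}

// in loadTlsConfig, before building tls.Config:
minVersion, err := tlsMinVersionFromString(config.MinTLSVersion)
if err != nil {
	return nil, err
}
// … unchanged: tls.Config literal, now with MinVersion: minVersion …
```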
|