fix #1611

Allow setting the minimum TLS version

default.yaml

             # always send a PROXY protocol header ahead of the connection. See the
             # manual ("Reverse proxies") for more details.
             proxy: false
+            # set the minimum TLS version:
+            min-tls-version: 1.2
 
         # Example of a Unix domain socket for proxying:
         # "/tmp/oragono_sock":

irc/config.go

 	TLS TLSListenConfig
 	// SNI configuration, with multiple certificates:
 	TLSCertificates []TLSListenConfig `yaml:"tls-certificates"`
+	MinTLSVersion   string            `yaml:"min-tls-version"`
 	Proxy           bool
 	Tor             bool
 	STSOnly         bool `yaml:"sts-only"`
 	result := tls.Config{
 		Certificates: certificates,
 		ClientAuth:   clientAuth,
+		MinVersion:   tlsMinVersionFromString(config.MinTLSVersion),
 	}
 	return &result, nil
 }
 
+func tlsMinVersionFromString(version string) uint16 {
+	version = strings.ToLower(version)
+	version = strings.TrimPrefix(version, "v")
+	switch version {
+	case "1", "1.0":
+		return tls.VersionTLS10
+	case "1.1":
+		return tls.VersionTLS11
+	case "1.2":
+		return tls.VersionTLS12
+	case "1.3":
+		return tls.VersionTLS13
+	default:
+		// tls package will fill in a sane value, currently 1.0
+		return 0
+	}
+}
+
 func loadCertWithLeaf(certFile, keyFile string) (cert tls.Certificate, err error) {
 	// LoadX509KeyPair: "On successful return, Certificate.Leaf will be nil because
 	// the parsed form of the certificate is not retained." tls.Config:

traditional.yaml

             # always send a PROXY protocol header ahead of the connection. See the
             # manual ("Reverse proxies") for more details.
             proxy: false
+            # optionally set the minimum TLS version (defaults to 1.0):
+            # min-tls-version: 1.2
 
         # Example of a Unix domain socket for proxying:
         # "/tmp/oragono_sock":