Add TLS min and max version

2024-02-24 11:43:54 +01:00 · 2024-02-24 11:43:54 +01:00 · 80401e4c98
parent 47319f709f
commit 80401e4c98
3 changed files with 42 additions and 1 deletions
--- a/cmd/weblug/config.go
+++ b/cmd/weblug/config.go
@ -1,6 +1,7 @@
 package main

 import (
+	"crypto/tls"
 	"fmt"
 	"io/ioutil"

@ -24,6 +25,8 @@ type ConfigSettings struct {

 type TLSSettings struct {
 	Enabled      bool     `yaml:"enabled"`
+	MinVersion   string   `yaml:"minversion"`
+	MaxVersion   string   `yaml:"maxversion"`
 	Keyfile      string   `yaml:"keyfile"`
 	Certificates []string `yaml:"certificates"`
 }
@ -70,3 +73,19 @@ func (cf *Config) LoadYAML(filename string) error {
 	}
 	return cf.Check()
 }
+
+func ParseTLSVersion(version string) (uint16, error) {
+	if version == "" {
+		return tls.VersionTLS12, nil
+	} else if version == "1.0" {
+		return tls.VersionTLS10, nil
+	} else if version == "1.1" {
+		return tls.VersionTLS11, nil
+	} else if version == "1.2" {
+		return tls.VersionTLS12, nil
+	} else if version == "1.3" {
+		return tls.VersionTLS13, nil
+	} else {
+		return 0, fmt.Errorf("invalid tls version string")
+	}
+}
--- a/cmd/weblug/weblug.go
+++ b/cmd/weblug/weblug.go
@ -130,7 +130,26 @@ func main() {
 			WriteTimeout:   time.Duration(cf.Settings.WriteTimeout) * time.Second,
 			MaxHeaderBytes: cf.Settings.MaxHeaderBytes,
 		}
-		tlsConfig := &tls.Config{}
+		tlsConfig := &tls.Config{
+			MinVersion: tls.VersionTLS12,
+		}
+		if cf.Settings.TLS.MinVersion != "" {
+
+			var err error
+			tlsConfig.MinVersion, err = ParseTLSVersion(cf.Settings.TLS.MinVersion)
+			if err != nil {
+				fmt.Fprintf(os.Stderr, "error: tls min version invalid\n")
+				os.Exit(1)
+			}
+		}
+		if cf.Settings.TLS.MaxVersion != "" {
+			var err error
+			tlsConfig.MaxVersion, err = ParseTLSVersion(cf.Settings.TLS.MinVersion)
+			if err != nil {
+				fmt.Fprintf(os.Stderr, "error: tls min version invalid\n")
+				os.Exit(1)
+			}
+		}
 		// Create self-signed certificate, when no keyfile and no certificates are present
 		if cf.Settings.TLS.Keyfile == "" && len(cf.Settings.TLS.Certificates) == 0 {
 			// TODO
--- a/weblug.yml
+++ b/weblug.yml
@ -14,6 +14,9 @@ settings:
  # Enable TLS here here
  tls:
    enabled: true
+    # Minimum and maximum requires TLS version. By default TLS1.2 is the minimum
+    minversion: '1.2'
+    maxversion: ''
    keyfile: 'weblug.key'
    certificates:
      - weblug1.pem