* app, dnsforward: add MinVersion for TLS configs

2024-11-16 10:28:29 -07:00 · 2019-04-17 12:02:56 +03:00 · 2019-04-17 12:02:56 +03:00 · c82887d3aa
commit c82887d3aa
parent faeda3f075
3 changed files with 11 additions and 3 deletions
--- a/app.go
+++ b/app.go
@ -197,6 +197,7 @@ func run(args options) {
 				Addr: address,
 				TLSConfig: &tls.Config{
 					Certificates: []tls.Certificate{cert},
+					MinVersion:   tls.VersionTLS12,
 				},
 			}

--- a/dnsforward/dnsforward.go
+++ b/dnsforward/dnsforward.go
@ -175,7 +175,10 @@ func (s *Server) startInternal(config *ServerConfig) error {
 		if err != nil {
 			return errorx.Decorate(err, "Failed to parse TLS keypair")
 		}
-		proxyConfig.TLSConfig = &tls.Config{Certificates: []tls.Certificate{keypair}}
+		proxyConfig.TLSConfig = &tls.Config{
+			Certificates: []tls.Certificate{keypair},
+			MinVersion:   tls.VersionTLS12,
+		}
 	}

 	if proxyConfig.UDPListenAddr == nil {
--- a/dnsforward/dnsforward_test.go
+++ b/dnsforward/dnsforward_test.go
@ -101,7 +101,11 @@ func TestDotServer(t *testing.T) {
 	// Add our self-signed generated config to roots
 	roots := x509.NewCertPool()
 	roots.AppendCertsFromPEM(certPem)
-	tlsConfig := &tls.Config{ServerName: tlsServerName, RootCAs: roots}
+	tlsConfig := &tls.Config{
+		ServerName: tlsServerName,
+		RootCAs:    roots,
+		MinVersion: tls.VersionTLS12,
+	}

 	// Create a DNS-over-TLS client connection
 	addr := s.dnsProxy.Addr(proxy.ProtoTLS)
@ -459,7 +463,7 @@ func createServerTLSConfig(t *testing.T) (*tls.Config, []byte, []byte) {
 		t.Fatalf("failed to create certificate: %s", err)
 	}

-	return &tls.Config{Certificates: []tls.Certificate{cert}, ServerName: tlsServerName}, certPem, keyPem
+	return &tls.Config{Certificates: []tls.Certificate{cert}, ServerName: tlsServerName, MinVersion: tls.VersionTLS12}, certPem, keyPem
 }

 func createDataDir(t *testing.T) string {