Registry - make minimum TLS version user configurable

Signed-off-by: J. Gregory Rebholz <gregrebholz@gmail.com>
2019-01-08 21:29:40 -05:00 · 2019-01-08 21:29:40 -05:00 · cdb62b2b77
commit cdb62b2b77
parent 91b0f0559e
4 changed files with 26 additions and 3 deletions
--- a/configuration/configuration.go
+++ b/configuration/configuration.go
@ -108,6 +108,9 @@ type Configuration struct {
 			// A file may contain multiple CA certificates encoded as PEM
 			ClientCAs []string `yaml:"clientcas,omitempty"`
 			// Specifies the lowest TLS version allowed
 			MinimumTLS string `yaml:"minimumtls,omitempty"`
 			// LetsEncrypt is used to configuration setting up TLS through
 			// Let's Encrypt instead of manually specifying certificate and
 			// key. If a TLS certificate is specified, the Let's Encrypt
--- a/configuration/configuration_test.go
+++ b/configuration/configuration_test.go
@ -83,6 +83,7 @@ var configStruct = Configuration{
 			Certificate string   `yaml:"certificate,omitempty"`
 			Key         string   `yaml:"key,omitempty"`
 			ClientCAs   []string `yaml:"clientcas,omitempty"`
 			MinimumTLS  string   `yaml:"minimumtls,omitempty"`
 			LetsEncrypt struct {
 				CacheFile string   `yaml:"cachefile,omitempty"`
 				Email     string   `yaml:"email,omitempty"`
@ -105,6 +106,7 @@ var configStruct = Configuration{
 			Certificate string   `yaml:"certificate,omitempty"`
 			Key         string   `yaml:"key,omitempty"`
 			ClientCAs   []string `yaml:"clientcas,omitempty"`
 			MinimumTLS  string   `yaml:"minimumtls,omitempty"`
 			LetsEncrypt struct {
 				CacheFile string   `yaml:"cachefile,omitempty"`
 				Email     string   `yaml:"email,omitempty"`
--- a/docs/configuration.md
+++ b/docs/configuration.md
@ -777,6 +777,7 @@ http:
    clientcas:
      - /path/to/ca.pem
      - /path/to/another/ca.pem
    minimumtls: tls1.0
    letsencrypt:
      cachefile: /path/to/cache-file
      email: emailused@letsencrypt.com
@ -815,6 +816,7 @@ and proxy connections to the registry server.
 | `certificate` | yes  | Absolute path to the x509 certificate file.           |
 | `key`         | yes  | Absolute path to the x509 private key file.           |
 | `clientcas`   | no   | An array of absolute paths to x509 CA files.          |
 | `minimumtls`  | no   | Minimum TLS version allowed (tls1.0, tls1.1, tls1.2). Defaults to tls1.0 |
 ### `letsencrypt`
--- a/registry/registry.go
+++ b/registry/registry.go
@ -135,10 +135,26 @@ func (registry *Registry) ListenAndServe() error {
 	}
 	if config.HTTP.TLS.Certificate != "" || config.HTTP.TLS.LetsEncrypt.CacheFile != "" {
 		var tlsMinVersion uint16
 		if config.HTTP.TLS.MinimumTLS == "" {
 			tlsMinVersion = tls.VersionTLS10
 		} else {
 			switch config.HTTP.TLS.MinimumTLS {
 			case "tls1.0":
 				tlsMinVersion = tls.VersionTLS10
 			case "tls1.1":
 				tlsMinVersion = tls.VersionTLS11
 			case "tls1.2":
 				tlsMinVersion = tls.VersionTLS12
 			default:
 				return fmt.Errorf("unknown minimum TLS level '%s' specified for http.tls.minimumtls", config.HTTP.TLS.MinimumTLS)
 			}
 			dcontext.GetLogger(registry.app).Infof("restricting TLS to %s or higher", config.HTTP.TLS.MinimumTLS)
 		}
 		tlsConf := &tls.Config{
 			ClientAuth:               tls.NoClientCert,
 			NextProtos:               nextProtos(config),
-			MinVersion:               tls.VersionTLS10,
+			MinVersion:               tlsMinVersion,
 			PreferServerCipherSuites: true,
 			CipherSuites: []uint16{
 				tls.TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,