Commit cf6fc795 authored by Kirill Smelkov

X go/neo: Only accept TLS >= 1.2

Tighten up security. NEO/py does something similar:

https://lab.nexedi.com/nexedi/neoppod/blob/v1.12-61-gc1c26894/neo/lib/app.py#L76-78

On CPython 2.7.18:

    In [7]: list((k for k in dir(ssl) if k.startswith("PROTOCOL_TLSv")))
    Out[7]: ['PROTOCOL_TLSv1', 'PROTOCOL_TLSv1_1', 'PROTOCOL_TLSv1_2']
parent 573514c6
...@@ -104,10 +104,9 @@ func tlsForSSL(ca, cert, key string) (_ *tls.Config, err error) { ...@@ -104,10 +104,9 @@ func tlsForSSL(ca, cert, key string) (_ *tls.Config, err error) {
ClientCAs: CA, ClientCAs: CA,
PreferServerCipherSuites: true, PreferServerCipherSuites: true,
MinVersion: tls.VersionTLS12, // only accept TLS >= 1.2
} }
// TODO only accept TLS >= 1.2 ?
// tls docs say we should parse Certificate[0] into Leaf ourselves // tls docs say we should parse Certificate[0] into Leaf ourselves
leaf, err := x509.ParseCertificate(crt.Certificate[0]) leaf, err := x509.ParseCertificate(crt.Certificate[0])
if err != nil { if err != nil {