fix: set the minimum TLS version in the client to v1.2 (#156)
This commit sets the minimum TLS version required by the client to 1.2.
pyrooka authored Mar 16, 2022
1 parent dca9e82 commit 0188990
Showing 3 changed files with 51 additions and 2 deletions.
18 changes: 17 additions & 1 deletion v5/core/base_service.go
Expand Up @@ -229,6 +229,7 @@ func (service *BaseService) SetDefaultHeaders(headers http.Header) {

// SetHTTPClient updates the client handling the requests.
func (service *BaseService) SetHTTPClient(client *http.Client) {
setMinimumTLSVersion(client)
service.Client = client
}

Expand Down Expand Up @@ -303,6 +304,18 @@ func getClientTransportForSSL(client *http.Client) *http.Transport {
return nil
}

// setMinimumTLSVersion sets the minimum TLS version required by the client to TLS v1.2
func setMinimumTLSVersion(client *http.Client) {
tr := getClientTransportForSSL(client)
if tr != nil {
if tr.TLSClientConfig == nil {
tr.TLSClientConfig = &tls.Config{} // #nosec G402
}

tr.TLSClientConfig.MinVersion = tls.VersionTLS12
}
}

// SetEnableGzipCompression sets the service's EnableGzipCompression field
func (service *BaseService) SetEnableGzipCompression(enableGzip bool) {
service.Options.EnableGzipCompression = enableGzip
Expand Down Expand Up @@ -669,7 +682,9 @@ func (service *BaseService) DisableRetries() {

// DefaultHTTPClient returns a non-retryable http client with default configuration.
func DefaultHTTPClient() *http.Client {
return cleanhttp.DefaultPooledClient()
client := cleanhttp.DefaultPooledClient()
setMinimumTLSVersion(client)
return client
}

// httpLogger is a shim layer used to allow the Go core's logger to be used with the retryablehttp interfaces.
Expand All @@ -691,6 +706,7 @@ func NewRetryableHTTPClient() *retryablehttp.Client {
client.CheckRetry = IBMCloudSDKRetryPolicy
client.Backoff = IBMCloudSDKBackoffPolicy
client.ErrorHandler = retryablehttp.PassthroughErrorHandler
setMinimumTLSVersion(client.HTTPClient)
return client
}

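Review bot: setMinimumTLSVersion assigns `tr.TLSClientConfig.MinVersion = tls.VersionTLS12` unconditionally, so a caller who passed a transport already configured with a stricter floor (for example tls.VersionTLS13) through SetHTTPClient has it lowered to 1.2; the helper should only raise the value, `if tr.TLSClientConfig.MinVersion < tls.VersionTLS12 { tr.TLSClientConfig.MinVersion = tls.VersionTLS12 }`, which also makes the name "minimum" accurate. The same helper is what the DefaultHTTPClient and NewRetryableHTTPClient hunks call, so one fix covers all three. When getClientTransportForSSL returns nil (its `return nil` path is visible at the top of the second hunk; the rest of its body is outside the hunk, presumably the case where Transport is not an *http.Transport) the function silently does nothing, so the floor is not enforced for custom RoundTrippers; that limitation belongs in the doc comment, e.g. `// Clients whose Transport is not an *http.Transport are left unchanged.` Finally, the `// #nosec G402` on the empty tls.Config reads as a blanket suppression; a short trailing note that MinVersion is set on the next line would explain why the finding is a false positive here.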
32 changes: 32 additions & 0 deletions v5/core/base_service_test.go
@@ -1,3 +1,4 @@
//go:build all || fast || basesvc
// +build all fast basesvc

package core
Expand All @@ -18,6 +19,7 @@ package core

import (
"bytes"
"crypto/tls"
"encoding/json"
"fmt"
"io"
Expand Down Expand Up @@ -1966,3 +1968,33 @@ func TestErrorMessage(t *testing.T) {
`{"errorMessage":{"statusCode":500,"message":"Internal Server Error"}}`,
"Internal Server Error")
}

func TestMinSSLVersion(t *testing.T) {
service, err := NewBaseService(
&ServiceOptions{
Authenticator: &NoAuthAuthenticator{},
})
assert.Nil(t, err)
assert.NotNil(t, service)
assert.NotNil(t, service.Client)

// Check the default config.
minTLS := int(getClientTransportForSSL(service.Client).TLSClientConfig.MinVersion)
assert.Equal(t, minTLS, tls.VersionTLS12)

// Set a insecureClient with different value.
insecureClient := &http.Client{}
insecureClient.Transport = &http.Transport{
TLSClientConfig: &tls.Config{
MinVersion: tls.VersionTLS10,
},
}
service.SetHTTPClient(insecureClient)
minTLS = int(getClientTransportForSSL(service.Client).TLSClientConfig.MinVersion)
assert.Equal(t, minTLS, tls.VersionTLS12)

// Check retryable client config.
service.EnableRetries(3, 30*time.Second)
minTLS = int(getClientTransportForSSL(service.Client).TLSClientConfig.MinVersion)
assert.Equal(t, minTLS, tls.VersionTLS12)
}
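Review bot: TestMinSSLVersion only checks the upgrade direction (TLS 1.0 becomes 1.2); it never exercises a client whose transport already carries a stricter MinVersion, so it cannot tell whether SetHTTPClient is meant to preserve or lower such a setting, and a case built from `TLSClientConfig: &tls.Config{MinVersion: tls.VersionTLS13}` with the expected outcome asserted would pin that contract either way. It also passes a client with an explicit *http.Transport only; a client with a nil Transport, or with a non-*http.Transport RoundTripper, is the path where getClientTransportForSSL can return nil and is left untested. As a point of style, testify's `assert.Equal(t, expected, actual)` takes the expected value first, so `assert.Equal(t, tls.VersionTLS12, minTLS)` gives readable failure output. The `http` and `time` identifiers used here are presumably already imported by the file, since the import hunk adds only `crypto/tls`.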
3 changes: 2 additions & 1 deletion v5/core/common_test.go
@@ -1,4 +1,5 @@
// +build all
//go:build all || fast || basesvc
// +build all fast basesvc

package core
