[1.2] backport allow setting minimum TLS to 1.3

pkg/backends/websockets.go

@@ -278,6 +278,10 @@ func (cfg websocketListenerCfg) Run() error {
 	if err != nil {
 		return err
 	}
+	// websockets requires at least the following cipher at the top of the list
+	if tlscfg != nil && len(tlscfg.CipherSuites) > 0 {
+		tlscfg.CipherSuites = append([]uint16{tls.TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256}, tlscfg.CipherSuites...)
+	}
 	b, err := NewWebsocketListener(address, tlscfg)
 	if err != nil {
 		logger.Error("Error creating listener %s: %s\n", address, err)

pkg/netceptor/tlsconfig.go

@@ -39,6 +39,28 @@ func decodeFingerprints(fingerprints []string) ([][]byte, error) {
 	return fingerprintBytes, nil
 }
 
+func baseTLS(minTLS13 bool) *tls.Config {
+	var tlscfg *tls.Config
+	if minTLS13 {
+		tlscfg = &tls.Config{
+			PreferServerCipherSuites: true,
+			MinVersion:               tls.VersionTLS13,
+		}
+	} else {
+		tlscfg = &tls.Config{
+			MinVersion:               tls.VersionTLS12,
+			CurvePreferences:         []tls.CurveID{tls.CurveP521, tls.CurveP384, tls.CurveP256},
+			PreferServerCipherSuites: true,
+			CipherSuites: []uint16{
+				tls.TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
+				tls.TLS_RSA_WITH_AES_256_GCM_SHA384,
+			},
+		}
+	}
+
+	return tlscfg
+}
+
 // tlsServerCfg stores the configuration options for a TLS server.
 type tlsServerCfg struct {
 	Name              string   `required:"true" description:"Name of this TLS server configuration"`
@@ -47,15 +69,12 @@ type tlsServerCfg struct {
 	RequireClientCert bool     `description:"Require client certificates" default:"false"`
 	ClientCAs         string   `description:"Filename of CA bundle to verify client certs with"`
 	PinnedClientCert  []string `description:"Pinned fingerprint of required client certificate"`
+	MinTLS13          bool     `required:"false" description:"Set minimum TLS version to 1.3. Otherwise the minimum is 1.2" default:"false"`
 }
 
 // Prepare creates the tls.config and stores it in the global map.
 func (cfg tlsServerCfg) Prepare() error {
-	tlscfg := &tls.Config{
-		PreferServerCipherSuites: true,
-		MinVersion:               tls.VersionTLS12,
-	}
-
+	tlscfg := baseTLS(cfg.MinTLS13)
 	certbytes, err := ioutil.ReadFile(cfg.Cert)
 	if err != nil {
 		return err
@@ -112,15 +131,12 @@ type tlsClientConfig struct {
 	RootCAs            string   `required:"false" description:"Root CA bundle to use instead of system trust"`
 	InsecureSkipVerify bool     `required:"false" description:"Accept any server cert" default:"false"`
 	PinnedServerCert   []string `required:"false" description:"Pinned fingerprint of required server certificate"`
+	MinTLS13           bool     `required:"false" description:"Set minimum TLS version to 1.3. Otherwise the minimum is 1.2" default:"false"`
 }
 
 // Prepare creates the tls.config and stores it in the global map.
 func (cfg tlsClientConfig) Prepare() error {
-	tlscfg := &tls.Config{
-		MinVersion:               tls.VersionTLS12,
-		PreferServerCipherSuites: true,
-	}
-
+	tlscfg := baseTLS(cfg.MinTLS13)
 	if cfg.Cert != "" || cfg.Key != "" {
 		if cfg.Cert == "" || cfg.Key == "" {
 			return fmt.Errorf("cert and key must both be supplied or neither")