Merge pull request #78 from anyu/min-tls-version-1.2

Enforce minimum TLS version to be 1.2
cloudfoundry · Jun 24, 2019 · e6410a0 · e6410a0
2 parents 30a69e4 + c0617e7
commit e6410a0
Show file tree

Hide file tree

Showing 2 changed files with 14 additions and 0 deletions.
diff --git a/credhub/client.go b/credhub/client.go
@@ -54,6 +54,7 @@ func httpsClient(insecureSkipVerify bool, rootCAs *x509.CertPool, cert *tls.Cert
 			PreferServerCipherSuites: true,
 			Certificates:             certs,
 			RootCAs:                  rootCAs,
+			MinVersion:               tls.VersionTLS12,
 		},
 		Proxy:               http.ProxyFromEnvironment,
 		Dial:                dialer,

diff --git a/credhub/client_test.go b/credhub/client_test.go
@@ -1,6 +1,7 @@
 package credhub_test
 
 import (
+	"crypto/tls"
 	"crypto/x509"
 	"io/ioutil"
 	"net/http"
@@ -33,6 +34,18 @@ var _ = Describe("Client()", func() {
 		})
 	})
 
+	Context("TLS configuration", func() {
+		It("should require a minimum TLS version of 1.2", func() {
+			ch, err := New("https://example.com")
+			Expect(err).NotTo(HaveOccurred())
+			client := ch.Client()
+			transport := client.Transport.(*http.Transport)
+
+			tlsConfig := transport.TLSClientConfig
+			Expect(tlsConfig.MinVersion).To(Equal(uint16(tls.VersionTLS12)))
+		})
+	})
+
 	Context("With ClientCert", func() {
 		It("should return a http.Client with tls.Config with client cert", func() {
 			ch, err := New("https://example.com", ClientCert("./fixtures/auth-tls-cert.pem", "./fixtures/auth-tls-key.pem"))