fix: only enable safe cipher suites for tls v1.2 (#2540)

Author: superlinkx

cmd/api/src/daemons/api/bhapi/api.go

@@ -18,6 +18,7 @@ package bhapi
 
 import (
 	"context"
+	"crypto/tls"
 	"errors"
 	"fmt"
 	"log"
@@ -41,6 +42,14 @@ func NewDaemon(cfg config.Configuration, handler http.Handler) Daemon {
 			Addr:     cfg.BindAddress,
 			Handler:  handler,
 			ErrorLog: log.Default(),
+			TLSConfig: &tls.Config{
+				MinVersion: tls.VersionTLS12,
+				CipherSuites: []uint16{
+					tls.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
+					tls.TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,
+					tls.TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
+				},
+			},
 		},
 	}
 }

cmd/api/src/daemons/api/toolapi/api.go

@@ -18,6 +18,7 @@ package toolapi
 
 import (
 	"context"
+	"crypto/tls"
 	"errors"
 	"fmt"
 	"log"
@@ -110,6 +111,14 @@ func NewDaemon[DBType database.Database](ctx context.Context, connections bootst
 			Addr:     cfg.MetricsPort,
 			Handler:  router,
 			ErrorLog: log.Default(),
+			TLSConfig: &tls.Config{
+				MinVersion: tls.VersionTLS12,
+				CipherSuites: []uint16{
+					tls.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
+					tls.TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,
+					tls.TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
+				},
+			},
 		},
 	}
 }