From 093479376b1878d4c5ed32f22f23696561d8d2a4 Mon Sep 17 00:00:00 2001
From: Alyx Holms
Date: Mon, 23 Mar 2026 16:12:16 -0700
Subject: [PATCH] fix: only enable safe cipher suites for tls v1.2
---
 cmd/api/src/daemons/api/bhapi/api.go | 9 +++++++++
 cmd/api/src/daemons/api/toolapi/api.go | 9 +++++++++
 2 files changed, 18 insertions(+)
diff --git a/cmd/api/src/daemons/api/bhapi/api.go b/cmd/api/src/daemons/api/bhapi/api.go
index 035d1fd1123..bb835571e3c 100644
--- a/cmd/api/src/daemons/api/bhapi/api.go
+++ b/cmd/api/src/daemons/api/bhapi/api.go
@@ -18,6 +18,7 @@ package bhapi
 import (
 "context"
+ "crypto/tls"
 "errors"
 "fmt"
 "log"
@@ -41,6 +42,14 @@ func NewDaemon(cfg config.Configuration, handler http.Handler) Daemon {
 Addr: cfg.BindAddress,
 Handler: handler,
 ErrorLog: log.Default(),
+ TLSConfig: &tls.Config{
+ MinVersion: tls.VersionTLS12,
+ CipherSuites: []uint16{
+ tls.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
+ tls.TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,
+ tls.TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
+ },
+ },
 },
 }
 }
diff --git a/cmd/api/src/daemons/api/toolapi/api.go b/cmd/api/src/daemons/api/toolapi/api.go
index 541f964bbb4..a36b71a66a2 100644
--- a/cmd/api/src/daemons/api/toolapi/api.go
+++ b/cmd/api/src/daemons/api/toolapi/api.go
@@ -18,6 +18,7 @@ package toolapi
 import (
 "context"
+ "crypto/tls"
 "errors"
 "fmt"
 "log"
@@ -110,6 +111,14 @@ func NewDaemon[DBType database.Database](ctx context.Context, connections bootst
 Addr: cfg.MetricsPort,
 Handler: router,
 ErrorLog: log.Default(),
+ TLSConfig: &tls.Config{
+ MinVersion: tls.VersionTLS12,
+ CipherSuites: []uint16{
+ tls.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
+ tls.TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,
+ tls.TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
+ },
+ },
 },
 }
 }
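Review bot: `tls.TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256` in the new `CipherSuites` list of `bhapi/api.go` is one of the suites Go's own `tls.InsecureCipherSuites()` reports, because crypto/tls implements the CBC-SHA256 suites without Lucky13 padding-oracle countermeasures, so it does not belong in a list meant to hold only safe suites. Dropping that line leaves the two AES-GCM suites; the identical list in the `toolapi/api.go` hunk needs the same change. All remaining entries are ECDHE_RSA, so if a deployment can present an ECDSA certificate, TLS 1.2 clients would find no common suite; adding `tls.TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256` and `tls.TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384` would cover that case. The opening lines of `NewDaemon`'s body lie outside the hunk.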
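Review bot: The `CipherSuites` field added in `toolapi/api.go` has no comment saying that it constrains TLS 1.2 handshakes only; Go does not let a server configure TLS 1.3 suites, so a reader may take the list for the complete set the listener offers. A line such as `// CipherSuites applies to TLS 1.2 only; TLS 1.3 suites are fixed by crypto/tls.` above the field would record that. The literal is also a second copy of the one in `bhapi/api.go`, so a later change to the allowed suites can reach one daemon and miss the other. Whether this listener on `cfg.MetricsPort` is started with TLS at all is not visible here, and `TLSConfig` has no effect under a plain `ListenAndServe`, so that is worth confirming; the start of `NewDaemon`'s body is outside the hunk.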