fix: validate tls version in config (#287)

kruskall · web-flow · commit ed5e3c2bdf69 · 2025-03-05T20:13:29.000+01:00
TLSVersion validate method is never called when validating the config
causing min supported version to not be enforced

bump tls version in tests to 1.2 to avoid failing in fips mode
diff --git a/transport/tlscommon/config.go b/transport/tlscommon/config.go
@@ -92,6 +92,12 @@ func LoadTLSConfig(config *Config) (*TLSConfig, error) {
 // Validate values the TLSConfig struct making sure certificate sure we have both a certificate and
 // a key.
 func (c *Config) Validate() error {
+	for _, v := range c.Versions {
+		if err := v.Validate(); err != nil {
+			return err
+		}
+
+	}
 	return c.Certificate.Validate()
 }
 
diff --git a/transport/tlscommon/tls_test.go b/transport/tlscommon/tls_test.go
@@ -76,7 +76,7 @@ func TestValuesSet(t *testing.T) {
     cipher_suites:
       - ECDHE-ECDSA-AES-256-CBC-SHA
       - ECDHE-ECDSA-AES-256-GCM-SHA384
-    supported_protocols: [TLSv1.1, TLSv1.2]
+    supported_protocols: [TLSv1.3]
     curve_types:
       - P-521
     renegotiation: freely
@@ -92,7 +92,7 @@ func TestValuesSet(t *testing.T) {
 	assert.Equal(t, VerifyNone, cfg.VerificationMode)
 	assert.Len(t, cfg.CipherSuites, 2)
 	assert.Equal(t,
-		[]TLSVersion{TLSVersion11, TLSVersion12},
+		[]TLSVersion{TLSVersion13},
 		cfg.Versions)
 	assert.Len(t, cfg.CurveTypes, 1)
 	assert.Equal(t,
diff --git a/transport/tlscommon/types_test.go b/transport/tlscommon/types_test.go
@@ -50,19 +50,33 @@ func TestLoadWithEmptyStringVerificationMode(t *testing.T) {
     certificate: mycert.pem
     key: mycert.key
     verification_mode: ""
-    supported_protocols: [TLSv1.1, TLSv1.2]
+    supported_protocols: [TLSv1.2, TLSv1.3]
     renegotiation: freely
   `)
 
 	assert.NoError(t, err)
 	assert.Equal(t, cfg.VerificationMode, VerifyFull)
 }
 
+func TestLoadUnsupportedProtocols(t *testing.T) {
+	cfg, err := load(`
+    enabled: true
+    certificate: mycert.pem
+    key: mycert.key
+    verification_mode: ""
+    supported_protocols: [TLSv1.0, TLSv1.2]
+    renegotiation: freely
+  `)
+
+	assert.ErrorContains(t, err, "unsupported tls version")
+	assert.Nil(t, cfg)
+}
+
 func TestLoadWithEmptyVerificationMode(t *testing.T) {
 	cfg, err := load(`
     enabled: true
     verification_mode:
-    supported_protocols: [TLSv1.1, TLSv1.2]
+    supported_protocols: [TLSv1.2, TLSv1.3]
     curve_types:
       - P-521
     renegotiation: freely
@@ -76,7 +90,7 @@ func TestRepackConfig(t *testing.T) {
 	cfg, err := load(`
     enabled: true
     verification_mode: certificate
-    supported_protocols: [TLSv1.1, TLSv1.2]
+    supported_protocols: [TLSv1.2, TLSv1.3]
     cipher_suites:
       - RSA-AES-256-CBC-SHA
     certificate_authorities:
@@ -106,7 +120,7 @@ func TestRepackConfigFromJSON(t *testing.T) {
 	cfg, err := loadJSON(`{
     "enabled": true,
     "verification_mode": "certificate",
-    "supported_protocols": ["TLSv1.1", "TLSv1.2"],
+    "supported_protocols": ["TLSv1.2", "TLSv1.3"],
     "cipher_suites": ["RSA-AES-256-CBC-SHA"],
     "certificate_authorities": ["/path/to/ca.crt"],
     "certificate": "/path/to/cert.crt",
