Don't override the minimum TLS version for a tls.Config. Use map literals for CSE prose test 11.

matthewdale · matthewdale · commit a2399ef0cbad · 2024-12-02T21:53:21.000-08:00
diff --git a/internal/integration/client_side_encryption_prose_test.go b/internal/integration/client_side_encryption_prose_test.go
@@ -1517,46 +1517,52 @@ func TestClientSideEncryptionProse(t *testing.T) {
 			SetKeyVaultNamespace(kvNamespace)
 
 		// make TLS opts containing client certificate and CA file
-		tlsConfig := make(map[string]*tls.Config)
 		clientAndCATlsMap := map[string]interface{}{
 			"tlsCertificateKeyFile": tlsClientCertificateKeyFileKMIP,
 			"tlsCAFile":             tlsCAFileKMIP,
 		}
-		certConfig, err := options.BuildTLSConfig(clientAndCATlsMap)
+		clientAndCATLSConfig, err := options.BuildTLSConfig(clientAndCATlsMap)
 		assert.Nil(mt, err, "BuildTLSConfig error: %v", err)
-		tlsConfig["aws"] = certConfig
-		tlsConfig["azure"] = certConfig
-		tlsConfig["gcp"] = certConfig
-		tlsConfig["kmip"] = certConfig
 
 		// create valid Client Encryption options and set valid TLS options
 		validClientEncryptionOptionsWithTLS := options.ClientEncryption().
 			SetKmsProviders(validKmsProviders).
 			SetKeyVaultNamespace(kvNamespace).
-			SetTLSConfig(tlsConfig)
+			SetTLSConfig(map[string]*tls.Config{
+				"aws":   clientAndCATLSConfig,
+				"azure": clientAndCATLSConfig,
+				"gcp":   clientAndCATLSConfig,
+				"kmip":  clientAndCATLSConfig,
+			})
 
 		// make TLS opts containing only CA file
-		caTlsMap := map[string]interface{}{
+		caTlSMap := map[string]interface{}{
 			"tlsCAFile": tlsCAFileKMIP,
 		}
-		certConfig, err = options.BuildTLSConfig(caTlsMap)
+		caTLSConfig, err := options.BuildTLSConfig(caTlSMap)
 		assert.Nil(mt, err, "BuildTLSConfig error: %v", err)
-		tlsConfig["aws"] = certConfig
-		tlsConfig["azure"] = certConfig
-		tlsConfig["gcp"] = certConfig
-		tlsConfig["kmip"] = certConfig
 
 		// create invalid Client Encryption options with expired credentials
 		expiredClientEncryptionOptions := options.ClientEncryption().
 			SetKmsProviders(expiredKmsProviders).
 			SetKeyVaultNamespace(kvNamespace).
-			SetTLSConfig(tlsConfig)
+			SetTLSConfig(map[string]*tls.Config{
+				"aws":   caTLSConfig,
+				"azure": caTLSConfig,
+				"gcp":   caTLSConfig,
+				"kmip":  caTLSConfig,
+			})
 
 		// create invalid Client Encryption options with invalid hostnames
 		invalidHostnameClientEncryptionOptions := options.ClientEncryption().
 			SetKmsProviders(invalidKmsProviders).
 			SetKeyVaultNamespace(kvNamespace).
-			SetTLSConfig(tlsConfig)
+			SetTLSConfig(map[string]*tls.Config{
+				"aws":   caTLSConfig,
+				"azure": caTLSConfig,
+				"gcp":   caTLSConfig,
+				"kmip":  caTLSConfig,
+			})
 
 		awsMasterKeyNoClientCert := map[string]interface{}{
 			"region":   "us-east-1",
diff --git a/mongo/options/autoencryptionoptions.go b/mongo/options/autoencryptionoptions.go
@@ -184,19 +184,9 @@ func (a *AutoEncryptionOptionsBuilder) SetExtraOptions(extraOpts map[string]inte
 // to the KMS provider.
 //
 // This should only be used to set custom TLS configurations. By default, the connection will use an empty tls.Config{} with MinVersion set to tls.VersionTLS12.
-func (a *AutoEncryptionOptionsBuilder) SetTLSConfig(tlsOpts map[string]*tls.Config) *AutoEncryptionOptionsBuilder {
-	tlsConfigs := make(map[string]*tls.Config)
-	for provider, config := range tlsOpts {
-		// Use TLS min version 1.2 to enforce more secure hash algorithms and
-		// advanced cipher suites.
-		if config.MinVersion == 0 {
-			config.MinVersion = tls.VersionTLS12
-		}
-		tlsConfigs[provider] = config
-	}
-
+func (a *AutoEncryptionOptionsBuilder) SetTLSConfig(cfg map[string]*tls.Config) *AutoEncryptionOptionsBuilder {
 	a.Opts = append(a.Opts, func(args *AutoEncryptionOptions) error {
-		args.TLSConfig = tlsConfigs
+		args.TLSConfig = cfg
 
 		return nil
 	})
diff --git a/mongo/options/clientencryptionoptions.go b/mongo/options/clientencryptionoptions.go
@@ -70,19 +70,9 @@ func (c *ClientEncryptionOptionsBuilder) SetKmsProviders(providers map[string]ma
 // to the KMS provider.
 //
 // This should only be used to set custom TLS configurations. By default, the connection will use an empty tls.Config{} with MinVersion set to tls.VersionTLS12.
-func (c *ClientEncryptionOptionsBuilder) SetTLSConfig(tlsOpts map[string]*tls.Config) *ClientEncryptionOptionsBuilder {
-	tlsConfigs := make(map[string]*tls.Config)
-	for provider, config := range tlsOpts {
-		// Use TLS min version 1.2 to enforce more secure hash algorithms and
-		// advanced cipher suites.
-		if config.MinVersion == 0 {
-			config.MinVersion = tls.VersionTLS12
-		}
-		tlsConfigs[provider] = config
-	}
-
+func (c *ClientEncryptionOptionsBuilder) SetTLSConfig(cfg map[string]*tls.Config) *ClientEncryptionOptionsBuilder {
 	c.Opts = append(c.Opts, func(opts *ClientEncryptionOptions) error {
-		opts.TLSConfig = tlsConfigs
+		opts.TLSConfig = cfg
 
 		return nil
 	})
