Merge pull request #280 from GlintPay/feature/SocketMinimumTLSVersion

Feature/socket minimum tls version

Author: cbusbey

config/configuration.go

@@ -20,6 +20,7 @@ const (
 	SocketCertificateFile        string = "SocketCertificateFile"
 	SocketCAFile                 string = "SocketCAFile"
 	SocketInsecureSkipVerify     string = "SocketInsecureSkipVerify"
+	SocketMinimumTLSVersion      string = "SocketMinimumTLSVersion"
 	DefaultApplVerID             string = "DefaultApplVerID"
 	StartTime                    string = "StartTime"
 	EndTime                      string = "EndTime"

config/doc.go

@@ -239,6 +239,10 @@ SocketCAFile
 
 Optional root CA to use for secure TLS connections. For acceptors, client certificates will be verified against this CA.  For initiators, clients will use the CA to verify the server certificate. If not configurated, initiators will verify the server certificate using the host's root CA set.
 
+SocketMinimumTLSVersion
+
+Specify the Minimum TLS version to use when creating a secure connection. The valid choices are SSL30, TLS10, TLS11, TLS12. Defaults to TLS12.
+
 FileLogPath
 
 Directory to store logs.	Value must be valid directory for storing files, application must have write access.

tls.go

@@ -40,6 +40,26 @@ func loadTLSConfig(settings *SessionSettings) (tlsConfig *tls.Config, err error)
 	tlsConfig.Certificates = make([]tls.Certificate, 1)
 	tlsConfig.InsecureSkipVerify = insecureSkipVerify
 
+	minVersion := "TLS12"
+	if settings.HasSetting(config.SocketMinimumTLSVersion) {
+		minVersion, err = settings.Setting(config.SocketMinimumTLSVersion)
+		if err != nil {
+			return
+		}
+
+		switch minVersion {
+		case "SSL30":
+			tlsConfig.MinVersion = tls.VersionSSL30
+		case "TLS10":
+			tlsConfig.MinVersion = tls.VersionTLS10
+		case "TLS11":
+			tlsConfig.MinVersion = tls.VersionTLS11
+		case "TLS12":
+			tlsConfig.MinVersion = tls.VersionTLS12
+		}
+	}
+
+
 	if tlsConfig.Certificates[0], err = tls.LoadX509KeyPair(certificateFile, privateKeyFile); err != nil {
 		return
 	}

tls_test.go

@@ -109,3 +109,40 @@ func (s *TLSTestSuite) TestInsecureSkipVerifyAndCerts() {
 	s.True(tlsConfig.InsecureSkipVerify)
 	s.Len(tlsConfig.Certificates, 1)
 }
+
+func (s *TLSTestSuite) TestMinimumTLSVersion() {
+	s.settings.GlobalSettings().Set(config.SocketPrivateKeyFile, s.PrivateKeyFile)
+	s.settings.GlobalSettings().Set(config.SocketCertificateFile, s.CertificateFile)
+
+	// SSL30
+	s.settings.GlobalSettings().Set(config.SocketMinimumTLSVersion, "SSL30")
+	tlsConfig, err := loadTLSConfig(s.settings.GlobalSettings())
+
+	s.Nil(err)
+	s.NotNil(tlsConfig)
+	s.Equal(tlsConfig.MinVersion, uint16(tls.VersionSSL30))
+
+	// TLS10
+	s.settings.GlobalSettings().Set(config.SocketMinimumTLSVersion, "TLS10")
+	tlsConfig, err = loadTLSConfig(s.settings.GlobalSettings())
+
+	s.Nil(err)
+	s.NotNil(tlsConfig)
+	s.Equal(tlsConfig.MinVersion, uint16(tls.VersionTLS10))
+
+	// TLS11
+	s.settings.GlobalSettings().Set(config.SocketMinimumTLSVersion, "TLS11")
+	tlsConfig, err = loadTLSConfig(s.settings.GlobalSettings())
+
+	s.Nil(err)
+	s.NotNil(tlsConfig)
+	s.Equal(tlsConfig.MinVersion, uint16(tls.VersionTLS11))
+
+	// TLS12
+	s.settings.GlobalSettings().Set(config.SocketMinimumTLSVersion, "TLS12")
+	tlsConfig, err = loadTLSConfig(s.settings.GlobalSettings())
+
+	s.Nil(err)
+	s.NotNil(tlsConfig)
+	s.Equal(tlsConfig.MinVersion, uint16(tls.VersionTLS12))
+}