
Commit a443622

Potential fix for code scanning alert no. 13: Insecure TLS configuration
Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>
1 parent 1cfe757 commit a443622


1 file changed

+5
-2
lines changed


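--- a/options.go
+++ b/options.go
@@ -602,14 +602,17 @@ func setupConnParams(u *url.URL, o *Options) (*Options, error) {
 if minVer < 0 || minVer > 65535 {
 return nil, fmt.Errorf("redis: invalid tls_min_version: %d (must be between 0 and 65535)", minVer)
 }
-// Handle TLS version setting securely
+// Always set MinVersion to at least TLS 1.2
 if minVer == 0 {
-// Don't set MinVersion, let Go use its secure default
+o.TLSConfig.MinVersion = tls.VersionTLS12
 } else if minVer < int(tls.VersionTLS12) {
 return nil, fmt.Errorf("redis: tls_min_version %d is insecure (minimum allowed is TLS 1.2: %d)", minVer, tls.VersionTLS12)
 } else {
 o.TLSConfig.MinVersion = uint16(minVer)
 }
+} else {
+// If not set, default to TLS 1.2
+o.TLSConfig.MinVersion = tls.VersionTLS12
 }
 if q.has("tls_max_version") {
 maxVer := q.int("tls_max_version")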
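Review bot: The added `else` branch assigns `o.TLSConfig.MinVersion = tls.VersionTLS12` unconditionally whenever the enclosing condition is false, and that condition opens above the hunk, so it is not visible here whether `o.TLSConfig` is guaranteed non-nil on that path or whether a stricter floor (for example TLS 1.3) could already be set on it. If either can happen, a URL without `tls_min_version` would either panic on a nil config or silently lower the minimum to TLS 1.2. A guarded form covers both cases: `if o.TLSConfig != nil && o.TLSConfig.MinVersion < tls.VersionTLS12 { o.TLSConfig.MinVersion = tls.VersionTLS12 }`. Separately, the range check still accepts any value from `tls.VersionTLS12` up to 65535, so a number that is not a defined TLS version passes validation and would presumably only surface later as a handshake failure; comparing against the known `tls.Version*` constants would reject it at parse time.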
