use TLS min/max version only if they are provided via configuration

dmwm · Jun 18, 2024 · 0d3729e · 0d3729e
1 parent 4329971
commit 0d3729e
Showing 1 changed file with 10 additions and 9 deletions.
diff --git a/utils.go b/utils.go
@@ -200,9 +200,6 @@ func getServer(serverCrt, serverKey string, customVerify bool) (*http.Server, er
 	} else {
 		maxVer = tls.VersionTLS13
 	}
-	if Config.Verbose > 0 {
-		log.Printf("set tlsConfig with min=%d max=%d versions", minVer, maxVer)
-	}
 	cert, err := tls.LoadX509KeyPair(serverCrt, serverKey)
 	if err != nil {
 		log.Fatalf("server loadkeys: %s", err)
@@ -212,22 +209,16 @@ func getServer(serverCrt, serverKey string, customVerify bool) (*http.Server, er
 	// if we do not require custom verification we'll load server crt/key and present to client
 	if customVerify == false { // oauth server
 		tlsConfig = &tls.Config{
-			MinVersion:   uint16(minVer),
-			MaxVersion:   uint16(maxVer),
 			RootCAs:      _rootCAs,
 			Certificates: []tls.Certificate{cert},
 		}
 	} else { // otherwise (x509 server) we'll perform custom verification of client's certificates
 		tlsConfig = &tls.Config{
 			// Set InsecureSkipVerify to skip the default validation we are
 			// replacing. This will not disable VerifyPeerCertificate.
-			MinVersion:         uint16(minVer),
-			MaxVersion:         uint16(maxVer),
 			InsecureSkipVerify: Config.InsecureSkipVerify,
 			// we must use tls.RequestClientCert for CMS proxy, otherwise client
 			// cert will not be present during TLS handshake
-			// we will use other options like
-			//             ClientAuth: tls.VerifyClientCertIfGiven,
 			// then it will only work for user's cert but not for proxies
 			ClientAuth:            tls.RequestClientCert,
 			ClientCAs:             _rootCAs, // this comes from /etc/grid-security/certificate
@@ -236,6 +227,16 @@ func getServer(serverCrt, serverKey string, customVerify bool) (*http.Server, er
 			VerifyPeerCertificate: VerifyPeerCertificate,
 		}
 	}
+	// set min/max TLS version only if they are provided in configuration
+	if Config.MinTLSVersion != "" {
+		log.Println("use minTLSVersion", minVer)
+		tlsConfig.MinVersion = uint16(minVer)
+	}
+	if Config.MaxTLSVersion != "" {
+		log.Println("use maxTLSVersion", maxVer)
+		tlsConfig.MaxVersion = uint16(maxVer)
+	}
+	// setup HTTPs server
 	addr := fmt.Sprintf(":%d", Config.Port)
 	server := &http.Server{
 		Addr:           addr,