
gitlab.com/gitlab-org/gitaly.git - Unnamed repository; edit this file 'description' to name the repository.
authorPatrick Steinhardt <psteinhardt@gitlab.com>2021-01-08 16:53:22 +0300
committerPatrick Steinhardt <psteinhardt@gitlab.com>2021-01-11 09:59:49 +0300
commit129afb067c0ffaf111904b3557ffb23ab55b6139 (patch)
treef5a0e0b0473aa4d394e4ede48a6cb5c93c9e986b /client
parente81b6d55cfd30c06c0f3e83e7b8a428b8090d3d9 (diff)
grpc: raise minimum TLS version to 1.2
The default minimum TLS version in Go is currently TLS 1.0. Because there are known weaknesses and vulnerabilities in both TLS 1.0 and 1.1, GitLab already announced the end of support for those versions in October 2018 [1]. But Gitaly never followed through and still accepts the old TLS versions. Fix this by raising the minimum required TLS version to TLS 1.2 for both client- and server-side connections. [1]: https://about.gitlab.com/blog/2018/10/15/gitlab-to-deprecate-older-tls/
Diffstat (limited to 'client')
-rw-r--r--client/dial.go3
-rw-r--r--client/dial_test.go1
2 files changed, 3 insertions, 1 deletions
diff --git a/client/dial.go b/client/dial.go
index e728d6dc4..68570d159 100644
--- a/client/dial.go
+++ b/client/dial.go
@@ -49,7 +49,8 @@ func DialContext(ctx context.Context, rawAddress string, connOpts []grpc.DialOpt
}
connOpts = append(connOpts, grpc.WithTransportCredentials(credentials.NewTLS(&tls.Config{
- RootCAs: certPool,
+ RootCAs: certPool,
+ MinVersion: tls.VersionTLS12,
})))
case tcpConnection:
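Review bot: The added `MinVersion: tls.VersionTLS12` in the TLS branch of DialContext has no comment recording why the floor is set explicitly, so a later cleanup could drop it as redundant with the Go default. I would add above it `// Refuse TLS 1.0/1.1 explicitly instead of relying on crypto/tls defaults, which differ between Go releases.` The commit message says the server side is raised as well; that change is not in this client-only view, so it may be worth checking that both literals use the same floor (a shared constant would keep them from drifting). DialContext starts and ends outside the hunk.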
diff --git a/client/dial_test.go b/client/dial_test.go
index 440622b01..ba0440e11 100644
--- a/client/dial_test.go
+++ b/client/dial_test.go
@@ -425,6 +425,7 @@ func startTLSListener() (func(), string, error) {
grpcServer := grpc.NewServer(grpc.Creds(credentials.NewTLS(&tls.Config{
Certificates: []tls.Certificate{cert},
+ MinVersion: tls.VersionTLS12,
})))
healthpb.RegisterHealthServer(grpcServer, &healthServer{})
go grpcServer.Serve(listener)
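Review bot: Setting `MinVersion: tls.VersionTLS12` on the test listener in startTLSListener does not exercise the new client-side floor: the existing tests pass whether or not dial.go enforces it, since a client that still offers older versions negotiates successfully with this server anyway. A regression test would start a second listener capped with `MaxVersion: tls.VersionTLS11` and assert that a health check over a connection from DialContext fails with a handshake error. Since gRPC dialing is presumably non-blocking here, the assertion belongs on the first RPC rather than on the dial call. startTLSListener begins and ends outside the hunk.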