authorKrasimir Angelov <kangelov@gitlab.com>2019-05-28 12:46:50 +0300
committerNick Thomas <nick@gitlab.com>2019-05-28 12:46:50 +0300
commit1050f11598642b017486fc655561399d3766efb5 (patch)
treec559fced12a012af3f680512e3869b2e4454176c /acceptance_test.go
parentef7fff4fa64c9cb3ca57faef3f26fa59f4f51ecb (diff)
Add config flags to specify TLS versions
Introduce two new configuration options, -tls-min-version and -tls-max-version, to control which TLS versions the server will support. Accepted values are ssl3, tls1.0, tls1.1, tls1.2, and tls1.3. Closes https://gitlab.com/gitlab-org/gitlab-pages/issues/187
Diffstat (limited to 'acceptance_test.go')
-rw-r--r--acceptance_test.go88
1 files changed, 72 insertions, 16 deletions
diff --git a/acceptance_test.go b/acceptance_test.go
index f68b31ef..b22d5e97 100644
--- a/acceptance_test.go
+++ b/acceptance_test.go
@@ -1063,15 +1063,17 @@ func TestAcceptsSupportedCiphers(t *testing.T) {
teardown := RunPagesProcess(t, *pagesBinary, listeners, "")
defer teardown()
- ciphers := []uint16{
- tls.TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,
- tls.TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,
- tls.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
- tls.TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
- tls.TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
- tls.TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
+ tlsConfig := &tls.Config{
+ CipherSuites: []uint16{
+ tls.TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,
+ tls.TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,
+ tls.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
+ tls.TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
+ tls.TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
+ tls.TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
+ },
}
- client, cleanup := ClientWithCiphers(ciphers)
+ client, cleanup := ClientWithConfig(tlsConfig)
defer cleanup()
rsp, err := client.Get(httpsListener.URL("/"))
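Review bot: The new tlsConfig literal pins CipherSuites but leaves MaxVersion unset, and Go does not apply the CipherSuites list to TLS 1.3 (its suites are not configurable), so if the toolchain negotiates TLS 1.3 these tests would stop exercising the listed suites; the same pattern is in the TestRejectsUnsupportedCiphers and TestEnableInsecureCiphers hunks below, where the rejection case in particular could then complete the handshake for a reason unrelated to the 3DES suites. Adding `MaxVersion: tls.VersionTLS12,` next to CipherSuites in each of the three literals keeps negotiation on a version where the suite list is honoured. TestAcceptsSupportedCiphers starts and ends outside this hunk.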
@@ -1088,11 +1090,13 @@ func TestRejectsUnsupportedCiphers(t *testing.T) {
teardown := RunPagesProcess(t, *pagesBinary, listeners, "")
defer teardown()
- ciphers := []uint16{
- tls.TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA,
- tls.TLS_RSA_WITH_3DES_EDE_CBC_SHA,
+ tlsConfig := &tls.Config{
+ CipherSuites: []uint16{
+ tls.TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA,
+ tls.TLS_RSA_WITH_3DES_EDE_CBC_SHA,
+ },
}
- client, cleanup := ClientWithCiphers(ciphers)
+ client, cleanup := ClientWithConfig(tlsConfig)
defer cleanup()
rsp, err := client.Get(httpsListener.URL("/"))
@@ -1110,11 +1114,13 @@ func TestEnableInsecureCiphers(t *testing.T) {
teardown := RunPagesProcess(t, *pagesBinary, listeners, "", "-insecure-ciphers")
defer teardown()
- ciphers := []uint16{
- tls.TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA,
- tls.TLS_RSA_WITH_3DES_EDE_CBC_SHA,
+ tlsConfig := &tls.Config{
+ CipherSuites: []uint16{
+ tls.TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA,
+ tls.TLS_RSA_WITH_3DES_EDE_CBC_SHA,
+ },
}
- client, cleanup := ClientWithCiphers(ciphers)
+ client, cleanup := ClientWithConfig(tlsConfig)
defer cleanup()
rsp, err := client.Get(httpsListener.URL("/"))
@@ -1125,3 +1131,53 @@ func TestEnableInsecureCiphers(t *testing.T) {
require.NoError(t, err)
}
+
+func TestTLSVersions(t *testing.T) {
+ skipUnlessEnabled(t)
+
+ tests := map[string]struct {
+ tlsMin string
+ tlsMax string
+ tlsClient uint16
+ expectError bool
+ }{
+ "client version not supported": {tlsMin: "tls1.1", tlsMax: "tls1.2", tlsClient: tls.VersionTLS10, expectError: true},
+ "client version supported": {tlsMin: "tls1.1", tlsMax: "tls1.2", tlsClient: tls.VersionTLS12, expectError: false},
+ "client and server using default settings": {tlsMin: "", tlsMax: "", tlsClient: 0, expectError: false},
+ }
+
+ for name, tc := range tests {
+ t.Run(name, func(t *testing.T) {
+ args := []string{}
+ if tc.tlsMin != "" {
+ args = append(args, "-tls-min-version", tc.tlsMin)
+ }
+ if tc.tlsMax != "" {
+ args = append(args, "-tls-max-version", tc.tlsMax)
+ }
+
+ teardown := RunPagesProcess(t, *pagesBinary, listeners, "", args...)
+ defer teardown()
+
+ tlsConfig := &tls.Config{}
+ if tc.tlsClient != 0 {
+ tlsConfig.MinVersion = tc.tlsClient
+ tlsConfig.MaxVersion = tc.tlsClient
+ }
+ client, cleanup := ClientWithConfig(tlsConfig)
+ defer cleanup()
+
+ rsp, err := client.Get(httpsListener.URL("/"))
+
+ if rsp != nil {
+ rsp.Body.Close()
+ }
+
+ if tc.expectError {
+ require.Error(t, err)
+ } else {
+ require.NoError(t, err)
+ }
+ })
+ }
+}
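Review bot: The "client version supported" case in TestTLSVersions asserts only that the request returned no error, so a server that ignored -tls-min-version and -tls-max-version would still pass it; in the `else` branch, after `require.NoError(t, err)`, pin the negotiated version with `if tc.tlsClient != 0 { require.Equal(t, tc.tlsClient, rsp.TLS.Version) }`. The table also covers only a client below the configured minimum and one equal to the maximum; a case with the client pinned above tlsMax (for example `tlsClient: tls.VersionTLS13` against `tlsMax: "tls1.2"` with `expectError: true`) would verify that the upper bound is enforced rather than just parsed. The accepted values named in the commit message (ssl3, tls1.0, tls1.3) are not exercised by the table, which seems worth a one-line comment above `tests` saying which flag values the test deliberately covers.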