Set minimum TLS version in all tls.Config objects

2016-07-12 17:06:28 -04:00 · 2016-07-12 17:06:28 -04:00 · 46d34130ac
parent 04cfa4f88d
commit 46d34130ac
4 changed files with 4 additions and 0 deletions
--- a/builtin/credential/ldap/path_config.go
+++ b/builtin/credential/ldap/path_config.go
@ -215,6 +215,7 @@ type ConfigEntry struct {

 func (c *ConfigEntry) GetTLSConfig(host string) (*tls.Config, error) {
 	tlsConfig := &tls.Config{
+		MinVersion: VersionTLS12,
 		ServerName: host,
 	}
 	if c.InsecureTLS {
--- a/builtin/logical/cassandra/util.go
+++ b/builtin/logical/cassandra/util.go
@ -50,6 +50,7 @@ func createSession(cfg *sessionConfig, s logical.Storage) (*gocql.Session, error
 	if cfg.TLS {
 		tlsConfig := &tls.Config{
 			InsecureSkipVerify: cfg.InsecureTLS,
+			MinVersion:         VersionTLS12,
 		}

 		if len(cfg.Certificate) > 0 || len(cfg.IssuingCA) > 0 {
--- a/helper/certutil/types.go
+++ b/helper/certutil/types.go
@ -438,6 +438,7 @@ func (p *ParsedCertBundle) GetTLSConfig(usage TLSUsage) (*tls.Config, error) {

 	tlsConfig := &tls.Config{
 		NextProtos: []string{"http/1.1"},
+		MinVersion: VersionTLS12,
 	}

 	if p.Certificate != nil {
--- a/physical/consul.go
+++ b/physical/consul.go
@ -191,6 +191,7 @@ func setupTLSConfig(conf map[string]string) (*tls.Config, error) {
 	}

 	tlsClientConfig := &tls.Config{
+		MinVersion:         VersionTLS12,
 		InsecureSkipVerify: insecureSkipVerify,
 		ServerName:         serverName[0],
 	}