Merge pull request #447 from kgutwin/f-tlsvers

Specify Vault listener minimum TLS version
2015-07-23 13:42:42 -07:00 · 2015-07-23 13:42:42 -07:00 · eeb623bca0
parent 9ec3cefea9 3a5e036727
commit eeb623bca0
2 changed files with 21 additions and 1 deletions
--- a/command/server/listener.go
+++ b/command/server/listener.go
@ -50,10 +50,24 @@ func listenerWrapTLS(
 		return nil, nil, fmt.Errorf("error loading TLS cert: %s", err)
 	}

+	tlslookup := map[string]uint16{
+		"tls10": tls.VersionTLS10,
+		"tls11": tls.VersionTLS11,
+		"tls12": tls.VersionTLS12,
+	}
+	
+	tlsvers, ok := config["tls_min_version"]
+	if !ok {
+		tlsvers = "tls12"
+	}
+	
 	tlsConf := &tls.Config{}
 	tlsConf.Certificates = []tls.Certificate{cert}
 	tlsConf.NextProtos = []string{"http/1.1"}
-	tlsConf.MinVersion = tls.VersionTLS12 // Minimum version is TLS 1.2
+	tlsConf.MinVersion, ok = tlslookup[tlsvers]
+	if !ok {
+		return nil, nil, fmt.Errorf("'tls_min_version' value %s not supported, please specify one of [tls10,tls11,tls12]", tlsvers)
+	}
 	tlsConf.ClientAuth = tls.RequestClientCert

 	ln = tls.NewListener(ln, tlsConf)
--- a/website/source/docs/config/index.html.md
+++ b/website/source/docs/config/index.html.md
@ -195,6 +195,12 @@ The supported options are:
  * `tls_key_file` (required unless disabled) - The path to the private key
      for the certificate.
      
+  * `tls_min_version` (optional) - If provided, specifies the minimum
+      supported version of TLS. Accepted values are "tls10", "tls11"
+      or "tls12". This defaults to "tls12". WARNING: TLS 1.1 and lower
+      are generally considered less secure; avoid using these if
+      possible.
+
 ## Telemetry Reference

 For the `telemetry` section, there is no resource name. All configuration