Signed-off-by: Tibor Vass <teabee89@gmail.com>
Docker-DCO-1.1-Signed-off-by: Daniel, Dao Quang Minh <dqminh89@gmail.com> (github: dqminh)
@@ -1439,6 +1439,8 @@ func ListenAndServe(proto, addr string, job *engine.Job) error {
|
| 1439 | 1439 |
tlsConfig := &tls.Config{
|
| 1440 | 1440 |
NextProtos: []string{"http/1.1"},
|
| 1441 | 1441 |
Certificates: []tls.Certificate{cert},
|
| 1442 |
+ // Avoid fallback on insecure SSL protocols |
|
| 1443 |
+ MinVersion: tls.VersionTLS10, |
|
| 1442 | 1444 |
} |
| 1443 | 1445 |
if job.GetenvBool("TlsVerify") {
|
| 1444 | 1446 |
certPool := x509.NewCertPool() |
@@ -36,7 +36,11 @@ const ( |
| 36 | 36 |
) |
| 37 | 37 |
|
| 38 | 38 |
func newClient(jar http.CookieJar, roots *x509.CertPool, cert *tls.Certificate, timeout TimeoutType) *http.Client {
|
| 39 |
- tlsConfig := tls.Config{RootCAs: roots}
|
|
| 39 |
+ tlsConfig := tls.Config{
|
|
| 40 |
+ RootCAs: roots, |
|
| 41 |
+ // Avoid fallback to SSL protocols < TLS1.0 |
|
| 42 |
+ MinVersion: tls.VersionTLS10, |
|
| 43 |
+ } |
|
| 40 | 44 |
|
| 41 | 45 |
if cert != nil {
|
| 42 | 46 |
tlsConfig.Certificates = append(tlsConfig.Certificates, *cert) |