CalvinBackup/ctrld
1
0
Fork 0
mirror of https://github.com/Control-D-Inc/ctrld.git synced 2026-05-27 12:52:27 +02:00
Code Issues Packages Projects Releases Wiki Activity

all: explicit TLS MinVersion in tls.Config

Browse Source 
Go's default is already TLS 1.2+ (since Go 1.18), but making this
explicit satisfies RFC 7858/9250 recommendations and makes the security
intent clear for auditors.
This commit is contained in:
Cuong Manh Le
2026-05-08 15:03:28 +07:00
committed by Cuong Manh Le
parent 1735d3d55b
commit 8e2ef7ca65
8 changed files with 11 additions and 4 deletions
Download Patch File Download Diff File Expand all files Collapse all files
config.go
+1
View File
@@ -611,6 +611,7 @@ func (uc *UpstreamConfig) newDOHTransport(ctx context.Context, addrs []string) *
transport.TLSClientConfig = &tls.Config{
RootCAs: uc.certPool,
ClientSessionCache: tls.NewLRUClientSessionCache(0),
MinVersion: tls.VersionTLS12,
}
// Prevent bad tcp connection hanging the requests for too long.
config_quic.go
+1 -1
View File
@@ -18,7 +18,7 @@ func (uc *UpstreamConfig) newDOH3Transport(ctx context.Context, addrs []string)
return nil
}
rt := &http3.Transport{}
rt.TLSClientConfig = &tls.Config{RootCAs: uc.certPool}
rt.TLSClientConfig = &tls.Config{RootCAs: uc.certPool, MinVersion: tls.VersionTLS12}
logger := LoggerFromCtx(ctx)
rt.Dial = func(ctx context.Context, addr string, tlsCfg *tls.Config, cfg *quic.Config) (*quic.Conn, error) {
_, port, _ := net.SplitHostPort(addr)
doh_test.go
+2
View File
@@ -197,6 +197,7 @@ func testTLSServer(t *testing.T, handler http.Handler) (*httptest.Server, *x509.
server := httptest.NewUnstartedServer(handler)
server.TLS = &tls.Config{
Certificates: []tls.Certificate{testCert.tlsCert},
MinVersion: tls.VersionTLS12,
}
server.StartTLS()
@@ -233,6 +234,7 @@ func newTestHTTP3Server(t *testing.T, handler http.Handler) *testHTTP3Server {
tlsConfig := &tls.Config{
Certificates: []tls.Certificate{testCert.tlsCert},
NextProtos: []string{"h3"}, // HTTP/3 protocol identifier
MinVersion: tls.VersionTLS12,
}
// Create HTTP/3 server
doq.go
+1
View File
@@ -73,6 +73,7 @@ func newDOQConnPool(_ context.Context, uc *UpstreamConfig, addrs []string) *doqC
NextProtos: []string{"doq"},
RootCAs: uc.certPool,
ServerName: uc.Domain,
MinVersion: tls.VersionTLS12,
}
quicConfig := &quic.Config{
doq_test.go
+1
View File
@@ -99,6 +99,7 @@ func newTestQUICServer(t *testing.T) *testQUICServer {
tlsConfig := &tls.Config{
Certificates: []tls.Certificate{testCert.tlsCert},
NextProtos: []string{"doq"},
MinVersion: tls.VersionTLS12,
}
// Create QUIC listener
dot.go
+2 -1
View File
@@ -73,7 +73,8 @@ func newDOTClientPool(_ context.Context, uc *UpstreamConfig, addrs []string) *do
dialer := newDialer(net.JoinHostPort(controldPublicDns, "53"))
tlsConfig := &tls.Config{
RootCAs: uc.certPool,
RootCAs: uc.certPool,
MinVersion: tls.VersionTLS12,
}
if uc.BootstrapIP != "" {
internal/certs/root_ca_test.go
+2 -1
View File
@@ -11,7 +11,8 @@ func TestCACertPool(t *testing.T) {
c := &http.Client{
Transport: &http.Transport{
TLSClientConfig: &tls.Config{
RootCAs: CACertPool(),
RootCAs: CACertPool(),
MinVersion: tls.VersionTLS12,
},
},
Timeout: 2 * time.Second,
internal/controld/config.go
+1 -1
View File
@@ -351,7 +351,7 @@ func apiTransport(loggerCtx context.Context, cdDev bool) *http.Transport {
return dial(ctx, "tcp6", addrsFromPort(apiIpsV6, port))
}
if runtime.GOOS == "android" {
transport.TLSClientConfig = &tls.Config{RootCAs: certs.CACertPool()}
transport.TLSClientConfig = &tls.Config{RootCAs: certs.CACertPool(), MinVersion: tls.VersionTLS12}
}
return transport
}