From 8e2ef7ca655c41f4bb4e70a00ea88af34f209dc7 Mon Sep 17 00:00:00 2001
From: Cuong Manh Le
Date: Fri, 8 May 2026 15:03:28 +0700
Subject: [PATCH] all: explicit TLS MinVersion in tls.Config

Go's default is already TLS 1.2+ (since Go 1.18), but making this explicit satisfies RFC 7858/9250 recommendations and makes the security intent clear for auditors.
---
 config.go | 1 +
 config_quic.go | 2 +-
 doh_test.go | 2 ++
 doq.go | 1 +
 doq_test.go | 1 +
 dot.go | 3 ++-
 internal/certs/root_ca_test.go | 3 ++-
 internal/controld/config.go | 2 +-
 8 files changed, 11 insertions(+), 4 deletions(-)

diff --git a/config.go b/config.go
index e38e50d..75f17e5 100644
--- a/config.go
+++ b/config.go
@@ -611,6 +611,7 @@ func (uc *UpstreamConfig) newDOHTransport(ctx context.Context, addrs []string) *
 transport.TLSClientConfig = &tls.Config{
 RootCAs: uc.certPool,
 ClientSessionCache: tls.NewLRUClientSessionCache(0),
+ MinVersion: tls.VersionTLS12,
 }

 // Prevent bad tcp connection hanging the requests for too long.
diff --git a/config_quic.go b/config_quic.go
index f2469a3..a8c6872 100644
--- a/config_quic.go
+++ b/config_quic.go
@@ -18,7 +18,7 @@ func (uc *UpstreamConfig) newDOH3Transport(ctx context.Context, addrs []string)
 return nil
 }
 rt := &http3.Transport{}
- rt.TLSClientConfig = &tls.Config{RootCAs: uc.certPool}
+ rt.TLSClientConfig = &tls.Config{RootCAs: uc.certPool, MinVersion: tls.VersionTLS12}
 logger := LoggerFromCtx(ctx)
 rt.Dial = func(ctx context.Context, addr string, tlsCfg *tls.Config, cfg *quic.Config) (*quic.Conn, error) {
 _, port, _ := net.SplitHostPort(addr)
diff --git a/doh_test.go b/doh_test.go
index 700b299..9757f5e 100644
--- a/doh_test.go
+++ b/doh_test.go
@@ -197,6 +197,7 @@ func testTLSServer(t *testing.T, handler http.Handler) (*httptest.Server, *x509.
 server := httptest.NewUnstartedServer(handler)
 server.TLS = &tls.Config{
 Certificates: []tls.Certificate{testCert.tlsCert},
+ MinVersion: tls.VersionTLS12,
 }
 server.StartTLS()
 
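Review bot: The TLS 1.2 floor is now spelled out by hand in each tls.Config literal of this series (config.go here, then config_quic.go, doq.go, dot.go, internal/controld/config.go and the three test files), so a future client call site can silently omit it again; a small constructor for the client-side sites, e.g. `func baseTLSConfig(pool *x509.CertPool) *tls.Config { return &tls.Config{RootCAs: pool, MinVersion: tls.VersionTLS12} }`, would make the floor the default and leave the literals to their per-protocol fields. The rationale currently lives only in the commit message; a one-line why-comment on the added field, `MinVersion: tls.VersionTLS12, // explicit TLS 1.2 floor (RFC 7858/9250); matches Go's default`, keeps it visible to readers of the code. newDOHTransport starts before the hunk and continues after it.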
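Review bot: `MinVersion: tls.VersionTLS12` on the http3.Transport config documents a floor that cannot apply: QUIC carries TLS 1.3 only (RFC 9001), so the effective minimum here is 1.3 whatever this field says (quic-go is expected to enforce that itself), and an auditor reading 1.2 gets the wrong picture. For the QUIC configs, this line, the doq.go pool config, and the "h3"/"doq" test server configs in doh_test.go and doq_test.go, `MinVersion: tls.VersionTLS13` states the real requirement; 1.2 is right only for the DoH-over-HTTP/2, DoT and plain HTTPS sites. newDOH3Transport starts before the hunk and continues after it.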
@@ -233,6 +234,7 @@ func newTestHTTP3Server(t *testing.T, handler http.Handler) *testHTTP3Server {
 tlsConfig := &tls.Config{
 Certificates: []tls.Certificate{testCert.tlsCert},
 NextProtos: []string{"h3"}, // HTTP/3 protocol identifier
+ MinVersion: tls.VersionTLS12,
 }

 // Create HTTP/3 server
diff --git a/doq.go b/doq.go
index fcce376..3aee246 100644
--- a/doq.go
+++ b/doq.go
@@ -73,6 +73,7 @@ func newDOQConnPool(_ context.Context, uc *UpstreamConfig, addrs []string) *doqC
 NextProtos: []string{"doq"},
 RootCAs: uc.certPool,
 ServerName: uc.Domain,
+ MinVersion: tls.VersionTLS12,
 }

 quicConfig := &quic.Config{
diff --git a/doq_test.go b/doq_test.go
index 14055dd..a6a1c54 100644
--- a/doq_test.go
+++ b/doq_test.go
@@ -99,6 +99,7 @@ func newTestQUICServer(t *testing.T) *testQUICServer {
 tlsConfig := &tls.Config{
 Certificates: []tls.Certificate{testCert.tlsCert},
 NextProtos: []string{"doq"},
+ MinVersion: tls.VersionTLS12,
 }

 // Create QUIC listener
diff --git a/dot.go b/dot.go
index 66dc710..287a7cb 100644
--- a/dot.go
+++ b/dot.go
@@ -73,7 +73,8 @@ func newDOTClientPool(_ context.Context, uc *UpstreamConfig, addrs []string) *do

 dialer := newDialer(net.JoinHostPort(controldPublicDns, "53"))
 tlsConfig := &tls.Config{
- RootCAs: uc.certPool,
+ RootCAs: uc.certPool,
+ MinVersion: tls.VersionTLS12,
 }

 if uc.BootstrapIP != "" {
diff --git a/internal/certs/root_ca_test.go b/internal/certs/root_ca_test.go
index fcfd16e..295be56 100644
--- a/internal/certs/root_ca_test.go
+++ b/internal/certs/root_ca_test.go
@@ -11,7 +11,8 @@ func TestCACertPool(t *testing.T) {
 c := &http.Client{
 Transport: &http.Transport{
 TLSClientConfig: &tls.Config{
- RootCAs: CACertPool(),
+ RootCAs: CACertPool(),
+ MinVersion: tls.VersionTLS12,
 },
 },
 Timeout: 2 * time.Second,
diff --git a/internal/controld/config.go b/internal/controld/config.go
index 765706e..df88609 100644
--- a/internal/controld/config.go
+++ b/internal/controld/config.go
@@ -351,7 +351,7 @@ func apiTransport(loggerCtx context.Context, cdDev bool) *http.Transport {
 return dial(ctx, "tcp6", addrsFromPort(apiIpsV6, port))
 }
 if runtime.GOOS == "android" {
- transport.TLSClientConfig = &tls.Config{RootCAs: certs.CACertPool()}
+ transport.TLSClientConfig = &tls.Config{RootCAs: certs.CACertPool(), MinVersion: tls.VersionTLS12}
 }
 return transport
 }
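Review bot: The explicit floor is applied only inside the `runtime.GOOS == "android"` branch; on every other platform the transport presumably keeps whatever TLSClientConfig it was built with before this hunk (likely nil), so the minimum version for the internal/controld API client stays implicit there, which is the gap the commit message says it is closing. If the intent is an explicit floor everywhere, set it unconditionally before the branch, `transport.TLSClientConfig = &tls.Config{MinVersion: tls.VersionTLS12}`, and reduce the android branch to `transport.TLSClientConfig.RootCAs = certs.CACertPool()`. This assumes nothing earlier in apiTransport already assigns TLSClientConfig; the function starts before the hunk.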