
Merge pull request #745 from rqlite/no-tls-1.0-1.1

Disable TLS v1.0 and v1.1 by default
master
Philip O'Toole 4 years ago committed by GitHub
commit f6c85c23a8
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23

@ -6,6 +6,7 @@
- [PR #738](https://github.com/rqlite/rqlite/pull/738): Don't use temp file when snapshotting database
- [PR #738](https://github.com/rqlite/rqlite/pull/738): Switch to rqlite fork of mattn/go-sqlite3. The SQLite C code remains unchanged.
- [PR #741](https://github.com/rqlite/rqlite/pull/741): Tighten up Store-level locking.
- [PR #745](https://github.com/rqlite/rqlite/pull/745): TLS version 1.0 and 1.1 disabled by default. Fixes [issue #743](https://github.com/rqlite/rqlite/issues/743).
## 5.9.0 (January 24th 2021)
### New features

@ -46,6 +46,7 @@ var (
var httpAddr string
var httpAdv string
var tls1011 bool
var authFile string
var x509CACert string
var x509Cert string
@ -93,6 +94,7 @@ func init() {
flag.StringVar(&nodeID, "node-id", "", "Unique name for node. If not set, set to hostname")
flag.StringVar(&httpAddr, "http-addr", "localhost:4001", "HTTP server bind address. For HTTPS, set X.509 cert and key")
flag.StringVar(&httpAdv, "http-adv-addr", "", "Advertised HTTP address. If not set, same as HTTP server")
flag.BoolVar(&tls1011, "tls1011", false, "Support deprecated TLS versions 1.0 and 1.1")
flag.StringVar(&x509CACert, "http-ca-cert", "", "Path to root X.509 certificate for HTTP endpoint")
flag.StringVar(&x509Cert, "http-cert", "", "Path to X.509 certificate for HTTP endpoint")
flag.StringVar(&x509Key, "http-key", "", "Path to X.509 private key for HTTP endpoint")
@ -412,6 +414,7 @@ func startHTTPService(str *store.Store) error {
s.CertFile = x509Cert
s.KeyFile = x509Key
s.TLS1011 = tls1011
s.Expvar = expvar
s.Pprof = pprofEnabled
s.BuildInfo = map[string]interface{}{
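Review bot: The `-tls1011` flag lowers the accepted TLS floor without any runtime trace: the only wiring in this diff is `s.TLS1011 = tls1011` in startHTTPService, and nothing is logged when the deprecated versions are enabled, so an operator reading startup output cannot tell the endpoint accepts TLS 1.0/1.1. A one-line log next to the assignment, such as `if tls1011 { log.Println("deprecated TLS 1.0 and 1.1 enabled for HTTP endpoint") }` (assuming the file's existing logger is in scope), would make that visible. The help string at the flag definition could also say which listener it affects, e.g. `"Support deprecated TLS versions 1.0 and 1.1 on the HTTP endpoint"`, since in this diff the flag is only wired into the HTTP service. startHTTPService begins and ends outside the hunk.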

@ -164,6 +164,7 @@ type Service struct {
CACertFile string // Path to root X.509 certificate.
CertFile string // Path to SSL certificate.
KeyFile string // Path to SSL private key.
TLS1011 bool // Whether older, deprecated TLS should be supported.
credentialStore CredentialStore
@ -202,7 +203,7 @@ func (s *Service) Start() error {
return err
}
} else {
config, err := createTLSConfig(s.CertFile, s.KeyFile, s.CACertFile)
config, err := createTLSConfig(s.CertFile, s.KeyFile, s.CACertFile, s.TLS1011)
if err != nil {
return err
}
@ -896,10 +897,17 @@ func requestQueries(r *http.Request) ([]*command.Statement, error) {
}
// createTLSConfig returns a TLS config from the given cert and key.
func createTLSConfig(certFile, keyFile, caCertFile string) (*tls.Config, error) {
func createTLSConfig(certFile, keyFile, caCertFile string, tls1011 bool) (*tls.Config, error) {
var err error
var minTls = uint16(tls.VersionTLS12)
if tls1011 {
minTls = tls.VersionTLS10
}
config := &tls.Config{
NextProtos: []string{"h2", "http/1.1"},
MinVersion: minTls,
}
config.Certificates = make([]tls.Certificate, 1)
config.Certificates[0], err = tls.LoadX509KeyPair(certFile, keyFile)
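Review bot: The doc comment on createTLSConfig was not updated for the new `tls1011` parameter or for the MinVersion it now sets, so the TLS 1.2 default is invisible from the signature's documentation. I would change it to `// createTLSConfig returns a TLS config from the given cert and key. TLS 1.2 is the minimum accepted version unless tls1011 is true, in which case TLS 1.0 and 1.1 are also accepted.`. The local `minTls` should also be spelled `minTLS` to match Go's initialism convention, and `minTLS := uint16(tls.VersionTLS12)` reads more idiomatically than the `var ... =` form. createTLSConfig continues past the end of the hunk.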
