Home Explore
Register Sign In
Endevir
/
git-server
1
0
Fork 0
Files Issues 0 Pull Requests 0 Wiki
Browse Source

Allow configurable HTTPS SSL/TLS version(#4451)

spacetourist 7 years ago
parent
d71a8fece8
commit
0a6ceabb9b
3 changed files with 21 additions and 3 deletions
Split View Show Diff Stats
  1. 14 1
      cmd/web.go
  2. 5 2
      conf/app.ini
  3. 2 0
      pkg/setting/setting.go

+ 14 - 1
cmd/web.go
View File 

@@ -672,8 +672,21 @@ func runWeb(ctx *cli.Context) error {
 
 	case setting.SCHEME_HTTP:
 
 		err = http.ListenAndServe(listenAddr, m)
 
 	case setting.SCHEME_HTTPS:
 
+		var tlsMinVersion uint16
 
+		switch setting.TLSMinVersion {
 
+		case "SSL30":
 
+			tlsMinVersion = tls.VersionSSL30
 
+		case "TLS12":
 
+			tlsMinVersion = tls.VersionTLS12
 
+		case "TLS11":
 
+			tlsMinVersion = tls.VersionTLS11
 
+		case "TLS10":
 
+			fallthrough
 
+		default:
 
+			tlsMinVersion = tls.VersionTLS10
 
+		}
 
 		server := &http.Server{Addr: listenAddr, TLSConfig: &tls.Config{
 
-			MinVersion:               tls.VersionTLS10,
 
+			MinVersion:               tlsMinVersion,
 
 			CurvePreferences:         []tls.CurveID{tls.CurveP521, tls.CurveP384, tls.CurveP256},
 
 			PreferServerCipherSuites: true,
 
 			CipherSuites: []uint16{

+ 5 - 2
conf/app.ini
View File 

@@ -56,6 +56,9 @@ DISABLE_ROUTER_LOG = false
 
 ; $ openssl pkcs12 -in cert.pfx -out key.pem -nocerts -nodes
 
 CERT_FILE = custom/https/cert.pem
 
 KEY_FILE = custom/https/key.pem
 
+; Allowed TLS version values: SSL30, TLS10, TLS11, TLS12
 
+TLS_MIN_VERSION = TLS10
 
+
 
 ; Upper level of template and static file path
 
 ; default is the path where Gogs is executed
 
 STATIC_ROOT_PATH =
 
@@ -148,7 +151,7 @@ ANGLED_QUOTES = true
 
 
 [http]
 
 ; Value for Access-Control-Allow-Origin header, default is not to present
 
-ACCESS_CONTROL_ALLOW_ORIGIN = 
+ACCESS_CONTROL_ALLOW_ORIGIN =
 
 
 ; Define allowed algorithms and their minimum key length (use -1 to disable a type)
 
 [ssh.minimum_key_sizes]
 
@@ -346,7 +349,7 @@ MAX_DAYS = 7
 
 ; leave empty to inherit
 
 LEVEL =
 
 ; Webhook URL
 
-URL = 
+URL =
 
 
 [log.xorm]
 
 ; Enable file rotation

+ 2 - 0
pkg/setting/setting.go
View File 

@@ -69,6 +69,7 @@ var (
 
 	OfflineMode          bool
 
 	DisableRouterLog     bool
 
 	CertFile, KeyFile    string
 
+	TLSMinVersion        string
 
 	StaticRootPath       string
 
 	EnableGzip           bool
 
 	LandingPageURL       LandingPage
 
@@ -438,6 +439,7 @@ func NewContext() {
 
 		Protocol = SCHEME_HTTPS
 
 		CertFile = sec.Key("CERT_FILE").String()
 
 		KeyFile = sec.Key("KEY_FILE").String()
 
+		TLSMinVersion = sec.Key("TLS_MIN_VERSION").String()
 
 	} else if sec.Key("PROTOCOL").String() == "fcgi" {
 
 		Protocol = SCHEME_FCGI
 
 	} else if sec.Key("PROTOCOL").String() == "unix" {