
Commit fbf50b0

authored
✨ Allow TLS minimum version to be configured (#1548)
* Allow TLS minimum version to be configured Some environments have automated security scans that trigger on TLS versions or insecure cipher suites. Setting TLS to 1.3 would solve both problems (setting to 1.2 only solves the former as the default 1.2 cipher suites are insecure). Default TLS minimum version of 1.0 remains. * Add error handling to tls version conversion
1 parent 750cf33 commit fbf50b0

1 file changed

+30
-0
lines changed


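--- a/pkg/webhook/server.go
+++ b/pkg/webhook/server.go
@@ -70,6 +70,10 @@ type Server struct {
 // Defaults to "", which means server does not verify client's certificate.
 ClientCAName string
 
+// TLSVersion is the minimum version of TLS supported. Accepts
+// "", "1.0", "1.1", "1.2" and "1.3" only ("" is equivalent to "1.0" for backwards compatibility)
+TLSMinVersion string
+
 // WebhookMux is the multiplexer that handles different webhooks.
 WebhookMux *http.ServeMux
 
@@ -175,6 +179,26 @@ func (s *Server) StartStandalone(ctx context.Context, scheme *runtime.Scheme) er
 return s.Start(ctx)
 }
 
+// tlsVersion converts from human-readable TLS version (for example "1.1")
+// to the values accepted by tls.Config (for example 0x301)
+func tlsVersion(version string) (uint16, error) {
+switch version {
+// default is previous behaviour
+case "":
+return tls.VersionTLS10, nil
+case "1.0":
+return tls.VersionTLS10, nil
+case "1.1":
+return tls.VersionTLS11, nil
+case "1.2":
+return tls.VersionTLS12, nil
+case "1.3":
+return tls.VersionTLS13, nil
+default:
+return 0, fmt.Errorf("Invalid TLSMinVersion %v: expects 1.0, 1.1, 1.2, 1.3 or empty", version)
+}
+}
+
 // Start runs the server.
 // It will install the webhook related resources depend on the server configuration.
 func (s *Server) Start(ctx context.Context) error {
@@ -197,9 +221,15 @@ func (s *Server) Start(ctx context.Context) error {
 }
 }()
 
+tlsMinVersion, err := tlsVersion(s.TLSMinVersion)
+if err != nil {
+return err
+}
+
 cfg := &tls.Config{
 NextProtos: []string{"h2"},
 GetCertificate: certWatcher.GetCertificate,
+MinVersion: tlsMinVersion,
 }
 
 // load CA to verify client certificate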
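Review bot: The doc comment on the new struct field names `TLSVersion` while the field itself is `TLSMinVersion`, so godoc will not associate them; it should open with the field's own name: `// TLSMinVersion is the minimum version of TLS supported. Accepts`. The same comment is the natural place to state that leaving the field empty keeps TLS 1.0 negotiable, so an operator hardening a deployment knows the value must be set explicitly to get the stricter behaviour the commit description motivates. In tlsVersion, the error string starts with a capital letter and formats a string with `%v`; Go convention is `return 0, fmt.Errorf("invalid TLSMinVersion %q: expects 1.0, 1.1, 1.2, 1.3 or empty", version)`, and `%q` also makes stray whitespace in a configured value visible in the log rather than silently looking like a valid "1.2".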