GOMODULES
/
fiber
mirror of https://github.com/gofiber/fiber.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

🔥 feat: Add support for configuring TLS Min Version (#3248) 

* Make tls.Config MinVersion configurable

This commit will resolve #3239
For more info: https://github.com/gofiber/fiber/issues/3239

* Add documents about tls minimum version configurable

* Add if statement for don't allow to use TLS1.0 and TLS1.1

* Fix lint issues, add test for panic()

* Update docs

* Add test with valid TLS version

---------

Co-authored-by: Juan Calderon-Perez <jgcalderonperez@protonmail.com>
pull/3249/head^2
Iliya 2024-12-16 11:37:41 +03:30 committed by GitHub
parent 02999352cd
commit 154c74d578
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194
4 changed files with 66 additions and 5 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

3
docs/api/fiber.md
View File

@ -116,7 +116,8 @@ app.Listen(":8080", fiber.ListenConfig{
| <Reference id="onshutdownerror">OnShutdownError</Reference> | `func(err error)` | Allows to customize error behavior when gracefully shutting down the server by given signal. Prints error with `log.Fatalf()` | `nil` | | <Reference id="onshutdownerror">OnShutdownError</Reference> | `func(err error)` | Allows to customize error behavior when gracefully shutting down the server by given signal. Prints error with `log.Fatalf()` | `nil` |
| <Reference id="onshutdownsuccess">OnShutdownSuccess</Reference> | `func()` | Allows customizing success behavior when gracefully shutting down the server by given signal. | `nil` | | <Reference id="onshutdownsuccess">OnShutdownSuccess</Reference> | `func()` | Allows customizing success behavior when gracefully shutting down the server by given signal. | `nil` |
| <Reference id="tlsconfigfunc">TLSConfigFunc</Reference> | `func(tlsConfig *tls.Config)` | Allows customizing `tls.Config` as you want. | `nil` | | <Reference id="tlsconfigfunc">TLSConfigFunc</Reference> | `func(tlsConfig *tls.Config)` | Allows customizing `tls.Config` as you want. | `nil` |
| <Reference id="autocertmanager">AutoCertManager</Reference> | `func(tlsConfig *tls.Config)` | Manages TLS certificates automatically using the ACME protocol. Enables integration with Let's Encrypt or other ACME-compatible providers. | `nil` | | <Reference id="autocertmanager">AutoCertManager</Reference> | `*autocert.Manager` | Manages TLS certificates automatically using the ACME protocol. Enables integration with Let's Encrypt or other ACME-compatible providers. | `nil` |
| <Reference id="tlsminversion">TLSMinVersion</Reference> | `uint16` | Allows customizing the TLS minimum version. | `tls.VersionTLS12` |
### Listen ### Listen

8
docs/whats_new.md
View File

@ -130,6 +130,14 @@ In this example, a custom context `CustomCtx` is created with an additional meth
</details> </details>
### Configurable TLS Minimum Version
We have added support for configuring the TLS minimum version. This field allows you to set the TLS minimum version for TLSAutoCert and the server listener.
```go
app.Listen(":444", fiber.ListenConfig{TLSMinVersion: tls.VersionTLS12})
```
#### TLS AutoCert support (ACME / Let's Encrypt) #### TLS AutoCert support (ACME / Let's Encrypt)
We have added native support for automatic certificates management from Let's Encrypt and any other ACME-based providers. We have added native support for automatic certificates management from Let's Encrypt and any other ACME-based providers.

23
listen.go
View File

@ -108,6 +108,12 @@ type ListenConfig struct {
// Default: 10 * time.Second // Default: 10 * time.Second
ShutdownTimeout time.Duration `json:"shutdown_timeout"` ShutdownTimeout time.Duration `json:"shutdown_timeout"`
// TLSMinVersion allows to set TLS minimum version.
//
// Default: tls.VersionTLS12
// WARNING: TLS1.0 and TLS1.1 versions are not supported.
TLSMinVersion uint16 `json:"tls_min_version"`
// When set to true, it will not print out the «Fiber» ASCII art and listening address. // When set to true, it will not print out the «Fiber» ASCII art and listening address.
// //
// Default: false // Default: false
@ -128,6 +134,7 @@ type ListenConfig struct {
func listenConfigDefault(config ...ListenConfig) ListenConfig { func listenConfigDefault(config ...ListenConfig) ListenConfig {
if len(config) < 1 { if len(config) < 1 {
return ListenConfig{ return ListenConfig{
TLSMinVersion: tls.VersionTLS12,
ListenerNetwork: NetworkTCP4, ListenerNetwork: NetworkTCP4,
OnShutdownError: func(err error) { OnShutdownError: func(err error) {
log.Fatalf("shutdown: %v", err) //nolint:revive // It's an option log.Fatalf("shutdown: %v", err) //nolint:revive // It's an option
@ -147,6 +154,14 @@ func listenConfigDefault(config ...ListenConfig) ListenConfig {
} }
} }
if cfg.TLSMinVersion == 0 {
cfg.TLSMinVersion = tls.VersionTLS12
}
if cfg.TLSMinVersion != tls.VersionTLS12 && cfg.TLSMinVersion != tls.VersionTLS13 {
panic("unsupported TLS version, please use tls.VersionTLS12 or tls.VersionTLS13")
}
return cfg return cfg
} }
@ -168,8 +183,8 @@ func (app *App) Listen(addr string, config ...ListenConfig) error {
} }
tlsHandler := &TLSHandler{} tlsHandler := &TLSHandler{}
tlsConfig = &tls.Config{ tlsConfig = &tls.Config{ //nolint:gosec // This is a user input
MinVersion: tls.VersionTLS12, MinVersion: cfg.TLSMinVersion,
Certificates: []tls.Certificate{ Certificates: []tls.Certificate{
cert, cert,
}, },
@ -192,8 +207,8 @@ func (app *App) Listen(addr string, config ...ListenConfig) error {
// Attach the tlsHandler to the config // Attach the tlsHandler to the config
app.SetTLSHandler(tlsHandler) app.SetTLSHandler(tlsHandler)
} else if cfg.AutoCertManager != nil { } else if cfg.AutoCertManager != nil {
tlsConfig = &tls.Config{ tlsConfig = &tls.Config{ //nolint:gosec // This is a user input
MinVersion: tls.VersionTLS12, MinVersion: cfg.TLSMinVersion,
GetCertificate: cfg.AutoCertManager.GetCertificate, GetCertificate: cfg.AutoCertManager.GetCertificate,
NextProtos: []string{"http/1.1", "acme-tls/1"}, NextProtos: []string{"http/1.1", "acme-tls/1"},
} }

37
listen_test.go
View File

@ -236,6 +236,43 @@ func Test_Listen_Prefork(t *testing.T) {
require.NoError(t, app.Listen(":99999", ListenConfig{DisableStartupMessage: true, EnablePrefork: true})) require.NoError(t, app.Listen(":99999", ListenConfig{DisableStartupMessage: true, EnablePrefork: true}))
} }
// go test -run Test_Listen_TLSMinVersion
func Test_Listen_TLSMinVersion(t *testing.T) {
testPreforkMaster = true
app := New()
// Invalid TLSMinVersion
require.Panics(t, func() {
_ = app.Listen(":443", ListenConfig{TLSMinVersion: tls.VersionTLS10}) //nolint:errcheck // ignore error
})
require.Panics(t, func() {
_ = app.Listen(":443", ListenConfig{TLSMinVersion: tls.VersionTLS11}) //nolint:errcheck // ignore error
})
// Prefork
require.Panics(t, func() {
_ = app.Listen(":443", ListenConfig{DisableStartupMessage: true, EnablePrefork: true, TLSMinVersion: tls.VersionTLS10}) //nolint:errcheck // ignore error
})
require.Panics(t, func() {
_ = app.Listen(":443", ListenConfig{DisableStartupMessage: true, EnablePrefork: true, TLSMinVersion: tls.VersionTLS11}) //nolint:errcheck // ignore error
})
// Valid TLSMinVersion
go func() {
time.Sleep(1000 * time.Millisecond)
assert.NoError(t, app.Shutdown())
}()
require.NoError(t, app.Listen(":0", ListenConfig{TLSMinVersion: tls.VersionTLS13}))
// Valid TLSMinVersion with Prefork
go func() {
time.Sleep(1000 * time.Millisecond)
assert.NoError(t, app.Shutdown())
}()
require.NoError(t, app.Listen(":99999", ListenConfig{DisableStartupMessage: true, EnablePrefork: true, TLSMinVersion: tls.VersionTLS13}))
}
// go test -run Test_Listen_TLS // go test -run Test_Listen_TLS
func Test_Listen_TLS(t *testing.T) { func Test_Listen_TLS(t *testing.T) {
app := New() app := New()