Allow configurable HTTPS SSL/TLS version(#4451)

2025-05-31 11:42:13 +00:00 · 2017-05-20 13:31:25 +01:00 · 2017-05-20 13:31:25 +01:00 · 0a6ceabb9b
commit 0a6ceabb9b
parent d71a8fece8
3 changed files with 21 additions and 3 deletions
--- a/cmd/web.go
+++ b/cmd/web.go
@ -672,8 +672,21 @@ func runWeb(ctx *cli.Context) error {
 	case setting.SCHEME_HTTP:
 		err = http.ListenAndServe(listenAddr, m)
 	case setting.SCHEME_HTTPS:
+		var tlsMinVersion uint16
+		switch setting.TLSMinVersion {
+		case "SSL30":
+			tlsMinVersion = tls.VersionSSL30
+		case "TLS12":
+			tlsMinVersion = tls.VersionTLS12
+		case "TLS11":
+			tlsMinVersion = tls.VersionTLS11
+		case "TLS10":
+			fallthrough
+		default:
+			tlsMinVersion = tls.VersionTLS10
+		}
 		server := &http.Server{Addr: listenAddr, TLSConfig: &tls.Config{
-			MinVersion:               tls.VersionTLS10,
+			MinVersion:               tlsMinVersion,
 			CurvePreferences:         []tls.CurveID{tls.CurveP521, tls.CurveP384, tls.CurveP256},
 			PreferServerCipherSuites: true,
 			CipherSuites: []uint16{
--- a/conf/app.ini
+++ b/conf/app.ini
@ -56,6 +56,9 @@ DISABLE_ROUTER_LOG = false
 ; $ openssl pkcs12 -in cert.pfx -out key.pem -nocerts -nodes
 CERT_FILE = custom/https/cert.pem
 KEY_FILE = custom/https/key.pem
+; Allowed TLS version values: SSL30, TLS10, TLS11, TLS12
+TLS_MIN_VERSION = TLS10
+
 ; Upper level of template and static file path
 ; default is the path where Gogs is executed
 STATIC_ROOT_PATH =
@ -148,7 +151,7 @@ ANGLED_QUOTES = true

 [http]
 ; Value for Access-Control-Allow-Origin header, default is not to present
-ACCESS_CONTROL_ALLOW_ORIGIN = 
+ACCESS_CONTROL_ALLOW_ORIGIN =

 ; Define allowed algorithms and their minimum key length (use -1 to disable a type)
 [ssh.minimum_key_sizes]
@ -346,7 +349,7 @@ MAX_DAYS = 7
 ; leave empty to inherit
 LEVEL =
 ; Webhook URL
-URL = 
+URL =

 [log.xorm]
 ; Enable file rotation
--- a/pkg/setting/setting.go
+++ b/pkg/setting/setting.go
@ -69,6 +69,7 @@ var (
 	OfflineMode          bool
 	DisableRouterLog     bool
 	CertFile, KeyFile    string
+	TLSMinVersion        string
 	StaticRootPath       string
 	EnableGzip           bool
 	LandingPageURL       LandingPage
@ -438,6 +439,7 @@ func NewContext() {
 		Protocol = SCHEME_HTTPS
 		CertFile = sec.Key("CERT_FILE").String()
 		KeyFile = sec.Key("KEY_FILE").String()
+		TLSMinVersion = sec.Key("TLS_MIN_VERSION").String()
 	} else if sec.Key("PROTOCOL").String() == "fcgi" {
 		Protocol = SCHEME_FCGI
 	} else if sec.Key("PROTOCOL").String() == "unix" {