From 0a6ceabb9baa4f0058f4403b392b8fda845a5d5a Mon Sep 17 00:00:00 2001
From: spacetourist
Date: Sat, 20 May 2017 13:31:25 +0100
Subject: [PATCH] Allow configurable HTTPS SSL/TLS version(#4451)

---
 cmd/web.go | 15 ++++++++++++++-
 conf/app.ini | 7 +++++--
 pkg/setting/setting.go | 2 ++
 3 files changed, 21 insertions(+), 3 deletions(-)

diff --git a/cmd/web.go b/cmd/web.go
index b2003be91..d9cd59c1a 100644
--- a/cmd/web.go
+++ b/cmd/web.go
@@ -672,8 +672,21 @@ func runWeb(ctx *cli.Context) error {
 case setting.SCHEME_HTTP:
 err = http.ListenAndServe(listenAddr, m)
 case setting.SCHEME_HTTPS:
+ var tlsMinVersion uint16
+ switch setting.TLSMinVersion {
+ case "SSL30":
+ tlsMinVersion = tls.VersionSSL30
+ case "TLS12":
+ tlsMinVersion = tls.VersionTLS12
+ case "TLS11":
+ tlsMinVersion = tls.VersionTLS11
+ case "TLS10":
+ fallthrough
+ default:
+ tlsMinVersion = tls.VersionTLS10
+ }
 server := &http.Server{Addr: listenAddr, TLSConfig: &tls.Config{
- MinVersion: tls.VersionTLS10,
+ MinVersion: tlsMinVersion,
 CurvePreferences: []tls.CurveID{tls.CurveP521, tls.CurveP384, tls.CurveP256},
 PreferServerCipherSuites: true,
 CipherSuites: []uint16{
diff --git a/conf/app.ini b/conf/app.ini
index 2927c2aa9..e9bbf4846 100644
--- a/conf/app.ini
+++ b/conf/app.ini
@@ -56,6 +56,9 @@ DISABLE_ROUTER_LOG = false
 ; $ openssl pkcs12 -in cert.pfx -out key.pem -nocerts -nodes
 CERT_FILE = custom/https/cert.pem
 KEY_FILE = custom/https/key.pem
+; Allowed TLS version values: SSL30, TLS10, TLS11, TLS12
+TLS_MIN_VERSION = TLS10
+
 ; Upper level of template and static file path
 ; default is the path where Gogs is executed
 STATIC_ROOT_PATH =
@@ -148,7 +151,7 @@ ANGLED_QUOTES = true
 
 [http]
 ; Value for Access-Control-Allow-Origin header, default is not to present
-ACCESS_CONTROL_ALLOW_ORIGIN =
+ACCESS_CONTROL_ALLOW_ORIGIN =
 
 ; Define allowed algorithms and their minimum key length (use -1 to disable a type)
 [ssh.minimum_key_sizes]
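Review bot: The `default:` arm of the new switch maps every unrecognised TLS_MIN_VERSION value (a typo such as `TLS1.2`, or stray whitespace) to TLS 1.0, so a misconfiguration that was meant to raise the floor silently lowers it and nothing is logged. Prefer to keep the implicit fallback only for the absent key and refuse to start on anything else: `case "", "TLS10": tlsMinVersion = tls.VersionTLS10` followed by a `default:` that logs the offending value with the project's fatal logger and exits. `SSL30` also deserves a second look, since SSLv3 is a deprecated protocol with known weaknesses; if it must stay selectable, the switch should at least log a warning when it is chosen. The same validation could live in `NewContext` in pkg/setting/setting.go, where the value is read with `.String()` and no check. runWeb continues outside the hunk.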
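Review bot: The new comment on `TLS_MIN_VERSION` lists the accepted values but says nothing about which one applies when the key is left empty, nor that SSL30 is a deprecated protocol kept only for legacy clients. Suggest `; Minimum TLS version to accept: TLS10 (default, also used when empty), TLS11 or TLS12; SSL30 is deprecated and only for legacy clients`.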
@@ -346,7 +349,7 @@ MAX_DAYS = 7
 ; leave empty to inherit
 LEVEL =
 ; Webhook URL
-URL =
+URL =
 
 [log.xorm]
 ; Enable file rotation
diff --git a/pkg/setting/setting.go b/pkg/setting/setting.go
index c8902b459..1b701d123 100644
--- a/pkg/setting/setting.go
+++ b/pkg/setting/setting.go
@@ -69,6 +69,7 @@ var (
 OfflineMode bool
 DisableRouterLog bool
 CertFile, KeyFile string
+ TLSMinVersion string
 StaticRootPath string
 EnableGzip bool
 LandingPageURL LandingPage
@@ -438,6 +439,7 @@ func NewContext() {
 Protocol = SCHEME_HTTPS
 CertFile = sec.Key("CERT_FILE").String()
 KeyFile = sec.Key("KEY_FILE").String()
+ TLSMinVersion = sec.Key("TLS_MIN_VERSION").String()
 } else if sec.Key("PROTOCOL").String() == "fcgi" {
 Protocol = SCHEME_FCGI
 } else if sec.Key("PROTOCOL").String() == "unix" {