Allow configurable HTTPS SSL/TLS version(#4451)

cmd/web.go

@@ -672,8 +672,21 @@ func runWeb(ctx *cli.Context) error {
 	case setting.SCHEME_HTTP:
 		err = http.ListenAndServe(listenAddr, m)
 	case setting.SCHEME_HTTPS:
+		var tlsMinVersion uint16
+		switch setting.TLSMinVersion {
+		case "SSL30":
+			tlsMinVersion = tls.VersionSSL30
+		case "TLS12":
+			tlsMinVersion = tls.VersionTLS12
+		case "TLS11":
+			tlsMinVersion = tls.VersionTLS11
+		case "TLS10":
+			fallthrough
+		default:
+			tlsMinVersion = tls.VersionTLS10
+		}
 		server := &http.Server{Addr: listenAddr, TLSConfig: &tls.Config{
-			MinVersion:               tls.VersionTLS10,
+			MinVersion:               tlsMinVersion,
 			CurvePreferences:         []tls.CurveID{tls.CurveP521, tls.CurveP384, tls.CurveP256},
 			PreferServerCipherSuites: true,
 			CipherSuites: []uint16{

conf/app.ini

@@ -56,6 +56,9 @@ DISABLE_ROUTER_LOG = false
 ; $ openssl pkcs12 -in cert.pfx -out key.pem -nocerts -nodes
 CERT_FILE = custom/https/cert.pem
 KEY_FILE = custom/https/key.pem
+; Allowed TLS version values: SSL30, TLS10, TLS11, TLS12
+TLS_MIN_VERSION = TLS10
+
 ; Upper level of template and static file path
 ; default is the path where Gogs is executed
 STATIC_ROOT_PATH =

pkg/setting/setting.go

@@ -69,6 +69,7 @@ var (
 	OfflineMode          bool
 	DisableRouterLog     bool
 	CertFile, KeyFile    string
+	TLSMinVersion        string
 	StaticRootPath       string
 	EnableGzip           bool
 	LandingPageURL       LandingPage
@@ -438,6 +439,7 @@ func NewContext() {
 		Protocol = SCHEME_HTTPS
 		CertFile = sec.Key("CERT_FILE").String()
 		KeyFile = sec.Key("KEY_FILE").String()
+		TLSMinVersion = sec.Key("TLS_MIN_VERSION").String()
 	} else if sec.Key("PROTOCOL").String() == "fcgi" {
 		Protocol = SCHEME_FCGI
 	} else if sec.Key("PROTOCOL").String() == "unix" {