From d67f896b848020a74f52a36e600cd305660b2a43 Mon Sep 17 00:00:00 2001
From: Solderpunk
Date: Thu, 23 Feb 2023 19:31:16 +0100
Subject: [PATCH] Add AllowTLS12 option to switch minimum TLS version between 1.2 and 1.3.
---
 README.md | 11 ++++++++++-
 config.go | 2 ++
 launch.go | 6 +++++-
 3 files changed, 17 insertions(+), 2 deletions(-)
diff --git a/README.md b/README.md
index fc30482..519749c 100644
--- a/README.md
+++ b/README.md
@@ -382,7 +382,16 @@ startup, database connection etc. on each request).
 SCGI applications are responsible for generating their own response
 headers.
 
-### Certificate zones
+### TLS options
+
+* `AllowTLS12` (boolean): if true, Molly Brown will accept connections
+ from clients using TLS version 1.2 or later (1.2 is the bare minimum
+ allowed by the Gemini spec). If set to false, Molly Brown will
+ instead require TLS version 1.3 or later - 1.2 to 1.3 was a big
+ change and drastic simplification of the TLS spec which discarded a
+ wide range of old and insecure configurations. (default value `true`)
+
+#### Certificate zones
 
 Molly Brown allows you to use client certificates to restrict access
 to certain resources (which may be static or dynamic). The overall
diff --git a/config.go b/config.go
index 0d1ce4c..3623d1d 100644
--- a/config.go
+++ b/config.go
@@ -28,6 +28,7 @@ type Config struct {
 CGIPaths []string
 SCGIPaths map[string]string
 CertificateZones map[string][]string
+ AllowTLS12 bool
 DirectorySort string
 DirectorySubdirsFirst bool
 DirectoryReverse bool
@@ -68,6 +69,7 @@ func getConfig(filename string) (Config, error) {
 config.PermRedirects = make(map[string]string)
 config.CGIPaths = make([]string, 0)
 config.SCGIPaths = make(map[string]string)
+ config.AllowTLS12 = true
 config.DirectorySort = "Name"
 config.DirectorySubdirsFirst = false
diff --git a/launch.go b/launch.go
index 1fd8c25..40eb772 100644
--- a/launch.go
+++ b/launch.go
@@ -56,7 +56,11 @@ func launch(config Config, privInfo userInfo) int { } var tlscfg tls.Config tlscfg.Certificates = []tls.Certificate{cert} - tlscfg.MinVersion = tls.VersionTLS12 + if config.AllowTLS12 { + tlscfg.MinVersion = tls.VersionTLS12 + } else { + tlscfg.MinVersion = tls.VersionTLS13 + } if len(config.CertificateZones) > 0 { tlscfg.ClientAuth = tls.RequestClientCert }
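Review bot: The `if config.AllowTLS12` branch sets only `tlscfg.MinVersion` and leaves `tlscfg.CipherSuites` nil, so with the default `AllowTLS12 = true` the version floor alone does not close the "old and insecure configurations" the README says 1.3 removed: depending on the Go toolchain, crypto/tls's default TLS 1.2 server list can still include CBC-mode suites and, on toolchains before Go 1.22, RSA key exchange with no forward secrecy. Pinning an explicit ECDHE+AEAD list next to the `tls.VersionTLS12` assignment limits the 1.2 fallback to a version downgrade only; TLS 1.3 suites are not configurable through this field, so the `VersionTLS13` branch is unaffected and needs no change. The list below is what I would add; whether the remaining 1.2 clients on Gemini still negotiate these suites is something to confirm against the server's access logs before shipping. `launch`'s body begins and ends outside this hunk.
```go
	if config.AllowTLS12 {
		tlscfg.MinVersion = tls.VersionTLS12
		// 1.2 is reachable, so restrict it to forward-secret AEAD suites;
		// this list is ignored for TLS 1.3 handshakes.
		tlscfg.CipherSuites = []uint16{
			tls.TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
			tls.TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
			tls.TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,
			tls.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
			tls.TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
			tls.TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,
		}
	// … unchanged: else branch (VersionTLS13) and client-cert setup …
```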