Add AllowTLS12 option to switch minimum TLS version between 1.2 and 1.3.
parent
67386cd118
commit
d67f896b84
11
README.md
11
README.md
|
@ -382,7 +382,16 @@ startup, database connection etc. on each request).
|
||||||
SCGI applications are responsible for generating their own response
|
SCGI applications are responsible for generating their own response
|
||||||
headers.
|
headers.
|
||||||
|
|
||||||
### Certificate zones
|
### TLS options
|
||||||
|
|
||||||
|
* `AllowTLS12` (boolean): if true, Molly Brown will accept connections
|
||||||
|
from clients using TLS version 1.2 or later (1.2 is the bare minimum
|
||||||
|
allowed by the Gemini spec). If set to false, Molly Brown will
|
||||||
|
instead require TLS version 1.3 or later - 1.2 to 1.3 was a big
|
||||||
|
change and drastic simplification of the TLS spec which discarded a
|
||||||
|
wide range of old and insecure configurations. (default value `true`)
|
||||||
|
|
||||||
|
#### Certificate zones
|
||||||
|
|
||||||
Molly Brown allows you to use client certificates to restrict access
|
Molly Brown allows you to use client certificates to restrict access
|
||||||
to certain resources (which may be static or dynamic). The overall
|
to certain resources (which may be static or dynamic). The overall
|
||||||
@ -28,6 +28,7 @@ type Config struct {
|
||||||
CGIPaths []string
|
CGIPaths []string
|
||||||
SCGIPaths map[string]string
|
SCGIPaths map[string]string
|
||||||
CertificateZones map[string][]string
|
CertificateZones map[string][]string
|
||||||
|
AllowTLS12 bool
|
||||||
DirectorySort string
|
DirectorySort string
|
||||||
DirectorySubdirsFirst bool
|
DirectorySubdirsFirst bool
|
||||||
DirectoryReverse bool
|
DirectoryReverse bool
|
||||||
|
@ -68,6 +69,7 @@ func getConfig(filename string) (Config, error) {
|
||||||
config.PermRedirects = make(map[string]string)
|
config.PermRedirects = make(map[string]string)
|
||||||
config.CGIPaths = make([]string, 0)
|
config.CGIPaths = make([]string, 0)
|
||||||
config.SCGIPaths = make(map[string]string)
|
config.SCGIPaths = make(map[string]string)
|
||||||
|
config.AllowTLS12 = true
|
||||||
config.DirectorySort = "Name"
|
config.DirectorySort = "Name"
|
||||||
config.DirectorySubdirsFirst = false
|
config.DirectorySubdirsFirst = false
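Review bot: The new `AllowTLS12` field carries no explanation of what it weakens, and the permissive default `config.AllowTLS12 = true` at L140 means an operator who never mentions the option in their config silently accepts TLS 1.2; nothing in the code tells a reader that the stricter setting is the opt-in one. A one-line comment on the struct field would make the trade-off visible next to the code rather than only in the README: `AllowTLS12 bool // accept TLS 1.2 clients; false requires TLS 1.3 (see README "TLS options")`. The `Config` struct and `getConfig` both start and end outside these hunks.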
|
||||||
@ -56,7 +56,11 @@ func launch(config Config, privInfo userInfo) int {
|
||||||
}
|
}
|
||||||
var tlscfg tls.Config
|
var tlscfg tls.Config
|
||||||
tlscfg.Certificates = []tls.Certificate{cert}
|
tlscfg.Certificates = []tls.Certificate{cert}
|
||||||
|
if config.AllowTLS12 {
|
||||||
tlscfg.MinVersion = tls.VersionTLS12
|
tlscfg.MinVersion = tls.VersionTLS12
|
||||||
|
} else {
|
||||||
|
tlscfg.MinVersion = tls.VersionTLS13
|
||||||
|
}
|
||||||
if len(config.CertificateZones) > 0 {
|
if len(config.CertificateZones) > 0 {
|
||||||
tlscfg.ClientAuth = tls.RequestClientCert
|
tlscfg.ClientAuth = tls.RequestClientCert
|
||||||
}
|
}
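Review bot: Lowering `MinVersion` to `tls.VersionTLS12` at L181 re-enables the whole default Go TLS 1.2 cipher-suite list, which depending on the Go version still contains non-AEAD CBC suites (and, on older toolchains, non-forward-secret RSA key exchange), so the option as written is broader than "accept 1.2 clients". If TLS 1.2 is to be tolerated for spec compliance, it seems reasonable to pin `tlscfg.CipherSuites` to the ECDHE+AEAD suites in the same branch; `CipherSuites` only governs TLS 1.0–1.2, so the 1.3-only branch needs nothing extra. The surrounding `launch` function begins and ends outside this hunk.
```go
if config.AllowTLS12 {
	// Gemini permits TLS 1.2, but only offer forward-secret AEAD suites for it.
	// CipherSuites has no effect on TLS 1.3, whose suites are not configurable.
	tlscfg.MinVersion = tls.VersionTLS12
	tlscfg.CipherSuites = []uint16{
		tls.TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
		tls.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
		tls.TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
		tls.TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
		tls.TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,
		tls.TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,
	}
} else {
	tlscfg.MinVersion = tls.VersionTLS13
}
// … unchanged: CertificateZones / ClientAuth setup …
```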
|
||||||