Add AllowTLS12 option to switch minimum TLS version between 1.2 and 1.3.

README.md

@@ -382,7 +382,16 @@ startup, database connection etc. on each request).
   SCGI applications are responsible for generating their own response
   headers.
 
-### Certificate zones
+### TLS options
+
+* `AllowTLS12` (boolean): if true, Molly Brown will accept connections
+  from clients using TLS version 1.2 or later (1.2 is the bare minimum
+  allowed by the Gemini spec).  If set to false, Molly Brown will
+  instead require TLS version 1.3 or later - 1.2 to 1.3 was a big
+  change and drastic simplification of the TLS spec which discarded a
+  wide range of old and insecure configurations.  (default value `true`)
+
+#### Certificate zones
 
 Molly Brown allows you to use client certificates to restrict access
 to certain resources (which may be static or dynamic).  The overall

config.go

@@ -28,6 +28,7 @@ type Config struct {
 	CGIPaths              []string
 	SCGIPaths             map[string]string
 	CertificateZones      map[string][]string
+	AllowTLS12            bool
 	DirectorySort         string
 	DirectorySubdirsFirst bool
 	DirectoryReverse      bool
@@ -68,6 +69,7 @@ func getConfig(filename string) (Config, error) {
 	config.PermRedirects = make(map[string]string)
 	config.CGIPaths = make([]string, 0)
 	config.SCGIPaths = make(map[string]string)
+	config.AllowTLS12 = true
 	config.DirectorySort = "Name"
 	config.DirectorySubdirsFirst = false
 

launch.go

@@ -56,7 +56,11 @@ func launch(config Config, privInfo userInfo) int {
 	}
 	var tlscfg tls.Config
 	tlscfg.Certificates = []tls.Certificate{cert}
+	if config.AllowTLS12 {
 		tlscfg.MinVersion = tls.VersionTLS12
+	} else {
+		tlscfg.MinVersion = tls.VersionTLS13
+	}
 	if len(config.CertificateZones) > 0 {
 		tlscfg.ClientAuth = tls.RequestClientCert
 	}