add SSL MinVersion

Signed-off-by: Ryan Leung <[email protected]>
tikv · Jul 29, 2024 · 59fffd2 · 59fffd2
1 parent 5d77447
commit 59fffd2
Show file tree

Hide file tree

Showing 4 changed files with 8 additions and 6 deletions.
diff --git a/client/pd_service_discovery_test.go b/client/pd_service_discovery_test.go
@@ -314,17 +314,17 @@ func TestServiceClientScheme(t *testing.T) {
 	re.Equal("http://127.0.0.1:2379", cli.GetURL())
 	cli = newPDServiceClient(modifyURLScheme("http://127.0.0.1:2379", nil), modifyURLScheme("127.0.0.1:2379", nil), nil, false)
 	re.Equal("http://127.0.0.1:2379", cli.GetURL())
-	cli = newPDServiceClient(modifyURLScheme("127.0.0.1:2379", &tls.Config{}), modifyURLScheme("127.0.0.1:2379", &tls.Config{}), nil, false)
+	cli = newPDServiceClient(modifyURLScheme("127.0.0.1:2379", &tls.Config{MinVersion: tls.VersionTLS12}), modifyURLScheme("127.0.0.1:2379", &tls.Config{MinVersion: tls.VersionTLS12}), nil, false)
 	re.Equal("https://127.0.0.1:2379", cli.GetURL())
-	cli = newPDServiceClient(modifyURLScheme("https://127.0.0.1:2379", &tls.Config{}), modifyURLScheme("127.0.0.1:2379", &tls.Config{}), nil, false)
+	cli = newPDServiceClient(modifyURLScheme("https://127.0.0.1:2379", &tls.Config{MinVersion: tls.VersionTLS12}), modifyURLScheme("127.0.0.1:2379", &tls.Config{MinVersion: tls.VersionTLS12}), nil, false)
 	re.Equal("https://127.0.0.1:2379", cli.GetURL())
-	cli = newPDServiceClient(modifyURLScheme("http://127.0.0.1:2379", &tls.Config{}), modifyURLScheme("127.0.0.1:2379", &tls.Config{}), nil, false)
+	cli = newPDServiceClient(modifyURLScheme("http://127.0.0.1:2379", &tls.Config{MinVersion: tls.VersionTLS12}), modifyURLScheme("127.0.0.1:2379", &tls.Config{MinVersion: tls.VersionTLS12}), nil, false)
 	re.Equal("https://127.0.0.1:2379", cli.GetURL())
 }
 
 func TestSchemeFunction(t *testing.T) {
 	re := require.New(t)
-	tlsCfg := &tls.Config{}
+	tlsCfg := &tls.Config{MinVersion: tls.VersionTLS12}
 
 	endpoints1 := []string{
 		"http://tc-pd:2379",

diff --git a/client/tlsutil/tlsconfig.go b/client/tlsutil/tlsconfig.go
@@ -79,7 +79,7 @@ func (info TLSInfo) ClientConfig() (*tls.Config, error) {
 			return nil, err
 		}
 	} else {
-		cfg = &tls.Config{ServerName: info.ServerName}
+		cfg = &tls.Config{ServerName: info.ServerName, MinVersion: tls.VersionTLS12}
 	}
 	cfg.InsecureSkipVerify = info.InsecureSkipVerify
 
@@ -188,6 +188,7 @@ func (s TLSConfig) ToTLSConfig() (*tls.Config, error) {
 			Certificates: certificates,
 			RootCAs:      certPool,
 			NextProtos:   []string{"h2", "http/1.1"}, // specify `h2` to let Go use HTTP/2.
+			MinVersion:   tls.VersionTLS12,
 		}, nil
 	}
 

diff --git a/pkg/utils/grpcutil/grpcutil.go b/pkg/utils/grpcutil/grpcutil.go
@@ -96,6 +96,7 @@ func (s TLSConfig) ToTLSConfig() (*tls.Config, error) {
 			Certificates: certificates,
 			RootCAs:      certPool,
 			NextProtos:   []string{"h2", "http/1.1"}, // specify `h2` to let Go use HTTP/2.
+			MinVersion:   tls.VersionTLS12,
 		}, nil
 	}
 

diff --git a/pkg/utils/netutil/address_test.go b/pkg/utils/netutil/address_test.go
@@ -51,7 +51,7 @@ func TestIsEnableHttps(t *testing.T) {
 	httpClient = &http.Client{
 		Transport: &http.Transport{
 			DisableKeepAlives: true,
-			TLSClientConfig:   &tls.Config{},
+			TLSClientConfig:   &tls.Config{MinVersion: tls.VersionTLS12},
 		},
 	}
 	re.False(IsEnableHTTPS(httpClient))