From ad2ded8e9cf1729caf0ed445e2fc625bd06eeb39 Mon Sep 17 00:00:00 2001
From: Mostyn Bramley-Moore
Date: Sun, 3 Dec 2023 14:46:45 +0100
Subject: [PATCH] Add --min_tls_version flag (does not apply to proxy backends)

Allowed values are 1.0 (default), 1.1, 1.2 or 1.3. At the time of writing, current go versions default to TLS 1.0 as the minimum version when acting as a server (and 1.2 when acting as a client). This change allows admins to raise the minium supported TLS version. Fixes #708.
---
 config/config.go | 5 +++++
 config/config_test.go | 8 ++++++++
 config/tls.go | 17 +++++++++++++++++
 main.go | 1 +
 utils/flags/flags.go | 6 ++++++
 5 files changed, 37 insertions(+)

diff --git a/config/config.go b/config/config.go
index f885e3bea..bea17f744 100644
--- a/config/config.go
+++ b/config/config.go
@@ -89,6 +89,7 @@ type Config struct {
 	StorageMode string `yaml:"storage_mode"`
 	ZstdImplementation string `yaml:"zstd_implementation"`
 	HtpasswdFile string `yaml:"htpasswd_file"`
+	MinTLSVersion string `yaml:"min_tls_version"`
 	TLSCaFile string `yaml:"tls_ca_file"`
 	TLSCertFile string `yaml:"tls_cert_file"`
 	TLSKeyFile string `yaml:"tls_key_file"`
@@ -147,6 +148,7 @@ func newFromArgs(dir string, maxSize int, storageMode string, zstdImplementation
 	htpasswdFile string,
 	maxQueuedUploads int,
 	numUploaders int,
+	minTLSVersion string,
 	tlsCaFile string,
 	tlsCertFile string,
 	tlsKeyFile string,
@@ -180,6 +182,7 @@ func newFromArgs(dir string, maxSize int, storageMode string, zstdImplementation
 	HtpasswdFile: htpasswdFile,
 	MaxQueuedUploads: maxQueuedUploads,
 	NumUploaders: numUploaders,
+	MinTLSVersion: minTLSVersion,
 	TLSCaFile: tlsCaFile,
 	TLSCertFile: tlsCertFile,
 	TLSKeyFile: tlsKeyFile,
@@ -235,6 +238,7 @@ func newFromYaml(data []byte) (*Config, error) {
 	StorageMode: "zstd",
 	ZstdImplementation: "go",
 	NumUploaders: 100,
+	MinTLSVersion: "1.0",
 	MaxQueuedUploads: 1000000,
 	MaxBlobSize: math.MaxInt64,
 	MaxProxyBlobSize: math.MaxInt64,
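Review bot: The default `MinTLSVersion: "1.0"` written into newFromYaml's defaults here is a second copy of the `Value: "1.0"` default on the new flag in utils/flags/flags.go, so the YAML and CLI paths can silently drift apart; a single constant such as `const DefaultMinTLSVersion = "1.0"` in the config package, referenced from both places if the flags package can import it, would keep them in agreement. The value is only parsed later by setTLSConfig in config/tls.go, so a typo in a YAML file is presumably reported only when TLS is enabled — worth confirming, since newFromYaml's own validation path is outside this hunk. newFromYaml's body continues outside the hunk.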
@@ -589,6 +593,7 @@ func get(ctx *cli.Context) (*Config, error) {
 	ctx.String("htpasswd_file"),
 	ctx.Int("max_queued_uploads"),
 	ctx.Int("num_uploaders"),
+	ctx.String("min_tls_version"),
 	ctx.String("tls_ca_file"),
 	ctx.String("tls_cert_file"),
 	ctx.String("tls_key_file"),
diff --git a/config/config_test.go b/config/config_test.go
index 21d6c227e..429e87081 100644
--- a/config/config_test.go
+++ b/config/config_test.go
@@ -44,6 +44,7 @@ log_timezone: local
 	StorageMode: "zstd",
 	ZstdImplementation: "go",
 	HtpasswdFile: "/opt/.htpasswd",
+	MinTLSVersion: "1.0",
 	TLSCertFile: "/opt/tls.cert",
 	TLSKeyFile: "/opt/tls.key",
 	DisableHTTPACValidation: true,
@@ -95,6 +96,7 @@ gcs_proxy:
 	JSONCredentialsFile: "/opt/creds.json",
 	},
 	NumUploaders: 100,
+	MinTLSVersion: "1.0",
 	MaxQueuedUploads: 1000000,
 	MaxBlobSize: math.MaxInt64,
 	MaxProxyBlobSize: math.MaxInt64,
@@ -138,6 +140,7 @@ http_proxy:
 	BaseURL: url,
 	},
 	NumUploaders: 100,
+	MinTLSVersion: "1.0",
 	MaxQueuedUploads: 1000000,
 	MaxBlobSize: math.MaxInt64,
 	MaxProxyBlobSize: math.MaxInt64,
@@ -214,6 +217,7 @@ s3_proxy:
 	SecretAccessKey: "EXAMPLE_SECRET_KEY",
 	},
 	NumUploaders: 100,
+	MinTLSVersion: "1.0",
 	MaxQueuedUploads: 1000000,
 	MaxBlobSize: math.MaxInt64,
 	MaxProxyBlobSize: math.MaxInt64,
@@ -247,6 +251,7 @@ profile_address: :7070
 	ZstdImplementation: "go",
 	ProfileAddress: ":7070",
 	NumUploaders: 100,
+	MinTLSVersion: "1.0",
 	MaxQueuedUploads: 1000000,
 	MaxBlobSize: math.MaxInt64,
 	MaxProxyBlobSize: math.MaxInt64,
@@ -293,6 +298,7 @@ endpoint_metrics_duration_buckets: [.005, .1, 5]
 	MaxSize: 42,
 	StorageMode: "zstd",
 	ZstdImplementation: "go",
+	MinTLSVersion: "1.0",
 	NumUploaders: 100,
 	MaxQueuedUploads: 1000000,
 	MaxBlobSize: math.MaxInt64,
@@ -425,6 +431,7 @@ storage_mode: zstd
 	StorageMode: "zstd",
 	ZstdImplementation: "go",
 	NumUploaders: 100,
+	MinTLSVersion: "1.0",
 	MaxQueuedUploads: 1000000,
 	MaxBlobSize: math.MaxInt64,
 	MaxProxyBlobSize: math.MaxInt64,
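Review bot: The config_test.go changes only assert that the default `MinTLSVersion: "1.0"` is populated (this hunk at -44 and the hunks at -95, -138, -214, -247, -293, -425 and -458); there is no case that sets a non-default value such as `min_tls_version: "1.2"` and checks it is carried into the Config, and none that feeds an unsupported value and expects setTLSConfig to return an error. Both cases would pin the behaviour the commit message promises and protect the lookup in config/tls.go against regressions. The enclosing test fixtures start and end outside these hunks.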
@@ -458,6 +465,7 @@ storage_mode: zstd StorageMode: "zstd", ZstdImplementation: "go", NumUploaders: 100, + MinTLSVersion: "1.0", MaxQueuedUploads: 1000000, MaxBlobSize: math.MaxInt64, MaxProxyBlobSize: math.MaxInt64, diff --git a/config/tls.go b/config/tls.go index ea8ad5d99..a6ec51680 100644 --- a/config/tls.go +++ b/config/tls.go @@ -3,11 +3,25 @@ package config import ( "crypto/tls" "crypto/x509" + "errors" "fmt" "os" ) func (c *Config) setTLSConfig() error { + + supportedTLSServerVersions := map[string]uint16{ + "1.0": tls.VersionTLS10, + "1.1": tls.VersionTLS11, + "1.2": tls.VersionTLS12, + "1.3": tls.VersionTLS13, + } + + minTLSVersion, ok := supportedTLSServerVersions[c.MinTLSVersion] + if !ok { + return errors.New("Unsupported min_tls_version: \"" + c.MinTLSVersion + "\", must be one of 1.0, 1.1, 1.2, 1.3.") + } + if len(c.TLSCaFile) != 0 { caCertPool := x509.NewCertPool() caCert, err := os.ReadFile(c.TLSCaFile) @@ -37,6 +51,8 @@ func (c *Config) setTLSConfig() error { // we require auth for. // See server.checkGRPCClientCert and httpCache.hasValidClientCert. ClientAuth: tls.VerifyClientCertIfGiven, + + MinVersion: minTLSVersion, } return nil @@ -53,6 +69,7 @@ func (c *Config) setTLSConfig() error { c.TLSConfig = &tls.Config{ Certificates: []tls.Certificate{readCert}, + MinVersion: minTLSVersion, } return nil diff --git a/main.go b/main.go index 8eba8c5eb..f22e0cb12 100644 --- a/main.go +++ b/main.go @@ -329,6 +329,7 @@ func startHttpServer(c *config.Config, httpServer **http.Server, } log.Printf("Starting HTTPS server on address %s", c.HTTPAddress) + log.Println("Minimum supported TLS version:", c.MinTLSVersion) err = (*httpServer).ServeTLS(ln, c.TLSCertFile, c.TLSKeyFile) if err == http.ErrServerClosed { log.Println("HTTPS server stopped") diff --git a/utils/flags/flags.go b/utils/flags/flags.go index 45872b2a6..4a5f4ce6a 100644 --- a/utils/flags/flags.go +++ b/utils/flags/flags.go 
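Review bot: The lookup-failure error in the new validation block of setTLSConfig (hunk -3 of config/tls.go) is hand-concatenated with a capitalised first word and a trailing period even though `fmt` is already imported; `return fmt.Errorf("unsupported min_tls_version %q, must be one of 1.0, 1.1, 1.2, 1.3", c.MinTLSVersion)` follows Go error conventions and quotes the offending value safely. The `supportedTLSServerVersions` map is rebuilt on every call; a package-level `var supportedTLSServerVersions = map[string]uint16{...}` avoids that and gives one authoritative list of allowed values. Because the check only runs inside setTLSConfig, an invalid value is presumably reported only when TLS is in use — worth confirming, so that an admin who sets min_tls_version on a deployment without TLS still gets feedback. setTLSConfig's body continues outside the hunk.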
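Review bot: The new log line in startHttpServer (main.go hunk -329) mixes `log.Println` with a colon-terminated key directly after a `log.Printf` call on the previous line; `log.Printf("Minimum supported TLS version: %s", c.MinTLSVersion)` keeps the two startup messages in one style. It prints the configured string rather than the negotiated tls.Config value, which is fine here since setTLSConfig has already rejected anything not in its table. startHttpServer's body continues outside the hunk.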
@@ -124,6 +124,12 @@ func GetCliFlags() []cli.Flag { Usage: "Path to a .htpasswd file. This flag is optional. Please read https://httpd.apache.org/docs/2.4/programs/htpasswd.html.", EnvVars: []string{"BAZEL_REMOTE_HTPASSWD_FILE"}, }, + &cli.StringFlag{ + Name: "min_tls_version", + Value: "1.0", + Usage: "The minimum TLS version that is acceptable for incoming requests (does not apply to proxy backends). Allowed values: 1.0, 1.1, 1.2, 1.3.", + EnvVars: []string{"BAZEL_REMOTE_MIN_TLS_VERSION"}, + }, &cli.StringFlag{ Name: "tls_ca_file", Value: "",
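Review bot: The Usage text of the new min_tls_version flag lists the allowed values but does not tell an admin that the default leaves TLS 1.0 and 1.1 negotiable, both of which are deprecated by RFC 8996; a short addition such as `Usage: "The minimum TLS version that is acceptable for incoming requests (does not apply to proxy backends). Allowed values: 1.0, 1.1, 1.2, 1.3. Versions 1.0 and 1.1 are deprecated; 1.2 or 1.3 is recommended."` makes the trade-off visible in `--help`. The allowed-values list is also repeated in the error message in config/tls.go, so deriving both from one shared table would keep them from diverging. GetCliFlags continues outside the hunk.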