Merge branch 'main' into client-updates

docs/api/fiber.md

@@ -116,7 +116,8 @@ app.Listen(":8080", fiber.ListenConfig{
 | <Reference id="onshutdownerror">OnShutdownError</Reference>             | `func(err error)`             | Allows to customize error behavior when gracefully shutting down the server by given signal.  Prints error with `log.Fatalf()`                | `nil`   |
 | <Reference id="onshutdownsuccess">OnShutdownSuccess</Reference>         | `func()`                      | Allows customizing success behavior when gracefully shutting down the server by given signal.                                                 | `nil`   |
 | <Reference id="tlsconfigfunc">TLSConfigFunc</Reference>                 | `func(tlsConfig *tls.Config)` | Allows customizing `tls.Config` as you want.                                                                                                  | `nil`   |
-| <Reference id="autocertmanager">AutoCertManager</Reference>                 | `func(tlsConfig *tls.Config)` | Manages TLS certificates automatically using the ACME protocol. Enables integration with Let's Encrypt or other ACME-compatible providers.                                                            | `nil`   |
+| <Reference id="autocertmanager">AutoCertManager</Reference>             | `*autocert.Manager`           | Manages TLS certificates automatically using the ACME protocol. Enables integration with Let's Encrypt or other ACME-compatible providers.    | `nil`   |
+| <Reference id="tlsminversion">TLSMinVersion</Reference>                 | `uint16`                      | Allows customizing the TLS minimum version.    | `tls.VersionTLS12`   |
 
 ### Listen
 

docs/whats_new.md

@@ -130,6 +130,14 @@ In this example, a custom context `CustomCtx` is created with an additional meth
 
 </details>
 
+### Configurable TLS Minimum Version
+
+We have added support for configuring the TLS minimum version. This field allows you to set the TLS minimum version for TLSAutoCert and the server listener.
+
+```go
+app.Listen(":444", fiber.ListenConfig{TLSMinVersion: tls.VersionTLS12})
+```
+
 #### TLS AutoCert support (ACME / Let's Encrypt)
 
 We have added native support for automatic certificates management from Let's Encrypt and any other ACME-based providers.

go.mod

@@ -11,7 +11,7 @@ require (
 	github.com/stretchr/testify v1.10.0
 	github.com/tinylib/msgp v1.2.5
 	github.com/valyala/bytebufferpool v1.0.0
-	github.com/valyala/fasthttp v1.57.0
+	github.com/valyala/fasthttp v1.58.0
 	golang.org/x/crypto v0.31.0
 )
 
@@ -24,7 +24,7 @@ require (
 	github.com/pmezard/go-difflib v1.0.0 // indirect
 	github.com/valyala/tcplisten v1.0.0 // indirect
 	github.com/x448/float16 v0.8.4 // indirect
-	golang.org/x/net v0.30.0 // indirect
+	golang.org/x/net v0.31.0 // indirect
 	golang.org/x/sys v0.28.0 // indirect
 	golang.org/x/text v0.21.0 // indirect
 	gopkg.in/yaml.v3 v3.0.1 // indirect

go.sum

@@ -27,8 +27,8 @@ github.com/tinylib/msgp v1.2.5 h1:WeQg1whrXRFiZusidTQqzETkRpGjFjcIhW6uqWH09po=
 github.com/tinylib/msgp v1.2.5/go.mod h1:ykjzy2wzgrlvpDCRc4LA8UXy6D8bzMSuAF3WD57Gok0=
 github.com/valyala/bytebufferpool v1.0.0 h1:GqA5TC/0021Y/b9FG4Oi9Mr3q7XYx6KllzawFIhcdPw=
 github.com/valyala/bytebufferpool v1.0.0/go.mod h1:6bBcMArwyJ5K/AmCkWv1jt77kVWyCJ6HpOuEn7z0Csc=
-github.com/valyala/fasthttp v1.57.0 h1:Xw8SjWGEP/+wAAgyy5XTvgrWlOD1+TxbbvNADYCm1Tg=
-github.com/valyala/fasthttp v1.57.0/go.mod h1:h6ZBaPRlzpZ6O3H5t2gEk1Qi33+TmLvfwgLLp0t9CpE=
+github.com/valyala/fasthttp v1.58.0 h1:GGB2dWxSbEprU9j0iMJHgdKYJVDyjrOwF9RE59PbRuE=
+github.com/valyala/fasthttp v1.58.0/go.mod h1:SYXvHHaFp7QZHGKSHmoMipInhrI5StHrhDTYVEjK/Kw=
 github.com/valyala/tcplisten v1.0.0 h1:rBHj/Xf+E1tRGZyWIWwJDiRY0zc1Js+CV5DqwacVSA8=
 github.com/valyala/tcplisten v1.0.0/go.mod h1:T0xQ8SeCZGxckz9qRXTfG43PvQ/mcWh7FwZEA7Ioqkc=
 github.com/x448/float16 v0.8.4 h1:qLwI1I70+NjRFUR3zs1JPUCgaCXSh3SW62uAKT1mSBM=
@@ -37,8 +37,8 @@ github.com/xyproto/randomstring v1.0.5 h1:YtlWPoRdgMu3NZtP45drfy1GKoojuR7hmRcnhZ
 github.com/xyproto/randomstring v1.0.5/go.mod h1:rgmS5DeNXLivK7YprL0pY+lTuhNQW3iGxZ18UQApw/E=
 golang.org/x/crypto v0.31.0 h1:ihbySMvVjLAeSH1IbfcRTkD/iNscyz8rGzjF/E5hV6U=
 golang.org/x/crypto v0.31.0/go.mod h1:kDsLvtWBEx7MV9tJOj9bnXsPbxwJQ6csT/x4KIN4Ssk=
-golang.org/x/net v0.30.0 h1:AcW1SDZMkb8IpzCdQUaIq2sP4sZ4zw+55h6ynffypl4=
-golang.org/x/net v0.30.0/go.mod h1:2wGyMJ5iFasEhkwi13ChkO/t1ECNC4X4eBKkVFyYFlU=
+golang.org/x/net v0.31.0 h1:68CPQngjLL0r2AlUKiSxtQFKvzRVbnzLwMUn5SzcLHo=
+golang.org/x/net v0.31.0/go.mod h1:P4fl1q7dY2hnZFxEk4pPSkDHF+QqjitcnDjUQyMM+pM=
 golang.org/x/sys v0.0.0-20220811171246-fbc7d0a398ab/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.6.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.28.0 h1:Fksou7UEQUWlKvIdsqzJmUmCX3cZuD2+P3XyyzwMhlA=

listen.go

@@ -108,6 +108,12 @@ type ListenConfig struct {
 	// Default: 10 * time.Second
 	ShutdownTimeout time.Duration `json:"shutdown_timeout"`
 
+	// TLSMinVersion allows to set TLS minimum version.
+	//
+	// Default: tls.VersionTLS12
+	// WARNING: TLS1.0 and TLS1.1 versions are not supported.
+	TLSMinVersion uint16 `json:"tls_min_version"`
+
 	// When set to true, it will not print out the «Fiber» ASCII art and listening address.
 	//
 	// Default: false
@@ -128,6 +134,7 @@ type ListenConfig struct {
 func listenConfigDefault(config ...ListenConfig) ListenConfig {
 	if len(config) < 1 {
 		return ListenConfig{
+			TLSMinVersion:   tls.VersionTLS12,
 			ListenerNetwork: NetworkTCP4,
 			OnShutdownError: func(err error) {
 				log.Fatalf("shutdown: %v", err) //nolint:revive // It's an option
@@ -147,6 +154,14 @@ func listenConfigDefault(config ...ListenConfig) ListenConfig {
 		}
 	}
 
+	if cfg.TLSMinVersion == 0 {
+		cfg.TLSMinVersion = tls.VersionTLS12
+	}
+
+	if cfg.TLSMinVersion != tls.VersionTLS12 && cfg.TLSMinVersion != tls.VersionTLS13 {
+		panic("unsupported TLS version, please use tls.VersionTLS12 or tls.VersionTLS13")
+	}
+
 	return cfg
 }
 
@@ -168,8 +183,8 @@ func (app *App) Listen(addr string, config ...ListenConfig) error {
 		}
 
 		tlsHandler := &TLSHandler{}
-		tlsConfig = &tls.Config{
-			MinVersion: tls.VersionTLS12,
+		tlsConfig = &tls.Config{ //nolint:gosec // This is a user input
+			MinVersion: cfg.TLSMinVersion,
 			Certificates: []tls.Certificate{
 				cert,
 			},
@@ -192,8 +207,8 @@ func (app *App) Listen(addr string, config ...ListenConfig) error {
 		// Attach the tlsHandler to the config
 		app.SetTLSHandler(tlsHandler)
 	} else if cfg.AutoCertManager != nil {
-		tlsConfig = &tls.Config{
-			MinVersion:     tls.VersionTLS12,
+		tlsConfig = &tls.Config{ //nolint:gosec // This is a user input
+			MinVersion:     cfg.TLSMinVersion,
 			GetCertificate: cfg.AutoCertManager.GetCertificate,
 			NextProtos:     []string{"http/1.1", "acme-tls/1"},
 		}

listen_test.go

@@ -236,6 +236,43 @@ func Test_Listen_Prefork(t *testing.T) {
 	require.NoError(t, app.Listen(":99999", ListenConfig{DisableStartupMessage: true, EnablePrefork: true}))
 }
 
+// go test -run Test_Listen_TLSMinVersion
+func Test_Listen_TLSMinVersion(t *testing.T) {
+	testPreforkMaster = true
+
+	app := New()
+
+	// Invalid TLSMinVersion
+	require.Panics(t, func() {
+		_ = app.Listen(":443", ListenConfig{TLSMinVersion: tls.VersionTLS10}) //nolint:errcheck // ignore error
+	})
+	require.Panics(t, func() {
+		_ = app.Listen(":443", ListenConfig{TLSMinVersion: tls.VersionTLS11}) //nolint:errcheck // ignore error
+	})
+
+	// Prefork
+	require.Panics(t, func() {
+		_ = app.Listen(":443", ListenConfig{DisableStartupMessage: true, EnablePrefork: true, TLSMinVersion: tls.VersionTLS10}) //nolint:errcheck // ignore error
+	})
+	require.Panics(t, func() {
+		_ = app.Listen(":443", ListenConfig{DisableStartupMessage: true, EnablePrefork: true, TLSMinVersion: tls.VersionTLS11}) //nolint:errcheck // ignore error
+	})
+
+	// Valid TLSMinVersion
+	go func() {
+		time.Sleep(1000 * time.Millisecond)
+		assert.NoError(t, app.Shutdown())
+	}()
+	require.NoError(t, app.Listen(":0", ListenConfig{TLSMinVersion: tls.VersionTLS13}))
+
+	// Valid TLSMinVersion with Prefork
+	go func() {
+		time.Sleep(1000 * time.Millisecond)
+		assert.NoError(t, app.Shutdown())
+	}()
+	require.NoError(t, app.Listen(":99999", ListenConfig{DisableStartupMessage: true, EnablePrefork: true, TLSMinVersion: tls.VersionTLS13}))
+}
+
 // go test -run Test_Listen_TLS
 func Test_Listen_TLS(t *testing.T) {
 	app := New()

middleware/session/middleware_test.go

@@ -166,25 +166,9 @@ func Test_Session_Middleware(t *testing.T) {
 	h(ctx)
 	require.Equal(t, fiber.StatusOK, ctx.Response.StatusCode())
 
-	// Verify the session cookie is set to expire
+	// Verify the session cookie has expired
 	setCookieHeader := string(ctx.Response.Header.Peek(fiber.HeaderSetCookie))
-	require.Contains(t, setCookieHeader, "expires=")
-	cookieParts := strings.Split(setCookieHeader, ";")
-	expired := false
-	for _, part := range cookieParts {
-		if strings.Contains(part, "expires=") {
-			part = strings.TrimSpace(part)
-			expiryDateStr := strings.TrimPrefix(part, "expires=")
-			// Correctly parse the date with "GMT" timezone
-			expiryDate, err := time.Parse(time.RFC1123, strings.TrimSpace(expiryDateStr))
-			require.NoError(t, err)
-			if expiryDate.Before(time.Now()) {
-				expired = true
-				break
-			}
-		}
-	}
-	require.True(t, expired, "Session cookie should be expired")
+	require.Contains(t, setCookieHeader, "max-age=0")
 
 	// Sleep so that the session expires
 	time.Sleep(1 * time.Second)