Default to TLS 1.2 as minimum version

[jmcampanini]

The stdlib's HTTP server allows TLS 1.0 / 1.1 connections by default. This library should be secure by default and require TLS 1.2 as the minimum TSL version.

This PR does the following:

• adds a new Param called WithTLSConfig which allows the user to set the TLS configuration
• adds a call to WithTLSConfig to the DefaultParams that sets the MinVersion to TLS 1.2

Downstream owners can opt out of using TLS 1.2 by adding their own Param or configuring their http/server themselves.

[derekjobst]

Do we need to add MinVersion to the TLSConfig struct? Perhaps adding these options set to their defaults in the example/config.yaml may help with discoverability as well?

[jmcampanini]

hrmm. i guess it depends on how we want to treat server.TLSConfig (as opposed to our YAML object) configuration: is it runtime configurable, specifically: will a single binary be deployed to different scenarios where we want to set the minimum TLS version.

considering TLS 1.0 and 1.1 have been widely deprecated since early 2020, i feel okay with the cost of downstream consumers that require TLS 1.0/1.1 support to explicitly add code to set the server.TLSConfig.MinVersion in their services.

[bluekeyes]

I think we should leave this as a code-only option until there are two or more places where having it as part of the configuration file would be useful.

[dreamlibrarian]

👍

[bluekeyes]

Setting the minimum TLS version to 1.2 when TLS is enabled sounds reasonable to me. A few things to consider:

1. Is the tls.Config struct ignored when calling ListenAndServe instead of ListenAndServeTLS?
2. WithTLSConfig() sounds reasonable but introduces a third way to modify these settings. Clients can currently use WithHTTPServer to provide a pre-configured server or use HTTPServer() to access and modify the underlying server instance before calling Start(). While modifying the server after creation always wins, it might not be clear how WithHTTPServer and WithTLSConfig interact if both are provided.

[bluekeyes]

I think we should leave this as a code-only option until there are two or more places where having it as part of the configuration file would be useful.

[bluekeyes]

s.server is nil when Param functions are called, unless WithHTTPServer appears earlier in the parameter list.

[jmcampanini]

Is the tls.Config struct ignored when calling ListenAndServe instead of ListenAndServeTLS?

ListenAndServeTLS calls srv.ServeTLS, while ListenAndServe calls srv.Serve. they end up using different listeners (and the listener is what is constructed with the TLSConfig), so the ListenAndServe doesn't need/use the TLSConfig.

WithTLSConfig() sounds reasonable but introduces a third way to modify these settings... it might not be clear how WithHTTPServer and WithTLSConfig interact if both are provided.

this makes sense to me. I've changed the impl to just create the http.Server with the TLSConfig.MinVersion already set. there is now only 1 Params way of modifying the http.Server.