Remove old tls versions 1.0, 1.1 from allowed tls versions

gogatekeeper · Oct 28, 2024 · 35bfe7e · 35bfe7e
1 parent fc55a3e
commit 35bfe7e
Show file tree

Hide file tree

Showing 6 changed files with 7 additions and 15 deletions.
diff --git a/docs/content/configuration/_index.md b/docs/content/configuration/_index.md
@@ -87,7 +87,7 @@ weight: 2
 |    --match-claims value                    | keypair values for matching access token claims e.g. aud=myapp, iss=http://example.* | |
 |    --add-claims value                      | extra claims from the token and inject into headers, e.g given_name -> X-Auth-Given-Name | |
 |    --enable-uma-method-scope               | enables passing request method as 'method:GET' scope to keycloak for authorization | false | PROXY_ENABLE_UMA_METHOD_SCOPE
-|    --tls-min-version                       | specify server minimal TLS version one of tlsv1.0,tlsv1.1,tlsv1.2,tlsv1.3 | | TLS_MIN_VERSION |
+|    --tls-min-version                       | specify server minimal TLS version one of tlsv1.2,tlsv1.3 | | TLS_MIN_VERSION |
 |    --tls-cert value                        | path to ths TLS certificate | | PROXY_TLS_CERTIFICATE
 |    --tls-private-key value                 | path to the private key for TLS | | PROXY_TLS_PRIVATE_KEY
 |    --tls-ca-certificate value              | path to the ca certificate used for signing requests | | PROXY_TLS_CA_CERTIFICATE

diff --git a/pkg/google/config/config.go b/pkg/google/config/config.go
@@ -82,7 +82,7 @@ type Config struct {
 	TLSCaCertificate                string                    `env:"TLS_CA_CERTIFICATE" json:"tls-ca-certificate" usage:"path to the ca certificate used for signing requests" yaml:"tls-ca-certificate"`
 	TLSCaPrivateKey                 string                    `env:"TLS_CA_PRIVATE_KEY" json:"tls-ca-key" usage:"path the ca private key, used by the forward signing proxy" yaml:"tls-ca-key"`
 	TLSClientCertificate            string                    `env:"TLS_CLIENT_CERTIFICATE" json:"tls-client-certificate" usage:"path to the client certificate for outbound connections in reverse and forwarding proxy modes" yaml:"tls-client-certificate"`
-	TLSMinVersion                   string                    `env:"TLS_MIN_VERSION" json:"tls-min-version" usage:"specify server minimal TLS version one of tlsv1.0,tlsv1.1,tlsv1.2,tlsv1.3" yaml:"tls-min-version"`
+	TLSMinVersion                   string                    `env:"TLS_MIN_VERSION" json:"tls-min-version" usage:"specify server minimal TLS version one of tlsv1.2,tlsv1.3" yaml:"tls-min-version"`
 	TLSAdminCertificate             string                    `env:"TLS_ADMIN_CERTIFICATE" json:"tls-admin-cert" usage:"path to ths TLS certificate" yaml:"tls-admin-cert"`
 	TLSAdminPrivateKey              string                    `env:"TLS_ADMIN_PRIVATE_KEY" json:"tls-admin-private-key" usage:"path to the private key for TLS" yaml:"tls-admin-private-key"`
 	TLSAdminCaCertificate           string                    `env:"TLS_ADMIN_CA_CERTIFICATE" json:"tls-admin-ca-certificate" usage:"path to the ca certificate used for signing requests" yaml:"tls-admin-ca-certificate"`
@@ -485,8 +485,6 @@ func (r *Config) isTLSMinValid() error {
 	switch strings.ToLower(r.TLSMinVersion) {
 	case "":
 		return apperrors.ErrMinimalTLSVersionEmpty
-	case "tlsv1.0":
-	case "tlsv1.1":
 	case "tlsv1.2":
 	case "tlsv1.3":
 	default:

diff --git a/pkg/keycloak/config/config.go b/pkg/keycloak/config/config.go
@@ -87,7 +87,7 @@ type Config struct {
 	TLSCaCertificate                string                    `env:"TLS_CA_CERTIFICATE" json:"tls-ca-certificate" usage:"path to the ca certificate used for signing requests" yaml:"tls-ca-certificate"`
 	TLSCaPrivateKey                 string                    `env:"TLS_CA_PRIVATE_KEY" json:"tls-ca-key" usage:"path the ca private key, used by the forward signing proxy" yaml:"tls-ca-key"`
 	TLSClientCertificate            string                    `env:"TLS_CLIENT_CERTIFICATE" json:"tls-client-certificate" usage:"path to the client certificate for outbound connections in reverse and forwarding proxy modes" yaml:"tls-client-certificate"`
-	TLSMinVersion                   string                    `env:"TLS_MIN_VERSION" json:"tls-min-version" usage:"specify server minimal TLS version one of tlsv1.0,tlsv1.1,tlsv1.2,tlsv1.3" yaml:"tls-min-version"`
+	TLSMinVersion                   string                    `env:"TLS_MIN_VERSION" json:"tls-min-version" usage:"specify server minimal TLS version one of tlsv1.2,tlsv1.3" yaml:"tls-min-version"`
 	TLSAdminCertificate             string                    `env:"TLS_ADMIN_CERTIFICATE" json:"tls-admin-cert" usage:"path to ths TLS certificate" yaml:"tls-admin-cert"`
 	TLSAdminPrivateKey              string                    `env:"TLS_ADMIN_PRIVATE_KEY" json:"tls-admin-private-key" usage:"path to the private key for TLS" yaml:"tls-admin-private-key"`
 	TLSAdminCaCertificate           string                    `env:"TLS_ADMIN_CA_CERTIFICATE" json:"tls-admin-ca-certificate" usage:"path to the ca certificate used for signing requests" yaml:"tls-admin-ca-certificate"`
@@ -491,8 +491,6 @@ func (r *Config) isTLSMinValid() error {
 	switch strings.ToLower(r.TLSMinVersion) {
 	case "":
 		return apperrors.ErrMinimalTLSVersionEmpty
-	case "tlsv1.0":
-	case "tlsv1.1":
 	case "tlsv1.2":
 	case "tlsv1.3":
 	default:

diff --git a/pkg/keycloak/config/config_test.go b/pkg/keycloak/config/config_test.go
@@ -1210,14 +1210,14 @@ func TestIsTLSMinValid(t *testing.T) {
 			Config: &Config{
 				TLSMinVersion: "tlsv1.0",
 			},
-			Valid: true,
+			Valid: false,
 		},
 		{
 			Name: "ValidTLS1.1",
 			Config: &Config{
 				TLSMinVersion: "tlsv1.1",
 			},
-			Valid: true,
+			Valid: false,
 		},
 		{
 			Name: "ValidTLS1.2",

diff --git a/pkg/keycloak/proxy/server.go b/pkg/keycloak/proxy/server.go
@@ -1119,10 +1119,6 @@ func makeListenerConfig(config *config.Config) listenerConfig {
 	switch strings.ToLower(config.TLSMinVersion) {
 	case "":
 		minTLSVersion = 0 // zero means default value
-	case "tlsv1.0":
-		minTLSVersion = tls.VersionTLS10
-	case "tlsv1.1":
-		minTLSVersion = tls.VersionTLS11
 	case "tlsv1.2":
 		minTLSVersion = tls.VersionTLS12
 	case "tlsv1.3":

diff --git a/pkg/testsuite/server_test.go b/pkg/testsuite/server_test.go
@@ -1870,15 +1870,15 @@ func TestTLS(t *testing.T) {
 				conf.TLSPrivateKey = os.TempDir() + FakePrivFilePrefix + strconv.Itoa(rand.Intn(10000))
 				conf.TLSCaCertificate = os.TempDir() + FakeCaFilePrefix + strconv.Itoa(rand.Intn(10000))
 				conf.Listen = testProxyAddr
-				conf.TLSMinVersion = "tlsv1.0"
+				conf.TLSMinVersion = "tlsv1.3"
 				conf.NoRedirects = true
 			},
 			ExecutionSettings: []fakeRequest{
 				{
 					URL:          fmt.Sprintf("https://%s/test", testProxyAddr),
 					ExpectedCode: http.StatusUnauthorized,
 					RequestCA:    fakeCA,
-					TLSMin:       tls.VersionTLS10,
+					TLSMin:       tls.VersionTLS13,
 					Redirects:    false,
 				},
 			},