diff --git a/common/common_test.go b/common/common_test.go
index e7ce72b3..cc610e36 100644
--- a/common/common_test.go
+++ b/common/common_test.go
@@ -1,6 +1,7 @@
 package common
 import (
+ "crypto/tls"
 "encoding/json"
 "fmt"
 "net"
@@ -869,6 +870,17 @@ func TestUserPerms(t *testing.T) {
 assert.True(t, u.HasPermsRenameAll("/"))
 }
+func TestGetTLSVersion(t *testing.T) {
+ tlsVer := util.GetTLSVersion(0)
+ assert.Equal(t, uint16(tls.VersionTLS12), tlsVer)
+ tlsVer = util.GetTLSVersion(12)
+ assert.Equal(t, uint16(tls.VersionTLS12), tlsVer)
+ tlsVer = util.GetTLSVersion(2)
+ assert.Equal(t, uint16(tls.VersionTLS12), tlsVer)
+ tlsVer = util.GetTLSVersion(13)
+ assert.Equal(t, uint16(tls.VersionTLS13), tlsVer)
+}
+
 func BenchmarkBcryptHashing(b *testing.B) {
 bcryptPassword := "bcryptpassword"
 for i := 0; i < b.N; i++ {
diff --git a/config/config.go b/config/config.go
index 03990df5..1f666eac 100644
--- a/config/config.go
+++ b/config/config.go
@@ -52,6 +52,7 @@ var (
 Port: 0,
 ApplyProxyConfig: true,
 TLSMode: 0,
+ MinTLSVersion: 12,
 ForcePassiveIP: "",
 PassiveIPOverrides: nil,
 ClientAuthType: 0,
@@ -64,6 +65,7 @@ var (
 Address: "",
 Port: 0,
 EnableHTTPS: false,
+ MinTLSVersion: 12,
 ClientAuthType: 0,
 TLSCipherSuites: nil,
 Prefix: "",
@@ -75,6 +77,7 @@ var (
 EnableWebAdmin: true,
 EnableWebClient: true,
 EnableHTTPS: false,
+ MinTLSVersion: 12,
 ClientAuthType: 0,
 TLSCipherSuites: nil,
 ProxyAllowed: nil,
@@ -333,6 +336,7 @@ func Init() {
 AuthUserFile: "",
 CertificateFile: "",
 CertificateKeyFile: "",
+ MinTLSVersion: 12,
 TLSCipherSuites: nil,
 },
 PluginsConfig: nil,
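Review bot: TestGetTLSVersion pins the fallback for 0, 2 and 12 but never for a value above 13, so the test does not document whether an unknown higher value is meant to fall back to TLS 1.2 or to the newest supported version. One more pair, `tlsVer = util.GetTLSVersion(14)` followed by `assert.Equal(t, uint16(tls.VersionTLS12), tlsVer)`, would make that contract explicit and would catch a later change that turns the `default` arm into a "highest available" choice.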
@@ -916,14 +920,19 @@ func getFTPDPassiveIPOverridesFromEnv(idx int) []ftpd.PassiveIPOverride {
 return overrides
 }
-func getFTPDBindingFromEnv(idx int) {
+func getDefaultFTPDBinding(idx int) ftpd.Binding {
 binding := ftpd.Binding{
 ApplyProxyConfig: true,
+ MinTLSVersion: 12,
 }
 if len(globalConf.FTPD.Bindings) > idx {
 binding = globalConf.FTPD.Bindings[idx]
 }
+ return binding
+}
+func getFTPDBindingFromEnv(idx int) {
+ binding := getDefaultFTPDBinding(idx)
 isSet := false
 port, ok := lookupIntFromEnv(fmt.Sprintf("SFTPGO_FTPD__BINDINGS__%v__PORT", idx))
@@ -950,6 +959,12 @@ func getFTPDBindingFromEnv(idx int) {
 isSet = true
 }
+ tlsVer, ok := lookupIntFromEnv(fmt.Sprintf("SFTPGO_FTPD__BINDINGS__%v__MIN_TLS_VERSION", idx))
+ if ok {
+ binding.MinTLSVersion = int(tlsVer)
+ isSet = true
+ }
+
 passiveIP, ok := os.LookupEnv(fmt.Sprintf("SFTPGO_FTPD__BINDINGS__%v__FORCE_PASSIVE_IP", idx))
 if ok {
 binding.ForcePassiveIP = passiveIP
@@ -1002,7 +1017,9 @@ func getFTPDBindingFromEnv(idx int) {
 }
 func getWebDAVDBindingFromEnv(idx int) {
- binding := webdavd.Binding{}
+ binding := webdavd.Binding{
+ MinTLSVersion: 12,
+ }
 if len(globalConf.WebDAVD.Bindings) > idx {
 binding = globalConf.WebDAVD.Bindings[idx]
 }
@@ -1027,6 +1044,12 @@ func getWebDAVDBindingFromEnv(idx int) {
 isSet = true
 }
+ tlsVer, ok := lookupIntFromEnv(fmt.Sprintf("SFTPGO_WEBDAVD__BINDINGS__%v__MIN_TLS_VERSION", idx))
+ if ok {
+ binding.MinTLSVersion = int(tlsVer)
+ isSet = true
+ }
+
 clientAuthType, ok := lookupIntFromEnv(fmt.Sprintf("SFTPGO_WEBDAVD__BINDINGS__%v__CLIENT_AUTH_TYPE", idx))
 if ok {
 binding.ClientAuthType = int(clientAuthType)
@@ -1133,6 +1156,7 @@ func getDefaultHTTPBinding(idx int) httpd.Binding {
 EnableWebAdmin: true,
 EnableWebClient: true,
 RenderOpenAPI: true,
+ MinTLSVersion: 12,
 }
 if len(globalConf.HTTPDConfig.Bindings) > idx {
 binding = globalConf.HTTPDConfig.Bindings[idx]
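Review bot: The integer read from `SFTPGO_FTPD__BINDINGS__%v__MIN_TLS_VERSION` is stored into binding.MinTLSVersion with no range check, so an operator value such as 3 or 1 (meaning TLS 1.3) is accepted here and later mapped by util.GetTLSVersion to TLS 1.2 with no diagnostic; the WEBDAVD hunk on this line and the HTTPD hunk that follows have the same gap. Emitting a warning at parse time when the value is neither 12 nor 13, while still treating 0 as "unset" for older config files, would surface the mistake instead of silently serving a lower minimum than intended. As a style point, getWebDAVDBindingFromEnv keeps its default inline while FTPD and HTTPD now go through getDefaultFTPDBinding and getDefaultHTTPBinding; a matching getDefaultWebDAVDBinding would keep the three paths parallel.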
@@ -1142,7 +1166,6 @@ func getDefaultHTTPBinding(idx int) httpd.Binding {
 func getHTTPDBindingFromEnv(idx int) {
 binding := getDefaultHTTPBinding(idx)
-
 isSet := false
 port, ok := lookupIntFromEnv(fmt.Sprintf("SFTPGO_HTTPD__BINDINGS__%v__PORT", idx))
@@ -1187,6 +1210,12 @@ func getHTTPDBindingFromEnv(idx int) {
 isSet = true
 }
+ tlsVer, ok := lookupIntFromEnv(fmt.Sprintf("SFTPGO_HTTPD__BINDINGS__%v__MIN_TLS_VERSION", idx))
+ if ok {
+ binding.MinTLSVersion = int(tlsVer)
+ isSet = true
+ }
+
 clientAuthType, ok := lookupIntFromEnv(fmt.Sprintf("SFTPGO_HTTPD__BINDINGS__%v__CLIENT_AUTH_TYPE", idx))
 if ok {
 binding.ClientAuthType = int(clientAuthType)
@@ -1217,6 +1246,10 @@ func getHTTPDBindingFromEnv(idx int) {
 isSet = true
 }
+ setHTTPDBinding(isSet, binding, idx)
+}
+
+func setHTTPDBinding(isSet bool, binding httpd.Binding, idx int) {
 if isSet {
 if len(globalConf.HTTPDConfig.Bindings) > idx {
 globalConf.HTTPDConfig.Bindings[idx] = binding
@@ -1417,6 +1450,7 @@ func setViperDefaults() {
 viper.SetDefault("telemetry.auth_user_file", globalConf.TelemetryConfig.AuthUserFile)
 viper.SetDefault("telemetry.certificate_file", globalConf.TelemetryConfig.CertificateFile)
 viper.SetDefault("telemetry.certificate_key_file", globalConf.TelemetryConfig.CertificateKeyFile)
+ viper.SetDefault("telemetry.min_tls_version", globalConf.TelemetryConfig.MinTLSVersion)
 viper.SetDefault("telemetry.tls_cipher_suites", globalConf.TelemetryConfig.TLSCipherSuites)
 viper.SetDefault("smtp.host", globalConf.SMTPConfig.Host)
 viper.SetDefault("smtp.port", globalConf.SMTPConfig.Port)
diff --git a/config/config_test.go b/config/config_test.go
index 49149168..2bd594ca 100644
--- a/config/config_test.go
+++ b/config/config_test.go
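Review bot: setHTTPDBinding, introduced in the @@ -1217 hunk on this line, has no doc comment and its name reads as an unconditional setter even though everything it does is gated on isSet; its body continues past the hunk. A one-liner such as `// setHTTPDBinding stores binding as the HTTPD binding at index idx, but only when isSet reports that at least one field came from the environment.` would tell a reader why the call site passes the flag instead of checking it itself.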
@@ -663,6 +663,7 @@ func TestFTPDBindingsFromEnv(t *testing.T) {
 os.Setenv("SFTPGO_FTPD__BINDINGS__9__ADDRESS", "127.0.1.1")
 os.Setenv("SFTPGO_FTPD__BINDINGS__9__PORT", "2203")
 os.Setenv("SFTPGO_FTPD__BINDINGS__9__TLS_MODE", "1")
+ os.Setenv("SFTPGO_FTPD__BINDINGS__9__MIN_TLS_VERSION", "13")
 os.Setenv("SFTPGO_FTPD__BINDINGS__9__FORCE_PASSIVE_IP", "127.0.1.1")
 os.Setenv("SFTPGO_FTPD__BINDINGS__9__PASSIVE_IP_OVERRIDES__3__IP", "192.168.1.1")
 os.Setenv("SFTPGO_FTPD__BINDINGS__9__PASSIVE_IP_OVERRIDES__3__NETWORKS", "192.168.1.0/24, 192.168.3.0/25")
@@ -682,6 +683,7 @@ func TestFTPDBindingsFromEnv(t *testing.T) {
 os.Unsetenv("SFTPGO_FTPD__BINDINGS__9__ADDRESS")
 os.Unsetenv("SFTPGO_FTPD__BINDINGS__9__PORT")
 os.Unsetenv("SFTPGO_FTPD__BINDINGS__9__TLS_MODE")
+ os.Unsetenv("SFTPGO_FTPD__BINDINGS__9__MIN_TLS_VERSION")
 os.Unsetenv("SFTPGO_FTPD__BINDINGS__9__FORCE_PASSIVE_IP")
 os.Unsetenv("SFTPGO_FTPD__BINDINGS__9__PASSIVE_IP_OVERRIDES__3__IP")
 os.Unsetenv("SFTPGO_FTPD__BINDINGS__9__PASSIVE_IP_OVERRIDES__3__NETWORKS")
@@ -699,6 +701,7 @@ func TestFTPDBindingsFromEnv(t *testing.T) {
 require.Equal(t, "127.0.0.1", bindings[0].Address)
 require.False(t, bindings[0].ApplyProxyConfig)
 require.Equal(t, 2, bindings[0].TLSMode)
+ require.Equal(t, 12, bindings[0].MinTLSVersion)
 require.Equal(t, "127.0.1.2", bindings[0].ForcePassiveIP)
 require.Len(t, bindings[0].PassiveIPOverrides, 0)
 require.Equal(t, 0, bindings[0].ClientAuthType)
@@ -712,6 +715,7 @@ func TestFTPDBindingsFromEnv(t *testing.T) {
 require.Equal(t, "127.0.1.1", bindings[1].Address)
 require.True(t, bindings[1].ApplyProxyConfig) // default value
 require.Equal(t, 1, bindings[1].TLSMode)
+ require.Equal(t, 13, bindings[1].MinTLSVersion)
 require.Equal(t, "127.0.1.1", bindings[1].ForcePassiveIP)
 require.Len(t, bindings[1].PassiveIPOverrides, 1)
 require.Equal(t, "192.168.1.1", bindings[1].PassiveIPOverrides[0].IP)
@@ -736,6 +740,7 @@ func TestWebDAVBindingsFromEnv(t *testing.T) {
 os.Setenv("SFTPGO_WEBDAVD__BINDINGS__2__ADDRESS", "127.0.1.1")
 os.Setenv("SFTPGO_WEBDAVD__BINDINGS__2__PORT", "9000")
 os.Setenv("SFTPGO_WEBDAVD__BINDINGS__2__ENABLE_HTTPS", "1")
+ os.Setenv("SFTPGO_WEBDAVD__BINDINGS__2__MIN_TLS_VERSION", "13")
 os.Setenv("SFTPGO_WEBDAVD__BINDINGS__2__CLIENT_AUTH_TYPE", "1")
 os.Setenv("SFTPGO_WEBDAVD__BINDINGS__2__PREFIX", "/dav2")
 t.Cleanup(func() {
@@ -747,6 +752,7 @@ func TestWebDAVBindingsFromEnv(t *testing.T) {
 os.Unsetenv("SFTPGO_WEBDAVD__BINDINGS__2__ADDRESS")
 os.Unsetenv("SFTPGO_WEBDAVD__BINDINGS__2__PORT")
 os.Unsetenv("SFTPGO_WEBDAVD__BINDINGS__2__ENABLE_HTTPS")
+ os.Unsetenv("SFTPGO_WEBDAVD__BINDINGS__2__MIN_TLS_VERSION")
 os.Unsetenv("SFTPGO_WEBDAVD__BINDINGS__2__CLIENT_AUTH_TYPE")
 os.Unsetenv("SFTPGO_WEBDAVD__BINDINGS__2__PREFIX")
 })
@@ -759,11 +765,13 @@ func TestWebDAVBindingsFromEnv(t *testing.T) {
 require.Equal(t, 0, bindings[0].Port)
 require.Empty(t, bindings[0].Address)
 require.False(t, bindings[0].EnableHTTPS)
+ require.Equal(t, 12, bindings[0].MinTLSVersion)
 require.Len(t, bindings[0].TLSCipherSuites, 0)
 require.Empty(t, bindings[0].Prefix)
 require.Equal(t, 8000, bindings[1].Port)
 require.Equal(t, "127.0.0.1", bindings[1].Address)
 require.False(t, bindings[1].EnableHTTPS)
+ require.Equal(t, 12, bindings[1].MinTLSVersion)
 require.Equal(t, 0, bindings[1].ClientAuthType)
 require.Len(t, bindings[1].TLSCipherSuites, 1)
 require.Equal(t, "TLS_RSA_WITH_AES_128_CBC_SHA", bindings[1].TLSCipherSuites[0])
@@ -772,6 +780,7 @@ func TestWebDAVBindingsFromEnv(t *testing.T) {
 require.Equal(t, 9000, bindings[2].Port)
 require.Equal(t, "127.0.1.1", bindings[2].Address)
 require.True(t, bindings[2].EnableHTTPS)
+ require.Equal(t, 13, bindings[2].MinTLSVersion)
 require.Equal(t, 1, bindings[2].ClientAuthType)
 require.Nil(t, bindings[2].TLSCipherSuites)
 require.Equal(t, "/dav2", bindings[2].Prefix)
@@ -795,6 +804,7 @@ func TestHTTPDBindingsFromEnv(t *testing.T) {
 os.Setenv("SFTPGO_HTTPD__BINDINGS__2__ENABLE_WEB_CLIENT", "0")
 os.Setenv("SFTPGO_HTTPD__BINDINGS__2__RENDER_OPENAPI", "0")
 os.Setenv("SFTPGO_HTTPD__BINDINGS__2__ENABLE_HTTPS", "1 ")
+ os.Setenv("SFTPGO_HTTPD__BINDINGS__2__MIN_TLS_VERSION", "13")
 os.Setenv("SFTPGO_HTTPD__BINDINGS__2__CLIENT_AUTH_TYPE", "1")
 os.Setenv("SFTPGO_HTTPD__BINDINGS__2__TLS_CIPHER_SUITES", " TLS_AES_256_GCM_SHA384 , TLS_CHACHA20_POLY1305_SHA256")
 os.Setenv("SFTPGO_HTTPD__BINDINGS__2__PROXY_ALLOWED", " 192.168.9.1 , 172.16.25.0/24")
@@ -820,6 +830,7 @@ func TestHTTPDBindingsFromEnv(t *testing.T) {
 os.Unsetenv("SFTPGO_HTTPD__BINDINGS__2__ADDRESS")
 os.Unsetenv("SFTPGO_HTTPD__BINDINGS__2__PORT")
 os.Unsetenv("SFTPGO_HTTPD__BINDINGS__2__ENABLE_HTTPS")
+ os.Unsetenv("SFTPGO_HTTPD__BINDINGS__2__MIN_TLS_VERSION")
 os.Unsetenv("SFTPGO_HTTPD__BINDINGS__2__ENABLE_WEB_ADMIN")
 os.Unsetenv("SFTPGO_HTTPD__BINDINGS__2__ENABLE_WEB_CLIENT")
 os.Unsetenv("SFTPGO_HTTPD__BINDINGS__2__RENDER_OPENAPI")
@@ -847,6 +858,7 @@ func TestHTTPDBindingsFromEnv(t *testing.T) {
 require.Equal(t, 0, bindings[0].Port)
 require.Equal(t, sockPath, bindings[0].Address)
 require.False(t, bindings[0].EnableHTTPS)
+ require.Equal(t, 12, bindings[0].MinTLSVersion)
 require.True(t, bindings[0].EnableWebAdmin)
 require.True(t, bindings[0].EnableWebClient)
 require.True(t, bindings[0].RenderOpenAPI)
@@ -857,6 +869,7 @@ func TestHTTPDBindingsFromEnv(t *testing.T) {
 require.Equal(t, 8000, bindings[1].Port)
 require.Equal(t, "127.0.0.1", bindings[1].Address)
 require.False(t, bindings[1].EnableHTTPS)
+ require.Equal(t, 12, bindings[0].MinTLSVersion)
 require.True(t, bindings[1].EnableWebAdmin)
 require.True(t, bindings[1].EnableWebClient)
 require.True(t, bindings[1].RenderOpenAPI)
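Review bot: In the @@ -857,6 +869,7 hunk the added line `require.Equal(t, 12, bindings[0].MinTLSVersion)` sits inside the block that asserts on bindings[1] (port 8000, address 127.0.0.1), so it re-checks the first binding and leaves the second binding's default unverified; it should read `require.Equal(t, 12, bindings[1].MinTLSVersion)`. As written the test still passes if the default is not applied to bindings[1], which is exactly the case the assertion was meant to cover.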
@@ -866,6 +879,7 @@ func TestHTTPDBindingsFromEnv(t *testing.T) {
 require.Equal(t, 9000, bindings[2].Port)
 require.Equal(t, "127.0.1.1", bindings[2].Address)
 require.True(t, bindings[2].EnableHTTPS)
+ require.Equal(t, 13, bindings[2].MinTLSVersion)
 require.False(t, bindings[2].EnableWebAdmin)
 require.False(t, bindings[2].EnableWebClient)
 require.False(t, bindings[2].RenderOpenAPI)
diff --git a/docs/full-configuration.md b/docs/full-configuration.md
index e09d98bb..edac2e85 100644
--- a/docs/full-configuration.md
+++ b/docs/full-configuration.md
@@ -121,6 +121,7 @@ The configuration file contains the following sections:
 - `address`, string. Leave blank to listen on all available network interfaces. Default: "".
 - `apply_proxy_config`, boolean. If enabled the common proxy configuration, if any, will be applied. Please note that we expect the proxy header on control and data connections. Default `true`.
 - `tls_mode`, integer. 0 means accept both cleartext and encrypted sessions. 1 means TLS is required for both control and data connection. 2 means implicit TLS. Do not enable this blindly, please check that a proper TLS config is in place if you set `tls_mode` is different from 0.
+ - `min_tls_version`, integer. Defines the minimum version of TLS to be enabled. `12` means TLS 1.2 (and therefore TLS 1.2 and TLS 1.3 will be enabled),`13` means TLS 1.3. Default: `12`.
 - `force_passive_ip`, ip address. External IP address to expose for passive connections. Leavy empty to autodetect. If not empty, it must be a valid IPv4 address. Defaut: "".
 - `passive_ip_overrides`, list of struct that allows to return a different passive ip based on the client IP address. Each struct has the following fields:
 - `networks`, list of strings. Each string must define a network in CIDR notation, for example 192.168.1.0/24.
@@ -147,6 +148,7 @@ The configuration file contains the following sections:
 - `port`, integer. The port used for serving WebDAV requests. 0 means disabled. Default: 0.
 - `address`, string. Leave blank to listen on all available network interfaces. Default: "".
 - `enable_https`, boolean. Set to `true` and provide both a certificate and a key file to enable HTTPS connection for this binding. Default `false`.
+ - `min_tls_version`, integer. Defines the minimum version of TLS to be enabled. `12` means TLS 1.2 (and therefore TLS 1.2 and TLS 1.3 will be enabled),`13` means TLS 1.3. Default: `12`.
 - `client_auth_type`, integer. Set to `1` to require a client certificate and verify it. Set to `2` to request a client certificate during the TLS handshake and verify it if given, in this mode the client is allowed not to send a certificate. At least one certification authority must be defined in order to verify client certificates. If no certification authority is defined, this setting is ignored. Default: 0.
 - `tls_cipher_suites`, list of strings. List of supported cipher suites for TLS version 1.2. If empty, a default list of secure cipher suites is used, with a preference order based on hardware performance. Note that TLS 1.3 ciphersuites are not configurable. The supported ciphersuites names are defined [here](https://github.com/golang/go/blob/master/src/crypto/tls/cipher_suites.go#L52). Any invalid name will be silently ignored. The order matters, the ciphers listed first will be the preferred ones. Default: empty.
 - `prefix`, string. Prefix for WebDAV resources, if empty WebDAV resources will be available at the `/` URI. If defined it must be an absolute URI, for example `/dav`. Default: "".
@@ -225,6 +227,7 @@ The configuration file contains the following sections:
 - `enable_web_admin`, boolean. Set to `false` to disable the built-in web admin for this binding. You also need to define `templates_path` and `static_files_path` to use the built-in web admin interface. Default `true`.
 - `enable_web_client`, boolean. Set to `false` to disable the built-in web client for this binding. You also need to define `templates_path` and `static_files_path` to use the built-in web client interface. Default `true`.
 - `enable_https`, boolean. Set to `true` and provide both a certificate and a key file to enable HTTPS connection for this binding. Default `false`.
+ - `min_tls_version`, integer. Defines the minimum version of TLS to be enabled. `12` means TLS 1.2 (and therefore TLS 1.2 and TLS 1.3 will be enabled),`13` means TLS 1.3. Default: `12`.
 - `client_auth_type`, integer. Set to `1` to require client certificate authentication in addition to JWT/Web authentication. You need to define at least a certificate authority for this to work. Default: 0.
 - `tls_cipher_suites`, list of strings. List of supported cipher suites for TLS version 1.2. If empty, a default list of secure cipher suites is used, with a preference order based on hardware performance. Note that TLS 1.3 ciphersuites are not configurable. The supported ciphersuites names are defined [here](https://github.com/golang/go/blob/master/src/crypto/tls/cipher_suites.go#L52). Any invalid name will be silently ignored. The order matters, the ciphers listed first will be the preferred ones. Default: blank.
 - `proxy_allowed`, list of IP addresses and IP ranges allowed to set `X-Forwarded-For`, `X-Real-IP`, `X-Forwarded-Proto`, `CF-Connecting-IP`, `True-Client-IP` headers. Any of the indicated headers, if set on requests from a connection address not in this list, will be silently ignored. Default: blank.
@@ -266,6 +269,7 @@ The configuration file contains the following sections:
 - `auth_user_file`, string. Path to a file used to store usernames and passwords for basic authentication. This can be an absolute path or a path relative to the config dir. We support HTTP basic authentication, and the file format must conform to the one generated using the Apache `htpasswd` tool. The supported password formats are bcrypt (`$2y$` prefix) and md5 crypt (`$apr1$` prefix). If empty, HTTP authentication is disabled. Authentication will be always disabled for the `/healthz` endpoint.
 - `certificate_file`, string. Certificate for HTTPS. This can be an absolute path or a path relative to the config dir.
 - `certificate_key_file`, string. Private key matching the above certificate. This can be an absolute path or a path relative to the config dir. If both the certificate and the private key are provided, the server will expect HTTPS connections. Certificate and key files can be reloaded on demand sending a `SIGHUP` signal on Unix based systems and a `paramchange` request to the running service on Windows.
+ - `min_tls_version`, integer. Defines the minimum version of TLS to be enabled. `12` means TLS 1.2 (and therefore TLS 1.2 and TLS 1.3 will be enabled),`13` means TLS 1.3. Default: `12`.
 - `tls_cipher_suites`, list of strings. List of supported cipher suites for TLS version 1.2. If empty, a default list of secure cipher suites is used, with a preference order based on hardware performance. Note that TLS 1.3 ciphersuites are not configurable. The supported ciphersuites names are defined [here](https://github.com/golang/go/blob/master/src/crypto/tls/cipher_suites.go#L52). Any invalid name will be silently ignored. The order matters, the ciphers listed first will be the preferred ones. Default: empty.
 - **"http"**, the configuration for HTTP clients. HTTP clients are used for executing hooks.
Some hooks use a retryable HTTP client, for these hooks you can configure the time between retries and the number of retries. Please check the hook specific documentation to understand which hooks use a retryable HTTP client.
 - `timeout`, float. Timeout specifies a time limit, in seconds, for requests. For requests with retries this is the timeout for a single request
diff --git a/ftpd/ftpd.go b/ftpd/ftpd.go
index 31d597dd..108ed3ff 100644
--- a/ftpd/ftpd.go
+++ b/ftpd/ftpd.go
@@ -43,6 +43,8 @@ type Binding struct {
 // Set to 1 to require TLS for both data and control connection.
 // Set to 2 to enable implicit TLS
 TLSMode int `json:"tls_mode" mapstructure:"tls_mode"`
+ // Defines the minimum TLS version. 13 means TLS 1.3, default is TLS 1.2
+ MinTLSVersion int `json:"min_tls_version" mapstructure:"min_tls_version"`
 // External IP address to expose for passive connections.
 ForcePassiveIP string `json:"force_passive_ip" mapstructure:"force_passive_ip"`
 // PassiveIPOverrides allows to define different IP addresses to expose for passive connections
diff --git a/ftpd/server.go b/ftpd/server.go
index 9055fc8c..8c0fdf60 100644
--- a/ftpd/server.go
+++ b/ftpd/server.go
@@ -262,7 +262,7 @@ func (s *Server) buildTLSConfig() {
 if certMgr != nil {
 s.tlsConfig = &tls.Config{
 GetCertificate: certMgr.GetCertificateFunc(),
- MinVersion: tls.VersionTLS12,
+ MinVersion: util.GetTLSVersion(s.binding.MinTLSVersion),
 CipherSuites: s.binding.ciphers,
 PreferServerCipherSuites: true,
 }
diff --git a/httpd/httpd.go b/httpd/httpd.go
index 7933c625..761c6d9b 100644
--- a/httpd/httpd.go
+++ b/httpd/httpd.go
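Review bot: The new field comment on ftpd.Binding.MinTLSVersion, `// Defines the minimum TLS version. 13 means TLS 1.3, default is TLS 1.2`, does not say that 12 is the only other recognised value and that anything else, including the zero value from a config file that lacks the key, is treated as TLS 1.2 by util.GetTLSVersion; the same text is added to httpd.Binding, telemetry.Conf and webdavd.Binding on the following lines. Suggest `// MinTLSVersion is the minimum TLS version to accept: 12 for TLS 1.2, 13 for TLS 1.3. Any other value, including 0, is treated as 12.` in all four places, so the struct comment and the JSON/env docs agree on the fallback.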
@@ -258,6 +258,8 @@ type Binding struct {
 EnableWebClient bool `json:"enable_web_client" mapstructure:"enable_web_client"`
 // you also need to provide a certificate for enabling HTTPS
 EnableHTTPS bool `json:"enable_https" mapstructure:"enable_https"`
+ // Defines the minimum TLS version. 13 means TLS 1.3, default is TLS 1.2
+ MinTLSVersion int `json:"min_tls_version" mapstructure:"min_tls_version"`
 // set to 1 to require client certificate authentication in addition to basic auth.
 // You need to define at least a certificate authority for this to work
 ClientAuthType int `json:"client_auth_type" mapstructure:"client_auth_type"`
diff --git a/httpd/server.go b/httpd/server.go
index 99275f02..60fa60a8 100644
--- a/httpd/server.go
+++ b/httpd/server.go
@@ -80,7 +80,7 @@ func (s *httpdServer) listenAndServe() error {
 if certMgr != nil && s.binding.EnableHTTPS {
 config := &tls.Config{
 GetCertificate: certMgr.GetCertificateFunc(),
- MinVersion: tls.VersionTLS12,
+ MinVersion: util.GetTLSVersion(s.binding.MinTLSVersion),
 NextProtos: []string{"http/1.1", "h2"},
 CipherSuites: util.GetTLSCiphersFromNames(s.binding.TLSCipherSuites),
 PreferServerCipherSuites: true,
diff --git a/sftpgo.json b/sftpgo.json
index 66e3604e..b00fa3fa 100644
--- a/sftpgo.json
+++ b/sftpgo.json
@@ -86,6 +86,7 @@
 "address": "",
 "apply_proxy_config": true,
 "tls_mode": 0,
+ "min_tls_version": 12,
 "force_passive_ip": "",
 "passive_ip_overrides": [],
 "client_auth_type": 0,
@@ -117,6 +118,7 @@
 "port": 0,
 "address": "",
 "enable_https": false,
+ "min_tls_version": 12,
 "client_auth_type": 0,
 "tls_cipher_suites": [],
 "prefix": "",
@@ -211,6 +213,7 @@
 "enable_web_admin": true,
 "enable_web_client": true,
 "enable_https": false,
+ "min_tls_version": 12,
 "client_auth_type": 0,
 "tls_cipher_suites": [],
 "proxy_allowed": [],
@@ -255,6 +258,7 @@
 "auth_user_file": "",
 "certificate_file": "",
 "certificate_key_file": "",
+ "min_tls_version": 12,
 "tls_cipher_suites": []
 },
 "http": {
diff --git a/telemetry/telemetry.go b/telemetry/telemetry.go
index 6920c5ee..3d1a209c 100644
--- a/telemetry/telemetry.go
+++ b/telemetry/telemetry.go
@@ -63,6 +63,8 @@ type Conf struct {
 // any invalid name will be silently ignored.
 // The order matters, the ciphers listed first will be the preferred ones.
 TLSCipherSuites []string `json:"tls_cipher_suites" mapstructure:"tls_cipher_suites"`
+ // Defines the minimum TLS version. 13 means TLS 1.3, default is TLS 1.2
+ MinTLSVersion int `json:"min_tls_version" mapstructure:"min_tls_version"`
 }
 // ShouldBind returns true if there service must be started
@@ -104,7 +106,7 @@ func (c Conf) Initialize(configDir string) error {
 }
 config := &tls.Config{
 GetCertificate: certMgr.GetCertificateFunc(),
- MinVersion: tls.VersionTLS12,
+ MinVersion: util.GetTLSVersion(c.MinTLSVersion),
 NextProtos: []string{"http/1.1", "h2"},
 CipherSuites: util.GetTLSCiphersFromNames(c.TLSCipherSuites),
 PreferServerCipherSuites: true,
diff --git a/util/util.go b/util/util.go
index dfaa9f21..db78ce67 100644
--- a/util/util.go
+++ b/util/util.go
@@ -563,3 +563,16 @@ func PrependFileInfo(files []os.FileInfo, info os.FileInfo) []os.FileInfo {
 files[0] = info
 return files
 }
+
+// GetTLSVersion returns the TLS version for integer:
+// - 12 means TLS 1.2
+// - 13 means TLS 1.3
+// default is TLS 1.2
+func GetTLSVersion(val int) uint16 { switch val { case 13: return tls.VersionTLS13 default: return tls.VersionTLS12 } }
diff --git a/webdavd/server.go b/webdavd/server.go
index 1b333aee..981be240 100644
--- a/webdavd/server.go
+++ b/webdavd/server.go
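Review bot: GetTLSVersion's `default` arm turns every unrecognised value into TLS 1.2, so a misconfigured `min_tls_version` (3, 1 or 14 where 13 was intended) silently lowers the floor the operator believes they set, and nothing in this diff logs or rejects such a value. Keeping the fallback is reasonable for the zero value of config files that predate the key, but the config loader should warn when the value is neither 0, 12 nor 13; that check belongs in config.go, where the values are parsed, rather than in util. The doc comment here would also be clearer as `// GetTLSVersion maps a configured integer to a crypto/tls version constant: 13 means TLS 1.3, anything else (including 0) means TLS 1.2.`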
@@ -58,7 +58,7 @@ func (s *webDavServer) listenAndServe(compressor *middleware.Compressor) error {
 serviceStatus.Bindings = append(serviceStatus.Bindings, s.binding)
 httpServer.TLSConfig = &tls.Config{
 GetCertificate: certMgr.GetCertificateFunc(),
- MinVersion: tls.VersionTLS12,
+ MinVersion: util.GetTLSVersion(s.binding.MinTLSVersion),
 NextProtos: []string{"http/1.1", "h2"},
 CipherSuites: util.GetTLSCiphersFromNames(s.binding.TLSCipherSuites),
 PreferServerCipherSuites: true,
diff --git a/webdavd/webdavd.go b/webdavd/webdavd.go
index 3921c886..2f16f3e5 100644
--- a/webdavd/webdavd.go
+++ b/webdavd/webdavd.go
@@ -74,6 +74,8 @@ type Binding struct {
 Port int `json:"port" mapstructure:"port"`
 // you also need to provide a certificate for enabling HTTPS
 EnableHTTPS bool `json:"enable_https" mapstructure:"enable_https"`
+ // Defines the minimum TLS version. 13 means TLS 1.3, default is TLS 1.2
+ MinTLSVersion int `json:"min_tls_version" mapstructure:"min_tls_version"`
 // set to 1 to require client certificate authentication in addition to basic auth.
 // You need to define at least a certificate authority for this to work
 ClientAuthType int `json:"client_auth_type" mapstructure:"client_auth_type"`