add minVersion to tls.ini options (#2738)

* add minVersion to tls.ini options

Changes.md

@@ -9,6 +9,7 @@
 ### New features
 
 * connection_close_message: added ability to override close connection message replacing `closing connection. Have a jolly good day.`
+* tls: add configurable minVersion to tls socket options
 
 ### Fixes
 

config/tls.ini

@@ -10,6 +10,11 @@
 ; list, try enabling this "kinda high but more compatible" setting.
 ; ciphers=ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:DES-CBC3-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4
 
+; minimum TLS version (node.js 11.4+ required)
+; Allowed values are 'TLSv1.3', 'TLSv1.2', 'TLSv1.1', or 'TLSv1'
+; The default value is node.js's tls.DEFAULT_MIN_VERSION
+; minVersion=TLSv1
+
 ; honorCipherOrder=true
 ; rejectUnauthorized=false
 ; requestCert=true

docs/Outbound.md

@@ -43,7 +43,7 @@ plugin uses, along with other values in `tls.ini`. See the [tls plugin
 docs](http://haraka.github.io/manual/plugins/tls.html) for information on generating those
 files.
 
-Within `tls.ini` you can specify global options for the values `ciphers`,
+Within `tls.ini` you can specify global options for the values `ciphers`, `minVersion`,
 `requestCert` and `rejectUnauthorized`, alternatively you can provide
 separate values by putting them under a key: `[outbound]`, such as:
 

docs/plugins/tls.md

@@ -97,7 +97,17 @@ A list of allowable ciphers to use. Example:
 
     ciphers=EECDH+AESGCM:EDH+aRSA+AESGCM:EECDH+AES256:EDH+aRSA+AES256:EECDH+AES128:EDH+aRSA+AES128:RSA+AES:RSA+3DES
 
-See also: [Strong SSL Ciphers](http://cipherli.st) and the [SSLlabs Test Page](https://www.ssllabs.com/ssltest/index.html)
+See also: [Mozilla SSL configuration generator](https://ssl-config.mozilla.org/) and the [SSLlabs Test Page](https://www.ssllabs.com/ssltest/index.html)
+
+### minVersion
+
+Specifies minimum allowable TLS protocol version to use. Example:
+
+     minVersion=TLSv1.1 
+
+If unset, the default is node's tls.DEFAULT_MIN_VERSION constant.
+
+(**Node.js 11.4+ required**, for older instances you can use *secureProtocol* settings)
 
 ### honorCipherOrder
 

outbound/tls.js

@@ -6,7 +6,7 @@ const config       = require('haraka-config');
 const hkredis      = require('haraka-plugin-redis');
 
 const inheritable_opts = [
-    'key', 'cert', 'ciphers', 'dhparam',
+    'key', 'cert', 'ciphers', 'minVersion', 'dhparam',
     'requestCert', 'honorCipherOrder', 'rejectUnauthorized'
 ];
 

tests/config/tls.ini

@@ -4,6 +4,7 @@ cert    = tls_cert.pem
 dhparam = dhparams.pem
 
 ciphers = ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384
+minVersion = TLSv1
 rejectUnauthorized=false
 requestCert=true
 honorCipherOrder=true
@@ -33,6 +34,7 @@ key     = outbound_tls_key.pem
 cert    = outbound_tls_cert.pem
 dhparam = dhparams.pem
 ciphers = ECDHE-RSA-AES256-GCM-SHA384
+minVersion = TLSv1
 rejectUnauthorized=false
 requestCert=false
 honorCipherOrder=false

tests/outbound/index.js

@@ -163,6 +163,7 @@ exports.get_tls_options = {
             cert: fs.readFileSync(path.resolve('tests','config','outbound_tls_cert.pem')),
             dhparam: fs.readFileSync(path.resolve('tests','config','dhparams.pem')),
             ciphers: 'ECDHE-RSA-AES256-GCM-SHA384',
+            minVersion: 'TLSv1',
             rejectUnauthorized: false,
             requestCert: false,
             honorCipherOrder: false,

tests/tls_socket.js

@@ -151,6 +151,7 @@ exports.load_tls_ini2 = {
                 cert: 'tls_cert.pem',
                 dhparam: 'dhparams.pem',
                 ciphers: 'ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384',
+                minVersion: 'TLSv1',
                 requireAuthorized: [2465, 2587],
             },
             redis: { disable_for_failed_hosts: false },
@@ -159,6 +160,7 @@ exports.load_tls_ini2 = {
                 key: 'outbound_tls_key.pem',
                 cert: 'outbound_tls_cert.pem',
                 ciphers: 'ECDHE-RSA-AES256-GCM-SHA384',
+                minVersion: 'TLSv1',
                 dhparam: 'dhparams.pem',
                 rejectUnauthorized: false,
                 requestCert: false,

tls_socket.js

@@ -293,7 +293,7 @@ exports.applySocketOpts = name => {
     // https://nodejs.org/api/tls.html#tls_tls_createsecurecontext_options
     const createSecureContextOptions = [
         'key', 'cert', 'dhparam',
-        'pfx', 'passphrase', 'ca', 'crl', 'ciphers', 'honorCipherOrder',
+        'pfx', 'passphrase', 'ca', 'crl', 'ciphers', 'minVersion', 'honorCipherOrder',
         'ecdhCurve', 'secureProtocol', 'secureOptions', 'sessionIdContext'
     ];