Add tls_max_version support

jefferai · jefferai · commit 3330b9bdadf8 · 2021-03-09T08:30:04.000-05:00
diff --git a/configutil/listener.go b/configutil/listener.go
@@ -43,6 +43,7 @@ type Listener struct {
 	TLSCertFile                      string      `hcl:"tls_cert_file"`
 	TLSKeyFile                       string      `hcl:"tls_key_file"`
 	TLSMinVersion                    string      `hcl:"tls_min_version"`
+	TLSMaxVersion                    string      `hcl:"tls_max_version"`
 	TLSCipherSuites                  []uint16    `hcl:"-"`
 	TLSCipherSuitesRaw               string      `hcl:"tls_cipher_suites"`
 	TLSPreferServerCipherSuites      bool        `hcl:"-"`
diff --git a/listenerutil/listener.go b/listenerutil/listener.go
@@ -111,12 +111,25 @@ PASSPHRASECORRECT:
 		l.TLSMinVersion = "tls12"
 	}
 
+	if l.TLSMaxVersion == "" {
+		l.TLSMaxVersion = "tls13"
+	}
+
 	var ok bool
 	tlsConf.MinVersion, ok = tlsutil.TLSLookup[l.TLSMinVersion]
 	if !ok {
 		return nil, nil, fmt.Errorf("'tls_min_version' value %q not supported, please specify one of [tls10,tls11,tls12,tls13]", l.TLSMinVersion)
 	}
 
+	tlsConf.MaxVersion, ok = tlsutil.TLSLookup[l.TLSMaxVersion]
+	if !ok {
+		return nil, nil, fmt.Errorf("'tls_max_version' value %q not supported, please specify one of [tls10,tls11,tls12,tls13]", l.TLSMaxVersion)
+	}
+
+	if tlsConf.MaxVersion < tlsConf.MinVersion {
+		return nil, nil, fmt.Errorf("'tls_max_version' must be greater than or equal to 'tls_min_version'")
+	}
+
 	if len(l.TLSCipherSuites) > 0 {
 		// HTTP/2 with TLS 1.2 blacklists several cipher suites.
 		// https://tools.ietf.org/html/rfc7540#appendix-A
