bundle-server: make server min TLS version configurable

vdye · vdye · commit 3ac4b2637521 · 2023-04-06T16:12:20.000-07:00
Add a '--tls-version' option, which takes values matching those of the
'http.sslVersion' config in Git, to set the 'tls.Config.MinVersion' setting
in the web server.

Signed-off-by: Victoria Dye &lt;vdye@github.com&gt;
diff --git a/cmd/git-bundle-web-server/bundle-server.go b/cmd/git-bundle-web-server/bundle-server.go
@@ -2,6 +2,7 @@ package main
 
 import (
 	"context"
+	"crypto/tls"
 	"fmt"
 	"net/http"
 	"os"
@@ -28,7 +29,9 @@ type bundleWebServer struct {
 }
 
 func NewBundleWebServer(logger log.TraceLogger,
-	port string, certFile string, keyFile string,
+	port string,
+	certFile string, keyFile string,
+	tlsMinVersion uint16,
 ) *bundleWebServer {
 	bundleServer := &bundleWebServer{
 		logger:          logger,
@@ -43,11 +46,18 @@ func NewBundleWebServer(logger log.TraceLogger,
 		Addr:    ":" + port,
 	}
 
-	if certFile != "" {
-		bundleServer.listenAndServeFunc = func() error { return bundleServer.server.ListenAndServeTLS(certFile, keyFile) }
-	} else {
+	// No TLS configuration to be done, return
+	if certFile == "" {
 		bundleServer.listenAndServeFunc = func() error { return bundleServer.server.ListenAndServe() }
+		return bundleServer
+	}
+
+	// Configure for TLS
+	tlsConfig := &tls.Config{
+		MinVersion: tlsMinVersion,
 	}
+	bundleServer.server.TLSConfig = tlsConfig
+	bundleServer.listenAndServeFunc = func() error { return bundleServer.server.ListenAndServeTLS(certFile, keyFile) }
 
 	return bundleServer
 }
diff --git a/cmd/git-bundle-web-server/main.go b/cmd/git-bundle-web-server/main.go
@@ -26,9 +26,14 @@ func main() {
 		port := utils.GetFlagValue[string](parser, "port")
 		cert := utils.GetFlagValue[string](parser, "cert")
 		key := utils.GetFlagValue[string](parser, "key")
+		tlsMinVersion := utils.GetFlagValue[uint16](parser, "tls-version")
 
 		// Configure the server
-		bundleServer := NewBundleWebServer(logger, port, cert, key)
+		bundleServer := NewBundleWebServer(logger,
+			port,
+			cert, key,
+			tlsMinVersion,
+		)
 
 		// Start the server asynchronously
 		bundleServer.StartServerAsync(ctx)
diff --git a/cmd/utils/common-args.go b/cmd/utils/common-args.go
@@ -2,9 +2,11 @@ package utils
 
 import (
 	"context"
+	"crypto/tls"
 	"flag"
 	"fmt"
 	"strconv"
+	"strings"
 )
 
 // Helpers
@@ -39,11 +41,50 @@ func GetFlagValue[T any](parser argParser, name string) T {
 
 // Sets of flags shared between multiple commands/programs
 
+type tlsVersionValue uint16
+
+var tlsVersions = map[tlsVersionValue]string{
+	tls.VersionTLS11: "tlsv1.1",
+	tls.VersionTLS12: "tlsv1.2",
+	tls.VersionTLS13: "tlsv1.3",
+}
+
+func (v *tlsVersionValue) String() string {
+	if strVal, ok := tlsVersions[*v]; ok {
+		return strVal
+	} else {
+		panic(fmt.Sprintf("invalid tlsVersionValue '%d'", *v))
+	}
+}
+
+func (v *tlsVersionValue) Set(strVal string) error {
+	strLower := strings.ToLower(strVal)
+	for val, str := range tlsVersions {
+		if str == strLower {
+			*v = val
+			return nil
+		}
+	}
+
+	// add details to "invalid value for flag" message
+	validTlsVersions := []string{}
+	for _, str := range tlsVersions {
+		validTlsVersions = append(validTlsVersions, "'"+str+"'")
+	}
+	return fmt.Errorf("valid TLS versions are: %s", strings.Join(validTlsVersions, ", "))
+}
+
+func (v *tlsVersionValue) Get() any {
+	return uint16(*v)
+}
+
 func WebServerFlags(parser argParser) (*flag.FlagSet, func(context.Context)) {
 	f := flag.NewFlagSet("", flag.ContinueOnError)
 	port := f.String("port", "8080", "The port on which the server should be hosted")
 	cert := f.String("cert", "", "The path to the X.509 SSL certificate file to use in securely hosting the server")
 	key := f.String("key", "", "The path to the certificate's private key")
+	tlsVersion := tlsVersionValue(tls.VersionTLS12)
+	f.Var(&tlsVersion, "tls-version", "The minimum TLS version the server will accept")
 
 	// Function to call for additional arg validation (may exit with 'Usage()')
 	validationFunc := func(ctx context.Context) {
diff --git a/docs/man/server-options.asc b/docs/man/server-options.asc
@@ -10,3 +10,17 @@
 *--key* _path_:::
   Use the contents of the specified file as the private key of the X.509 SSL
   certificate specified with *--cert*.
+
+*--tls-version* _version_:::
+  If the web server is configured for TLS (i.e., *--cert* and *--key* are
+  specified), reject requests using a version of TLS less than the given
+  version. The _version_ must be one of the following non-case sensitive values:
+
+  - tlsv1.1
+  - tlsv1.2
+  - tlsv1.3
+
++
+These strings match those used in the *http.sslVersion* Git config setting
+(see man:git-config[1]). The default value is *tlsv1.2*. If the server is not
+configured for TLS, this option is a no-op.
