handlers.go: Added parameter for TLS min version

rest-server/main.go: Added parameter handling for TLS min version

rest-server/main.go: Added crypto.tls, implemented and configured tlsConfig object

cmd/rest-server/main.go

@@ -7,6 +7,7 @@ import (
 	"log"
 	"net"
 	"net/http"
+	"crypto/tls"
 	"os"
 	"os/signal"
 	"path/filepath"
@@ -47,6 +48,7 @@ func newRestServerApp() *restServerApp {
 		Server: restserver.Server{
 			Path:   filepath.Join(os.TempDir(), "restic"),
 			Listen: ":8000",
+			TLSMinVer: "1.2",
 		},
 	}
 	rv.CmdRoot.RunE = rv.runRoot
@@ -61,6 +63,7 @@ func newRestServerApp() *restServerApp {
 	flags.BoolVar(&rv.Server.TLS, "tls", rv.Server.TLS, "turn on TLS support")
 	flags.StringVar(&rv.Server.TLSCert, "tls-cert", rv.Server.TLSCert, "TLS certificate path")
 	flags.StringVar(&rv.Server.TLSKey, "tls-key", rv.Server.TLSKey, "TLS key path")
+        flags.StringVar(&rv.Server.TLSMinVer, "tls-min-ver", rv.Server.TLSMinVer, "TLS min version (default: 1.2)")
 	flags.BoolVar(&rv.Server.NoAuth, "no-auth", rv.Server.NoAuth, "disable .htpasswd authentication")
 	flags.StringVar(&rv.Server.HtpasswdPath, "htpasswd-file", rv.Server.HtpasswdPath, "location of .htpasswd file (default: \"<data directory>/.htpasswd)\"")
 	flags.BoolVar(&rv.Server.NoVerifyUpload, "no-verify-upload", rv.Server.NoVerifyUpload,
@@ -162,8 +165,37 @@ func (app *restServerApp) runRoot(cmd *cobra.Command, args []string) error {
 	app.listenerAddress = listener.Addr()
 	app.listenerAddressMu.Unlock()
 
+	tlscfg := &tls.Config{
+		MinVersion:		tls.VersionTLS12,
+		CurvePreferences:	[]tls.CurveID{tls.CurveP521, tls.CurveP384, tls.CurveP256},
+		CipherSuites:		[]uint16{
+			tls.TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
+			tls.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
+			tls.TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
+			tls.TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
+			tls.TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256,
+			tls.TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256,
+		},
+	}
+	switch app.Server.TLSMinVer {
+	case "1.0":
+		// Only available with GODEBUG="tls10server=1"
+		tlscfg.MinVersion = tls.VersionTLS10
+	case "1.1":
+		// Only available with GODEBUG="tls10server=1"
+		tlscfg.MinVersion = tls.VersionTLS11
+	case "1.2":
+		tlscfg.MinVersion = tls.VersionTLS12
+	case "1.3":
+		tlscfg.MinVersion = tls.VersionTLS13
+	default:
+		tlscfg.MinVersion = tls.VersionTLS12
+	}
+
+
 	srv := &http.Server{
 		Handler: handler,
+		TLSConfig: tlscfg,
 	}
 
 	// run server in background

handlers.go

@@ -22,6 +22,7 @@ type Server struct {
 	CPUProfile       string
 	TLSKey           string
 	TLSCert          string
+	TLSMinVer        string
 	TLS              bool
 	NoAuth           bool
 	AppendOnly       bool