From ddc5ad1a3c69aff9e9b3377e5b9348fd6410a0da Mon Sep 17 00:00:00 2001
From: darkspir
Date: Thu, 5 Dec 2024 12:58:02 +0100
Subject: [PATCH] handlers.go: Added parameter for TLS min version rest-server/main.go: Added parameter handling for TLS min version rest-server/main.go: Added crypto.tls, implemented and configured tlsConfig object
---
 cmd/rest-server/main.go | 32 ++++++++++++++++++++++++++++++++
 handlers.go | 1 +
 2 files changed, 33 insertions(+)

diff --git a/cmd/rest-server/main.go b/cmd/rest-server/main.go
index 0bdd1eb..bedd608 100644
--- a/cmd/rest-server/main.go
+++ b/cmd/rest-server/main.go
@@ -7,6 +7,7 @@ import (
 	"log"
 	"net"
 	"net/http"
+	"crypto/tls"
 	"os"
 	"os/signal"
 	"path/filepath"
@@ -47,6 +48,7 @@ func newRestServerApp() *restServerApp {
 		Server: restserver.Server{
 			Path: filepath.Join(os.TempDir(), "restic"),
 			Listen: ":8000",
+			TLSMinVer: "1.2",
 		},
 	}
 	rv.CmdRoot.RunE = rv.runRoot
@@ -61,6 +63,7 @@ func newRestServerApp() *restServerApp {
 	flags.BoolVar(&rv.Server.TLS, "tls", rv.Server.TLS, "turn on TLS support")
 	flags.StringVar(&rv.Server.TLSCert, "tls-cert", rv.Server.TLSCert, "TLS certificate path")
 	flags.StringVar(&rv.Server.TLSKey, "tls-key", rv.Server.TLSKey, "TLS key path")
+	flags.StringVar(&rv.Server.TLSMinVer, "tls-min-ver", rv.Server.TLSMinVer, "TLS min version (default: 1.2)")
 	flags.BoolVar(&rv.Server.NoAuth, "no-auth", rv.Server.NoAuth, "disable .htpasswd authentication")
 	flags.StringVar(&rv.Server.HtpasswdPath, "htpasswd-file", rv.Server.HtpasswdPath, "location of .htpasswd file (default: \"/.htpasswd)\"")
 	flags.BoolVar(&rv.Server.NoVerifyUpload, "no-verify-upload", rv.Server.NoVerifyUpload, 
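Review bot: The new `"crypto/tls"` import is inserted between `"net/http"` and `"os"`, breaking the sorted order that gofmt/goimports maintain within a stdlib import group; it belongs ahead of `"log"` (or after whatever entries precede `"log"` outside the hunk). The same missing formatting shows in the runRoot hunk of this file, where the added `TLSConfig: tlscfg,` is not aligned with `Handler: handler,` as gofmt would align the two fields. Running `gofmt -w` on cmd/rest-server/main.go before submitting fixes both.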
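Review bot: The help string `"TLS min version (default: 1.2)"` hard-codes the default, but `StringVar` is already given `rv.Server.TLSMinVer` as its default, and pflag appends `(default "1.2")` on its own for a non-empty default, so the usage line will most likely show the default twice; the neighbouring `--htpasswd-file` spells its default out by hand only because its default value is empty. The text also does not say which values are accepted, and nothing at flag-definition time validates them. Suggested: `flags.StringVar(&rv.Server.TLSMinVer, "tls-min-ver", rv.Server.TLSMinVer, "minimum TLS protocol version to accept (1.0, 1.1, 1.2 or 1.3)")`. newRestServerApp continues beyond the end of the hunk.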
@@ -162,8 +165,37 @@ func (app *restServerApp) runRoot(cmd *cobra.Command, args []string) error { app.listenerAddress = listener.Addr() app.listenerAddressMu.Unlock() + tlscfg := &tls.Config{ + MinVersion: tls.VersionTLS12, + CurvePreferences: []tls.CurveID{tls.CurveP521, tls.CurveP384, tls.CurveP256}, + CipherSuites: []uint16{ + tls.TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, + tls.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, + tls.TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384, + tls.TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384, + tls.TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256, + tls.TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256, + }, + } + switch app.Server.TLSMinVer { + case "1.0": + // Only available with GODEBUG="tls10server=1" + tlscfg.MinVersion = tls.VersionTLS10 + case "1.1": + // Only available with GODEBUG="tls10server=1" + tlscfg.MinVersion = tls.VersionTLS11 + case "1.2": + tlscfg.MinVersion = tls.VersionTLS12 + case "1.3": + tlscfg.MinVersion = tls.VersionTLS13 + default: + tlscfg.MinVersion = tls.VersionTLS12 + } + + srv := &http.Server{ Handler: handler, + TLSConfig: tlscfg, } // run server in background diff --git a/handlers.go b/handlers.go index 8163ccf..7d78b61 100644 --- a/handlers.go +++ b/handlers.go @@ -22,6 +22,7 @@ type Server struct { CPUProfile string TLSKey string TLSCert string + TLSMinVer string TLS bool NoAuth bool AppendOnly bool
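Review bot: The `default:` arm of the `switch` on `app.Server.TLSMinVer` silently maps any unrecognised `--tls-min-ver` value (a typo such as `1.3.` or `tls1.3`) to TLS 1.2, so an operator never learns that their setting was ignored; runRoot returns an error, so the unknown value should be rejected instead, e.g. `return fmt.Errorf("unsupported TLS minimum version %q", app.Server.TLSMinVer)` (adding `fmt` to the import block if main.go does not already have it). The explicit `CurvePreferences` of P-521, P-384, P-256 drops X25519, the curve Go prefers by default, and on recent Go releases setting this field at all also turns off the hybrid post-quantum key exchange that is only enabled when `CurvePreferences` is nil, so unless NIST-only curves are a stated requirement the field is better left unset. `MinVersion: tls.VersionTLS12` in the literal is overwritten by every arm of the switch and can be dropped, and `CipherSuites` is honoured only for TLS 1.2 handshakes (TLS 1.3 suites are not configurable in crypto/tls), which deserves a one-line comment. runRoot begins and ends outside the hunk; moving the construction into a helper that returns `(*tls.Config, error)` keeps runRoot short and makes the version parsing unit-testable:
```go
// tlsConfigForMinVersion builds the server TLS configuration for the
// configured minimum protocol version. An unknown value is an error
// rather than a silent fallback to TLS 1.2.
func tlsConfigForMinVersion(minVer string) (*tls.Config, error) {
	cfg := &tls.Config{
		// Only consulted for TLS 1.2; TLS 1.3 suites are fixed by crypto/tls.
		CipherSuites: []uint16{
			// … unchanged: the six ECDHE AES-GCM / ChaCha20-Poly1305 suites …
		},
	}
	switch minVer {
	case "1.0":
		// Only available with GODEBUG="tls10server=1"
		cfg.MinVersion = tls.VersionTLS10
	case "1.1":
		// Only available with GODEBUG="tls10server=1"
		cfg.MinVersion = tls.VersionTLS11
	case "1.2":
		cfg.MinVersion = tls.VersionTLS12
	case "1.3":
		cfg.MinVersion = tls.VersionTLS13
	default:
		return nil, fmt.Errorf("unsupported TLS minimum version %q", minVer)
	}
	return cfg, nil
}

// in runRoot, replacing the inline tlscfg literal and switch:
	tlscfg, err := tlsConfigForMinVersion(app.Server.TLSMinVer)
	if err != nil {
		return err
	}
	// … unchanged: srv := &http.Server{Handler: handler, TLSConfig: tlscfg} …
```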
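Review bot: `TLSMinVer string` is an exported configuration field that is only meaningful for four specific strings, but nothing on the type says so; the accepted values are discoverable only from the switch in cmd/rest-server/main.go. A doc comment would help anyone constructing `Server` directly: `// TLSMinVer is the minimum TLS protocol version to accept: "1.0", "1.1", "1.2" or "1.3".` The Server struct starts before and ends after the hunk.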