Skip to content

Commit befc29d

Browse files
gtcooke94gtcooke94
authored
advancedTLS: Rename {Min/Max}Version to {Min/Max}TLSVersion (#7173)
* rename `MinVersion` and `MaxVersion` to `MinTLSVersion` and `MaxTLSVersion`
1 parent f2d6421 commit befc29d

File tree

3 files changed

+104
-28
lines changed

3 files changed

+104
-28
lines changed

security/advancedtls/advancedtls.go

Lines changed: 74 additions & 16 deletions
Original file line numberDiff line numberDiff line change
@@ -215,14 +215,26 @@ type ClientOptions struct {
215215
// It could be nil if such checks are not needed.
216216
RevocationOptions *RevocationOptions
217217
// MinVersion contains the minimum TLS version that is acceptable.
218-
// By default, TLS 1.2 is currently used as the minimum when acting as a
219-
// client, and TLS 1.0 when acting as a server. TLS 1.0 is the minimum
220-
// supported by this package, both as a client and as a server.
218+
//
219+
// Deprecated: use MinTLSVersion instead.
221220
MinVersion uint16
222221
// MaxVersion contains the maximum TLS version that is acceptable.
223-
// By default, the maximum version supported by this package is used,
224-
// which is currently TLS 1.3.
222+
//
223+
// Deprecated: use MaxTLSVersion instead.
225224
MaxVersion uint16
225+
// MinTLSVersion contains the minimum TLS version that is acceptable.
226+
// The value should be set using tls.VersionTLSxx from https://pkg.go.dev/crypto/tls
227+
// By default, TLS 1.2 is currently used as the minimum when acting as a
228+
// client, and TLS 1.0 when acting as a server. TLS 1.0 is the minimum
229+
// supported by this package, both as a client and as a server. This
230+
// default may be changed over time affecting backwards compatibility.
231+
MinTLSVersion uint16
232+
// MaxTLSVersion contains the maximum TLS version that is acceptable.
233+
// The value should be set using tls.VersionTLSxx from https://pkg.go.dev/crypto/tls
234+
// By default, the maximum version supported by this package is used,
235+
// which is currently TLS 1.3. This default may be changed over time
236+
// affecting backwards compatibility.
237+
MaxTLSVersion uint16
226238
// serverNameOverride is for testing only. If set to a non-empty string, it
227239
// will override the virtual host name of authority (e.g. :authority header
228240
// field) in requests and the target hostname used during server cert
@@ -263,14 +275,26 @@ type ServerOptions struct {
263275
// It could be nil if such checks are not needed.
264276
RevocationOptions *RevocationOptions
265277
// MinVersion contains the minimum TLS version that is acceptable.
266-
// By default, TLS 1.2 is currently used as the minimum when acting as a
267-
// client, and TLS 1.0 when acting as a server. TLS 1.0 is the minimum
268-
// supported by this package, both as a client and as a server.
278+
//
279+
// Deprecated: use MinTLSVersion instead.
269280
MinVersion uint16
270281
// MaxVersion contains the maximum TLS version that is acceptable.
271-
// By default, the maximum version supported by this package is used,
272-
// which is currently TLS 1.3.
282+
//
283+
// Deprecated: use MaxTLSVersion instead.
273284
MaxVersion uint16
285+
// MinTLSVersion contains the minimum TLS version that is acceptable.
286+
// The value should be set using tls.VersionTLSxx from https://pkg.go.dev/crypto/tls
287+
// By default, TLS 1.2 is currently used as the minimum when acting as a
288+
// client, and TLS 1.0 when acting as a server. TLS 1.0 is the minimum
289+
// supported by this package, both as a client and as a server. This
290+
// default may be changed over time affecting backwards compatibility.
291+
MinTLSVersion uint16
292+
// MaxTLSVersion contains the maximum TLS version that is acceptable.
293+
// The value should be set using tls.VersionTLSxx from https://pkg.go.dev/crypto/tls
294+
// By default, the maximum version supported by this package is used,
295+
// which is currently TLS 1.3. This default may be changed over time
296+
// affecting backwards compatibility.
297+
MaxTLSVersion uint16
274298
}
275299

276300
func (o *ClientOptions) config() (*tls.Config, error) {
@@ -285,6 +309,15 @@ func (o *ClientOptions) config() (*tls.Config, error) {
285309
if o.VType != CertAndHostVerification {
286310
o.VerificationType = o.VType
287311
}
312+
// TODO(gtcooke94) MinVersion and MaxVersion are deprected, eventually
313+
// remove this block. This is a temporary fallback to ensure that if the
314+
// refactored names aren't set we use the old names.
315+
if o.MinTLSVersion == 0 {
316+
o.MinTLSVersion = o.MinVersion
317+
}
318+
if o.MaxTLSVersion == 0 {
319+
o.MaxTLSVersion = o.MaxVersion
320+
}
288321
if o.VerificationType == SkipVerification && o.AdditionalPeerVerification == nil {
289322
return nil, fmt.Errorf("client needs to provide custom verification mechanism if choose to skip default verification")
290323
}
@@ -299,16 +332,24 @@ func (o *ClientOptions) config() (*tls.Config, error) {
299332
if o.IdentityOptions.GetIdentityCertificatesForServer != nil {
300333
return nil, fmt.Errorf("GetIdentityCertificatesForServer cannot be specified on the client side")
301334
}
302-
if o.MinVersion > o.MaxVersion {
335+
if o.MinTLSVersion > o.MaxTLSVersion {
303336
return nil, fmt.Errorf("the minimum TLS version is larger than the maximum TLS version")
304337
}
338+
// If the MinTLSVersion isn't set, default to 1.2
339+
if o.MinTLSVersion == 0 {
340+
o.MinTLSVersion = tls.VersionTLS12
341+
}
342+
// If the MaxTLSVersion isn't set, default to 1.3
343+
if o.MaxTLSVersion == 0 {
344+
o.MaxTLSVersion = tls.VersionTLS13
345+
}
305346
config := &tls.Config{
306347
ServerName: o.serverNameOverride,
307348
// We have to set InsecureSkipVerify to true to skip the default checks and
308349
// use the verification function we built from buildVerifyFunc.
309350
InsecureSkipVerify: true,
310-
MinVersion: o.MinVersion,
311-
MaxVersion: o.MaxVersion,
351+
MinVersion: o.MinTLSVersion,
352+
MaxVersion: o.MaxTLSVersion,
312353
}
313354
// Propagate root-certificate-related fields in tls.Config.
314355
switch {
@@ -372,6 +413,15 @@ func (o *ServerOptions) config() (*tls.Config, error) {
372413
if o.VType != CertAndHostVerification {
373414
o.VerificationType = o.VType
374415
}
416+
// TODO(gtcooke94) MinVersion and MaxVersion are deprected, eventually
417+
// remove this block. This is a temporary fallback to ensure that if the
418+
// refactored names aren't set we use the old names.
419+
if o.MinTLSVersion == 0 {
420+
o.MinTLSVersion = o.MinVersion
421+
}
422+
if o.MaxTLSVersion == 0 {
423+
o.MaxTLSVersion = o.MaxVersion
424+
}
375425
if o.RequireClientCert && o.VerificationType == SkipVerification && o.AdditionalPeerVerification == nil {
376426
return nil, fmt.Errorf("server needs to provide custom verification mechanism if choose to skip default verification, but require client certificate(s)")
377427
}
@@ -386,7 +436,7 @@ func (o *ServerOptions) config() (*tls.Config, error) {
386436
if o.IdentityOptions.GetIdentityCertificatesForClient != nil {
387437
return nil, fmt.Errorf("GetIdentityCertificatesForClient cannot be specified on the server side")
388438
}
389-
if o.MinVersion > o.MaxVersion {
439+
if o.MinTLSVersion > o.MaxTLSVersion {
390440
return nil, fmt.Errorf("the minimum TLS version is larger than the maximum TLS version")
391441
}
392442
clientAuth := tls.NoClientCert
@@ -396,10 +446,18 @@ func (o *ServerOptions) config() (*tls.Config, error) {
396446
// buildVerifyFunc.
397447
clientAuth = tls.RequireAnyClientCert
398448
}
449+
// If the MinTLSVersion isn't set, default to 1.2
450+
if o.MinTLSVersion == 0 {
451+
o.MinTLSVersion = tls.VersionTLS12
452+
}
453+
// If the MaxTLSVersion isn't set, default to 1.3
454+
if o.MaxTLSVersion == 0 {
455+
o.MaxTLSVersion = tls.VersionTLS13
456+
}
399457
config := &tls.Config{
400458
ClientAuth: clientAuth,
401-
MinVersion: o.MinVersion,
402-
MaxVersion: o.MaxVersion,
459+
MinVersion: o.MinTLSVersion,
460+
MaxVersion: o.MaxTLSVersion,
403461
}
404462
// Propagate root-certificate-related fields in tls.Config.
405463
switch {

security/advancedtls/advancedtls_integration_test.go

Lines changed: 4 additions & 4 deletions
Original file line numberDiff line numberDiff line change
@@ -908,8 +908,8 @@ func (s) TestTLSVersions(t *testing.T) {
908908
},
909909
RequireClientCert: false,
910910
VerificationType: CertAndHostVerification,
911-
MinVersion: test.serverMinVersion,
912-
MaxVersion: test.serverMaxVersion,
911+
MinTLSVersion: test.serverMinVersion,
912+
MaxTLSVersion: test.serverMaxVersion,
913913
}
914914
serverTLSCreds, err := NewServerCreds(serverOptions)
915915
if err != nil {
@@ -930,8 +930,8 @@ func (s) TestTLSVersions(t *testing.T) {
930930
RootCACerts: cs.ClientTrust1,
931931
},
932932
VerificationType: CertAndHostVerification,
933-
MinVersion: test.clientMinVersion,
934-
MaxVersion: test.clientMaxVersion,
933+
MinTLSVersion: test.clientMinVersion,
934+
MaxTLSVersion: test.clientMaxVersion,
935935
}
936936
clientTLSCreds, err := NewClientCreds(clientOptions)
937937
if err != nil {

security/advancedtls/advancedtls_test.go

Lines changed: 26 additions & 8 deletions
Original file line numberDiff line numberDiff line change
@@ -138,8 +138,8 @@ func (s) TestClientOptionsConfigErrorCases(t *testing.T) {
138138
VerificationType: test.clientVerificationType,
139139
IdentityOptions: test.IdentityOptions,
140140
RootOptions: test.RootOptions,
141-
MinVersion: test.MinVersion,
142-
MaxVersion: test.MaxVersion,
141+
MinTLSVersion: test.MinVersion,
142+
MaxTLSVersion: test.MaxVersion,
143143
}
144144
_, err := clientOptions.config()
145145
if err == nil {
@@ -196,8 +196,8 @@ func (s) TestClientOptionsConfigSuccessCases(t *testing.T) {
196196
VerificationType: test.clientVerificationType,
197197
IdentityOptions: test.IdentityOptions,
198198
RootOptions: test.RootOptions,
199-
MinVersion: test.MinVersion,
200-
MaxVersion: test.MaxVersion,
199+
MinTLSVersion: test.MinVersion,
200+
MaxTLSVersion: test.MaxVersion,
201201
}
202202
clientConfig, err := clientOptions.config()
203203
if err != nil {
@@ -211,6 +211,24 @@ func (s) TestClientOptionsConfigSuccessCases(t *testing.T) {
211211
t.Fatalf("Failed to assign system-provided certificates on the client side.")
212212
}
213213
}
214+
if test.MinVersion != 0 {
215+
if clientConfig.MinVersion != test.MinVersion {
216+
t.Fatalf("Failed to assign min tls version.")
217+
}
218+
} else {
219+
if clientConfig.MinVersion != tls.VersionTLS12 {
220+
t.Fatalf("Default min tls version not set correctly")
221+
}
222+
}
223+
if test.MaxVersion != 0 {
224+
if clientConfig.MaxVersion != test.MaxVersion {
225+
t.Fatalf("Failed to assign max tls version.")
226+
}
227+
} else {
228+
if clientConfig.MaxVersion != tls.VersionTLS13 {
229+
t.Fatalf("Default max tls version not set correctly")
230+
}
231+
}
214232
})
215233
}
216234
}
@@ -275,8 +293,8 @@ func (s) TestServerOptionsConfigErrorCases(t *testing.T) {
275293
RequireClientCert: test.requireClientCert,
276294
IdentityOptions: test.IdentityOptions,
277295
RootOptions: test.RootOptions,
278-
MinVersion: test.MinVersion,
279-
MaxVersion: test.MaxVersion,
296+
MinTLSVersion: test.MinVersion,
297+
MaxTLSVersion: test.MaxVersion,
280298
}
281299
_, err := serverOptions.config()
282300
if err == nil {
@@ -342,8 +360,8 @@ func (s) TestServerOptionsConfigSuccessCases(t *testing.T) {
342360
RequireClientCert: test.requireClientCert,
343361
IdentityOptions: test.IdentityOptions,
344362
RootOptions: test.RootOptions,
345-
MinVersion: test.MinVersion,
346-
MaxVersion: test.MaxVersion,
363+
MinTLSVersion: test.MinVersion,
364+
MaxTLSVersion: test.MaxVersion,
347365
}
348366
serverConfig, err := serverOptions.config()
349367
if err != nil {

0 commit comments

Comments
 (0)