Avoid fallback to SSL protocols < TLS1.0

Signed-off-by: Tibor Vass <teabee89@gmail.com> Docker-DCO-1.1-Signed-off-by: Daniel, Dao Quang Minh <dqminh89@gmail.com> (github: dqminh)
2014-10-15 22:39:51 -04:00 · 2014-10-15 22:39:51 -04:00 · 7a062b2b8f
parent dc243c812b
commit 7a062b2b8f
3 changed files with 9 additions and 1 deletions
--- a/api/server/server.go
+++ b/api/server/server.go
@ -1439,6 +1439,8 @@ func ListenAndServe(proto, addr string, job *engine.Job) error {
 		tlsConfig := &tls.Config{
 			NextProtos:   []string{"http/1.1"},
 			Certificates: []tls.Certificate{cert},
+			// Avoid fallback on insecure SSL protocols
+			MinVersion: tls.VersionTLS10,
 		}
 		if job.GetenvBool("TlsVerify") {
 			certPool := x509.NewCertPool()
--- a/docker/docker.go
+++ b/docker/docker.go
@ -93,6 +93,8 @@ func main() {
 			}
 			tlsConfig.Certificates = []tls.Certificate{cert}
 		}
+		// Avoid fallback to SSL protocols < TLS1.0
+		tlsConfig.MinVersion = tls.VersionTLS10
 	}

 	if *flTls || *flTlsVerify {
--- a/registry/registry.go
+++ b/registry/registry.go
@ -36,7 +36,11 @@ const (
 )

 func newClient(jar http.CookieJar, roots *x509.CertPool, cert *tls.Certificate, timeout TimeoutType) *http.Client {
-	tlsConfig := tls.Config{RootCAs: roots}
+	tlsConfig := tls.Config{
+		RootCAs: roots,
+		// Avoid fallback to SSL protocols < TLS1.0
+		MinVersion: tls.VersionTLS10,
+	}

 	if cert != nil {
 		tlsConfig.Certificates = append(tlsConfig.Certificates, *cert)