diff --git a/api/server/server.go b/api/server/server.go index 897dd6142f..93b8b60a8f 100644 --- a/api/server/server.go +++ b/api/server/server.go @@ -1439,6 +1439,8 @@ func ListenAndServe(proto, addr string, job *engine.Job) error { tlsConfig := &tls.Config{ NextProtos: []string{"http/1.1"}, Certificates: []tls.Certificate{cert}, + // Avoid fallback on insecure SSL protocols + MinVersion: tls.VersionTLS10, } if job.GetenvBool("TlsVerify") { certPool := x509.NewCertPool() diff --git a/docker/docker.go b/docker/docker.go index 37cd155bb7..f0cbb6f6ab 100644 --- a/docker/docker.go +++ b/docker/docker.go @@ -93,6 +93,8 @@ func main() { } tlsConfig.Certificates = []tls.Certificate{cert} } + // Avoid fallback to SSL protocols < TLS1.0 + tlsConfig.MinVersion = tls.VersionTLS10 } if *flTls || *flTlsVerify { diff --git a/registry/registry.go b/registry/registry.go index 15fed1b8a9..a03790af03 100644 --- a/registry/registry.go +++ b/registry/registry.go @@ -37,7 +37,11 @@ const ( ) func newClient(jar http.CookieJar, roots *x509.CertPool, cert *tls.Certificate, timeout TimeoutType, secure bool) *http.Client { - tlsConfig := tls.Config{RootCAs: roots} + tlsConfig := tls.Config{ + RootCAs: roots, + // Avoid fallback to SSL protocols < TLS1.0 + MinVersion: tls.VersionTLS10, + } if cert != nil { tlsConfig.Certificates = append(tlsConfig.Certificates, *cert)