-rw-r--r-- | cmd/web.go | 15 | ||||
-rw-r--r-- | conf/app.ini | 7 | ||||
-rw-r--r-- | pkg/setting/setting.go | 2 |
3 files changed, 21 insertions, 3 deletions
@@ -672,8 +672,21 @@ func runWeb(ctx *cli.Context) error {
 case setting.SCHEME_HTTP:
 err = http.ListenAndServe(listenAddr, m)
 case setting.SCHEME_HTTPS:
+ var tlsMinVersion uint16
+ switch setting.TLSMinVersion {
+ case "SSL30":
+ tlsMinVersion = tls.VersionSSL30
+ case "TLS12":
+ tlsMinVersion = tls.VersionTLS12
+ case "TLS11":
+ tlsMinVersion = tls.VersionTLS11
+ case "TLS10":
+ fallthrough
+ default:
+ tlsMinVersion = tls.VersionTLS10
+ }
 server := &http.Server{Addr: listenAddr, TLSConfig: &tls.Config{
- MinVersion: tls.VersionTLS10,
+ MinVersion: tlsMinVersion,
 CurvePreferences: []tls.CurveID{tls.CurveP521, tls.CurveP384, tls.CurveP256},
 PreferServerCipherSuites: true,
 CipherSuites: []uint16{
diff --git a/conf/app.ini b/conf/app.ini
index 2927c2aa..e9bbf484 100644
--- a/conf/app.ini
+++ b/conf/app.ini
@@ -56,6 +56,9 @@ DISABLE_ROUTER_LOG = false
 ; $ openssl pkcs12 -in cert.pfx -out key.pem -nocerts -nodes
 CERT_FILE = custom/https/cert.pem
 KEY_FILE = custom/https/key.pem
+; Allowed TLS version values: SSL30, TLS10, TLS11, TLS12
+TLS_MIN_VERSION = TLS10
+
 ; Upper level of template and static file path
 ; default is the path where Gogs is executed
 STATIC_ROOT_PATH =
@@ -148,7 +151,7 @@ ANGLED_QUOTES = true
 [http]
 ; Value for Access-Control-Allow-Origin header, default is not to present
-ACCESS_CONTROL_ALLOW_ORIGIN =
+ACCESS_CONTROL_ALLOW_ORIGIN =
 ; Define allowed algorithms and their minimum key length (use -1 to disable a type)
 [ssh.minimum_key_sizes]
@@ -346,7 +349,7 @@ MAX_DAYS = 7
 ; leave empty to inherit
 LEVEL =
 ; Webhook URL
-URL =
+URL =
 [log.xorm]
 ; Enable file rotation
diff --git a/pkg/setting/setting.go b/pkg/setting/setting.go
index c8902b45..1b701d12 100644
--- a/pkg/setting/setting.go
+++ b/pkg/setting/setting.go
@@ -69,6 +69,7 @@ var (
 OfflineMode bool
 DisableRouterLog bool
 CertFile, KeyFile string
+ TLSMinVersion string
 StaticRootPath string
 EnableGzip bool
 LandingPageURL LandingPage
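Review bot: The `default:` arm of the new `switch setting.TLSMinVersion` silently maps every unrecognised value to `tls.VersionTLS10`, so a typo or a differently cased value such as `tls12` or `TLS1.2` leaves the listener accepting TLS 1.0 with no sign that the setting was ignored. The `NewContext` hunk in pkg/setting/setting.go stores the raw `.String()` result, so nothing upstream normalises or validates the value either. I would keep the compatible default as `case "", "TLS10":` and make the fallback fail closed, e.g. `default: return fmt.Errorf("unknown TLS_MIN_VERSION %q", setting.TLSMinVersion)`, so the server does not start with a weaker floor than the operator asked for. Separately, `case "SSL30":` lets the floor drop below the previously hard-coded TLS 1.0 to a protocol that is known to be broken (POODLE); consider dropping that arm. runWeb starts and ends outside this hunk.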
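Review bot: The new comment above `TLS_MIN_VERSION` in conf/app.ini lists `SSL30` and `TLS10` as ordinary choices without saying they are obsolete, and the shipped default stays at `TLS10`. I would reword it to something like `; Minimum TLS version for the HTTPS listener: SSL30, TLS10, TLS11, TLS12 (SSL30 and TLS10 are obsolete; use TLS12 unless legacy clients require otherwise)`. It would also help to say that the key only takes effect when PROTOCOL is https, which I infer from the `NewContext` hunk reading it inside the https branch.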
@@ -438,6 +439,7 @@ func NewContext() {
 Protocol = SCHEME_HTTPS
 CertFile = sec.Key("CERT_FILE").String()
 KeyFile = sec.Key("KEY_FILE").String()
+ TLSMinVersion = sec.Key("TLS_MIN_VERSION").String()
 } else if sec.Key("PROTOCOL").String() == "fcgi" {
 Protocol = SCHEME_FCGI
 } else if sec.Key("PROTOCOL").String() == "unix" { |