security: set minimum version to TLS11 (#265)

pingcap · Apr 11, 2023 · bd8d8aa · bd8d8aa
1 parent 9e46036
commit bd8d8aa
Show file tree

Hide file tree

Showing 3 changed files with 17 additions and 8 deletions.
diff --git a/lib/util/security/cert.go b/lib/util/security/cert.go
@@ -167,7 +167,7 @@ func (ci *CertInfo) buildServerConfig(lg *zap.Logger) (*tls.Config, error) {
 	}
 
 	tcfg := &tls.Config{
-		MinVersion:            tls.VersionTLS12,
+		MinVersion:            tls.VersionTLS11,
 		GetCertificate:        ci.getCert,
 		GetClientCertificate:  ci.getClientCert,
 		VerifyPeerCertificate: ci.verifyPeerCertificate,
@@ -243,15 +243,15 @@ func (ci *CertInfo) buildClientConfig(lg *zap.Logger) (*tls.Config, error) {
 			// still enable TLS without verify server certs
 			return &tls.Config{
 				InsecureSkipVerify: true,
-				MinVersion:         tls.VersionTLS12,
+				MinVersion:         tls.VersionTLS11,
 			}, nil
 		}
 		lg.Info("no CA to verify server connections, disable TLS")
 		return nil, nil
 	}
 
 	tcfg := &tls.Config{
-		MinVersion:            tls.VersionTLS12,
+		MinVersion:            tls.VersionTLS11,
 		GetCertificate:        ci.getCert,
 		GetClientCertificate:  ci.getClientCert,
 		InsecureSkipVerify:    true,

diff --git a/lib/util/security/cert_test.go b/lib/util/security/cert_test.go
@@ -73,6 +73,7 @@ func TestCertServer(t *testing.T) {
 				require.NotNil(t, c)
 				require.Nil(t, ci.ca.Load())
 				require.NotNil(t, ci.cert.Load())
+				require.Equal(t, tls.VersionTLS11, int(c.MinVersion))
 			},
 			err: "",
 		},
@@ -86,6 +87,7 @@ func TestCertServer(t *testing.T) {
 				require.NotNil(t, c)
 				require.Nil(t, ci.ca.Load())
 				require.NotNil(t, ci.cert.Load())
+				require.Equal(t, tls.VersionTLS11, int(c.MinVersion))
 			},
 			err: "",
 		},
@@ -101,6 +103,7 @@ func TestCertServer(t *testing.T) {
 				require.Equal(t, tls.RequireAnyClientCert, c.ClientAuth)
 				require.NotNil(t, ci.ca.Load())
 				require.NotNil(t, ci.cert.Load())
+				require.Equal(t, tls.VersionTLS11, int(c.MinVersion))
 			},
 			err: "",
 		},
@@ -117,6 +120,7 @@ func TestCertServer(t *testing.T) {
 				require.Equal(t, tls.RequestClientCert, c.ClientAuth)
 				require.NotNil(t, ci.ca.Load())
 				require.NotNil(t, ci.cert.Load())
+				require.Equal(t, tls.VersionTLS11, int(c.MinVersion))
 			},
 			err: "",
 		},
@@ -131,6 +135,7 @@ func TestCertServer(t *testing.T) {
 				require.Equal(t, tls.RequireAnyClientCert, c.ClientAuth)
 				require.NotNil(t, ci.ca.Load())
 				require.NotNil(t, ci.cert.Load())
+				require.Equal(t, tls.VersionTLS11, int(c.MinVersion))
 			},
 			err: "",
 		},
@@ -162,6 +167,7 @@ func TestCertServer(t *testing.T) {
 				require.NotNil(t, c)
 				require.Nil(t, ci.ca.Load())
 				require.Nil(t, ci.cert.Load())
+				require.Equal(t, tls.VersionTLS11, int(c.MinVersion))
 			},
 			err: "",
 		},
@@ -174,6 +180,7 @@ func TestCertServer(t *testing.T) {
 				require.NotNil(t, c)
 				require.Nil(t, ci.ca.Load())
 				require.Nil(t, ci.cert.Load())
+				require.Equal(t, tls.VersionTLS11, int(c.MinVersion))
 			},
 			err: "",
 		},
@@ -185,6 +192,7 @@ func TestCertServer(t *testing.T) {
 				require.NotNil(t, c)
 				require.NotNil(t, ci.ca.Load())
 				require.Nil(t, ci.cert.Load())
+				require.Equal(t, tls.VersionTLS11, int(c.MinVersion))
 			},
 			err: "",
 		},
@@ -198,6 +206,7 @@ func TestCertServer(t *testing.T) {
 				require.NotNil(t, c)
 				require.NotNil(t, ci.ca.Load())
 				require.NotNil(t, ci.cert.Load())
+				require.Equal(t, tls.VersionTLS11, int(c.MinVersion))
 			},
 			err: "",
 		},

diff --git a/lib/util/security/tls.go b/lib/util/security/tls.go
@@ -195,14 +195,14 @@ func CreateTLSConfigForTest() (serverTLSConf *tls.Config, clientTLSConf *tls.Con
 	}
 
 	serverTLSConf = &tls.Config{
-		MinVersion:   tls.VersionTLS12,
+		MinVersion:   tls.VersionTLS11,
 		Certificates: []tls.Certificate{serverCert},
 	}
 
 	certpool := x509.NewCertPool()
 	certpool.AppendCertsFromPEM(caPEM)
 	clientTLSConf = &tls.Config{
-		MinVersion:         tls.VersionTLS12,
+		MinVersion:         tls.VersionTLS11,
 		InsecureSkipVerify: true,
 		RootCAs:            certpool,
 	}
@@ -218,7 +218,7 @@ func BuildServerTLSConfig(logger *zap.Logger, cfg config.TLSConfig) (*tls.Config
 	}
 
 	tcfg := &tls.Config{
-		MinVersion: tls.VersionTLS12,
+		MinVersion: tls.VersionTLS11,
 	}
 	cert, err := tls.LoadX509KeyPair(cfg.Cert, cfg.Key)
 	if err != nil {
@@ -250,15 +250,15 @@ func BuildClientTLSConfig(logger *zap.Logger, cfg config.TLSConfig) (*tls.Config
 			// still enable TLS without verify server certs
 			return &tls.Config{
 				InsecureSkipVerify: true,
-				MinVersion:         tls.VersionTLS12,
+				MinVersion:         tls.VersionTLS11,
 			}, nil
 		}
 		logger.Info("no CA to verify server connections, disable TLS")
 		return nil, nil
 	}
 
 	tcfg := &tls.Config{
-		MinVersion: tls.VersionTLS12,
+		MinVersion: tls.VersionTLS11,
 	}
 	tcfg.RootCAs = x509.NewCertPool()
 	certBytes, err := os.ReadFile(cfg.CA)