From 54c0fa5b63ad0db6eaa1c6f409f78b3249b16db2 Mon Sep 17 00:00:00 2001
From: Tero Saarni
Date: Tue, 29 Sep 2020 01:17:50 +0300
Subject: [PATCH] cmd/contour: force TLS 1.2 for the Contour xDS session (#2947)

Set the minimum TLS version to TLSv1.2 for gRPC XDS interface, removing support for TLSv1.0 and TLSv1.1, which are now deprecated.

Signed-off-by: Tero Saarni
---
 cmd/contour/servecontext.go | 1 +
 cmd/contour/servecontext_test.go | 29 +++++++++++++++++++++++++++++
 2 files changed, 30 insertions(+)

diff --git a/cmd/contour/servecontext.go b/cmd/contour/servecontext.go
index b9589b4629e..085ae286b61 100644
--- a/cmd/contour/servecontext.go
+++ b/cmd/contour/servecontext.go
@@ -385,6 +385,7 @@ func (ctx *serveContext) tlsconfig(log logrus.FieldLogger) *tls.Config {
 ClientAuth: tls.RequireAndVerifyClientCert,
 ClientCAs: certPool,
 Rand: rand.Reader,
+ MinVersion: tls.VersionTLS12,
 }, nil
 }
diff --git a/cmd/contour/servecontext_test.go b/cmd/contour/servecontext_test.go
index 9c6b41906ea..56423c16e01 100644
--- a/cmd/contour/servecontext_test.go
+++ b/cmd/contour/servecontext_test.go
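Review bot: The added `MinVersion: tls.VersionTLS12` lands on the inner tls.Config (the one that, judging by the `}, nil` context and the test's call to `preliminaryTLSConfig.GetConfigForClient(nil)`, is returned from a GetConfigForClient callback), so the floor relies on crypto/tls swapping in the per-client config before it negotiates the protocol version; it does, but the outer config that tlsconfig returns still carries MinVersion 0 and would accept TLS 1.0 if it were ever handed to a listener directly. Setting `MinVersion: tls.VersionTLS12` on the outer config as well makes the floor independent of that ordering and of future refactors of the callback. A one-line why-comment on the added field would also help a reader, e.g. `// TLS 1.0 and 1.1 are deprecated; require 1.2 or newer for the xDS session.` The body of tlsconfig starts outside the hunk, so the outer config literal is not visible here.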
@@ -381,6 +381,35 @@ func TestServeContextCertificateHandling(t *testing.T) {
 }
 }
+func TestTlsVersionDeprecation(t *testing.T) {
+ // To get tls.Config for the gRPC XDS server, we need to arrange valid TLS certificates and keys.
+ // Create temporary directory to store them for the server.
+ configDir, err := ioutil.TempDir("", "contour-testdata-")
+ checkFatalErr(t, err)
+ defer os.RemoveAll(configDir)
+
+ ctx := serveContext{
+ ServerConfig: ServerConfig{
+ caFile: filepath.Join(configDir, "CAcert.pem"),
+ contourCert: filepath.Join(configDir, "contourcert.pem"),
+ contourKey: filepath.Join(configDir, "contourkey.pem"),
+ },
+ }
+
+ err = linkFiles("testdata/1", configDir)
+ checkFatalErr(t, err)
+
+ // Get preliminary TLS config from the serveContext.
+ log := fixture.NewTestLogger(t)
+ preliminaryTLSConfig := ctx.tlsconfig(log)
+
+ // Get actual TLS config that will be used during TLS handshake.
+ tlsConfig, err := preliminaryTLSConfig.GetConfigForClient(nil)
+ checkFatalErr(t, err)
+
+ assert.Equal(t, tlsConfig.MinVersion, uint16(tls.VersionTLS12))
+}
+
 func checkFatalErr(t *testing.T, err error) {
 t.Helper()
 if err != nil {
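Review bot: `assert.Equal(t, tlsConfig.MinVersion, uint16(tls.VersionTLS12))` passes the actual value in the expected slot; testify's signature is (t, expected, actual), so a failure would print the two values swapped — `assert.Equal(t, uint16(tls.VersionTLS12), tlsConfig.MinVersion)`. The test name `TestTlsVersionDeprecation` should keep the initialism upper-case per Go convention, `TestTLSVersionDeprecation`. The assertion only inspects the config field and never runs a handshake, so a regression that moved MinVersion onto a config crypto/tls does not consult for version negotiation would go unnoticed; a `tls.Server`/`tls.Client` pair over `net.Pipe` with the client pinned to `MaxVersion: tls.VersionTLS11` would confirm the rejection end to end. If the module already builds on Go 1.15, `t.TempDir()` would replace the `ioutil.TempDir`/`os.RemoveAll` pair and remove the manual cleanup.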