docker
/
docs
mirror of https://github.com/docker/docs.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

Avoid fallback to SSL protocols < TLS1.0 

Signed-off-by: Tibor Vass <teabee89@gmail.com>

Docker-DCO-1.1-Signed-off-by: Daniel, Dao Quang Minh <dqminh89@gmail.com> (github: dqminh)
This commit is contained in:
Daniel, Dao Quang Minh 2014-10-15 22:39:51 -04:00
parent dc243c812b
commit 7a062b2b8f
3 changed files with 9 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
api/server/server.go
View File

@ -1439,6 +1439,8 @@ func ListenAndServe(proto, addr string, job *engine.Job) error {
tlsConfig := &tls.Config{ tlsConfig := &tls.Config{
NextProtos: []string{"http/1.1"}, NextProtos: []string{"http/1.1"},
Certificates: []tls.Certificate{cert}, Certificates: []tls.Certificate{cert},
// Avoid fallback on insecure SSL protocols
MinVersion: tls.VersionTLS10,
} }
if job.GetenvBool("TlsVerify") { if job.GetenvBool("TlsVerify") {
certPool := x509.NewCertPool() certPool := x509.NewCertPool()

2
docker/docker.go
View File

@ -93,6 +93,8 @@ func main() {
} }
tlsConfig.Certificates = []tls.Certificate{cert} tlsConfig.Certificates = []tls.Certificate{cert}
} }
// Avoid fallback to SSL protocols < TLS1.0
tlsConfig.MinVersion = tls.VersionTLS10
} }
if *flTls || *flTlsVerify { if *flTls || *flTlsVerify {

6
registry/registry.go
View File

@ -36,7 +36,11 @@ const (
) )
func newClient(jar http.CookieJar, roots *x509.CertPool, cert *tls.Certificate, timeout TimeoutType) *http.Client { func newClient(jar http.CookieJar, roots *x509.CertPool, cert *tls.Certificate, timeout TimeoutType) *http.Client {
tlsConfig := tls.Config{RootCAs: roots} tlsConfig := tls.Config{
RootCAs: roots,
// Avoid fallback to SSL protocols < TLS1.0
MinVersion: tls.VersionTLS10,
}
if cert != nil { if cert != nil {
tlsConfig.Certificates = append(tlsConfig.Certificates, *cert) tlsConfig.Certificates = append(tlsConfig.Certificates, *cert)