From 6b198535d671d1d19a5a7afded52c95a441ec5d6 Mon Sep 17 00:00:00 2001
From: David Eads
Date: Fri, 19 Jan 2018 11:50:47 -0500
Subject: [PATCH 1/2] add options for min tls levels

Kubernetes-commit: ad1680347071cb5bb66ab49c7325eb21d83e143c
---
 pkg/server/options/serving.go | 12 ++++++++++++
 pkg/util/flag/ciphersuites_flag.go | 23 +++++++++++++++++++++++
 pkg/util/flag/ciphersuites_flag_test.go | 14 ++++++++++++++
 3 files changed, 49 insertions(+)

diff --git a/pkg/server/options/serving.go b/pkg/server/options/serving.go
index 9606fa0cb..465839597 100644
--- a/pkg/server/options/serving.go
+++ b/pkg/server/options/serving.go
@@ -54,6 +54,9 @@ type SecureServingOptions struct {
 // CipherSuites is the list of allowed cipher suites for the server.
 // Values are from tls package constants (https://golang.org/pkg/crypto/tls/#pkg-constants).
 CipherSuites []string
+ // MinTLSVersion is the minimum TLS version supported.
+ // Values are from tls package constants (https://golang.org/pkg/crypto/tls/#pkg-constants).
+ MinTLSVersion string
 }
 
 type CertKey struct {
@@ -142,6 +145,10 @@ func (s *SecureServingOptions) AddFlags(fs *pflag.FlagSet) {
 "Values are from tls package constants (https://golang.org/pkg/crypto/tls/#pkg-constants). "+
 "If omitted, the default Go cipher suites will be used")
 
+ fs.StringVar(&s.MinTLSVersion, "tls-min-version", s.MinTLSVersion,
+ "Minimum TLS version supported. "+
+ "Value must match version names from https://golang.org/pkg/crypto/tls/#pkg-constants.")
+
 fs.Var(utilflag.NewNamedCertKeyArray(&s.SNICertKeys), "tls-sni-cert-key", ""+
 "A pair of x509 certificate and private key file paths, optionally suffixed with a list of "+
 "domain patterns which are fully qualified domain names, possibly with prefixed wildcard "+
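Review bot: The help text for `tls-min-version` does not say what happens when the flag is omitted, unlike the neighbouring cipher-suite flag whose text ends with "If omitted, the default Go cipher suites will be used". Elsewhere in this patch an empty value resolves to `DefaultTLSVersion()`, i.e. `tls.VersionTLS12`, so an operator reading `--help` cannot tell that the floor is TLS 1.2 by default and that naming `VersionTLS10` or `VersionTLS11` lowers it. Suggest ending the help string with `"If omitted, VersionTLS12 is used."` and adding the same sentence to the `MinTLSVersion` field comment in the struct hunk above, so the option and the field document the same contract. `AddFlags` continues outside this hunk.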
@@ -249,6 +256,11 @@ func (s *SecureServingOptions) applyServingInfoTo(c *server.Config) error {
 secureServingInfo.CipherSuites = cipherSuites
 }
 
+ secureServingInfo.MinTLSVersion, err = utilflag.TLSVersion(s.MinTLSVersion)
+ if err != nil {
+ return err
+ }
+
 // load SNI certs
 namedTLSCerts := make([]server.NamedTLSCert, 0, len(s.SNICertKeys))
 for _, nck := range s.SNICertKeys {
diff --git a/pkg/util/flag/ciphersuites_flag.go b/pkg/util/flag/ciphersuites_flag.go
index c2ce311e4..73fd62c10 100644
--- a/pkg/util/flag/ciphersuites_flag.go
+++ b/pkg/util/flag/ciphersuites_flag.go
@@ -62,3 +62,26 @@ func TLSCipherSuites(cipherNames []string) ([]uint16, error) {
 }
 return ciphersIntSlice, nil
 }
+
+var versions = map[string]uint16{
+ "VersionTLS10": tls.VersionTLS10,
+ "VersionTLS11": tls.VersionTLS11,
+ "VersionTLS12": tls.VersionTLS12,
+}
+
+func TLSVersion(versionName string) (uint16, error) {
+ if len(versionName) == 0 {
+ return DefaultTLSVersion(), nil
+ }
+ if version, ok := versions[versionName]; ok {
+ return version, nil
+ }
+ return 0, fmt.Errorf("unknown tls version %q", versionName)
+}
+
+func DefaultTLSVersion() uint16 {
+ // Can't use SSLv3 because of POODLE and BEAST
+ // Can't use TLSv1.0 because of POODLE and BEAST using CBC cipher
+ // Can't use TLSv1.1 because of RC4 cipher usage
+ return tls.VersionTLS12
+}
diff --git a/pkg/util/flag/ciphersuites_flag_test.go b/pkg/util/flag/ciphersuites_flag_test.go
index b050238a3..4a8c4efeb 100644
--- a/pkg/util/flag/ciphersuites_flag_test.go
+++ b/pkg/util/flag/ciphersuites_flag_test.go
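Review bot: `TLSVersion` and `DefaultTLSVersion` in the ciphersuites_flag.go hunk are exported without doc comments, and the rationale for the default is buried inside the function body where godoc will not surface it. Suggest `// TLSVersion returns the tls.Version* constant named by versionName; an empty name selects DefaultTLSVersion, an unknown name is an error.` and `// DefaultTLSVersion returns the minimum TLS version used when none is configured (currently tls.VersionTLS12).` The comment "Can't use TLSv1.1 because of RC4 cipher usage" is imprecise — RC4 is a cipher-suite choice already governed by `TLSCipherSuites` rather than a property of TLS 1.1; the stronger reason is that AEAD suites and the SHA-256 PRF are only available from TLS 1.2 — so rewording it would avoid misleading the next maintainer. Since `versions` deliberately admits `VersionTLS10` and `VersionTLS11` below that default, the error for an unknown name could also list the accepted names (sort the keys of `versions` into the `fmt.Errorf` message) so a mistyped value is easy to correct.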
@@ -80,8 +80,12 @@ func TestConstantMaps(t *testing.T) {
 fmt.Printf("error: %s\n", err.Error())
 return
 }
+ discoveredVersions := map[string]bool{}
 discoveredCiphers := map[string]bool{}
 for _, declName := range pkg.Scope().Names() {
+ if strings.HasPrefix(declName, "VersionTLS") {
+ discoveredVersions[declName] = true
+ }
 if strings.HasPrefix(declName, "TLS_RSA_") || strings.HasPrefix(declName, "TLS_ECDHE_") {
 discoveredCiphers[declName] = true
 }
@@ -97,4 +101,14 @@ func TestConstantMaps(t *testing.T) {
 t.Errorf("ciphers map has %s not in tls package", k)
 }
 }
+ for k := range discoveredVersions {
+ if _, ok := versions[k]; !ok {
+ t.Errorf("discovered version tls.%s not in version map", k)
+ }
+ }
+ for k := range versions {
+ if _, ok := discoveredVersions[k]; !ok {
+ t.Errorf("versions map has %s not in tls package", k)
+ }
+ }
 }

From b16b687dc581ff2d67a9e6994c5e3e5247fdd1e1 Mon Sep 17 00:00:00 2001
From: David Eads
Date: Fri, 19 Jan 2018 11:55:55 -0500
Subject: [PATCH 2/2] generated

Kubernetes-commit: 4ce7bcced4cc68a833759a218f9c3be7f72fd1c0
---
 pkg/server/options/serving.go | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/pkg/server/options/serving.go b/pkg/server/options/serving.go
index 465839597..ec38ca6b6 100644
--- a/pkg/server/options/serving.go
+++ b/pkg/server/options/serving.go
@@ -256,6 +256,7 @@ func (s *SecureServingOptions) applyServingInfoTo(c *server.Config) error {
 secureServingInfo.CipherSuites = cipherSuites
 }
 
+ var err error
 secureServingInfo.MinTLSVersion, err = utilflag.TLSVersion(s.MinTLSVersion)
 if err != nil {
 return err
@@ -273,7 +274,6 @@ func (s *SecureServingOptions) applyServingInfoTo(c *server.Config) error {
 return fmt.Errorf("failed to load SNI cert and key: %v", err)
 }
 }
- var err error
 secureServingInfo.SNICerts, err = server.GetNamedCertificateMap(namedTLSCerts)
 if err != nil {
 return err