grpc/rocsp: Allow use of TLSv1.2 and TLSv1.3 (#6600)

When we clamped our MaxVersion to TLS1.2, there wasn't any support for TLS1.3 yet. Allowing higher versions to be negotiated is good. Fixes #6580
2023-01-24 15:53:13 -05:00 · 2023-01-24 15:53:13 -05:00 · 0d6f8569c5
parent 55e5a24e7d
commit 0d6f8569c5
3 changed files with 6 additions and 4 deletions
--- a/cmd/config.go
+++ b/cmd/config.go
@ -178,10 +178,10 @@ func (t *TLSConfig) Load() (*tls.Config, error) {
 		ClientCAs:    rootCAs,
 		ClientAuth:   tls.RequireAndVerifyClientCert,
 		Certificates: []tls.Certificate{cert},
-		// Set the only acceptable TLS version to 1.2 and the only acceptable cipher suite
+		// Set the only acceptable TLS to v1.2 and v1.3.
-		// to ECDHE-RSA-CHACHA20-POLY1305.
+		MinVersion: tls.VersionTLS12,
-		MinVersion:   tls.VersionTLS12,
+		MaxVersion: tls.VersionTLS13,
-		MaxVersion:   tls.VersionTLS12,
+		// CipherSuites will be ignored for TLS v1.3.
 		CipherSuites: []uint16{tls.TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305},
 	}, nil
 }
--- a/test/redis-cluster.config
+++ b/test/redis-cluster.config
@ -28,6 +28,7 @@ user replication-user  on +@all ~* >435e9c4225f08813ef3af7c725f0d30d263b9cd3
 user unittest-rw       on +@all ~* >824968fa490f4ecec1e52d5e34916bdb60d45f8d
 masteruser replication-user
 masterauth 435e9c4225f08813ef3af7c725f0d30d263b9cd3
 tls-protocols "TLSv1.3"
 tls-cert-file /test/redis-tls/redis/cert.pem
 tls-key-file /test/redis-tls/redis/key.pem
 tls-ca-cert-file /test/redis-tls/minica.pem
--- a/test/redis.config
+++ b/test/redis.config
@ -28,6 +28,7 @@ user replication-user  on +@all ~* >435e9c4225f08813ef3af7c725f0d30d263b9cd3
 user unittest-rw       on +@all ~* >824968fa490f4ecec1e52d5e34916bdb60d45f8d
 masteruser replication-user
 masterauth 435e9c4225f08813ef3af7c725f0d30d263b9cd3
 tls-protocols "TLSv1.3"
 tls-cert-file /test/redis-tls/redis/cert.pem
 tls-key-file /test/redis-tls/redis/key.pem
 tls-ca-cert-file /test/redis-tls/minica.pem