From 3ed22dc16b415ff77579569e65a70cf6fdf4c9e7 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?J=C3=B6rn=20Friedrich=20Dreyer?=
Date: Thu, 3 Nov 2022 14:32:45 +0000
Subject: [PATCH 1/2] use min tls 1.2
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Signed-off-by: Jörn Friedrich Dreyer
---
services/audit/pkg/command/server.go | 1 +
services/graph/pkg/server/http/server.go | 1 +
services/graph/pkg/service/v0/service.go | 5 ++++-
services/notifications/pkg/channels/channels.go | 4 +++-
services/notifications/pkg/command/server.go | 1 +
services/proxy/pkg/command/server.go | 1 +
services/proxy/pkg/proxy/proxy.go | 1 +
services/search/pkg/service/v0/service.go | 1 +
services/thumbnails/pkg/thumbnail/imgsource/cs3.go | 1 +
services/thumbnails/pkg/thumbnail/imgsource/webdav.go | 5 ++++-
10 files changed, 18 insertions(+), 3 deletions(-)
diff --git a/services/audit/pkg/command/server.go b/services/audit/pkg/command/server.go
index 8bbabfe1a31..f28a9e3fb59 100644
--- a/services/audit/pkg/command/server.go
+++ b/services/audit/pkg/command/server.go
@@ -58,6 +58,7 @@ func Server(cfg *config.Config) *cli.Command {
}
tlsConf = &tls.Config{
+ MinVersion: tls.VersionTLS12,
InsecureSkipVerify: evtsCfg.TLSInsecure, //nolint:gosec
RootCAs: rootCAPool,
}
diff --git a/services/graph/pkg/server/http/server.go b/services/graph/pkg/server/http/server.go
index 15851c2fe3e..fdb0c2fa08e 100644
--- a/services/graph/pkg/server/http/server.go
+++ b/services/graph/pkg/server/http/server.go
@@ -64,6 +64,7 @@ func Server(opts ...Option) (http.Service, error) {
}
tlsConf = &tls.Config{
+ MinVersion: tls.VersionTLS12,
InsecureSkipVerify: options.Config.Events.TLSInsecure, //nolint:gosec
RootCAs: rootCAPool,
}
diff --git a/services/graph/pkg/service/v0/service.go b/services/graph/pkg/service/v0/service.go
index cb7030494c5..94be2c07b11 100644
--- a/services/graph/pkg/service/v0/service.go
+++ b/services/graph/pkg/service/v0/service.go
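Review bot: This `tls.Config` literal for the events client is now repeated verbatim in audit, graph, notifications and search (see the other hunks of this patch), so the new `MinVersion` had to be pasted into four places and the next hardening step (cipher suites, a TLS 1.3 floor) will have to be as well. I would move it into one shared constructor in a common package, e.g. `func NewClientTLSConfig(insecure bool, roots *x509.CertPool) *tls.Config`, and have each service call it with `evtsCfg.TLSInsecure` and `rootCAPool`. The enclosing `Server` command body starts and ends outside this hunk, so how `rootCAPool` is built is not visible here.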
@@ -89,6 +89,7 @@ func NewService(opts ...Option) Service {
// When insecure is set to true then we don't need a certificate.
options.Config.Identity.LDAP.CACert = ""
tlsConf = &tls.Config{
+ MinVersion: tls.VersionTLS12,
//nolint:gosec // We need the ability to run with "insecure" (dev/testing)
InsecureSkipVerify: options.Config.Identity.LDAP.Insecure,
}
@@ -101,7 +102,9 @@ func NewService(opts ...Option) Service {
options.Logger.Fatal().Err(err).Msg("The configured LDAP CA cert does not exist")
}
if tlsConf == nil {
- tlsConf = &tls.Config{}
+ tlsConf = &tls.Config{
+ MinVersion: tls.VersionTLS12,
+ }
}
certs := x509.NewCertPool()
pemData, err := ioutil.ReadFile(options.Config.Identity.LDAP.CACert)
diff --git a/services/notifications/pkg/channels/channels.go b/services/notifications/pkg/channels/channels.go
index 7eaa7cb5a9d..eaf51e4e70b 100644
--- a/services/notifications/pkg/channels/channels.go
+++ b/services/notifications/pkg/channels/channels.go
@@ -66,7 +66,9 @@ func (m Mail) getMailClient() (*mail.SMTPClient, error) {
}
server.Password = m.conf.Notifications.SMTP.Password
if server.TLSConfig == nil {
- server.TLSConfig = &tls.Config{}
+ server.TLSConfig = &tls.Config{
+ MinVersion: tls.VersionTLS12,
+ }
}
server.TLSConfig.InsecureSkipVerify = m.conf.Notifications.SMTP.Insecure
diff --git a/services/notifications/pkg/command/server.go b/services/notifications/pkg/command/server.go
index e761f858817..8110c34f512 100644
--- a/services/notifications/pkg/command/server.go
+++ b/services/notifications/pkg/command/server.go
@@ -57,6 +57,7 @@ func Server(cfg *config.Config) *cli.Command {
}
tlsConf = &tls.Config{
+ MinVersion: tls.VersionTLS12,
InsecureSkipVerify: evtsCfg.TLSInsecure, //nolint:gosec
RootCAs: rootCAPool,
}
diff --git a/services/proxy/pkg/command/server.go b/services/proxy/pkg/command/server.go
index 5c8823d37f9..b52c99e74ca 100644
--- a/services/proxy/pkg/command/server.go
+++ b/services/proxy/pkg/command/server.go
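Review bot: In `getMailClient` the TLS 1.2 floor is only applied on the branch where `server.TLSConfig` is still nil, whereas the `InsecureSkipVerify` flag on the hunk's last line is applied to whatever config is present, so a `TLSConfig` pre-populated by the mail library (not visible here) would keep its own, possibly lower, minimum. I would set it unconditionally next to the existing assignment, `server.TLSConfig.MinVersion = tls.VersionTLS12` right before `server.TLSConfig.InsecureSkipVerify = m.conf.Notifications.SMTP.Insecure`, and leave the nil branch as a plain `&tls.Config{}`. `getMailClient` starts and ends outside this hunk.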
@@ -163,6 +163,7 @@ func loadMiddlewares(ctx context.Context, logger log.Logger, cfg *config.Config)
var oidcHTTPClient = &http.Client{
Transport: &http.Transport{
TLSClientConfig: &tls.Config{
+ MinVersion: tls.VersionTLS12,
InsecureSkipVerify: cfg.OIDC.Insecure, //nolint:gosec
},
DisableKeepAlives: true,
diff --git a/services/proxy/pkg/proxy/proxy.go b/services/proxy/pkg/proxy/proxy.go
index 1642484aeb9..8b06707b02b 100644
--- a/services/proxy/pkg/proxy/proxy.go
+++ b/services/proxy/pkg/proxy/proxy.go
@@ -51,6 +51,7 @@ func NewMultiHostReverseProxy(opts ...Option) (*MultiHostReverseProxy, error) {
}
tlsConf := &tls.Config{
+ MinVersion: tls.VersionTLS12,
InsecureSkipVerify: options.Config.InsecureBackends, //nolint:gosec
}
if options.Config.BackendHTTPSCACert != "" {
diff --git a/services/search/pkg/service/v0/service.go b/services/search/pkg/service/v0/service.go
index 353bacfca33..ee1c282eb25 100644
--- a/services/search/pkg/service/v0/service.go
+++ b/services/search/pkg/service/v0/service.go
@@ -54,6 +54,7 @@ func NewHandler(opts ...Option) (searchsvc.SearchProviderHandler, error) {
}
tlsConf = &tls.Config{
+ MinVersion: tls.VersionTLS12,
InsecureSkipVerify: evtsCfg.TLSInsecure, //nolint:gosec
RootCAs: rootCAPool,
}
diff --git a/services/thumbnails/pkg/thumbnail/imgsource/cs3.go b/services/thumbnails/pkg/thumbnail/imgsource/cs3.go
index b9d46bbea62..be17365c01f 100644
--- a/services/thumbnails/pkg/thumbnail/imgsource/cs3.go
+++ b/services/thumbnails/pkg/thumbnail/imgsource/cs3.go
@@ -80,6 +80,7 @@ func (s CS3) Get(ctx context.Context, path string) (io.ReadCloser, error) {
httpReq.Header.Set(TokenTransportHeader, tk)
http.DefaultTransport.(*http.Transport).TLSClientConfig = &tls.Config{
+ MinVersion: tls.VersionTLS12,
InsecureSkipVerify: s.insecure, //nolint:gosec
}
client := &http.Client{}
diff --git a/services/thumbnails/pkg/thumbnail/imgsource/webdav.go b/services/thumbnails/pkg/thumbnail/imgsource/webdav.go
index 3d1edd56f90..6e02bc0465b 100644
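Review bot: In `CS3.Get` the hardened config is still written into the process-wide `http.DefaultTransport` on every call, which is a data race with any goroutine dialing through that transport at the same time and also silently switches every other default-transport client in the process to `s.insecure` (and now to this `MinVersion`). I would build one `*http.Transport` holding this `tls.Config` when the `CS3` value is constructed (outside this hunk), keep an `*http.Client` on the struct, and replace the assignment plus `client := &http.Client{}` with a call through that client. The bare `http.Client{}` also has no `Timeout`; whether `httpReq` carries `ctx` so the request is otherwise bounded is not visible in this hunk and is worth confirming. `Get` continues past this hunk.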
--- a/services/thumbnails/pkg/thumbnail/imgsource/webdav.go
+++ b/services/thumbnails/pkg/thumbnail/imgsource/webdav.go
@@ -34,7 +34,10 @@ func (s WebDav) Get(ctx context.Context, url string) (io.ReadCloser, error) {
return nil, errors.Wrapf(err, `could not get the image "%s"`, url)
}
- http.DefaultTransport.(*http.Transport).TLSClientConfig = &tls.Config{InsecureSkipVerify: s.insecure} //nolint:gosec
+ http.DefaultTransport.(*http.Transport).TLSClientConfig = &tls.Config{
+ MinVersion: tls.VersionTLS12,
+ InsecureSkipVerify: s.insecure, //nolint:gosec
+ }
if auth, ok := ContextGetAuthorization(ctx); ok {
req.Header.Add("Authorization", auth)
From 4cb873b92493511731629f280b9e939cca7f7d39 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?J=C3=B6rn=20Friedrich=20Dreyer?=
Date: Thu, 3 Nov 2022 14:38:41 +0000
Subject: [PATCH 2/2] add changelog
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Signed-off-by: Jörn Friedrich Dreyer
---
changelog/unreleased/mintls12.md | 3 +++
1 file changed, 3 insertions(+)
create mode 100644 changelog/unreleased/mintls12.md
diff --git a/changelog/unreleased/mintls12.md b/changelog/unreleased/mintls12.md
new file mode 100644
index 00000000000..1df5ffa7ea4
--- /dev/null
+++ b/changelog/unreleased/mintls12.md
@@ -0,0 +1,3 @@
+Enhancement: default to tls 1.2
+
+https://github.com/owncloud/ocis/pull/4969
\ No newline at end of file
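Review bot: Splitting the literal across lines does not change that `WebDav.Get` mutates `http.DefaultTransport` per request: each call overwrites `TLSClientConfig` on the shared transport while other goroutines may be using it (a data race), and `s.insecure` leaks to every other default-transport HTTP client in the process. A `*http.Transport` created once for the `WebDav` source (its constructor is outside this hunk) and used through its own `*http.Client` keeps the setting, and the `//nolint:gosec` waiver, local to thumbnails. `Get` starts and ends outside this hunk, so where `req` is sent is not visible here.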