owncloud · butonic · Nov 3, 2022 · Nov 3, 2022 · Nov 3, 2022
diff --git a/changelog/unreleased/mintls12.md b/changelog/unreleased/mintls12.md
@@ -0,0 +1,3 @@
+Enhancement: default to tls 1.2
+
+https://github.com/owncloud/ocis/pull/4969
diff --git a/services/audit/pkg/command/server.go b/services/audit/pkg/command/server.go
@@ -58,6 +58,7 @@ func Server(cfg *config.Config) *cli.Command {
 				}
 
 				tlsConf = &tls.Config{
+					MinVersion:         tls.VersionTLS12,
 					InsecureSkipVerify: evtsCfg.TLSInsecure, //nolint:gosec
 					RootCAs:            rootCAPool,
 				}

diff --git a/services/graph/pkg/server/http/server.go b/services/graph/pkg/server/http/server.go
@@ -64,6 +64,7 @@ func Server(opts ...Option) (http.Service, error) {
 			}
 
 			tlsConf = &tls.Config{
+				MinVersion:         tls.VersionTLS12,
 				InsecureSkipVerify: options.Config.Events.TLSInsecure, //nolint:gosec
 				RootCAs:            rootCAPool,
 			}

diff --git a/services/graph/pkg/service/v0/service.go b/services/graph/pkg/service/v0/service.go
@@ -89,6 +89,7 @@ func NewService(opts ...Option) Service {
 				// When insecure is set to true then we don't need a certificate.
 				options.Config.Identity.LDAP.CACert = ""
 				tlsConf = &tls.Config{
+					MinVersion: tls.VersionTLS12,
 					//nolint:gosec // We need the ability to run with "insecure" (dev/testing)
 					InsecureSkipVerify: options.Config.Identity.LDAP.Insecure,
 				}
@@ -101,7 +102,9 @@ func NewService(opts ...Option) Service {
 					options.Logger.Fatal().Err(err).Msg("The configured LDAP CA cert does not exist")
 				}
 				if tlsConf == nil {
-					tlsConf = &tls.Config{}
+					tlsConf = &tls.Config{
+						MinVersion: tls.VersionTLS12,
+					}
 				}
 				certs := x509.NewCertPool()
 				pemData, err := ioutil.ReadFile(options.Config.Identity.LDAP.CACert)

diff --git a/services/notifications/pkg/channels/channels.go b/services/notifications/pkg/channels/channels.go
@@ -66,7 +66,9 @@ func (m Mail) getMailClient() (*mail.SMTPClient, error) {
 	}
 	server.Password = m.conf.Notifications.SMTP.Password
 	if server.TLSConfig == nil {
-		server.TLSConfig = &tls.Config{}
+		server.TLSConfig = &tls.Config{
+			MinVersion: tls.VersionTLS12,
+		}
 	}
 	server.TLSConfig.InsecureSkipVerify = m.conf.Notifications.SMTP.Insecure
 

diff --git a/services/notifications/pkg/command/server.go b/services/notifications/pkg/command/server.go
@@ -57,6 +57,7 @@ func Server(cfg *config.Config) *cli.Command {
 				}
 
 				tlsConf = &tls.Config{
+					MinVersion:         tls.VersionTLS12,
 					InsecureSkipVerify: evtsCfg.TLSInsecure, //nolint:gosec
 					RootCAs:            rootCAPool,
 				}

diff --git a/services/proxy/pkg/command/server.go b/services/proxy/pkg/command/server.go
@@ -163,6 +163,7 @@ func loadMiddlewares(ctx context.Context, logger log.Logger, cfg *config.Config)
 	var oidcHTTPClient = &http.Client{
 		Transport: &http.Transport{
 			TLSClientConfig: &tls.Config{
+				MinVersion:         tls.VersionTLS12,
 				InsecureSkipVerify: cfg.OIDC.Insecure, //nolint:gosec
 			},
 			DisableKeepAlives: true,

diff --git a/services/proxy/pkg/proxy/proxy.go b/services/proxy/pkg/proxy/proxy.go
@@ -51,6 +51,7 @@ func NewMultiHostReverseProxy(opts ...Option) (*MultiHostReverseProxy, error) {
 	}
 
 	tlsConf := &tls.Config{
+		MinVersion:         tls.VersionTLS12,
 		InsecureSkipVerify: options.Config.InsecureBackends, //nolint:gosec
 	}
 	if options.Config.BackendHTTPSCACert != "" {

diff --git a/services/search/pkg/service/v0/service.go b/services/search/pkg/service/v0/service.go
@@ -54,6 +54,7 @@ func NewHandler(opts ...Option) (searchsvc.SearchProviderHandler, error) {
 		}
 
 		tlsConf = &tls.Config{
+			MinVersion:         tls.VersionTLS12,
 			InsecureSkipVerify: evtsCfg.TLSInsecure, //nolint:gosec
 			RootCAs:            rootCAPool,
 		}

diff --git a/services/thumbnails/pkg/thumbnail/imgsource/cs3.go b/services/thumbnails/pkg/thumbnail/imgsource/cs3.go
@@ -80,6 +80,7 @@ func (s CS3) Get(ctx context.Context, path string) (io.ReadCloser, error) {
 	httpReq.Header.Set(TokenTransportHeader, tk)
 
 	http.DefaultTransport.(*http.Transport).TLSClientConfig = &tls.Config{
+		MinVersion:         tls.VersionTLS12,
 		InsecureSkipVerify: s.insecure, //nolint:gosec
 	}
 	client := &http.Client{}

diff --git a/services/thumbnails/pkg/thumbnail/imgsource/webdav.go b/services/thumbnails/pkg/thumbnail/imgsource/webdav.go
@@ -34,7 +34,10 @@ func (s WebDav) Get(ctx context.Context, url string) (io.ReadCloser, error) {
 		return nil, errors.Wrapf(err, `could not get the image "%s"`, url)
 	}
 
-	http.DefaultTransport.(*http.Transport).TLSClientConfig = &tls.Config{InsecureSkipVerify: s.insecure} //nolint:gosec
+	http.DefaultTransport.(*http.Transport).TLSClientConfig = &tls.Config{
+		MinVersion:         tls.VersionTLS12,
+		InsecureSkipVerify: s.insecure, //nolint:gosec
+	}
 
 	if auth, ok := ContextGetAuthorization(ctx); ok {
 		req.Header.Add("Authorization", auth)