From 8e7aaa23d5c0069406f260c3acbfac58f840b798 Mon Sep 17 00:00:00 2001
From: Chaim Lev-Ari
Date: Wed, 22 Jul 2020 03:16:00 +0300
Subject: [PATCH] feat(server): support minimum tls v1.2 (#4076)

---
 api/crypto/tls.go  | 18 ++++++++++++++++++
 api/http/server.go | 13 ++++++++++---
 2 files changed, 28 insertions(+), 3 deletions(-)

diff --git a/api/crypto/tls.go b/api/crypto/tls.go
index 641aed142..e46998898 100644
--- a/api/crypto/tls.go
+++ b/api/crypto/tls.go
@@ -6,6 +6,24 @@ import (
 	"io/ioutil"
 )
 
+// CreateServerTLSConfiguration creates a basic tls.Config to be used by servers with recommended TLS settings
+func CreateServerTLSConfiguration() *tls.Config {
+	return &tls.Config{
+		MinVersion: tls.VersionTLS12,
+		CipherSuites: []uint16{
+			tls.TLS_AES_128_GCM_SHA256,
+			tls.TLS_AES_256_GCM_SHA384,
+			tls.TLS_CHACHA20_POLY1305_SHA256,
+			tls.TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
+			tls.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
+			tls.TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
+			tls.TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
+			tls.TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,
+			tls.TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,
+		},
+	}
+}
+
 // CreateTLSConfigurationFromBytes initializes a tls.Config using a CA certificate, a certificate and a key
 // loaded from memory.
 func CreateTLSConfigurationFromBytes(caCert, cert, key []byte, skipClientVerification, skipServerVerification bool) (*tls.Config, error) {
diff --git a/api/http/server.go b/api/http/server.go
index 1b1e24b76..fb62c842e 100644
--- a/api/http/server.go
+++ b/api/http/server.go
@@ -6,6 +6,7 @@ import (
 	"time"
 
 	portainer "github.com/portainer/portainer/api"
+	"github.com/portainer/portainer/api/crypto"
 	"github.com/portainer/portainer/api/docker"
 	"github.com/portainer/portainer/api/http/handler"
 	"github.com/portainer/portainer/api/http/handler/auth"
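Review bot: The three TLS 1.3 suites at the top of CipherSuites (TLS_AES_128_GCM_SHA256, TLS_AES_256_GCM_SHA384, TLS_CHACHA20_POLY1305_SHA256) have no effect, because crypto/tls consults CipherSuites only for TLS 1.0–1.2 handshakes and TLS 1.3 suites are not configurable, so a reader may believe the list constrains TLS 1.3 when it does not. Either drop them or keep them behind a comment such as `// TLS 1.3 suites are listed for documentation only; crypto/tls ignores CipherSuites for TLS 1.3.` The order of the remaining ECDHE suites is likewise only a preference: on Go releases before 1.17 the server honours the client's order unless `PreferServerCipherSuites: true,` is set (1.17 and later always prefer the server order and ignore that field), so if this code targets older toolchains that line belongs in the struct. The doc comment on CreateServerTLSConfiguration would also help callers if it spelled out what "recommended" means here — a TLS 1.2 minimum and AEAD-only ECDHE suites — so other servers adopting it know what they opt into.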
@@ -243,8 +244,14 @@ func (server *Server) Start() error {
 		WebhookHandler:       webhookHandler,
 	}
 
-	if server.SSL {
-		return http.ListenAndServeTLS(server.BindAddress, server.SSLCert, server.SSLKey, server.Handler)
+	httpServer := &http.Server{
+		Addr:    server.BindAddress,
+		Handler: server.Handler,
 	}
-	return http.ListenAndServe(server.BindAddress, server.Handler)
+
+	if server.SSL {
+		httpServer.TLSConfig = crypto.CreateServerTLSConfiguration()
+		return httpServer.ListenAndServeTLS(server.SSLCert, server.SSLKey)
+	}
+	return httpServer.ListenAndServe()
 }
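Review bot: The http.Server literal in the new code sets only Addr and Handler, so neither the TLS nor the plain listener has any timeout and a client that opens connections without ever completing its request headers can hold them open indefinitely; the http.ListenAndServe* helpers being replaced had the same gap, but now that the server struct is explicit it is cheap to close. Adding `ReadHeaderTimeout: 30 * time.Second,` (a sample value; "time" is already imported in this file) beside Handler bounds the header phase without affecting established long-lived connections, whereas a WriteTimeout or IdleTimeout should be chosen with any long-lived proxied streams this server may carry in mind, since a short WriteTimeout would cut them off. The enclosing Start method begins outside the hunk.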