gosec: G402 - TLS MinVersion

stablish minumim TLS version, so G402 from gosec doesn't get triggered
2021-11-29 18:10:35 +01:00 · 2021-11-29 18:10:35 +01:00 · ceb72975c4
commit ceb72975c4
parent c8cf835db3
7 changed files with 9 additions and 0 deletions
--- a/cmd/osbuild-auth-tests/main_test.go
+++ b/cmd/osbuild-auth-tests/main_test.go
@ -42,6 +42,7 @@ func createTLSConfig(config *connectionConfig) (*tls.Config, error) {
 	return &tls.Config{
 		RootCAs:      roots,
 		Certificates: []tls.Certificate{cert},
+		MinVersion:   tls.VersionTLS12,
 	}, nil
 }

--- a/cmd/osbuild-composer/composer.go
+++ b/cmd/osbuild-composer/composer.go
@ -348,6 +348,7 @@ func createTLSConfig(c *connectionConfig) (*tls.Config, error) {
 		Certificates: []tls.Certificate{cert},
 		ClientAuth:   c.ClientAuth,
 		ClientCAs:    roots,
+		MinVersion:   tls.VersionTLS12,
 		VerifyPeerCertificate: func(rawCerts [][]byte, verifiedChains [][]*x509.Certificate) error {
 			for _, chain := range verifiedChains {
 				for _, domain := range c.AllowedDomains {
--- a/cmd/osbuild-koji-tests/main_test.go
+++ b/cmd/osbuild-koji-tests/main_test.go
@ -45,6 +45,7 @@ func TestKojiRefund(t *testing.T) {

 	transport.TLSClientConfig = &tls.Config{
 		RootCAs: certPool,
+		MinVersion: tls.VersionTLS12,
 	}

 	// login
@ -105,6 +106,7 @@ func TestKojiImport(t *testing.T) {

 	transport.TLSClientConfig = &tls.Config{
 		RootCAs: certPool,
+		MinVersion: tls.VersionTLS12,
 	}

 	// login
--- a/cmd/osbuild-worker/jobimpl-koji-finalize.go
+++ b/cmd/osbuild-worker/jobimpl-koji-finalize.go
@ -28,6 +28,7 @@ func (impl *KojiFinalizeJobImpl) kojiImport(
 	transport := http.DefaultTransport.(*http.Transport).Clone()
 	transport.TLSClientConfig = &tls.Config{
 		Renegotiation: tls.RenegotiateOnceAsClient,
+		MinVersion:    tls.VersionTLS12,
 	}

 	serverURL, err := url.Parse(server)
@ -65,6 +66,7 @@ func (impl *KojiFinalizeJobImpl) kojiFail(server string, buildID int, token stri
 	transport := http.DefaultTransport.(*http.Transport).Clone()
 	transport.TLSClientConfig = &tls.Config{
 		Renegotiation: tls.RenegotiateOnceAsClient,
+		MinVersion:    tls.VersionTLS12,
 	}

 	serverURL, err := url.Parse(server)
--- a/cmd/osbuild-worker/jobimpl-koji-init.go
+++ b/cmd/osbuild-worker/jobimpl-koji-init.go
@ -21,6 +21,7 @@ func (impl *KojiInitJobImpl) kojiInit(server, name, version, release string) (st
 	transport := http.DefaultTransport.(*http.Transport).Clone()
 	transport.TLSClientConfig = &tls.Config{
 		Renegotiation: tls.RenegotiateOnceAsClient,
+		MinVersion:    tls.VersionTLS12,
 	}

 	serverURL, err := url.Parse(server)
--- a/cmd/osbuild-worker/jobimpl-osbuild-koji.go
+++ b/cmd/osbuild-worker/jobimpl-osbuild-koji.go
@ -28,6 +28,7 @@ func (impl *OSBuildKojiJobImpl) kojiUpload(file *os.File, server, directory, fil
 	transport := http.DefaultTransport.(*http.Transport).Clone()
 	transport.TLSClientConfig = &tls.Config{
 		Renegotiation: tls.RenegotiateOnceAsClient,
+		MinVersion:    tls.VersionTLS12,
 	}

 	serverURL, err := url.Parse(server)
--- a/cmd/osbuild-worker/main.go
+++ b/cmd/osbuild-worker/main.go
@ -60,6 +60,7 @@ func createTLSConfig(config *connectionConfig) (*tls.Config, error) {
 	return &tls.Config{
 		RootCAs:      roots,
 		Certificates: certs,
+		MinVersion:   tls.VersionTLS12,
 	}, nil
 }