diff --git a/caddytls/config.go b/caddytls/config.go index ea5205a0..82c2d654 100644 --- a/caddytls/config.go +++ b/caddytls/config.go @@ -9,11 +9,12 @@ import ( "io/ioutil" "time" - "github.com/mholt/caddy" - "github.com/xenolf/lego/acme" "log" "net/url" "strings" + + "github.com/mholt/caddy" + "github.com/xenolf/lego/acme" ) // Config describes how TLS should be configured and used. @@ -322,10 +323,10 @@ func MakeTLSConfig(configs []*Config) (*tls.Config, error) { } // Go with the widest range of protocol versions - if cfg.ProtocolMinVersion < config.MinVersion { + if config.MinVersion == 0 || cfg.ProtocolMinVersion < config.MinVersion { config.MinVersion = cfg.ProtocolMinVersion } - if cfg.ProtocolMaxVersion < config.MaxVersion { + if cfg.ProtocolMaxVersion > config.MaxVersion { config.MaxVersion = cfg.ProtocolMaxVersion } diff --git a/caddytls/config_test.go b/caddytls/config_test.go index 4ca22c6a..7152d76d 100644 --- a/caddytls/config_test.go +++ b/caddytls/config_test.go @@ -1,12 +1,34 @@ package caddytls import ( + "crypto/tls" "errors" "net/url" "reflect" "testing" ) +func TestMakeTLSConfig(t *testing.T) { + // same min and max protocol versions + configs := []*Config{ + { + Enabled: true, + ProtocolMinVersion: tls.VersionTLS12, + ProtocolMaxVersion: tls.VersionTLS12, + }, + } + result, err := MakeTLSConfig(configs) + if err != nil { + t.Fatalf("Did not expect an error, but got %v", err) + } + if got, want := result.MinVersion, uint16(tls.VersionTLS12); got != want { + t.Errorf("Expected min version to be %x, got %x", want, got) + } + if got, want := result.MaxVersion, uint16(tls.VersionTLS12); got != want { + t.Errorf("Expected max version to be %x, got %x", want, got) + } +} + func TestStorageForNoURL(t *testing.T) { c := &Config{} if _, err := c.StorageFor(""); err == nil { diff --git a/caddytls/setup.go b/caddytls/setup.go index b0635e6f..7269eea2 100644 --- a/caddytls/setup.go +++ b/caddytls/setup.go @@ -88,6 +88,9 @@ func setupTLS(c *caddy.Controller) error { return c.Errf("Wrong protocol name or protocol not supported: '%s'", args[1]) } config.ProtocolMaxVersion = value + if config.ProtocolMinVersion > config.ProtocolMaxVersion { + return c.Errf("Minimum protocol version cannot be higher than maximum (reverse the order)") + } case "ciphers": for c.NextArg() { value, ok := supportedCiphersMap[strings.ToUpper(c.Val())]