From b6a0077d811f04f5759a1b67cc10299e30dc8d90 Mon Sep 17 00:00:00 2001
From: Ramkumar Chinchani
Date: Tue, 27 Aug 2019 15:01:29 -0700
Subject: [PATCH] tls: harden TLS path

---
 errors/errors.go | 1 +
 pkg/api/controller.go | 14 ++++++++++----
 2 files changed, 11 insertions(+), 4 deletions(-)

diff --git a/errors/errors.go b/errors/errors.go
index c4b8e2d1..31217201 100644
--- a/errors/errors.go
+++ b/errors/errors.go
@@ -15,4 +15,5 @@ var (
 ErrBadBlob = errors.New("blob: bad blob")
 ErrBadBlobDigest = errors.New("blob: bad blob digest")
 ErrUnknownCode = errors.New("error: unknown error code")
+ ErrBadCACert = errors.New("tls: invalid ca cert")
 )
diff --git a/pkg/api/controller.go b/pkg/api/controller.go
index 2880048e..67e3364b 100644
--- a/pkg/api/controller.go
+++ b/pkg/api/controller.go
@@ -8,6 +8,7 @@ import (
 "net"
 "net/http"
 
+ "github.com/anuvu/zot/errors"
 "github.com/anuvu/zot/pkg/storage"
 "github.com/gorilla/mux"
 "github.com/rs/zerolog"
@@ -56,11 +57,16 @@ func (c *Controller) Run() error {
 panic(err)
 }
 caCertPool := x509.NewCertPool()
- caCertPool.AppendCertsFromPEM(caCert)
- server.TLSConfig = &tls.Config{
- ClientAuth: clientAuth,
- ClientCAs: caCertPool,
+ if !caCertPool.AppendCertsFromPEM(caCert) {
+ panic(errors.ErrBadCACert)
 }
+ server.TLSConfig = &tls.Config{
+ ClientAuth: clientAuth,
+ ClientCAs: caCertPool,
+ PreferServerCipherSuites: true,
+ MinVersion: tls.VersionTLS12,
+ }
+ server.TLSConfig.BuildNameToCertificate()
 }
 return server.ServeTLS(l, c.Config.HTTP.TLS.Cert, c.Config.HTTP.TLS.Key)