From 79e680e67587848da20964b2173e95e12c4d0a7f Mon Sep 17 00:00:00 2001
From: Jordan Wright
Date: Wed, 11 Dec 2019 19:52:41 -0600
Subject: [PATCH] Updates the tls.Config of the phishing and admin servers to support TLS 1.2 as the minimum TLS version. This addresses #1691 and #1689. I am making this change since Microsoft, Google, and Apple have all chosen to deprecate TLS 1.0 and TLS 1.1 in early 2020. In late 2018, the companies recorded that less than 1.4 percent (max) of their connections used < TLS 1.2. Output before change: ``` docker run --rm -ti -p 3333:3333 drwetter/testssl.sh https://host.docker.internal:3333 Testing protocols via sockets except NPN+ALPN SSLv2 not offered (OK) SSLv3 not offered (OK) TLS 1 offered (deprecated) TLS 1.1 offered (deprecated) TLS 1.2 offered (OK) TLS 1.3 offered (OK): final NPN/SPDY h2, http/1.1 (advertised) ALPN/HTTP2 h2, http/1.1 (offered) ``` Output after change: ``` docker run --rm -ti -p 3333:3333 drwetter/testssl.sh https://host.docker.internal:3333 Testing protocols via sockets except NPN+ALPN SSLv2 not offered (OK) SSLv3 not offered (OK) TLS 1 not offered TLS 1.1 not offered TLS 1.2 offered (OK) TLS 1.3 offered (OK): final NPN/SPDY h2, http/1.1 (advertised) ALPN/HTTP2 h2, http/1.1 (offered) ```
---
 controllers/phish.go | 5 +++++
 controllers/route.go | 5 +++++
 2 files changed, 10 insertions(+)
diff --git a/controllers/phish.go b/controllers/phish.go
index 0d9fc262..f83d9006 100644
--- a/controllers/phish.go
+++ b/controllers/phish.go
@@ -3,6 +3,7 @@ package controllers
 import (
 "compress/gzip"
 "context"
+ "crypto/tls"
 "errors"
 "fmt"
 "net"
@@ -84,6 +85,10 @@ func WithContactAddress(addr string) PhishingServerOption {
 // Start launches the phishing server, listening on the configured address.
 func (ps *PhishingServer) Start() {
 if ps.config.UseTLS {
+ // Only support TLS 1.2 and above - ref #1691, #1689
+ ps.server.TLSConfig = &tls.Config{
+ MinVersion: tls.VersionTLS12,
+ }
 err := util.CheckAndCreateSSL(ps.config.CertPath, ps.config.KeyPath)
 if err != nil {
 log.Fatal(err)
diff --git a/controllers/route.go b/controllers/route.go
index 72cf545d..72cf791b 100644
--- a/controllers/route.go
+++ b/controllers/route.go
@@ -3,6 +3,7 @@ package controllers
 import (
 "compress/gzip"
 "context"
+ "crypto/tls"
 "html/template"
 "net/http"
 "net/url"
@@ -70,6 +71,10 @@ func (as *AdminServer) Start() {
 go as.worker.Start()
 }
 if as.config.UseTLS {
+ // Only support TLS 1.2 and above - ref #1691, #1689
+ as.server.TLSConfig = &tls.Config{
+ MinVersion: tls.VersionTLS12,
+ }
 err := util.CheckAndCreateSSL(as.config.CertPath, as.config.KeyPath)
 if err != nil {
 log.Fatal(err)
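Review bot: The `&tls.Config{MinVersion: tls.VersionTLS12}` literal and its comment are duplicated verbatim between PhishingServer.Start in this hunk and AdminServer.Start in the controllers/route.go hunk, so any later hardening of the listeners (cipher-suite list, curve preferences, client auth) has to be repeated in two places and can drift. A package-level helper such as `func defaultTLSConfig() *tls.Config { return &tls.Config{MinVersion: tls.VersionTLS12} }` carrying the `ref #1691, #1689` comment, used as `ps.server.TLSConfig = defaultTLSConfig()` here and `as.server.TLSConfig = defaultTLSConfig()` in route.go, keeps both servers in lockstep. MinVersion alone leaves TLS 1.2 cipher-suite selection at the Go runtime's defaults, which is reasonable, but if the project ever wants an explicit AEAD-only list that belongs in the same helper. The assignment also replaces any TLSConfig already set on ps.server; nothing in this hunk populates it, but if the server construction outside the hunk does, that value would be silently lost and assigning only the MinVersion field would be safer. Start's body continues past the end of the hunk.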