Avoid fallback to SSL protocols < TLS1.0

Signed-off-by: Tibor Vass <teabee89@gmail.com> Docker-DCO-1.1-Signed-off-by: Daniel, Dao Quang Minh <dqminh89@gmail.com> (github: dqminh) Conflicts: registry/registry.go Upstream-commit: 8caacb18f8019dfda30d79c327397e5f5783c068 Component: engine
2026-01-16 20:22:36 +03:00 · 2014-10-15 22:39:51 -04:00
parent 973b80b56f
commit 566c43f442
3 changed files with 9 additions and 1 deletions
--- a/components/engine/api/server/server.go
+++ b/components/engine/api/server/server.go
@@ -1439,6 +1439,8 @@ func ListenAndServe(proto, addr string, job *engine.Job) error {
 		tlsConfig := &tls.Config{
 			NextProtos:   []string{"http/1.1"},
 			Certificates: []tls.Certificate{cert},
+			// Avoid fallback on insecure SSL protocols
+			MinVersion: tls.VersionTLS10,
 		}
 		if job.GetenvBool("TlsVerify") {
 			certPool := x509.NewCertPool()
--- a/components/engine/docker/docker.go
+++ b/components/engine/docker/docker.go
@@ -93,6 +93,8 @@ func main() {
 			}
 			tlsConfig.Certificates = []tls.Certificate{cert}
 		}
+		// Avoid fallback to SSL protocols < TLS1.0
+		tlsConfig.MinVersion = tls.VersionTLS10
 	}

 	if *flTls || *flTlsVerify {
--- a/components/engine/registry/registry.go
+++ b/components/engine/registry/registry.go
@@ -37,7 +37,11 @@ const (
 )

 func newClient(jar http.CookieJar, roots *x509.CertPool, cert *tls.Certificate, timeout TimeoutType, secure bool) *http.Client {
-	tlsConfig := tls.Config{RootCAs: roots}
+	tlsConfig := tls.Config{
+		RootCAs: roots,
+		// Avoid fallback to SSL protocols < TLS1.0
+		MinVersion: tls.VersionTLS10,
+	}

 	if cert != nil {
 		tlsConfig.Certificates = append(tlsConfig.Certificates, *cert)