nsqd: add --tls-min-version config option

apps/nsq_to_nsq/nsq_to_nsq.go

@@ -69,7 +69,7 @@ func init() {
 
 type PublishHandler struct {
 	// 64bit atomic vars need to be first for proper alignment on 32bit platforms
-	counter   uint64
+	counter uint64
 
 	addresses util.StringArray
 	producers map[string]*nsq.Producer

apps/nsqd/nsqd.go

@@ -1,6 +1,7 @@
 package main
 
 import (
+	"crypto/tls"
 	"flag"
 	"fmt"
 	"log"
@@ -72,6 +73,7 @@ var (
 	tlsClientAuthPolicy = flagSet.String("tls-client-auth-policy", "", "client certificate auth policy ('require' or 'require-verify')")
 	tlsRootCAFile       = flagSet.String("tls-root-ca-file", "", "path to private certificate authority pem")
 	tlsRequired         tlsRequiredOption
+	tlsMinVersion       tlsVersionOption
 
 	// compression
 	deflateEnabled  = flagSet.Bool("deflate", true, "enable deflate feature negotiation (client compression)")
@@ -99,22 +101,40 @@ func (t *tlsRequiredOption) Set(s string) error {
 func (t *tlsRequiredOption) Get() interface{} { return *t }
 
 func (t *tlsRequiredOption) String() string {
-	switch *t {
-	case nsqd.TLSRequiredExceptHTTP:
-		return "1"
-	case nsqd.TLSRequired:
-		return "2"
-	}
-	return "0"
+	return strconv.FormatInt(int64(*t), 10)
 }
 
 func (t *tlsRequiredOption) IsBoolFlag() bool { return true }
 
+type tlsVersionOption uint16
+
+func (t *tlsVersionOption) Set(s string) error {
+	s = strings.ToLower(s)
+	switch s {
+	case "tls10":
+		*t = tls.VersionTLS10
+	case "tls11":
+		*t = tls.VersionTLS11
+	case "tls12":
+		*t = tls.VersionTLS12
+	default:
+		*t = tls.VersionSSL30
+	}
+	return nil
+}
+
+func (t *tlsVersionOption) Get() interface{} { return *t }
+
+func (t *tlsVersionOption) String() string {
+	return strconv.FormatInt(int64(*t), 10)
+}
+
 func init() {
 	flagSet.Var(&lookupdTCPAddrs, "lookupd-tcp-address", "lookupd TCP address (may be given multiple times)")
 	flagSet.Var(&e2eProcessingLatencyPercentiles, "e2e-processing-latency-percentile", "message processing time percentiles to keep track of (can be specified multiple times or comma separated, default none)")
 	flagSet.Var(&authHttpAddresses, "auth-http-address", "<addr>:<port> to query auth server (may be given multiple times)")
 	flagSet.Var(&tlsRequired, "tls-required", "require TLS for client connections (true, false, tcp-https)")
+	flagSet.Var(&tlsMinVersion, "tls-min-version", "minimum SSL/TLS version acceptable ('ssl30', 'tls10', 'tls11', or 'tls12')")
 }
 
 func main() {

nsqd/http_test.go

@@ -171,6 +171,7 @@ func TestHTTPSRequire(t *testing.T) {
 	tlsConfig := &tls.Config{
 		Certificates:       []tls.Certificate{cert},
 		InsecureSkipVerify: true,
+		MinVersion:         0,
 	}
 	transport := &http.Transport{
 		TLSClientConfig: tlsConfig,

nsqd/nsqd.go

@@ -531,6 +531,7 @@ func buildTLSConfig(opts *nsqdOptions) (*tls.Config, error) {
 	tlsConfig = &tls.Config{
 		Certificates: []tls.Certificate{cert},
 		ClientAuth:   tlsClientAuthPolicy,
+		MinVersion:   uint16(opts.TLSMinVersion),
 	}
 
 	if opts.TLSRootCAFile != "" {

nsqd/options.go

@@ -57,6 +57,7 @@ type nsqdOptions struct {
 	TLSClientAuthPolicy string `flag:"tls-client-auth-policy"`
 	TLSRootCAFile       string `flag:"tls-root-ca-file"`
 	TLSRequired         int    `flag:"tls-required"`
+	TLSMinVersion       int    `flag:"tls-min-version"`
 
 	// compression
 	DeflateEnabled  bool `flag:"deflate"`

test.sh

@@ -11,7 +11,7 @@ LOOKUPD_PID=$!
 
 # build and run nsqd configured to use our lookupd above
 NSQD_LOGFILE=$(mktemp -t nsqd.XXXXXXX)
-cmd="apps/nsqd/nsqd --data-path=/tmp --lookupd-tcp-address=127.0.0.1:4160 --tls-cert=nsqd/test/certs/cert.pem --tls-key=nsqd/test/certs/key.pem"
+cmd="apps/nsqd/nsqd --data-path=/tmp --lookupd-tcp-address=127.0.0.1:4160 --tls-cert=nsqd/test/certs/cert.pem --tls-key=nsqd/test/certs/key.pem --tls-min-version=ssl30"
 echo "building and starting $cmd"
 echo "  logging to $NSQD_LOGFILE"
 go build -o apps/nsqd/nsqd ./apps/nsqd
@@ -39,4 +39,4 @@ for dir in nsqadmin apps/* bench/*; do
     else
         echo "WARNING: skipping go build in $dir"
     fi
-done
+done