Add the ability to specify the maximum acceptable TLS version (#414)

Signed-off-by: Lyas Spiehler <lspiehler@gmail.com>

config/http_config.go

@@ -779,6 +779,13 @@ func NewTLSConfig(cfg *TLSConfig) (*tls.Config, error) {
 	tlsConfig := &tls.Config{
 		InsecureSkipVerify: cfg.InsecureSkipVerify,
 		MinVersion:         uint16(cfg.MinVersion),
+		MaxVersion:         uint16(cfg.MaxVersion),
+	}
+
+	if cfg.MaxVersion != 0 && cfg.MinVersion != 0 {
+		if cfg.MaxVersion < cfg.MinVersion {
+			return nil, fmt.Errorf("tls_config.max_version must be greater than or equal to tls_config.min_version if both are specified")
+		}
 	}
 
 	// If a CA cert is provided then let's read it in so we can validate the
@@ -826,6 +833,8 @@ type TLSConfig struct {
 	InsecureSkipVerify bool `yaml:"insecure_skip_verify" json:"insecure_skip_verify"`
 	// Minimum TLS version.
 	MinVersion TLSVersion `yaml:"min_version,omitempty" json:"min_version,omitempty"`
+	// Maximum TLS version.
+	MaxVersion TLSVersion `yaml:"max_version,omitempty" json:"max_version,omitempty"`
 }
 
 // SetDirectory joins any relative file paths with dir.

config/testdata/tls_config.max_and_min_version.bad.json

@@ -0,0 +1,2 @@
+{"max_version": "TLS11",
+"min_version": "TLS12"}

config/testdata/tls_config.max_and_min_version.bad.yml

@@ -0,0 +1,2 @@
+max_version: TLS11
+min_version: TLS12

config/testdata/tls_config.max_and_min_version.good.json

@@ -0,0 +1,2 @@
+{"max_version": "TLS12",
+"min_version": "TLS11"}

config/testdata/tls_config.max_and_min_version.good.yml

@@ -0,0 +1,2 @@
+max_version: TLS12
+min_version: TLS11

config/testdata/tls_config.max_and_min_version_same.good.json

@@ -0,0 +1,2 @@
+{"max_version": "TLS12",
+"min_version": "TLS12"}

config/testdata/tls_config.max_and_min_version_same.good.yml

@@ -0,0 +1,2 @@
+max_version: TLS12
+min_version: TLS12

config/testdata/tls_config.max_version.good.json

@@ -0,0 +1 @@
+{"max_version": "TLS12"}

config/testdata/tls_config.max_version.good.yml

@@ -0,0 +1 @@
+max_version: TLS12

config/tls_config_test.go

@@ -20,6 +20,7 @@ import (
 	"os"
 	"path/filepath"
 	"reflect"
+	"strings"
 	"testing"
 
 	"encoding/json"
@@ -64,6 +65,9 @@ var expectedTLSConfigs = []struct {
 	}, {
 		filename: "tls_config.tlsversion.good.json",
 		config:   &tls.Config{MinVersion: tls.VersionTLS11},
+	}, {
+		filename: "tls_config.max_version.good.json",
+		config:   &tls.Config{MaxVersion: tls.VersionTLS12},
 	},
 	{
 		filename: "tls_config.empty.good.yml",
@@ -74,6 +78,15 @@ var expectedTLSConfigs = []struct {
 	}, {
 		filename: "tls_config.tlsversion.good.yml",
 		config:   &tls.Config{MinVersion: tls.VersionTLS11},
+	}, {
+		filename: "tls_config.max_version.good.yml",
+		config:   &tls.Config{MaxVersion: tls.VersionTLS12},
+	}, {
+		filename: "tls_config.max_and_min_version.good.yml",
+		config:   &tls.Config{MaxVersion: tls.VersionTLS12, MinVersion: tls.VersionTLS11},
+	}, {
+		filename: "tls_config.max_and_min_version_same.good.yml",
+		config:   &tls.Config{MaxVersion: tls.VersionTLS12, MinVersion: tls.VersionTLS12},
 	},
 }
 
@@ -91,6 +104,29 @@ func TestValidTLSConfig(t *testing.T) {
 	}
 }
 
+var invalidTLSConfigs = []struct {
+	filename string
+	errMsg   string
+}{
+	{
+		filename: "tls_config.max_and_min_version.bad.yml",
+		errMsg:   "tls_config.max_version must be greater than or equal to tls_config.min_version if both are specified",
+	},
+}
+
+func TestInvalidTLSConfig(t *testing.T) {
+	for _, ee := range invalidTLSConfigs {
+		_, err := LoadTLSConfig("testdata/" + ee.filename)
+		if err == nil {
+			t.Error("Expected error with config but got none")
+			continue
+		}
+		if !strings.Contains(err.Error(), ee.errMsg) {
+			t.Errorf("Expected error for invalid HTTP client configuration to contain %q but got: %s", ee.errMsg, err)
+		}
+	}
+}
+
 func TestStringer(t *testing.T) {
 	if s := (TLSVersion)(tls.VersionTLS13); s.String() != "TLS13" {
 		t.Fatalf("tls.VersionTLS13 string should be TLS13, got %s", s.String())