From 0312cb06e61e712d71c00235463bde606d443941 Mon Sep 17 00:00:00 2001
From: Antonio Murdaca
Date: Tue, 14 Apr 2020 18:11:52 +0200
Subject: [PATCH 1/2] pkg/server: disable weak TLS versions

Coming from an user request but it makes sense as we (OpenShift) use and control that port.

Signed-off-by: Antonio Murdaca
---
 pkg/server/api.go | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/pkg/server/api.go b/pkg/server/api.go
index 4405f7a7f1..2c5ffbaeef 100644
--- a/pkg/server/api.go
+++ b/pkg/server/api.go
@@ -1,6 +1,7 @@
 package server
 
 import (
+ "crypto/tls"
 "encoding/json"
 "fmt"
 "net/http"
@@ -46,6 +47,9 @@ func (a *APIServer) Serve() {
 mcs := &http.Server{
 Addr: fmt.Sprintf(":%v", a.port),
 Handler: a.handler,
+ TLSConfig: &tls.Config{
+ MinVersion: tls.VersionTLS12,
+ },
 }
 
 glog.Infof("Launching server on %s", mcs.Addr)

From b3d27cdb230ecd2eb8b3bea071307964e89dad17 Mon Sep 17 00:00:00 2001
From: Antonio Murdaca
Date: Wed, 15 Apr 2020 10:21:44 +0200
Subject: [PATCH 2/2] pkg/server: add a note on disallowing tls 1.1/1.0

Co-Authored-By: Colin Walters
Signed-off-by: Antonio Murdaca
---
 pkg/server/api.go | 1 +
 1 file changed, 1 insertion(+)

diff --git a/pkg/server/api.go b/pkg/server/api.go
index 2c5ffbaeef..2bf88abfb4 100644
--- a/pkg/server/api.go
+++ b/pkg/server/api.go
@@ -47,6 +47,7 @@ func (a *APIServer) Serve() {
 mcs := &http.Server{
 Addr: fmt.Sprintf(":%v", a.port),
 Handler: a.handler,
+ // We don't want to allow 1.1 as that's old. This was flagged in a security audit.
 TLSConfig: &tls.Config{
 MinVersion: tls.VersionTLS12,
 },
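Review bot: The `TLSConfig` added to the `http.Server` literal in the second hunk only takes effect if `Serve()` starts the listener with `ServeTLS`/`ListenAndServeTLS`; that call is outside the hunk (the body of `Serve()` continues past `glog.Infof`), so it is worth confirming in this change that the server is not started with plain `ListenAndServe`, in which case the `MinVersion` floor would be silently inert. On the Go toolchains current for this commit's date the server-side default minimum is, as far as I recall, TLS 1.0, so this explicit `MinVersion: tls.VersionTLS12` is what actually disables 1.0/1.1 and deserves a regression test: dial the served port with a client `tls.Config{MaxVersion: tls.VersionTLS11}` and assert the handshake fails. Cipher suites and curves are left at their defaults here; if the audit finding that motivated this also covered suite selection, `CipherSuites`/`CurvePreferences` would be set alongside `MinVersion` in the same literal. The same observations apply to the hunk in PATCH 2/2, which touches the same literal.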
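Review bot: The comment added in PATCH 2/2 says only that 1.1 is "old", while the subject line names 1.1/1.0 and the code below sets `MinVersion: tls.VersionTLS12`; the comment should state the actual floor and tie it to the code it guards so a later edit does not re-lower it, e.g. `// Reject TLS 1.0 and 1.1 (flagged in a security audit); MinVersion is the enforced floor.` It also reads better directly above the `MinVersion:` line, which is the field it describes, rather than above `TLSConfig:`. The enclosing `Serve()` body continues outside the hunk.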