hashicorp · ncabatoff · Mar 29, 2021 · Mar 29, 2021 · Mar 29, 2021 · Mar 29, 2021
diff --git a/changelog/11226.txt b/changelog/11226.txt
@@ -0,0 +1,3 @@
+```changelog:enhancement
+core: Add tls_max_version listener config option.
+```
diff --git a/command/server/config_test_helpers.go b/command/server/config_test_helpers.go
@@ -707,6 +707,7 @@ listener "tcp" {
 	tls_key_file = "./certs/server.key"
 	tls_client_ca_file = "./certs/rootca.crt"
 	tls_min_version = "tls12"
+	tls_max_version = "tls13"
 	tls_require_and_verify_client_cert = true
 	tls_disable_client_certs = true
 }`))
@@ -737,6 +738,7 @@ listener "tcp" {
 					TLSKeyFile:                    "./certs/server.key",
 					TLSClientCAFile:               "./certs/rootca.crt",
 					TLSMinVersion:                 "tls12",
+					TLSMaxVersion:                 "tls13",
 					TLSRequireAndVerifyClientCert: true,
 					TLSDisableClientCerts:         true,
 				},

diff --git a/command/server/listener_tcp_test.go b/command/server/listener_tcp_test.go
@@ -28,7 +28,7 @@ func TestTCPListener(t *testing.T) {
 		return net.Dial("tcp", ln.Addr().String())
 	}
 
-	testListenerImpl(t, ln, connFn, "")
+	testListenerImpl(t, ln, connFn, "", 0)
 }
 
 // TestTCPListener_tls tests TLS generally
@@ -86,7 +86,7 @@ func TestTCPListener_tls(t *testing.T) {
 		}
 	}
 
-	testListenerImpl(t, ln, connFn(true), "foo.example.com")
+	testListenerImpl(t, ln, connFn(true), "foo.example.com", 0)
 
 	ln, _, _, err = tcpListenerFactory(&configutil.Listener{
 		Address:                       "127.0.0.1:0",
@@ -111,7 +111,7 @@ func TestTCPListener_tls(t *testing.T) {
 		t.Fatalf("err: %s", err)
 	}
 
-	testListenerImpl(t, ln, connFn(false), "foo.example.com")
+	testListenerImpl(t, ln, connFn(false), "foo.example.com", 0)
 }
 
 func TestTCPListener_tls13(t *testing.T) {
@@ -169,7 +169,7 @@ func TestTCPListener_tls13(t *testing.T) {
 		}
 	}
 
-	testListenerImpl(t, ln, connFn(true), "foo.example.com")
+	testListenerImpl(t, ln, connFn(true), "foo.example.com", tls.VersionTLS13)
 
 	ln, _, _, err = tcpListenerFactory(&configutil.Listener{
 		Address:                       "127.0.0.1:0",
@@ -196,5 +196,19 @@ func TestTCPListener_tls13(t *testing.T) {
 		t.Fatalf("err: %s", err)
 	}
 
-	testListenerImpl(t, ln, connFn(false), "foo.example.com")
+	testListenerImpl(t, ln, connFn(false), "foo.example.com", tls.VersionTLS13)
+
+	ln, _, _, err = tcpListenerFactory(&configutil.Listener{
+		Address:               "127.0.0.1:0",
+		TLSCertFile:           wd + "reload_foo.pem",
+		TLSKeyFile:            wd + "reload_foo.key",
+		TLSDisableClientCerts: true,
+		TLSClientCAFile:       wd + "reload_ca.pem",
+		TLSMaxVersion:         "tls12",
+	}, nil, cli.NewMockUi())
+	if err != nil {
+		t.Fatalf("err: %s", err)
+	}
+
+	testListenerImpl(t, ln, connFn(false), "foo.example.com", tls.VersionTLS12)
 }
diff --git a/command/server/listener_test.go b/command/server/listener_test.go
@@ -10,7 +10,7 @@ import (
 
 type testListenerConnFn func(net.Listener) (net.Conn, error)
 
-func testListenerImpl(t *testing.T, ln net.Listener, connFn testListenerConnFn, certName string) {
+func testListenerImpl(t *testing.T, ln net.Listener, connFn testListenerConnFn, certName string, expectedVersion uint16) {
 	serverCh := make(chan net.Conn, 1)
 	go func() {
 		server, err := ln.Accept()
@@ -31,6 +31,9 @@ func testListenerImpl(t *testing.T, ln net.Listener, connFn testListenerConnFn,
 
 	if certName != "" {
 		tlsConn := client.(*tls.Conn)
+		if expectedVersion != 0 && tlsConn.ConnectionState().Version != expectedVersion {
+			t.Fatalf("expected version %d, got %d", expectedVersion, tlsConn.ConnectionState().Version)
+		}
 		if len(tlsConn.ConnectionState().PeerCertificates) != 1 {
 			t.Fatalf("err: number of certs too long")
 		}

diff --git a/internalshared/configutil/listener.go b/internalshared/configutil/listener.go
@@ -43,6 +43,7 @@ type Listener struct {
 	TLSCertFile                      string      `hcl:"tls_cert_file"`
 	TLSKeyFile                       string      `hcl:"tls_key_file"`
 	TLSMinVersion                    string      `hcl:"tls_min_version"`
+	TLSMaxVersion                    string      `hcl:"tls_max_version"`
 	TLSCipherSuites                  []uint16    `hcl:"-"`
 	TLSCipherSuitesRaw               string      `hcl:"tls_cipher_suites"`
 	TLSPreferServerCipherSuites      bool        `hcl:"-"`

diff --git a/internalshared/listenerutil/listener.go b/internalshared/listenerutil/listener.go
@@ -111,12 +111,25 @@ PASSPHRASECORRECT:
 		l.TLSMinVersion = "tls12"
 	}
 
+	if l.TLSMaxVersion == "" {
+		l.TLSMaxVersion = "tls13"
+	}
+
 	var ok bool
 	tlsConf.MinVersion, ok = tlsutil.TLSLookup[l.TLSMinVersion]
 	if !ok {
 		return nil, nil, fmt.Errorf("'tls_min_version' value %q not supported, please specify one of [tls10,tls11,tls12,tls13]", l.TLSMinVersion)
 	}
 
+	tlsConf.MaxVersion, ok = tlsutil.TLSLookup[l.TLSMaxVersion]
+	if !ok {
+		return nil, nil, fmt.Errorf("'tls_max_version' value %q not supported, please specify one of [tls10,tls11,tls12,tls13]", l.TLSMaxVersion)
+	}
+
+	if tlsConf.MaxVersion < tlsConf.MinVersion {
+		return nil, nil, fmt.Errorf("'tls_max_version' must be greater than or equal to 'tls_min_version'")
+	}
+
 	if len(l.TLSCipherSuites) > 0 {
 		// HTTP/2 with TLS 1.2 blacklists several cipher suites.
 		// https://tools.ietf.org/html/rfc7540#appendix-A