authorjwijenbergh <jeroenwijenbergh@protonmail.com>2024-09-25 15:32:47 +0200
committerJeroen Wijenbergh <46386452+jwijenbergh@users.noreply.github.com>2024-10-11 17:23:09 +0200
commitbca773c49f0c2e66b5c26a59b8bb772520afb9bd (patch)
treee30c8d5ee9c617b4278d5f21c30906ff61476823 /internal/http/http.go
parentdf9b57605b3d8078184e88ec8268102a2b3cc788 (diff)
HTTP + OAuth API: Enforce TLS >= 1.3
Diffstat (limited to 'internal/http/http.go')
-rw-r--r--internal/http/http.go16
1 files changed, 15 insertions, 1 deletions
diff --git a/internal/http/http.go b/internal/http/http.go
index 196998b..a7240e1 100644
--- a/internal/http/http.go
+++ b/internal/http/http.go
@@ -3,6 +3,7 @@ package http
import (
"context"
+ "crypto/tls"
"errors"
"fmt"
"io"
@@ -146,12 +147,25 @@ type Client struct {
Timeout time.Duration
}
+// TLS13Transport returns a http.Transport with the minimum TLS version set to 1.3
+func TLS13Transport() *http.Transport {
+ tr := http.DefaultTransport.(*http.Transport).Clone()
+ tr.TLSClientConfig = &tls.Config{MinVersion: tls.VersionTLS13}
+ return tr
+}
+
// NewClient returns a HTTP client with some default settings
func NewClient(client *http.Client) *Client {
c := client
if c == nil {
- c = &http.Client{}
+ c = &http.Client{
+ Transport: TLS13Transport(),
+ }
}
+ // if a client is non-nil it uses its own transport
+ // for the OAuth client we also make sure TLS 1.3 is set
+ // TODO: Should we double verify that MinVersion is 1.3 or is that overkill?
+
// ReadLimit denotes the maximum amount of bytes that are read in HTTP responses
// This is used to prevent servers from sending huge amounts of data
// A limit of 16MB, although maybe much larger than needed, ensures that we do not run into problems