increase minimum version vor HTTPS to TLS 1.0 (POODLE, fixes #730)

diff --git a/cmd/web.go b/cmd/web.go
index ba999dbf98a90f8c648c99b2e7c370636158ffd1..30a2cd991df90643854948da89707aa8eca0de10 100644 (file)
--- a/cmd/web.go
+++ b/cmd/web.go
@@ -5,6 +5,7 @@
 package cmd
 
 import (
+       "crypto/tls"
        "fmt"
        "html/template"
        "io/ioutil"
@@ -453,7 +454,9 @@ func runWeb(*cli.Context) {
        case setting.HTTP:
                err = http.ListenAndServe(listenAddr, m)
        case setting.HTTPS:
-               err = http.ListenAndServeTLS(listenAddr, setting.CertFile, setting.KeyFile, m)
+               cfg := &tls.Config{MinVersion: tls.VersionTLS10}
+               server := &http.Server{Addr: listenAddr, TLSConfig: cfg, Handler: m}
+               err = server.ListenAndServeTLS(setting.CertFile, setting.KeyFile)
        case setting.FCGI:
                err = fcgi.Serve(nil, m)
        default: