@@ -215,14 +215,26 @@ type ClientOptions struct {
215215 // It could be nil if such checks are not needed.
216216 RevocationOptions * RevocationOptions
217217 // MinVersion contains the minimum TLS version that is acceptable.
218- // By default, TLS 1.2 is currently used as the minimum when acting as a
219- // client, and TLS 1.0 when acting as a server. TLS 1.0 is the minimum
220- // supported by this package, both as a client and as a server.
218+ //
219+ // Deprecated: use MinTLSVersion instead.
221220 MinVersion uint16
222221 // MaxVersion contains the maximum TLS version that is acceptable.
223- // By default, the maximum version supported by this package is used,
224- // which is currently TLS 1.3 .
222+ //
223+ // Deprecated: use MaxTLSVersion instead .
225224 MaxVersion uint16
225+ // MinTLSVersion contains the minimum TLS version that is acceptable.
226+ // The value should be set using tls.VersionTLSxx from https://pkg.go.dev/crypto/tls
227+ // By default, TLS 1.2 is currently used as the minimum when acting as a
228+ // client, and TLS 1.0 when acting as a server. TLS 1.0 is the minimum
229+ // supported by this package, both as a client and as a server. This
230+ // default may be changed over time affecting backwards compatibility.
231+ MinTLSVersion uint16
232+ // MaxTLSVersion contains the maximum TLS version that is acceptable.
233+ // The value should be set using tls.VersionTLSxx from https://pkg.go.dev/crypto/tls
234+ // By default, the maximum version supported by this package is used,
235+ // which is currently TLS 1.3. This default may be changed over time
236+ // affecting backwards compatibility.
237+ MaxTLSVersion uint16
226238 // serverNameOverride is for testing only. If set to a non-empty string, it
227239 // will override the virtual host name of authority (e.g. :authority header
228240 // field) in requests and the target hostname used during server cert
@@ -263,14 +275,26 @@ type ServerOptions struct {
263275 // It could be nil if such checks are not needed.
264276 RevocationOptions * RevocationOptions
265277 // MinVersion contains the minimum TLS version that is acceptable.
266- // By default, TLS 1.2 is currently used as the minimum when acting as a
267- // client, and TLS 1.0 when acting as a server. TLS 1.0 is the minimum
268- // supported by this package, both as a client and as a server.
278+ //
279+ // Deprecated: use MinTLSVersion instead.
269280 MinVersion uint16
270281 // MaxVersion contains the maximum TLS version that is acceptable.
271- // By default, the maximum version supported by this package is used,
272- // which is currently TLS 1.3 .
282+ //
283+ // Deprecated: use MaxTLSVersion instead .
273284 MaxVersion uint16
285+ // MinTLSVersion contains the minimum TLS version that is acceptable.
286+ // The value should be set using tls.VersionTLSxx from https://pkg.go.dev/crypto/tls
287+ // By default, TLS 1.2 is currently used as the minimum when acting as a
288+ // client, and TLS 1.0 when acting as a server. TLS 1.0 is the minimum
289+ // supported by this package, both as a client and as a server. This
290+ // default may be changed over time affecting backwards compatibility.
291+ MinTLSVersion uint16
292+ // MaxTLSVersion contains the maximum TLS version that is acceptable.
293+ // The value should be set using tls.VersionTLSxx from https://pkg.go.dev/crypto/tls
294+ // By default, the maximum version supported by this package is used,
295+ // which is currently TLS 1.3. This default may be changed over time
296+ // affecting backwards compatibility.
297+ MaxTLSVersion uint16
274298}
275299
276300func (o * ClientOptions ) config () (* tls.Config , error ) {
@@ -285,6 +309,15 @@ func (o *ClientOptions) config() (*tls.Config, error) {
285309 if o .VType != CertAndHostVerification {
286310 o .VerificationType = o .VType
287311 }
312+ // TODO(gtcooke94) MinVersion and MaxVersion are deprected, eventually
313+ // remove this block. This is a temporary fallback to ensure that if the
314+ // refactored names aren't set we use the old names.
315+ if o .MinTLSVersion == 0 {
316+ o .MinTLSVersion = o .MinVersion
317+ }
318+ if o .MaxTLSVersion == 0 {
319+ o .MaxTLSVersion = o .MaxVersion
320+ }
288321 if o .VerificationType == SkipVerification && o .AdditionalPeerVerification == nil {
289322 return nil , fmt .Errorf ("client needs to provide custom verification mechanism if choose to skip default verification" )
290323 }
@@ -299,16 +332,24 @@ func (o *ClientOptions) config() (*tls.Config, error) {
299332 if o .IdentityOptions .GetIdentityCertificatesForServer != nil {
300333 return nil , fmt .Errorf ("GetIdentityCertificatesForServer cannot be specified on the client side" )
301334 }
302- if o .MinVersion > o .MaxVersion {
335+ if o .MinTLSVersion > o .MaxTLSVersion {
303336 return nil , fmt .Errorf ("the minimum TLS version is larger than the maximum TLS version" )
304337 }
338+ // If the MinTLSVersion isn't set, default to 1.2
339+ if o .MinTLSVersion == 0 {
340+ o .MinTLSVersion = tls .VersionTLS12
341+ }
342+ // If the MaxTLSVersion isn't set, default to 1.3
343+ if o .MaxTLSVersion == 0 {
344+ o .MaxTLSVersion = tls .VersionTLS13
345+ }
305346 config := & tls.Config {
306347 ServerName : o .serverNameOverride ,
307348 // We have to set InsecureSkipVerify to true to skip the default checks and
308349 // use the verification function we built from buildVerifyFunc.
309350 InsecureSkipVerify : true ,
310- MinVersion : o .MinVersion ,
311- MaxVersion : o .MaxVersion ,
351+ MinVersion : o .MinTLSVersion ,
352+ MaxVersion : o .MaxTLSVersion ,
312353 }
313354 // Propagate root-certificate-related fields in tls.Config.
314355 switch {
@@ -372,6 +413,15 @@ func (o *ServerOptions) config() (*tls.Config, error) {
372413 if o .VType != CertAndHostVerification {
373414 o .VerificationType = o .VType
374415 }
416+ // TODO(gtcooke94) MinVersion and MaxVersion are deprected, eventually
417+ // remove this block. This is a temporary fallback to ensure that if the
418+ // refactored names aren't set we use the old names.
419+ if o .MinTLSVersion == 0 {
420+ o .MinTLSVersion = o .MinVersion
421+ }
422+ if o .MaxTLSVersion == 0 {
423+ o .MaxTLSVersion = o .MaxVersion
424+ }
375425 if o .RequireClientCert && o .VerificationType == SkipVerification && o .AdditionalPeerVerification == nil {
376426 return nil , fmt .Errorf ("server needs to provide custom verification mechanism if choose to skip default verification, but require client certificate(s)" )
377427 }
@@ -386,7 +436,7 @@ func (o *ServerOptions) config() (*tls.Config, error) {
386436 if o .IdentityOptions .GetIdentityCertificatesForClient != nil {
387437 return nil , fmt .Errorf ("GetIdentityCertificatesForClient cannot be specified on the server side" )
388438 }
389- if o .MinVersion > o .MaxVersion {
439+ if o .MinTLSVersion > o .MaxTLSVersion {
390440 return nil , fmt .Errorf ("the minimum TLS version is larger than the maximum TLS version" )
391441 }
392442 clientAuth := tls .NoClientCert
@@ -396,10 +446,18 @@ func (o *ServerOptions) config() (*tls.Config, error) {
396446 // buildVerifyFunc.
397447 clientAuth = tls .RequireAnyClientCert
398448 }
449+ // If the MinTLSVersion isn't set, default to 1.2
450+ if o .MinTLSVersion == 0 {
451+ o .MinTLSVersion = tls .VersionTLS12
452+ }
453+ // If the MaxTLSVersion isn't set, default to 1.3
454+ if o .MaxTLSVersion == 0 {
455+ o .MaxTLSVersion = tls .VersionTLS13
456+ }
399457 config := & tls.Config {
400458 ClientAuth : clientAuth ,
401- MinVersion : o .MinVersion ,
402- MaxVersion : o .MaxVersion ,
459+ MinVersion : o .MinTLSVersion ,
460+ MaxVersion : o .MaxTLSVersion ,
403461 }
404462 // Propagate root-certificate-related fields in tls.Config.
405463 switch {
0 commit comments