diff --git a/client/pd_service_discovery_test.go b/client/pd_service_discovery_test.go
index 794b03cc4aa..c128a6302a2 100644
--- a/client/pd_service_discovery_test.go
+++ b/client/pd_service_discovery_test.go
@@ -314,17 +314,17 @@ func TestServiceClientScheme(t *testing.T) {
 re.Equal("http://127.0.0.1:2379", cli.GetURL())
 cli = newPDServiceClient(modifyURLScheme("http://127.0.0.1:2379", nil), modifyURLScheme("127.0.0.1:2379", nil), nil, false)
 re.Equal("http://127.0.0.1:2379", cli.GetURL())
- cli = newPDServiceClient(modifyURLScheme("127.0.0.1:2379", &tls.Config{}), modifyURLScheme("127.0.0.1:2379", &tls.Config{}), nil, false)
+ cli = newPDServiceClient(modifyURLScheme("127.0.0.1:2379", &tls.Config{MinVersion: tls.VersionTLS12}), modifyURLScheme("127.0.0.1:2379", &tls.Config{MinVersion: tls.VersionTLS12}), nil, false)
 re.Equal("https://127.0.0.1:2379", cli.GetURL())
- cli = newPDServiceClient(modifyURLScheme("https://127.0.0.1:2379", &tls.Config{}), modifyURLScheme("127.0.0.1:2379", &tls.Config{}), nil, false)
+ cli = newPDServiceClient(modifyURLScheme("https://127.0.0.1:2379", &tls.Config{MinVersion: tls.VersionTLS12}), modifyURLScheme("127.0.0.1:2379", &tls.Config{MinVersion: tls.VersionTLS12}), nil, false)
 re.Equal("https://127.0.0.1:2379", cli.GetURL())
- cli = newPDServiceClient(modifyURLScheme("http://127.0.0.1:2379", &tls.Config{}), modifyURLScheme("127.0.0.1:2379", &tls.Config{}), nil, false)
+ cli = newPDServiceClient(modifyURLScheme("http://127.0.0.1:2379", &tls.Config{MinVersion: tls.VersionTLS12}), modifyURLScheme("127.0.0.1:2379", &tls.Config{MinVersion: tls.VersionTLS12}), nil, false)
 re.Equal("https://127.0.0.1:2379", cli.GetURL())
 }
 func TestSchemeFunction(t *testing.T) {
 re := require.New(t)
- tlsCfg := &tls.Config{}
+ tlsCfg := &tls.Config{MinVersion: tls.VersionTLS12}
 endpoints1 := []string{
 "http://tc-pd:2379",
diff --git a/client/tlsutil/tlsconfig.go b/client/tlsutil/tlsconfig.go
index 88d797d3b3a..73c8d66dd69 100644
--- a/client/tlsutil/tlsconfig.go
+++ b/client/tlsutil/tlsconfig.go
@@ -79,7 +79,7 @@ func (info tlsInfo) clientConfig() (*tls.Config, error) {
 return nil, err
 }
 } else {
- cfg = &tls.Config{ServerName: info.serverName}
+ cfg = &tls.Config{ServerName: info.serverName, MinVersion: tls.VersionTLS12}
 }
 cfg.InsecureSkipVerify = info.insecureSkipVerify
@@ -190,6 +190,7 @@ func (s TLSConfig) ToTLSConfig() (*tls.Config, error) {
 Certificates: certificates,
 RootCAs: certPool,
 NextProtos: []string{"h2", "http/1.1"}, // specify `h2` to let Go use HTTP/2.
+ MinVersion: tls.VersionTLS12,
 }, nil
 }
diff --git a/pkg/utils/grpcutil/grpcutil.go b/pkg/utils/grpcutil/grpcutil.go
index 1d1e6478036..fbea5fa9bbb 100644
--- a/pkg/utils/grpcutil/grpcutil.go
+++ b/pkg/utils/grpcutil/grpcutil.go
@@ -92,6 +92,7 @@ func (s TLSConfig) ToTLSConfig() (*tls.Config, error) {
 Certificates: certificates,
 RootCAs: certPool,
 NextProtos: []string{"h2", "http/1.1"}, // specify `h2` to let Go use HTTP/2.
+ MinVersion: tls.VersionTLS12,
 }, nil
 }
diff --git a/pkg/utils/netutil/address_test.go b/pkg/utils/netutil/address_test.go
index 127c9a6d0f7..e66139ab5c6 100644
--- a/pkg/utils/netutil/address_test.go
+++ b/pkg/utils/netutil/address_test.go
@@ -51,7 +51,7 @@ func TestIsEnableHttps(t *testing.T) {
 httpClient = &http.Client{
 Transport: &http.Transport{
 DisableKeepAlives: true,
- TLSClientConfig: &tls.Config{},
+ TLSClientConfig: &tls.Config{MinVersion: tls.VersionTLS12},
 },
 }
 re.False(IsEnableHTTPS(httpClient))
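Review bot: In `clientConfig` (client/tlsutil/tlsconfig.go, hunk at -79) the TLS 1.2 floor is set only in the `else` branch; the other branch assigns `cfg` from a call that starts outside this hunk, so it is not visible here whether that path pins a minimum version as well. Applying the floor once after the if/else, beside the `InsecureSkipVerify` assignment, would cover both paths without lowering a stricter value: `if cfg.MinVersion < tls.VersionTLS12 { cfg.MinVersion = tls.VersionTLS12 }`. The context line `cfg.InsecureSkipVerify = info.insecureSkipVerify` would also benefit from a comment such as `// when true the peer certificate and host name are not verified; MinVersion does not compensate for that`, since a reader may take the version floor for the whole hardening.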
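Review bot: The `MinVersion: tls.VersionTLS12,` line added to `ToTLSConfig` in client/tlsutil/tlsconfig.go (hunk at -190) carries no comment, unlike the `NextProtos` line directly above it, and the same line is added verbatim to `ToTLSConfig` in pkg/utils/grpcutil/grpcutil.go (hunk at -92). A trailing comment such as `// reject TLS 1.0/1.1 explicitly instead of relying on the toolchain default` would record why the field is set. Because the two functions are copies, a test asserting `cfg.MinVersion == tls.VersionTLS12` on each returned config would keep them from drifting; the test hunks visible in this commit only change `tls.Config` literals and do not check the field. Both function bodies start outside their hunks, so whether the returned config serves client connections, server listeners, or both cannot be confirmed from here.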