Merge pull request #16 from rchincha/tls

tls: harden TLS path

errors/errors.go

@@ -15,4 +15,5 @@ var (
 	ErrBadBlob          = errors.New("blob: bad blob")
 	ErrBadBlobDigest    = errors.New("blob: bad blob digest")
 	ErrUnknownCode      = errors.New("error: unknown error code")
+	ErrBadCACert        = errors.New("tls: invalid ca cert")
 )

pkg/api/controller.go

@@ -8,6 +8,7 @@ import (
 	"net"
 	"net/http"
 
+	"github.com/anuvu/zot/errors"
 	"github.com/anuvu/zot/pkg/storage"
 	"github.com/gorilla/mux"
 	"github.com/rs/zerolog"
@@ -56,11 +57,16 @@ func (c *Controller) Run() error {
 				panic(err)
 			}
 			caCertPool := x509.NewCertPool()
-			caCertPool.AppendCertsFromPEM(caCert)
+			if !caCertPool.AppendCertsFromPEM(caCert) {
+				panic(errors.ErrBadCACert)
+			}
 			server.TLSConfig = &tls.Config{
-				ClientAuth: clientAuth,
-				ClientCAs:  caCertPool,
+				ClientAuth:               clientAuth,
+				ClientCAs:                caCertPool,
+				PreferServerCipherSuites: true,
+				MinVersion:               tls.VersionTLS12,
 			}
+			server.TLSConfig.BuildNameToCertificate()
 		}
 
 		return server.ServeTLS(l, c.Config.HTTP.TLS.Cert, c.Config.HTTP.TLS.Key)