Enforce TLSv1.3 for outgoing HTTPS connections (#2085)

RELEASE_NOTES=[ENHANCEMENT] Enforce TLSv1.3
Dominik Schulz 2022-01-03 20:31:47 +01:00 committed by GitHub
parent c4b54ad310
commit 9c3e8ffa7c
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
3 changed files with 28 additions and 5 deletions


@ -3,6 +3,7 @@ package ghssh
import (
"bufio"
"context"
"crypto/tls"
"fmt"
"net/http"
"strings"
@ -11,6 +12,17 @@ import (
"github.com/gopasspw/gopass/pkg/debug"
)
var (
httpClient = &http.Client{
Transport: &http.Transport{
TLSClientConfig: &tls.Config{
// enforce TLS 1.3
MinVersion: tls.VersionTLS13,
},
},
}
)
// ListKeys returns the public keys for a github user. It will
// cache results up the a configurable amount of time (default: 6h).
func (c *Cache) ListKeys(ctx context.Context, user string) ([]string, error) {
@ -44,7 +56,7 @@ func (c *Cache) fetchKeys(ctx context.Context, user string) ([]string, error) {
if err != nil {
return nil, err
}
resp, err := http.DefaultClient.Do(req)
resp, err := httpClient.Do(req)
if err != nil {
return nil, err
}
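Review bot: The new `httpClient` is built on a zero-value `http.Transport` that carries only `TLSClientConfig`, so it silently drops everything `http.DefaultClient` got from `http.DefaultTransport`: `Proxy: http.ProxyFromEnvironment`, `TLSHandshakeTimeout`, the dial and idle-connection timeouts, and the HTTP/2 attempt. Enforcing TLS 1.3 is the right call, but it should be layered onto the stock transport via `Clone()` rather than replacing it, otherwise a hung handshake has no bound unless the `req` built above this hunk carries a ctx with a deadline (not visible here). The updater hunk in the next file constructs its client the same way and has the same gap. fetchKeys starts before this hunk and continues past it.
```go
var (
	httpClient = &http.Client{
		Transport: tls13Transport(),
	}
)

// tls13Transport returns a copy of the default transport with TLS 1.3
// enforced, keeping proxy-from-environment and the stock timeouts.
func tls13Transport() *http.Transport {
	tr := http.DefaultTransport.(*http.Transport).Clone()
	tr.TLSClientConfig = &tls.Config{
		MinVersion: tls.VersionTLS13,
	}
	return tr
}
```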


@ -3,6 +3,7 @@ package updater
import (
"bytes"
"context"
"crypto/tls"
"fmt"
"io"
"net/http"
@ -15,8 +16,18 @@ import (
"golang.org/x/net/context/ctxhttp"
)
// DownloadTimeout is the overall timeout for the download, including all retries.
var DownloadTimeout = time.Minute * 5
var (
// DownloadTimeout is the overall timeout for the download, including all retries.
DownloadTimeout = time.Minute * 5
httpClient = &http.Client{
Transport: &http.Transport{
TLSClientConfig: &tls.Config{
// enforce TLS 1.3
MinVersion: tls.VersionTLS13,
},
},
}
)
func tryDownload(ctx context.Context, url string) ([]byte, error) {
ctx, cancel := context.WithTimeout(ctx, DownloadTimeout)
@ -51,7 +62,7 @@ func download(ctx context.Context, url string) ([]byte, error) {
req.Header.Set("Accept", "application/octet-stream")
t0 := time.Now()
resp, err := ctxhttp.Do(ctx, http.DefaultClient, req)
resp, err := ctxhttp.Do(ctx, httpClient, req)
if err != nil {
return nil, err
}
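Review bot: The client literal at the top of this section is a byte-for-byte copy of the one added to package ghssh, so the TLS policy now lives in two places and will drift the next time it changes (a cipher-suite or root-CA constraint, a timeout). A single constructor in a shared package that both callers import, say `httpClient = <shared pkg>.NewTLS13Client()` (name to be chosen), would keep the policy in one spot and give it one doc comment explaining that peers or proxies that cannot negotiate TLS 1.3 will now fail at the handshake. The ctx passed to `download` is already bounded by `DownloadTimeout` in `tryDownload`, so no client-level `Timeout` is needed on this path. download starts before the second hunk and continues past it.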


@ -83,7 +83,7 @@ func FetchLatestRelease(ctx context.Context) (Release, error) {
// pin to API version 3 to avoid breaking our structs
req.Header.Set("Accept", "application/vnd.github.v3+json")
resp, err := ctxhttp.Do(ctx, http.DefaultClient, req)
resp, err := ctxhttp.Do(ctx, httpClient, req)
if err != nil {
return Release{}, err
}
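Review bot: `httpClient` is not declared anywhere in this file's visible hunk; presumably it is the package-level var added in the updater file above, which only compiles if this file is in package updater as well — the rendered page shows no path, so worth confirming. Independently, `ctxhttp.Do(ctx, httpClient, req)` is a pre-context-era shim; with a dedicated client the plain form is `resp, err := httpClient.Do(req.WithContext(ctx))`, or constructing `req` with `http.NewRequestWithContext` where it is built above this hunk, which would let the `golang.org/x/net/context/ctxhttp` import go once the download path is converted too. FetchLatestRelease starts before this hunk and continues past it.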