Add option to specify the tls-min-version for the server

pkg/http/server.go

@@ -91,7 +91,7 @@ func (s *server) setupTLSListener(opts Opts) error {
 	}
 
 	config := &tls.Config{
-		MinVersion: tls.VersionTLS12,
+		MinVersion: tls.VersionTLS12, // default, override below
 		MaxVersion: tls.VersionTLS13,
 		NextProtos: []string{"http/1.1"},
 	}
@@ -104,6 +104,17 @@ func (s *server) setupTLSListener(opts Opts) error {
 	}
 	config.Certificates = []tls.Certificate{cert}
 
+	if len(opts.TLS.MinVersion) > 0 {
+		switch opts.TLS.MinVersion {
+		case "TLS1.2":
+			config.MinVersion = tls.VersionTLS12
+		case "TLS1.3":
+			config.MinVersion = tls.VersionTLS13
+		default:
+			return errors.New("unknown TLS MinVersion config provided")
+		}
+	}
+
 	listenAddr := getListenAddress(opts.SecureBindAddress)
 
 	listener, err := net.Listen("tcp", listenAddr)

pkg/http/server_test.go

@@ -233,6 +233,34 @@ var _ = Describe("Server", func() {
 				expectHTTPListener: false,
 				expectTLSListener:  true,
 			}),
+			Entry("with a valid https bind address, and valid TLS config with MinVersion", &newServerTableInput{
+				opts: Opts{
+					Handler:           handler,
+					SecureBindAddress: "127.0.0.1:0",
+					TLS: &options.TLS{
+						Key:        &keyDataSource,
+						Cert:       &certDataSource,
+						MinVersion: "TLS1.3",
+					},
+				},
+				expectedErr:        nil,
+				expectHTTPListener: false,
+				expectTLSListener:  true,
+			}),
+			Entry("with a valid https bind address, and invalid TLS config with unknown MinVersion", &newServerTableInput{
+				opts: Opts{
+					Handler:           handler,
+					SecureBindAddress: "127.0.0.1:0",
+					TLS: &options.TLS{
+						Key:        &keyDataSource,
+						Cert:       &certDataSource,
+						MinVersion: "TLS1.42",
+					},
+				},
+				expectedErr:        errors.New("error setting up TLS listener: unknown TLS MinVersion config provided"),
+				expectHTTPListener: false,
+				expectTLSListener:  true,
+			}),
 		)
 	})