[FAB-4251] Only support TLS >= 1.2 to Kafka

Change-Id: Ib9fd3573e12e5f5916e58d7e96792c95af496ceb Signed-off-by: Luis Sanchez <sanchezl@us.ibm.com>
hyperledger · Jun 1, 2017 · 2b8c0aa · 2b8c0aa
1 parent a01b2f9
commit 2b8c0aa
Show file tree

Hide file tree

Showing 2 changed files with 3 additions and 2 deletions.
diff --git a/orderer/kafka/util.go b/orderer/kafka/util.go
@@ -48,7 +48,7 @@ func newBrokerConfig(kafkaVersion sarama.KafkaVersion, chosenStaticPartition int
 		brokerConfig.Net.TLS.Config = &tls.Config{
 			Certificates: []tls.Certificate{keyPair},
 			RootCAs:      rootCAs,
-			MinVersion:   0, // TLS 1.0 (no SSL support)
+			MinVersion:   tls.VersionTLS12,
 			MaxVersion:   0, // Latest supported TLS version
 		}
 	}

diff --git a/orderer/kafka/util_test.go b/orderer/kafka/util_test.go
@@ -17,6 +17,7 @@ limitations under the License.
 package kafka
 
 import (
+	"crypto/tls"
 	"testing"
 
 	"github.com/Shopify/sarama"
@@ -132,7 +133,7 @@ func TestTLSConfigEnabled(t *testing.T) {
 	assert.Len(t, config.Net.TLS.Config.Certificates, 1)
 	assert.Len(t, config.Net.TLS.Config.RootCAs.Subjects(), 1)
 	assert.Equal(t, uint16(0), config.Net.TLS.Config.MaxVersion)
-	assert.Equal(t, uint16(0), config.Net.TLS.Config.MinVersion)
+	assert.Equal(t, uint16(tls.VersionTLS12), config.Net.TLS.Config.MinVersion)
 }
 
 func TestTLSConfigDisabled(t *testing.T) {