[FAB-4251] Only support TLS >= 1.2 to Kafka

Luis Sanchez · Luis Sanchez · commit 2b8c0aa96465 · 2017-06-01T23:55:18.000Z
Change-Id: Ib9fd3573e12e5f5916e58d7e96792c95af496ceb
Signed-off-by: Luis Sanchez &lt;sanchezl@us.ibm.com&gt;
diff --git a/orderer/kafka/util.go b/orderer/kafka/util.go
@@ -48,7 +48,7 @@ func newBrokerConfig(kafkaVersion sarama.KafkaVersion, chosenStaticPartition int
 		brokerConfig.Net.TLS.Config = &tls.Config{
 			Certificates: []tls.Certificate{keyPair},
 			RootCAs:      rootCAs,
-			MinVersion:   0, // TLS 1.0 (no SSL support)
+			MinVersion:   tls.VersionTLS12,
 			MaxVersion:   0, // Latest supported TLS version
 		}
 	}
diff --git a/orderer/kafka/util_test.go b/orderer/kafka/util_test.go
@@ -17,6 +17,7 @@ limitations under the License.
 package kafka
 
 import (
+	"crypto/tls"
 	"testing"
 
 	"github.com/Shopify/sarama"
@@ -132,7 +133,7 @@ func TestTLSConfigEnabled(t *testing.T) {
 	assert.Len(t, config.Net.TLS.Config.Certificates, 1)
 	assert.Len(t, config.Net.TLS.Config.RootCAs.Subjects(), 1)
 	assert.Equal(t, uint16(0), config.Net.TLS.Config.MaxVersion)
-	assert.Equal(t, uint16(0), config.Net.TLS.Config.MinVersion)
+	assert.Equal(t, uint16(tls.VersionTLS12), config.Net.TLS.Config.MinVersion)
 }
 
 func TestTLSConfigDisabled(t *testing.T) {

Original file line number	Diff line number	Diff line change
`@@ -48,7 +48,7 @@ func newBrokerConfig(kafkaVersion sarama.KafkaVersion, chosenStaticPartition int`
`48`	`48`	`brokerConfig.Net.TLS.Config = &tls.Config{`
`49`	`49`	`Certificates: []tls.Certificate{keyPair},`
`50`	`50`	`RootCAs: rootCAs,`
`51`		`- MinVersion: 0, // TLS 1.0 (no SSL support)`
	`51`	`+ MinVersion: tls.VersionTLS12,`
`52`	`52`	`MaxVersion: 0, // Latest supported TLS version`
`53`	`53`	`}`
`54`	`54`	`}`