RFC 8996 says:
> This document formally deprecates Transport Layer Security (TLS)
> versions 1.0 (RFC 2246) and 1.1 (RFC 4346). Accordingly, those
> documents have been moved to Historic status. These versions lack
> support for current and recommended cryptographic algorithms and
> mechanisms, and various government and industry profiles of
> applications using TLS now mandate avoiding these old TLS versions.
> TLS version 1.2 became the recommended version for IETF protocols in
> 2008 (subsequently being obsoleted by TLS version 1.3 in 2018),
> providing sufficient time to transition away from older versions.
> Removing support for older versions from implementations reduces the
> attack surface, reduces opportunity for misconfiguration, and
> streamlines library and product maintenance.

This code probably only talks to our own receiver, which uses
libmicrohttpd. That in turn delegates to GnuTLS, which supports
1.2, 1.3, 3.0, etc.

return -EXFULL;
}
- if (arg_key || arg_trust)
- (void) easy_setopt(curl, LOG_WARNING, CURLOPT_SSLVERSION, CURL_SSLVERSION_TLSv1);
+ if (startswith(u->url, "https://"))
+ (void) easy_setopt(curl, LOG_WARNING, CURLOPT_SSLVERSION, CURL_SSLVERSION_TLSv1_2);
u->easy = TAKE_PTR(curl);
} else {
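
Review bot: In the added lines, the result of `easy_setopt(curl, LOG_WARNING, CURLOPT_SSLVERSION, CURL_SSLVERSION_TLSv1_2)` is still discarded with `(void)` and only logged as a warning, so if the option cannot be set the handle is stored in `u->easy` and used anyway, with whatever minimum version libcurl defaults to. Since the stated purpose is to stop using TLS 1.0 and 1.1, consider treating a failure here as an error and returning, as the code just above this hunk does with `return -EXFULL;`. Separately, the new condition `startswith(u->url, "https://")` is a prefix comparison on the URL string: if it is case-sensitive, a URL written as `HTTPS://...` would skip the setting. The commit message also does not say why the condition moved from `arg_key || arg_trust` to the URL scheme, which deserves a sentence.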