allow configuring the minimum TLS version to be enabled

Signed-off-by: Nicola Murino <nicola.murino@gmail.com>
This commit is contained in:
Nicola Murino 2022-02-13 15:56:07 +01:00
parent 66945c0a02
commit 1fccd05e9e
No known key found for this signature in database
GPG key ID: 2F1FB59433D5A8CB
13 changed files with 96 additions and 7 deletions


@ -1,6 +1,7 @@
package common
import (
"crypto/tls"
"encoding/json"
"fmt"
"net"
@ -869,6 +870,17 @@ func TestUserPerms(t *testing.T) {
assert.True(t, u.HasPermsRenameAll("/"))
}
func TestGetTLSVersion(t *testing.T) {
tlsVer := util.GetTLSVersion(0)
assert.Equal(t, uint16(tls.VersionTLS12), tlsVer)
tlsVer = util.GetTLSVersion(12)
assert.Equal(t, uint16(tls.VersionTLS12), tlsVer)
tlsVer = util.GetTLSVersion(2)
assert.Equal(t, uint16(tls.VersionTLS12), tlsVer)
tlsVer = util.GetTLSVersion(13)
assert.Equal(t, uint16(tls.VersionTLS13), tlsVer)
}
func BenchmarkBcryptHashing(b *testing.B) {
bcryptPassword := "bcryptpassword"
for i := 0; i < b.N; i++ {
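Review bot: TestGetTLSVersion never exercises a value below 12, so the property that matters most — that a legacy or out-of-range value such as 10 or 11 can never lower the minimum below TLS 1.2 — is not pinned; add `assert.Equal(t, uint16(tls.VersionTLS12), util.GetTLSVersion(11))` next to the existing cases. The test also accepts `2` mapping to TLS 1.2, which documents that unrecognised values are silently normalised rather than rejected; if that is the intended contract, a one-line comment in the test saying so would stop a future reader from treating it as a bug. BenchmarkBcryptHashing continues outside the hunk.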


@ -52,6 +52,7 @@ var (
Port: 0,
ApplyProxyConfig: true,
TLSMode: 0,
MinTLSVersion: 12,
ForcePassiveIP: "",
PassiveIPOverrides: nil,
ClientAuthType: 0,
@ -64,6 +65,7 @@ var (
Address: "",
Port: 0,
EnableHTTPS: false,
MinTLSVersion: 12,
ClientAuthType: 0,
TLSCipherSuites: nil,
Prefix: "",
@ -75,6 +77,7 @@ var (
EnableWebAdmin: true,
EnableWebClient: true,
EnableHTTPS: false,
MinTLSVersion: 12,
ClientAuthType: 0,
TLSCipherSuites: nil,
ProxyAllowed: nil,
@ -333,6 +336,7 @@ func Init() {
AuthUserFile: "",
CertificateFile: "",
CertificateKeyFile: "",
MinTLSVersion: 12,
TLSCipherSuites: nil,
},
PluginsConfig: nil,
@ -916,14 +920,19 @@ func getFTPDPassiveIPOverridesFromEnv(idx int) []ftpd.PassiveIPOverride {
return overrides
}
func getFTPDBindingFromEnv(idx int) {
func getDefaultFTPDBinding(idx int) ftpd.Binding {
binding := ftpd.Binding{
ApplyProxyConfig: true,
MinTLSVersion: 12,
}
if len(globalConf.FTPD.Bindings) > idx {
binding = globalConf.FTPD.Bindings[idx]
}
return binding
}
func getFTPDBindingFromEnv(idx int) {
binding := getDefaultFTPDBinding(idx)
isSet := false
port, ok := lookupIntFromEnv(fmt.Sprintf("SFTPGO_FTPD__BINDINGS__%v__PORT", idx))
@ -950,6 +959,12 @@ func getFTPDBindingFromEnv(idx int) {
isSet = true
}
tlsVer, ok := lookupIntFromEnv(fmt.Sprintf("SFTPGO_FTPD__BINDINGS__%v__MIN_TLS_VERSION", idx))
if ok {
binding.MinTLSVersion = int(tlsVer)
isSet = true
}
passiveIP, ok := os.LookupEnv(fmt.Sprintf("SFTPGO_FTPD__BINDINGS__%v__FORCE_PASSIVE_IP", idx))
if ok {
binding.ForcePassiveIP = passiveIP
@ -1002,7 +1017,9 @@ func getFTPDBindingFromEnv(idx int) {
}
func getWebDAVDBindingFromEnv(idx int) {
binding := webdavd.Binding{}
binding := webdavd.Binding{
MinTLSVersion: 12,
}
if len(globalConf.WebDAVD.Bindings) > idx {
binding = globalConf.WebDAVD.Bindings[idx]
}
@ -1027,6 +1044,12 @@ func getWebDAVDBindingFromEnv(idx int) {
isSet = true
}
tlsVer, ok := lookupIntFromEnv(fmt.Sprintf("SFTPGO_WEBDAVD__BINDINGS__%v__MIN_TLS_VERSION", idx))
if ok {
binding.MinTLSVersion = int(tlsVer)
isSet = true
}
clientAuthType, ok := lookupIntFromEnv(fmt.Sprintf("SFTPGO_WEBDAVD__BINDINGS__%v__CLIENT_AUTH_TYPE", idx))
if ok {
binding.ClientAuthType = int(clientAuthType)
@ -1133,6 +1156,7 @@ func getDefaultHTTPBinding(idx int) httpd.Binding {
EnableWebAdmin: true,
EnableWebClient: true,
RenderOpenAPI: true,
MinTLSVersion: 12,
}
if len(globalConf.HTTPDConfig.Bindings) > idx {
binding = globalConf.HTTPDConfig.Bindings[idx]
@ -1142,7 +1166,6 @@ func getDefaultHTTPBinding(idx int) httpd.Binding {
func getHTTPDBindingFromEnv(idx int) {
binding := getDefaultHTTPBinding(idx)
isSet := false
port, ok := lookupIntFromEnv(fmt.Sprintf("SFTPGO_HTTPD__BINDINGS__%v__PORT", idx))
@ -1187,6 +1210,12 @@ func getHTTPDBindingFromEnv(idx int) {
isSet = true
}
tlsVer, ok := lookupIntFromEnv(fmt.Sprintf("SFTPGO_HTTPD__BINDINGS__%v__MIN_TLS_VERSION", idx))
if ok {
binding.MinTLSVersion = int(tlsVer)
isSet = true
}
clientAuthType, ok := lookupIntFromEnv(fmt.Sprintf("SFTPGO_HTTPD__BINDINGS__%v__CLIENT_AUTH_TYPE", idx))
if ok {
binding.ClientAuthType = int(clientAuthType)
@ -1217,6 +1246,10 @@ func getHTTPDBindingFromEnv(idx int) {
isSet = true
}
setHTTPDBinding(isSet, binding, idx)
}
func setHTTPDBinding(isSet bool, binding httpd.Binding, idx int) {
if isSet {
if len(globalConf.HTTPDConfig.Bindings) > idx {
globalConf.HTTPDConfig.Bindings[idx] = binding
@ -1417,6 +1450,7 @@ func setViperDefaults() {
viper.SetDefault("telemetry.auth_user_file", globalConf.TelemetryConfig.AuthUserFile)
viper.SetDefault("telemetry.certificate_file", globalConf.TelemetryConfig.CertificateFile)
viper.SetDefault("telemetry.certificate_key_file", globalConf.TelemetryConfig.CertificateKeyFile)
viper.SetDefault("telemetry.min_tls_version", globalConf.TelemetryConfig.MinTLSVersion)
viper.SetDefault("telemetry.tls_cipher_suites", globalConf.TelemetryConfig.TLSCipherSuites)
viper.SetDefault("smtp.host", globalConf.SMTPConfig.Host)
viper.SetDefault("smtp.port", globalConf.SMTPConfig.Port)
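Review bot: The `MIN_TLS_VERSION` values read from the environment in getFTPDBindingFromEnv, getWebDAVDBindingFromEnv and getHTTPDBindingFromEnv are stored unvalidated (`binding.MinTLSVersion = int(tlsVer)`), so a typo such as `31` or `1` is accepted here and only later folded into TLS 1.2 by util.GetTLSVersion without any message; checking for `tlsVer != 12 && tlsVer != 13` at load time and warning or rejecting would surface the misconfiguration where the operator can see it. As a point of style, getDefaultFTPDBinding is introduced to mirror getDefaultHTTPBinding, but the WebDAV defaults stay inline as `binding := webdavd.Binding{ MinTLSVersion: 12 }`; a matching getDefaultWebDAVDBinding helper would keep the three binding loaders consistent. The env-loading functions each continue outside their hunks.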


@ -663,6 +663,7 @@ func TestFTPDBindingsFromEnv(t *testing.T) {
os.Setenv("SFTPGO_FTPD__BINDINGS__9__ADDRESS", "127.0.1.1")
os.Setenv("SFTPGO_FTPD__BINDINGS__9__PORT", "2203")
os.Setenv("SFTPGO_FTPD__BINDINGS__9__TLS_MODE", "1")
os.Setenv("SFTPGO_FTPD__BINDINGS__9__MIN_TLS_VERSION", "13")
os.Setenv("SFTPGO_FTPD__BINDINGS__9__FORCE_PASSIVE_IP", "127.0.1.1")
os.Setenv("SFTPGO_FTPD__BINDINGS__9__PASSIVE_IP_OVERRIDES__3__IP", "192.168.1.1")
os.Setenv("SFTPGO_FTPD__BINDINGS__9__PASSIVE_IP_OVERRIDES__3__NETWORKS", "192.168.1.0/24, 192.168.3.0/25")
@ -682,6 +683,7 @@ func TestFTPDBindingsFromEnv(t *testing.T) {
os.Unsetenv("SFTPGO_FTPD__BINDINGS__9__ADDRESS")
os.Unsetenv("SFTPGO_FTPD__BINDINGS__9__PORT")
os.Unsetenv("SFTPGO_FTPD__BINDINGS__9__TLS_MODE")
os.Unsetenv("SFTPGO_FTPD__BINDINGS__9__MIN_TLS_VERSION")
os.Unsetenv("SFTPGO_FTPD__BINDINGS__9__FORCE_PASSIVE_IP")
os.Unsetenv("SFTPGO_FTPD__BINDINGS__9__PASSIVE_IP_OVERRIDES__3__IP")
os.Unsetenv("SFTPGO_FTPD__BINDINGS__9__PASSIVE_IP_OVERRIDES__3__NETWORKS")
@ -699,6 +701,7 @@ func TestFTPDBindingsFromEnv(t *testing.T) {
require.Equal(t, "127.0.0.1", bindings[0].Address)
require.False(t, bindings[0].ApplyProxyConfig)
require.Equal(t, 2, bindings[0].TLSMode)
require.Equal(t, 12, bindings[0].MinTLSVersion)
require.Equal(t, "127.0.1.2", bindings[0].ForcePassiveIP)
require.Len(t, bindings[0].PassiveIPOverrides, 0)
require.Equal(t, 0, bindings[0].ClientAuthType)
@ -712,6 +715,7 @@ func TestFTPDBindingsFromEnv(t *testing.T) {
require.Equal(t, "127.0.1.1", bindings[1].Address)
require.True(t, bindings[1].ApplyProxyConfig) // default value
require.Equal(t, 1, bindings[1].TLSMode)
require.Equal(t, 13, bindings[1].MinTLSVersion)
require.Equal(t, "127.0.1.1", bindings[1].ForcePassiveIP)
require.Len(t, bindings[1].PassiveIPOverrides, 1)
require.Equal(t, "192.168.1.1", bindings[1].PassiveIPOverrides[0].IP)
@ -736,6 +740,7 @@ func TestWebDAVBindingsFromEnv(t *testing.T) {
os.Setenv("SFTPGO_WEBDAVD__BINDINGS__2__ADDRESS", "127.0.1.1")
os.Setenv("SFTPGO_WEBDAVD__BINDINGS__2__PORT", "9000")
os.Setenv("SFTPGO_WEBDAVD__BINDINGS__2__ENABLE_HTTPS", "1")
os.Setenv("SFTPGO_WEBDAVD__BINDINGS__2__MIN_TLS_VERSION", "13")
os.Setenv("SFTPGO_WEBDAVD__BINDINGS__2__CLIENT_AUTH_TYPE", "1")
os.Setenv("SFTPGO_WEBDAVD__BINDINGS__2__PREFIX", "/dav2")
t.Cleanup(func() {
@ -747,6 +752,7 @@ func TestWebDAVBindingsFromEnv(t *testing.T) {
os.Unsetenv("SFTPGO_WEBDAVD__BINDINGS__2__ADDRESS")
os.Unsetenv("SFTPGO_WEBDAVD__BINDINGS__2__PORT")
os.Unsetenv("SFTPGO_WEBDAVD__BINDINGS__2__ENABLE_HTTPS")
os.Unsetenv("SFTPGO_WEBDAVD__BINDINGS__2__MIN_TLS_VERSION")
os.Unsetenv("SFTPGO_WEBDAVD__BINDINGS__2__CLIENT_AUTH_TYPE")
os.Unsetenv("SFTPGO_WEBDAVD__BINDINGS__2__PREFIX")
})
@ -759,11 +765,13 @@ func TestWebDAVBindingsFromEnv(t *testing.T) {
require.Equal(t, 0, bindings[0].Port)
require.Empty(t, bindings[0].Address)
require.False(t, bindings[0].EnableHTTPS)
require.Equal(t, 12, bindings[0].MinTLSVersion)
require.Len(t, bindings[0].TLSCipherSuites, 0)
require.Empty(t, bindings[0].Prefix)
require.Equal(t, 8000, bindings[1].Port)
require.Equal(t, "127.0.0.1", bindings[1].Address)
require.False(t, bindings[1].EnableHTTPS)
require.Equal(t, 12, bindings[1].MinTLSVersion)
require.Equal(t, 0, bindings[1].ClientAuthType)
require.Len(t, bindings[1].TLSCipherSuites, 1)
require.Equal(t, "TLS_RSA_WITH_AES_128_CBC_SHA", bindings[1].TLSCipherSuites[0])
@ -772,6 +780,7 @@ func TestWebDAVBindingsFromEnv(t *testing.T) {
require.Equal(t, 9000, bindings[2].Port)
require.Equal(t, "127.0.1.1", bindings[2].Address)
require.True(t, bindings[2].EnableHTTPS)
require.Equal(t, 13, bindings[2].MinTLSVersion)
require.Equal(t, 1, bindings[2].ClientAuthType)
require.Nil(t, bindings[2].TLSCipherSuites)
require.Equal(t, "/dav2", bindings[2].Prefix)
@ -795,6 +804,7 @@ func TestHTTPDBindingsFromEnv(t *testing.T) {
os.Setenv("SFTPGO_HTTPD__BINDINGS__2__ENABLE_WEB_CLIENT", "0")
os.Setenv("SFTPGO_HTTPD__BINDINGS__2__RENDER_OPENAPI", "0")
os.Setenv("SFTPGO_HTTPD__BINDINGS__2__ENABLE_HTTPS", "1 ")
os.Setenv("SFTPGO_HTTPD__BINDINGS__2__MIN_TLS_VERSION", "13")
os.Setenv("SFTPGO_HTTPD__BINDINGS__2__CLIENT_AUTH_TYPE", "1")
os.Setenv("SFTPGO_HTTPD__BINDINGS__2__TLS_CIPHER_SUITES", " TLS_AES_256_GCM_SHA384 , TLS_CHACHA20_POLY1305_SHA256")
os.Setenv("SFTPGO_HTTPD__BINDINGS__2__PROXY_ALLOWED", " 192.168.9.1 , 172.16.25.0/24")
@ -820,6 +830,7 @@ func TestHTTPDBindingsFromEnv(t *testing.T) {
os.Unsetenv("SFTPGO_HTTPD__BINDINGS__2__ADDRESS")
os.Unsetenv("SFTPGO_HTTPD__BINDINGS__2__PORT")
os.Unsetenv("SFTPGO_HTTPD__BINDINGS__2__ENABLE_HTTPS")
os.Unsetenv("SFTPGO_HTTPD__BINDINGS__2__MIN_TLS_VERSION")
os.Unsetenv("SFTPGO_HTTPD__BINDINGS__2__ENABLE_WEB_ADMIN")
os.Unsetenv("SFTPGO_HTTPD__BINDINGS__2__ENABLE_WEB_CLIENT")
os.Unsetenv("SFTPGO_HTTPD__BINDINGS__2__RENDER_OPENAPI")
@ -847,6 +858,7 @@ func TestHTTPDBindingsFromEnv(t *testing.T) {
require.Equal(t, 0, bindings[0].Port)
require.Equal(t, sockPath, bindings[0].Address)
require.False(t, bindings[0].EnableHTTPS)
require.Equal(t, 12, bindings[0].MinTLSVersion)
require.True(t, bindings[0].EnableWebAdmin)
require.True(t, bindings[0].EnableWebClient)
require.True(t, bindings[0].RenderOpenAPI)
@ -857,6 +869,7 @@ func TestHTTPDBindingsFromEnv(t *testing.T) {
require.Equal(t, 8000, bindings[1].Port)
require.Equal(t, "127.0.0.1", bindings[1].Address)
require.False(t, bindings[1].EnableHTTPS)
require.Equal(t, 12, bindings[0].MinTLSVersion)
require.True(t, bindings[1].EnableWebAdmin)
require.True(t, bindings[1].EnableWebClient)
require.True(t, bindings[1].RenderOpenAPI)
@ -866,6 +879,7 @@ func TestHTTPDBindingsFromEnv(t *testing.T) {
require.Equal(t, 9000, bindings[2].Port)
require.Equal(t, "127.0.1.1", bindings[2].Address)
require.True(t, bindings[2].EnableHTTPS)
require.Equal(t, 13, bindings[2].MinTLSVersion)
require.False(t, bindings[2].EnableWebAdmin)
require.False(t, bindings[2].EnableWebClient)
require.False(t, bindings[2].RenderOpenAPI)
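Review bot: In TestHTTPDBindingsFromEnv the assertion added to the bindings[1] block checks the wrong element: `require.Equal(t, 12, bindings[0].MinTLSVersion)` repeats the bindings[0] check and leaves bindings[1].MinTLSVersion unverified. Change it to `require.Equal(t, 12, bindings[1].MinTLSVersion)`. The other new assertions in this file use the index of the binding they sit in. The enclosing test functions continue outside their hunks.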


@ -121,6 +121,7 @@ The configuration file contains the following sections:
- `address`, string. Leave blank to listen on all available network interfaces. Default: "".
- `apply_proxy_config`, boolean. If enabled the common proxy configuration, if any, will be applied. Please note that we expect the proxy header on control and data connections. Default `true`.
- `tls_mode`, integer. 0 means accept both cleartext and encrypted sessions. 1 means TLS is required for both control and data connection. 2 means implicit TLS. Do not enable this blindly, please check that a proper TLS config is in place if you set `tls_mode` is different from 0.
- `min_tls_version`, integer. Defines the minimum version of TLS to be enabled. `12` means TLS 1.2 (and therefore TLS 1.2 and TLS 1.3 will be enabled),`13` means TLS 1.3. Default: `12`.
- `force_passive_ip`, ip address. External IP address to expose for passive connections. Leavy empty to autodetect. If not empty, it must be a valid IPv4 address. Defaut: "".
- `passive_ip_overrides`, list of struct that allows to return a different passive ip based on the client IP address. Each struct has the following fields:
- `networks`, list of strings. Each string must define a network in CIDR notation, for example 192.168.1.0/24.
@ -147,6 +148,7 @@ The configuration file contains the following sections:
- `port`, integer. The port used for serving WebDAV requests. 0 means disabled. Default: 0.
- `address`, string. Leave blank to listen on all available network interfaces. Default: "".
- `enable_https`, boolean. Set to `true` and provide both a certificate and a key file to enable HTTPS connection for this binding. Default `false`.
- `min_tls_version`, integer. Defines the minimum version of TLS to be enabled. `12` means TLS 1.2 (and therefore TLS 1.2 and TLS 1.3 will be enabled),`13` means TLS 1.3. Default: `12`.
- `client_auth_type`, integer. Set to `1` to require a client certificate and verify it. Set to `2` to request a client certificate during the TLS handshake and verify it if given, in this mode the client is allowed not to send a certificate. At least one certification authority must be defined in order to verify client certificates. If no certification authority is defined, this setting is ignored. Default: 0.
- `tls_cipher_suites`, list of strings. List of supported cipher suites for TLS version 1.2. If empty, a default list of secure cipher suites is used, with a preference order based on hardware performance. Note that TLS 1.3 ciphersuites are not configurable. The supported ciphersuites names are defined [here](https://github.com/golang/go/blob/master/src/crypto/tls/cipher_suites.go#L52). Any invalid name will be silently ignored. The order matters, the ciphers listed first will be the preferred ones. Default: empty.
- `prefix`, string. Prefix for WebDAV resources, if empty WebDAV resources will be available at the `/` URI. If defined it must be an absolute URI, for example `/dav`. Default: "".
@ -225,6 +227,7 @@ The configuration file contains the following sections:
- `enable_web_admin`, boolean. Set to `false` to disable the built-in web admin for this binding. You also need to define `templates_path` and `static_files_path` to use the built-in web admin interface. Default `true`.
- `enable_web_client`, boolean. Set to `false` to disable the built-in web client for this binding. You also need to define `templates_path` and `static_files_path` to use the built-in web client interface. Default `true`.
- `enable_https`, boolean. Set to `true` and provide both a certificate and a key file to enable HTTPS connection for this binding. Default `false`.
- `min_tls_version`, integer. Defines the minimum version of TLS to be enabled. `12` means TLS 1.2 (and therefore TLS 1.2 and TLS 1.3 will be enabled),`13` means TLS 1.3. Default: `12`.
- `client_auth_type`, integer. Set to `1` to require client certificate authentication in addition to JWT/Web authentication. You need to define at least a certificate authority for this to work. Default: 0.
- `tls_cipher_suites`, list of strings. List of supported cipher suites for TLS version 1.2. If empty, a default list of secure cipher suites is used, with a preference order based on hardware performance. Note that TLS 1.3 ciphersuites are not configurable. The supported ciphersuites names are defined [here](https://github.com/golang/go/blob/master/src/crypto/tls/cipher_suites.go#L52). Any invalid name will be silently ignored. The order matters, the ciphers listed first will be the preferred ones. Default: blank.
- `proxy_allowed`, list of IP addresses and IP ranges allowed to set `X-Forwarded-For`, `X-Real-IP`, `X-Forwarded-Proto`, `CF-Connecting-IP`, `True-Client-IP` headers. Any of the indicated headers, if set on requests from a connection address not in this list, will be silently ignored. Default: blank.
@ -266,6 +269,7 @@ The configuration file contains the following sections:
- `auth_user_file`, string. Path to a file used to store usernames and passwords for basic authentication. This can be an absolute path or a path relative to the config dir. We support HTTP basic authentication, and the file format must conform to the one generated using the Apache `htpasswd` tool. The supported password formats are bcrypt (`$2y$` prefix) and md5 crypt (`$apr1$` prefix). If empty, HTTP authentication is disabled. Authentication will be always disabled for the `/healthz` endpoint.
- `certificate_file`, string. Certificate for HTTPS. This can be an absolute path or a path relative to the config dir.
- `certificate_key_file`, string. Private key matching the above certificate. This can be an absolute path or a path relative to the config dir. If both the certificate and the private key are provided, the server will expect HTTPS connections. Certificate and key files can be reloaded on demand sending a `SIGHUP` signal on Unix based systems and a `paramchange` request to the running service on Windows.
- `min_tls_version`, integer. Defines the minimum version of TLS to be enabled. `12` means TLS 1.2 (and therefore TLS 1.2 and TLS 1.3 will be enabled),`13` means TLS 1.3. Default: `12`.
- `tls_cipher_suites`, list of strings. List of supported cipher suites for TLS version 1.2. If empty, a default list of secure cipher suites is used, with a preference order based on hardware performance. Note that TLS 1.3 ciphersuites are not configurable. The supported ciphersuites names are defined [here](https://github.com/golang/go/blob/master/src/crypto/tls/cipher_suites.go#L52). Any invalid name will be silently ignored. The order matters, the ciphers listed first will be the preferred ones. Default: empty.
- **"http"**, the configuration for HTTP clients. HTTP clients are used for executing hooks. Some hooks use a retryable HTTP client, for these hooks you can configure the time between retries and the number of retries. Please check the hook specific documentation to understand which hooks use a retryable HTTP client.
- `timeout`, float. Timeout specifies a time limit, in seconds, for requests. For requests with retries this is the timeout for a single request


@ -43,6 +43,8 @@ type Binding struct {
// Set to 1 to require TLS for both data and control connection.
// Set to 2 to enable implicit TLS
TLSMode int `json:"tls_mode" mapstructure:"tls_mode"`
// Defines the minimum TLS version. 13 means TLS 1.3, default is TLS 1.2
MinTLSVersion int `json:"min_tls_version" mapstructure:"min_tls_version"`
// External IP address to expose for passive connections.
ForcePassiveIP string `json:"force_passive_ip" mapstructure:"force_passive_ip"`
// PassiveIPOverrides allows to define different IP addresses to expose for passive connections
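Review bot: The new field comment `// Defines the minimum TLS version. 13 means TLS 1.3, default is TLS 1.2` leaves the reader guessing what values other than 12 and 13 do; since util.GetTLSVersion in this commit maps every unrecognised value to TLS 1.2, the comment should say so, e.g. `// Minimum TLS version: 12 means TLS 1.2 (the default), 13 means TLS 1.3. Any other value is treated as 12, so the minimum never drops below TLS 1.2.` The same comment is repeated on MinTLSVersion in the httpd and webdavd Binding structs and in the telemetry Conf struct later in this commit and should be updated in the same way. The Binding struct continues outside the hunk.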


@ -262,7 +262,7 @@ func (s *Server) buildTLSConfig() {
if certMgr != nil {
s.tlsConfig = &tls.Config{
GetCertificate: certMgr.GetCertificateFunc(),
MinVersion: tls.VersionTLS12,
MinVersion: util.GetTLSVersion(s.binding.MinTLSVersion),
CipherSuites: s.binding.ciphers,
PreferServerCipherSuites: true,
}


@ -258,6 +258,8 @@ type Binding struct {
EnableWebClient bool `json:"enable_web_client" mapstructure:"enable_web_client"`
// you also need to provide a certificate for enabling HTTPS
EnableHTTPS bool `json:"enable_https" mapstructure:"enable_https"`
// Defines the minimum TLS version. 13 means TLS 1.3, default is TLS 1.2
MinTLSVersion int `json:"min_tls_version" mapstructure:"min_tls_version"`
// set to 1 to require client certificate authentication in addition to basic auth.
// You need to define at least a certificate authority for this to work
ClientAuthType int `json:"client_auth_type" mapstructure:"client_auth_type"`


@ -80,7 +80,7 @@ func (s *httpdServer) listenAndServe() error {
if certMgr != nil && s.binding.EnableHTTPS {
config := &tls.Config{
GetCertificate: certMgr.GetCertificateFunc(),
MinVersion: tls.VersionTLS12,
MinVersion: util.GetTLSVersion(s.binding.MinTLSVersion),
NextProtos: []string{"http/1.1", "h2"},
CipherSuites: util.GetTLSCiphersFromNames(s.binding.TLSCipherSuites),
PreferServerCipherSuites: true,


@ -86,6 +86,7 @@
"address": "",
"apply_proxy_config": true,
"tls_mode": 0,
"min_tls_version": 12,
"force_passive_ip": "",
"passive_ip_overrides": [],
"client_auth_type": 0,
@ -117,6 +118,7 @@
"port": 0,
"address": "",
"enable_https": false,
"min_tls_version": 12,
"client_auth_type": 0,
"tls_cipher_suites": [],
"prefix": "",
@ -211,6 +213,7 @@
"enable_web_admin": true,
"enable_web_client": true,
"enable_https": false,
"min_tls_version": 12,
"client_auth_type": 0,
"tls_cipher_suites": [],
"proxy_allowed": [],
@ -255,6 +258,7 @@
"auth_user_file": "",
"certificate_file": "",
"certificate_key_file": "",
"min_tls_version": 12,
"tls_cipher_suites": []
},
"http": {


@ -63,6 +63,8 @@ type Conf struct {
// any invalid name will be silently ignored.
// The order matters, the ciphers listed first will be the preferred ones.
TLSCipherSuites []string `json:"tls_cipher_suites" mapstructure:"tls_cipher_suites"`
// Defines the minimum TLS version. 13 means TLS 1.3, default is TLS 1.2
MinTLSVersion int `json:"min_tls_version" mapstructure:"min_tls_version"`
}
// ShouldBind returns true if there service must be started
@ -104,7 +106,7 @@ func (c Conf) Initialize(configDir string) error {
}
config := &tls.Config{
GetCertificate: certMgr.GetCertificateFunc(),
MinVersion: tls.VersionTLS12,
MinVersion: util.GetTLSVersion(c.MinTLSVersion),
NextProtos: []string{"http/1.1", "h2"},
CipherSuites: util.GetTLSCiphersFromNames(c.TLSCipherSuites),
PreferServerCipherSuites: true,


@ -563,3 +563,16 @@ func PrependFileInfo(files []os.FileInfo, info os.FileInfo) []os.FileInfo {
files[0] = info
return files
}
// GetTLSVersion returns the TLS version for integer:
// - 12 means TLS 1.2
// - 13 means TLS 1.3
// default is TLS 1.2
func GetTLSVersion(val int) uint16 {
switch val {
case 13:
return tls.VersionTLS13
default:
return tls.VersionTLS12
}
}
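Review bot: GetTLSVersion folds every value except 13 into TLS 1.2, so a misconfigured min_tls_version is neither rejected nor reported; that is the safe direction, since the minimum can never be lowered below TLS 1.2 by configuration, but the doc comment should state it and the value is better validated once at config load than silently normalised on every TLS config build. Suggested doc comment: `// GetTLSVersion maps a configured min_tls_version to a crypto/tls version constant: 13 selects TLS 1.3, 12 selects TLS 1.2.` followed by `// Any other value, including 0 for an unset field, falls back to TLS 1.2, so configuration can never lower the minimum below 1.2.` The existing wording "returns the TLS version for integer" reads awkwardly and the bullet list renders poorly in godoc without a blank `//` line before it.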


@ -58,7 +58,7 @@ func (s *webDavServer) listenAndServe(compressor *middleware.Compressor) error {
serviceStatus.Bindings = append(serviceStatus.Bindings, s.binding)
httpServer.TLSConfig = &tls.Config{
GetCertificate: certMgr.GetCertificateFunc(),
MinVersion: tls.VersionTLS12,
MinVersion: util.GetTLSVersion(s.binding.MinTLSVersion),
NextProtos: []string{"http/1.1", "h2"},
CipherSuites: util.GetTLSCiphersFromNames(s.binding.TLSCipherSuites),
PreferServerCipherSuites: true,


@ -74,6 +74,8 @@ type Binding struct {
Port int `json:"port" mapstructure:"port"`
// you also need to provide a certificate for enabling HTTPS
EnableHTTPS bool `json:"enable_https" mapstructure:"enable_https"`
// Defines the minimum TLS version. 13 means TLS 1.3, default is TLS 1.2
MinTLSVersion int `json:"min_tls_version" mapstructure:"min_tls_version"`
// set to 1 to require client certificate authentication in addition to basic auth.
// You need to define at least a certificate authority for this to work
ClientAuthType int `json:"client_auth_type" mapstructure:"client_auth_type"`