From 5bd7d320e8c44eaa221c55748c646a0b74a04c7e Mon Sep 17 00:00:00 2001
From: Nassim 'Nass' Eddequiouaq
Date: Tue, 30 Jan 2018 15:35:17 -0800
Subject: [PATCH 1/2] Allow the config api consumer to modify the server and client default configs

Signed-off-by: Nassim 'Nass' Eddequiouaq
---
 tlsconfig/config.go | 22 +++++++++++++++++-----
 1 file changed, 17 insertions(+), 5 deletions(-)

diff --git a/tlsconfig/config.go b/tlsconfig/config.go
index 1b31bbb8b..f11f166a4 100644
--- a/tlsconfig/config.go
+++ b/tlsconfig/config.go
@@ -65,22 +65,34 @@ var allTLSVersions = map[uint16]struct{}{
 }
 
 // ServerDefault returns a secure-enough TLS configuration for the server TLS configuration.
-func ServerDefault() *tls.Config {
- return &tls.Config{
- // Avoid fallback to SSL protocols < TLS1.0
+func ServerDefault(ops ...func(*tls.Config)) *tls.Config {
+ tlsconfig := &tls.Config{
+ // Avoid fallback by default to SSL protocols < TLS1.0
 MinVersion: tls.VersionTLS10,
 PreferServerCipherSuites: true,
 CipherSuites: DefaultServerAcceptedCiphers,
 }
+
+ for _, op := range ops {
+ op(tlsconfig)
+ }
+
+ return tlsconfig
 }
 
 // ClientDefault returns a secure-enough TLS configuration for the client TLS configuration.
-func ClientDefault() *tls.Config {
- return &tls.Config{
+func ClientDefault(ops ...func(*tls.Config)) *tls.Config {
+ tlsconfig := &tls.Config{
 // Prefer TLS1.2 as the client minimum
 MinVersion: tls.VersionTLS12,
 CipherSuites: clientCipherSuites,
 }
+
+ for _, op := range ops {
+ op(tlsconfig)
+ }
+
+ return tlsconfig
 }
 
 // certPool returns an X.509 certificate pool from `caFile`, the certificate file.
From 088c24278568ef3aade5a0d7af7e7e53d9711830 Mon Sep 17 00:00:00 2001
From: Nassim 'Nass' Eddequiouaq
Date: Tue, 30 Jan 2018 16:14:37 -0800
Subject: [PATCH 2/2] Add unit tests for default client&server TLS config generator modifiers

Signed-off-by: Nassim 'Nass' Eddequiouaq
---
 tlsconfig/config_test.go | 38 ++++++++++++++++++++++++++++++++++++++
 1 file changed, 38 insertions(+)

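Review bot: The doc comments on `ServerDefault` and `ClientDefault` still promise a "secure-enough" configuration but say nothing about the new `ops` parameter, and every `op` runs after the defaults with no validation, so a caller can silently weaken them (lower `MinVersion`, replace `CipherSuites`, set `InsecureSkipVerify`). I would state that contract in each doc comment, e.g. `// ServerDefault returns a secure-enough TLS configuration for the server TLS configuration. Each op in ops is applied to the config in order, after the defaults are set, and may override them; validate anything derived from untrusted input before passing it here.` A nil element in `ops` panics at `op(tlsconfig)`; if that is not intended, guard with `if op != nil {`. The hunk header shows an `allTLSVersions` map in this file, which suggests the package already has a version whitelist that a modifier-set `MinVersion` could be checked against — worth confirming against the rest of the file, which is outside this hunk.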
diff --git a/tlsconfig/config_test.go b/tlsconfig/config_test.go
index 02131d6b8..71e8ce5fc 100644
--- a/tlsconfig/config_test.go
+++ b/tlsconfig/config_test.go
@@ -287,6 +287,44 @@ func TestConfigServerExclusiveRootPools(t *testing.T) {
 }
 }
 
+// If we provide a modifier to the server's default TLS configuration generator, it
+// should be applied accordingly
+func TestConfigServerDefaultWithTLSMinimumModifier(t *testing.T) {
+ tlsVersions := []uint16{
+ tls.VersionTLS11,
+ tls.VersionTLS12,
+ }
+
+ for _, tlsVersion := range tlsVersions {
+ servDefault := ServerDefault(func(c *tls.Config) {
+ c.MinVersion = tlsVersion
+ })
+
+ if servDefault.MinVersion != tlsVersion {
+ t.Fatalf("Unexpected min TLS version for default server TLS config: ", servDefault.MinVersion)
+ }
+ }
+}
+
+// If we provide a modifier to the client's default TLS configuration generator, it
+// should be applied accordingly
+func TestConfigClientDefaultWithTLSMinimumModifier(t *testing.T) {
+ tlsVersions := []uint16{
+ tls.VersionTLS11,
+ tls.VersionTLS12,
+ }
+
+ for _, tlsVersion := range tlsVersions {
+ clientDefault := ClientDefault(func(c *tls.Config) {
+ c.MinVersion = tlsVersion
+ })
+
+ if clientDefault.MinVersion != tlsVersion {
+ t.Fatalf("Unexpected min TLS version for default client TLS config: ", clientDefault.MinVersion)
+ }
+ }
+}
+
 // If a valid minimum version is specified in the options, the server's
 // minimum version should be set accordingly
 func TestConfigServerTLSMinVersionIsSetBasedOnOptions(t *testing.T) {
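Review bot: Both `t.Fatalf` calls pass `servDefault.MinVersion` / `clientDefault.MinVersion` with a format string that has no verb, so the value is never printed and `go vet` reports "Fatalf call has arguments but no formatting directives"; change them to `t.Fatalf("Unexpected min TLS version for default server TLS config: %#x", servDefault.MinVersion)` and the client counterpart likewise. The tests only check the one field the modifier set; also asserting that `CipherSuites` (and `PreferServerCipherSuites` on the server side) still hold the defaults would catch a modifier loop that clobbers the rest of the config. For the client, TLS 1.1 is below the TLS 1.2 default, so the test effectively documents that an op may weaken the default — a one-line comment saying that is deliberate would help the next reader.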