From f5ec916214e21bc0af0bdb7d48041d02e7703288 Mon Sep 17 00:00:00 2001
From: David Anderson
Date: Thu, 27 Jan 2022 16:51:30 -0800
Subject: [PATCH] cmd/derper: disable TLS 1.0 and 1.1.
Updates tailscale/corp#3568
Signed-off-by: David Anderson
---
 cmd/derper/derper.go | 2 ++
 1 file changed, 2 insertions(+)
diff --git a/cmd/derper/derper.go b/cmd/derper/derper.go
index c316d4870..c117504d6 100644
--- a/cmd/derper/derper.go
+++ b/cmd/derper/derper.go
@@ -241,6 +241,8 @@ func main() {
 cert.Certificate = append(cert.Certificate, s.MetaCert())
 return cert, nil
 }
+ // Disable TLS 1.0 and 1.1, which are obsolete and have security issues.
+ httpsrv.TLSConfig.MinVersion = tls.VersionTLS12
 httpsrv.Handler = http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
 if r.TLS != nil {
 label := "unknown"
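Review bot: The comment above `httpsrv.TLSConfig.MinVersion = tls.VersionTLS12` gives the motivation but not the operational effect or the source of the policy; I would write it as `// Require TLS 1.2+: TLS 1.0 and 1.1 are deprecated (RFC 8996); clients limited to them will fail the handshake.` so an operator debugging a refused connection finds the reason here. The assignment presumably relies on `httpsrv.TLSConfig` having been set to a non-nil config earlier in `main`, which starts and ends outside this hunk, so that cannot be confirmed from the visible lines. No test accompanies the change; a handshake attempt capped at TLS 1.1 against a test listener, expected to be rejected, would catch a regression if the config is ever rebuilt after this line.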