MinVersion is missing from this TLS configuration GO-S1020MinVersion is missing from this TLS configuration: tls.Config108 // Set TLSConfig to provide custom TLS configuration. For example,
109 // to skip TLS verification (useful for testing):
110 if config.Insecure {
111 server.TLSConfig = &tls.Config{InsecureSkipVerify: true} // skipcq: GSC-G402112 }
113
114 // SMTP client
Description
MinVersion is missing from this TLS configuration. As the default value is
TLS 1.0, which is considered insecure, it is recommended to explicitly set the
MinVersion to a secure version of TLS, such as VersionTLS13.
Bad practice
client := &http.Client{
Transport: &http.Transport{
TLSClientConfig: &tls.Config{
KeyLogWriter: w,
Rand: rand{},
InsecureSkipVerify: true,
},
},
}
Recommended
client := &http.Client{
Transport: &http.Transport{
TLSClientConfig: &tls.Config{
KeyLogWriter: w,
MinVersion: tls.VersionTLS13, // min version set
Rand: rand{},
InsecureSkipVerify: true,
},
},
}