🔥 feat: Add support for configuring TLS Min Version

docs/whats_new.md

@@ -130,6 +130,14 @@ In this example, a custom context `CustomCtx` is created with an additional meth
 
 </details>
 
+### Configurable TLS Minimum Version
+
+We have added support for configuring the TLS minimum version. This field allows you to set the TLS minimum version for TLSAutoCert and the server listener.
+
+```go
+app.Listen(":444", fiber.ListenConfig{TLSMinVersion: tls.VersionTLS12})
+```
+
 #### TLS AutoCert support (ACME / Let's Encrypt)
 
 We have added native support for automatic certificates management from Let's Encrypt and any other ACME-based providers.

listen.go

@@ -108,6 +108,12 @@
 	// Default: 10 * time.Second
 	ShutdownTimeout time.Duration `json:"shutdown_timeout"`
 
+	// TLSMinVersion allows to set tls minimum version.
+	//
+	// Default: VersionTLS12
+	// WARNING: TLS1.0 and TLS1.1 versions are not supported.
+	TLSMinVersion uint16 `json:"tls_min_version"`
+
 	// When set to true, it will not print out the «Fiber» ASCII art and listening address.
 	//
 	// Default: false
@@ -128,6 +134,7 @@
 func listenConfigDefault(config ...ListenConfig) ListenConfig {
 	if len(config) < 1 {
 		return ListenConfig{
+			TLSMinVersion:   tls.VersionTLS12,
 			ListenerNetwork: NetworkTCP4,
 			OnShutdownError: func(err error) {
 				log.Fatalf("shutdown: %v", err) //nolint:revive // It's an option
@@ -147,6 +154,14 @@
 		}
 	}
 
+	if cfg.TLSMinVersion == 0 {
+		cfg.TLSMinVersion = tls.VersionTLS12
+	}
+
+	if cfg.TLSMinVersion != tls.VersionTLS12 && cfg.TLSMinVersion != tls.VersionTLS13 {
+		panic("unsupported TLS version, please use tls.VersionTLS12 or tls.VersionTLS13")
+	}
+
 	return cfg
 }
 
@@ -168,8 +183,8 @@
 		}
 
 		tlsHandler := &TLSHandler{}
-		tlsConfig = &tls.Config{
-			MinVersion: tls.VersionTLS12,
+		tlsConfig = &tls.Config{ //nolint:gosec // This is a user input
+			MinVersion: cfg.TLSMinVersion,
 			Certificates: []tls.Certificate{
 				cert,
 			},
@@ -192,8 +207,8 @@
 		// Attach the tlsHandler to the config
 		app.SetTLSHandler(tlsHandler)
 	} else if cfg.AutoCertManager != nil {
-		tlsConfig = &tls.Config{
-			MinVersion:     tls.VersionTLS12,
+		tlsConfig = &tls.Config{ //nolint:gosec // This is a user input
+			MinVersion:     cfg.TLSMinVersion,
 			GetCertificate: cfg.AutoCertManager.GetCertificate,
 			NextProtos:     []string{"http/1.1", "acme-tls/1"},
 		}

listen_test.go

@@ -233,6 +233,26 @@ func Test_Listen_Prefork(t *testing.T) {
 
 	app := New()
 
+	require.Panics(t, func() {
+		_ = app.Listen(":443", ListenConfig{TLSMinVersion: tls.VersionTLS10}) //nolint:errcheck // ignore error
+	})
+	require.Panics(t, func() {
+		_ = app.Listen(":443", ListenConfig{TLSMinVersion: tls.VersionTLS11}) //nolint:errcheck // ignore error
+	})
+
+	require.Panics(t, func() {
+		_ = app.Listen(":443", ListenConfig{DisableStartupMessage: true, EnablePrefork: true, TLSMinVersion: tls.VersionTLS10}) //nolint:errcheck // ignore error
+	})
+	require.Panics(t, func() {
+		_ = app.Listen(":443", ListenConfig{DisableStartupMessage: true, EnablePrefork: true, TLSMinVersion: tls.VersionTLS11}) //nolint:errcheck // ignore error
+	})
+}
+
+// go test -run Test_Listen_TLSMinVersion
+func Test_Listen_TLSMinVersion(t *testing.T) {
+	testPreforkMaster = true
+
+	app := New()
 	require.NoError(t, app.Listen(":99999", ListenConfig{DisableStartupMessage: true, EnablePrefork: true}))
 }