internal/controlplane: set minimum tls version (#854)

Signed-off-by: Bobby DeSimone <bobbydesimone@gmail.com>

internal/controlplane/xds_listeners.go

@@ -361,6 +361,9 @@ func buildDownstreamTLSContext(options *config.Options, domain string) *envoy_ex
 	envoyCert := envoyTLSCertificateFromGoTLSCertificate(cert)
 	return &envoy_extensions_transport_sockets_tls_v3.DownstreamTlsContext{
 		CommonTlsContext: &envoy_extensions_transport_sockets_tls_v3.CommonTlsContext{
+			TlsParams: &envoy_extensions_transport_sockets_tls_v3.TlsParameters{
+				TlsMinimumProtocolVersion: envoy_extensions_transport_sockets_tls_v3.TlsParameters_TLSv1_2,
+			},
 			TlsCertificates:       []*envoy_extensions_transport_sockets_tls_v3.TlsCertificate{envoyCert},
 			AlpnProtocols:         []string{"h2", "http/1.1"},
 			ValidationContextType: validationContext,

internal/controlplane/xds_listeners_test.go

@@ -303,6 +303,9 @@ func Test_buildDownstreamTLSContext(t *testing.T) {
 
 	testutil.AssertProtoJSONEqual(t, `{
 		"commonTlsContext": {
+			"tlsParams": {
+				"tlsMinimumProtocolVersion": "TLSv1_2"
+			},
 			"alpnProtocols": ["h2", "http/1.1"],
 			"tlsCertificates": [
 				{