From 2475123d3c2a81ab344740b34b6d2f8313f759d4 Mon Sep 17 00:00:00 2001
From: Jordan Liggitt
Date: Wed, 10 Dec 2014 09:13:15 -0500
Subject: [PATCH] Bump minimum TLS version from SSLv3 to TLSv1.0

---
 cmd/kube-apiserver/apiserver.go | 2 ++
 pkg/client/transport.go | 2 ++
 2 files changed, 4 insertions(+)

diff --git a/cmd/kube-apiserver/apiserver.go b/cmd/kube-apiserver/apiserver.go
index d774d41f389..6fc8562442c 100644
--- a/cmd/kube-apiserver/apiserver.go
+++ b/cmd/kube-apiserver/apiserver.go
@@ -224,6 +224,8 @@ func main() {
 WriteTimeout: 5 * time.Minute,
 MaxHeaderBytes: 1 << 20,
 TLSConfig: &tls.Config{
+ // Change default from SSLv3 to TLSv1.0 (because of POODLE vulnerability)
+ MinVersion: tls.VersionTLS10,
 // Populate PeerCertificates in requests, but don't reject connections without certificates
 // This allows certificates to be validated by authenticators, while still allowing other auth types
 ClientAuth: tls.RequestClientCert,
diff --git a/pkg/client/transport.go b/pkg/client/transport.go
index ca9706e5c44..d8d82ec9df6 100644
--- a/pkg/client/transport.go
+++ b/pkg/client/transport.go
@@ -68,6 +68,8 @@ func NewClientCertTLSTransport(certFile, keyFile, caFile string) (*http.Transpor
 certPool.AppendCertsFromPEM(data)
 return &http.Transport{
 TLSClientConfig: &tls.Config{
+ // Change default from SSLv3 to TLSv1.0 (because of POODLE vulnerability)
+ MinVersion: tls.VersionTLS10,
 Certificates: []tls.Certificate{
 cert,
 },
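Review bot: `MinVersion: tls.VersionTLS10` in the apiserver TLSConfig still admits TLS 1.0 and TLS 1.1, both of which have since been formally deprecated (RFC 8996), so `MinVersion: tls.VersionTLS12` is the safer floor unless peers that only speak TLS 1.0/1.1 must be supported; the identical line in the pkg/client/transport.go hunk has the same issue. The floor is hard-coded independently in two places with no way for an operator to raise it without a rebuild, so a single shared helper or a flag feeding both the server and client tls.Config would keep them in step and give a single place to tighten later. The added comment reads as though the default itself was changed; `// Go's tls.Config default MinVersion is SSLv3; raise the floor so SSLv3 handshakes (POODLE) are refused` describes the actual effect. main() and NewClientCertTLSTransport both continue outside their hunks.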