Use TLS MinVersion, not MaxVersion, in documentation and code examples

andrewkroh · karmi · commit 35433b7fc191 · 2019-03-12T11:45:16.000+01:00
Let the examples pin the minimum supported TLS version, not the maximum. This will prevent connections to TLS 1.0. I removed InsecureSkipVerify from the examples so that users to don't inadvertently copy this insecure setup into their applications. Closes #26
diff --git a/README.md b/README.md
@@ -115,8 +115,8 @@ cfg := elasticsearch.Config{
     ResponseHeaderTimeout: time.Second,
     DialContext:           (&net.Dialer{Timeout: time.Second}).DialContext,
     TLSClientConfig: &tls.Config{
-      MaxVersion:         tls.VersionTLS11,
-      InsecureSkipVerify: true,
+      MinVersion: tls.VersionTLS11,
+      // ...
     },
   },
 }
diff --git a/_examples/configuration.go b/_examples/configuration.go
@@ -27,8 +27,8 @@ func main() {
 			ResponseHeaderTimeout: time.Millisecond,
 			DialContext:           (&net.Dialer{Timeout: time.Nanosecond}).DialContext,
 			TLSClientConfig: &tls.Config{
-				MaxVersion:         tls.VersionTLS11,
-				InsecureSkipVerify: true,
+				MinVersion: tls.VersionTLS11,
+				// ...
 			},
 		},
 	}
@@ -38,5 +38,6 @@ func main() {
 		log.Printf("Error creating the client: %s", err)
 	} else {
 		log.Println(es.Info())
+		// => dial tcp: i/o timeout
 	}
 }
diff --git a/doc.go b/doc.go
@@ -20,8 +20,7 @@ To configure the client, pass a Config object to the NewClient function:
 		    ResponseHeaderTimeout: time.Second,
 		    DialContext:           (&net.Dialer{Timeout: time.Second}).DialContext,
 		    TLSClientConfig: &tls.Config{
-		      MaxVersion:         tls.VersionTLS11,
-		      InsecureSkipVerify: true,
+		      MinVersion:         tls.VersionTLS11,
 		    },
 		  },
 		}
diff --git a/elasticsearch_example_test.go b/elasticsearch_example_test.go
@@ -42,8 +42,7 @@ func ExampleNewClient() {
 			ResponseHeaderTimeout: time.Second,
 			DialContext:           (&net.Dialer{Timeout: time.Second}).DialContext,
 			TLSClientConfig: &tls.Config{
-				MaxVersion:         tls.VersionTLS11,
-				InsecureSkipVerify: true,
+				MinVersion:         tls.VersionTLS11,
 			},
 		},
 	}
diff --git a/elasticsearch_integration_test.go b/elasticsearch_integration_test.go
@@ -125,7 +125,7 @@ func TestClientTransport(t *testing.T) {
 				ResponseHeaderTimeout: time.Second,
 				DialContext:           (&net.Dialer{Timeout: time.Nanosecond}).DialContext,
 				TLSClientConfig: &tls.Config{
-					MaxVersion:         tls.VersionTLS11,
+					MinVersion:         tls.VersionTLS11,
 					InsecureSkipVerify: true,
 				},
 			},

Original file line number	Diff line number	Diff line change
`@@ -27,8 +27,8 @@ func main() {`
`27`	`27`	`ResponseHeaderTimeout: time.Millisecond,`
`28`	`28`	`DialContext: (&net.Dialer{Timeout: time.Nanosecond}).DialContext,`
`29`	`29`	`TLSClientConfig: &tls.Config{`
`30`		`- MaxVersion: tls.VersionTLS11,`
`31`		`- InsecureSkipVerify: true,`
	`30`	`+ MinVersion: tls.VersionTLS11,`
	`31`	`+ // ...`
`32`	`32`	`},`
`33`	`33`	`},`
`34`	`34`	`}`
`@@ -38,5 +38,6 @@ func main() {`
`38`	`38`	`log.Printf("Error creating the client: %s", err)`
`39`	`39`	`} else {`
`40`	`40`	`log.Println(es.Info())`
	`41`	`+ // => dial tcp: i/o timeout`
`41`	`42`	`}`
`42`	`43`	`}`