docker / go-connections

Utility package to work with network connections
https://pkg.go.dev/github.com/docker/go-connections
Apache License 2.0

Configuration option or disable vulnerable TLS versions #51

Open josephpippin opened 6 years ago

josephpippin commented 6 years ago

The issue we are experiencing is when a security scan is issued against our docker hosts, they are found vulnerable to TLS version 1.0 and 1.1 on port 2376. We are using a self signed certificate.

Perhaps a daemon configuration option could be added to disable/enable TLS versions or just remove support for the vulnerable versions of TLS for the daemon.

`openssl s_client -connect dockerhost01:2376 -tls1`

```text
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-SHA
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1
~~~~ output omitted ~~~~
```

`openssl s_client -connect dockerhost01:2376 -tls1_1`

```text
~~~~ output omitted ~~~~
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-SHA
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.1
~~~~ output omitted ~~~~
```

adshmh commented 6 years ago

I think go-connections already has the ability to accept minimum TLS versions: #31 However, a PR to allow the same on docker daemon was not approved due to security concerns. At the time, the suggestion seemed to be hard-coding the minimum accepted TLS version in the daemon.

thaJeztah commented 6 years ago

This was changed recently in https://github.com/docker/go-connections/pull/50, and https://github.com/docker/go-connections/pull/49. Also see https://github.com/docker/go-connections/pull/45, which allows passing configuration options
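Added example, not code from this issue thread or from go-connections itself: the minimum-version policy adshmh and thaJeztah refer to, written against the standard library's `crypto/tls` (the `tlsconfig` package wraps a `*tls.Config`, so the assumption here is that its minimum-version option ends up in `tls.Config.MinVersion`). The loopback probe plays the role of the reporter's `openssl s_client -tls1` / `-tls1_1` checks, so you can see the hardened server refuse TLS 1.0 and 1.1 while a server that still allows TLS 1.0 accepts them. The hostname, the in-memory self-signed certificate and the `probeVersion`/`acceptedVersions` helpers are constructed for this example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"time"
)

// selfSignedCert builds a throwaway self-signed certificate in memory. It stands in
// for the self-signed daemon certificate the issue mentions (constructed, not real).
func selfSignedCert() (tls.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return tls.Certificate{}, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: "dockerhost01.example"}, // placeholder host name
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
		IPAddresses:  []net.IP{net.ParseIP("127.0.0.1")},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return tls.Certificate{}, err
	}
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key}, nil
}

// serverConfig is the daemon-side config once a minimum version is enforced:
// any ClientHello offering only versions below minVersion is refused at the handshake.
// (Assumed mapping: the tlsconfig minimum-version option sets this same field.)
func serverConfig(cert tls.Certificate, minVersion uint16) *tls.Config {
	return &tls.Config{
		Certificates: []tls.Certificate{cert},
		MinVersion:   minVersion,
	}
}

// probeVersion starts a TLS listener with cfg on loopback, connects with a client
// pinned to exactly `version`, and reports whether the handshake completed.
func probeVersion(cfg *tls.Config, version uint16) (bool, error) {
	ln, err := tls.Listen("tcp", "127.0.0.1:0", cfg)
	if err != nil {
		return false, err
	}
	defer ln.Close()

	// Drive the server side of one handshake; a failure surfaces on the client side.
	go func() {
		c, err := ln.Accept()
		if err != nil {
			return
		}
		defer c.Close()
		_ = c.(*tls.Conn).Handshake()
	}()

	client := &tls.Config{
		InsecureSkipVerify: true, // self-signed probe cert; only the version policy is under test
		MinVersion:         version,
		MaxVersion:         version,
	}
	conn, err := tls.Dial("tcp", ln.Addr().String(), client)
	if err != nil {
		return false, nil // handshake refused: the server does not accept this version
	}
	conn.Close()
	return true, nil
}

// acceptedVersions reports, per TLS version, whether the server config accepts it.
func acceptedVersions(cfg *tls.Config) (map[string]bool, error) {
	versions := map[string]uint16{
		"TLS1.0": tls.VersionTLS10,
		"TLS1.1": tls.VersionTLS11,
		"TLS1.2": tls.VersionTLS12,
	}
	out := make(map[string]bool, len(versions))
	for name, v := range versions {
		ok, err := probeVersion(cfg, v)
		if err != nil {
			return nil, err
		}
		out[name] = ok
	}
	return out, nil
}

func main() {
	cert, err := selfSignedCert()
	if err != nil {
		panic(err)
	}
	policies := []struct {
		name string
		min  uint16
	}{
		{"MinVersion=TLS1.0 (what the scanner flagged)", tls.VersionTLS10},
		{"MinVersion=TLS1.2 (hardened)", tls.VersionTLS12},
	}
	for _, p := range policies {
		res, err := acceptedVersions(serverConfig(cert, p.min))
		if err != nil {
			panic(err)
		}
		fmt.Printf("%s -> %v\n", p.name, res)
	}
}
```

`go run` prints one line per policy; the hardened config reports `TLS1.0:false TLS1.1:false TLS1.2:true`, which is the result a scan of port 2376 would need to show. Note that recent Go releases already default a server's `MinVersion` to TLS 1.2 when the field is left zero, so the explicit `VersionTLS10` in the weak policy is what keeps that case reproducing the reporter's finding.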