
allow setting the minimum TLS version #1611

Closed
slingamn opened this issue Apr 8, 2021 · 3 comments

@slingamn (Member) commented Apr 8, 2021

Go supports the following versions:

    VersionTLS10 = 0x0301
    VersionTLS11 = 0x0302
    VersionTLS12 = 0x0303
    VersionTLS13 = 0x0304

(tls.Config).MinVersion can be used to set the minimum version, which defaults to 1.0. Operators may want to increase this.

slingamn added this to the v2.7 milestone Apr 8, 2021

@DanielOaks (Member) commented Apr 8, 2021

I'll say that I hate allowing configuration of security things like this, but so long as it's for letting admins kill old versions of TLS it'd be fine I guess. So long as we don't bundle any other sort of configuration of ciphers or preferred cipher order or other esoteric specifics in with this - way too many projects expose every weird security detail and give the user the ability to screw up the config and shoot themselves in the foot.

@ChrisTX commented Apr 8, 2021

I wouldn't suggest making ciphers configurable, and TLS 1.3 uses completely different cipher names than 1.2 and earlier. There is a point that OpenSSL, and with that nginx, don't directly expose them because there are no insecure ciphers in 1.3. It shouldn't need configuration.
However, the reason I brought this up is that gotls enables 1.0/1.1, which are to some extent insecure (they use CBC modes only and HMAC-SHA1 and so on), by default, and disabling this is quite valid, and should maybe even be the default.

As for ciphers with 1.2, gotls enables AES-CBC with 1.2, which is considered rather poor. Mozilla for example recommends even for their intermediate configuration to turn them off. In my opinion - feel free to disagree - that configuration should be roughly the default nowadays.
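The two points above (slingamn's note that `(tls.Config).MinVersion` is the knob, and ChrisTX's point that 1.0/1.1 are enabled unless an operator turns them off) as an added, runnable example; this is not code from the project or from anyone in the thread. The setting strings ("1.0" to "1.3"), the fallback to 1.2 for an empty setting, and the helper names `minTLSVersion` and `handshakeAccepted` are assumptions of the example; the handshake is run in memory over `net.Pipe` with a throwaway self-signed certificate, and cipher suites are deliberately left at crypto/tls defaults.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"fmt"
	"math/big"
	"net"
	"time"
)

// minTLSVersion maps an operator setting to a crypto/tls constant. The empty
// setting falls back to 1.2 (assumed here; crypto/tls itself defaulted to 1.0).
func minTLSVersion(setting string) (uint16, error) {
	v, ok := map[string]uint16{"": tls.VersionTLS12, "1.0": tls.VersionTLS10,
		"1.1": tls.VersionTLS11, "1.2": tls.VersionTLS12, "1.3": tls.VersionTLS13}[setting]
	if !ok {
		return 0, fmt.Errorf("unknown minimum TLS version %q", setting)
	}
	return v, nil
}

// handshakeAccepted runs one in-memory handshake: a server enforcing minVer
// against a client offering at most clientMax. Only MinVersion is configured;
// cipher suites stay at crypto/tls defaults, as the thread argues they should.
func handshakeAccepted(minVer, clientMax uint16) (bool, error) {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) // throwaway self-signed cert; P-256 keygen only fails if rand.Reader does
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), NotAfter: time.Now().Add(time.Hour)}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return false, err
	}
	srv := &tls.Config{MinVersion: minVer, Certificates: []tls.Certificate{{Certificate: [][]byte{der}, PrivateKey: key}},
		SessionTicketsDisabled: true} // net.Pipe is synchronous; an unread post-handshake ticket would stall it
	cli := &tls.Config{MinVersion: tls.VersionTLS10, MaxVersion: clientMax,
		InsecureSkipVerify: true} // demo only: there is no CA to verify against
	c, s := net.Pipe()
	defer c.Close()
	defer s.Close()
	c.SetDeadline(time.Now().Add(5 * time.Second)) // bound the handshake if it stalls
	s.SetDeadline(time.Now().Add(5 * time.Second))
	srvErr := make(chan error, 1)
	go func() { srvErr <- tls.Server(s, srv).Handshake() }()
	cliErr := tls.Client(c, cli).Handshake()
	return cliErr == nil && <-srvErr == nil, nil
}
```

With the fallback minimum of 1.2, a client capped at TLS 1.1 is refused with a protocol-version alert while a TLS 1.3 client completes the handshake.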

@slingamn (Member, Author) commented:

Here's upstream's plan for this: golang/go#45428

slingamn self-assigned this Apr 19, 2021