traefik · traefiker · Oct 29, 2019 · Oct 13, 2019 · Oct 13, 2019 · Oct 14, 2019
diff --git a/docs/content/https/tls.md b/docs/content/https/tls.md
@@ -181,6 +181,53 @@ spec:
   minVersion: VersionTLS13
 ```
 
+### Maximum TLS Version
+
+```toml tab="File (TOML)"
+# Dynamic configuration
+
+[tls.options]
+
+  [tls.options.default]
+    maxVersion = "VersionTLS13"
+
+  [tls.options.maxtls12]
+    maxVersion = "VersionTLS12"
+```
+
+```yaml tab="File (YAML)"
+# Dynamic configuration
+
+tls:
+  options:
+    default:
+      maxVersion: VersionTLS13
+
+    maxtls12:
+      maxVersion: VersionTLS12
+```
+
+```yaml tab="Kubernetes"
+apiVersion: traefik.containo.us/v1alpha1
+kind: TLSOption
+metadata:
+  name: default
+  namespace: default
+
+spec:
+  maxVersion: VersionTLS13
+
+---
+apiVersion: traefik.containo.us/v1alpha1
+kind: TLSOption
+metadata:
+  name: maxtls12
+  namespace: default
+
+spec:
+  maxVersion: VersionTLS12
+```
+
 ### Cipher Suites
 
 See [cipherSuites](https://godoc.org/crypto/tls#pkg-constants) for more information.

diff --git a/docs/content/migration/v1-to-v2.md b/docs/content/migration/v1-to-v2.md
@@ -238,9 +238,11 @@ Then, a [router's TLS field](../routing/routers/index.md#tls) can refer to one o
     [tls.options]
       [tls.options.default]
         minVersion = "VersionTLS12"
+        maxVersion = "VersionTLS12"
 
       [tls.options.myTLSOptions]
         minVersion = "VersionTLS13"
+        maxVersion = "VersionTLS13"
         cipherSuites = [
             "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
             "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",

diff --git a/docs/content/reference/dynamic-configuration/file.toml b/docs/content/reference/dynamic-configuration/file.toml
@@ -318,13 +318,15 @@
   [tls.options]
     [tls.options.Options0]
       minVersion = "foobar"
+      maxVersion = "foobar"
       cipherSuites = ["foobar", "foobar"]
       sniStrict = true
       [tls.options.Options0.clientAuth]
         caFiles = ["foobar", "foobar"]
         clientAuthType = "foobar"
     [tls.options.Options1]
       minVersion = "foobar"
+      maxVersion = "foobar"
       cipherSuites = ["foobar", "foobar"]
       sniStrict = true
       [tls.options.Options1.clientAuth]

diff --git a/docs/content/reference/dynamic-configuration/file.yaml b/docs/content/reference/dynamic-configuration/file.yaml
@@ -349,6 +349,7 @@ tls:
   options:
     Options0:
       minVersion: foobar
+      maxVersion: foobar
       cipherSuites:
         - foobar
         - foobar
@@ -360,6 +361,7 @@ tls:
       sniStrict: true
     Options1:
       minVersion: foobar
+      maxVersion: foobar
       cipherSuites:
         - foobar
         - foobar

diff --git a/pkg/tls/certificate.go b/pkg/tls/certificate.go
@@ -22,6 +22,14 @@ var (
 		`VersionTLS13`: tls.VersionTLS13,
 	}
 
+	// MaxVersion Map of allowed TLS minimum versions
+	MaxVersion = map[string]uint16{
+		`VersionTLS10`: tls.VersionTLS10,
+		`VersionTLS11`: tls.VersionTLS11,
+		`VersionTLS12`: tls.VersionTLS12,
+		`VersionTLS13`: tls.VersionTLS13,
+	}
+
 	// CipherSuites Map of TLS CipherSuites from crypto/tls
 	// Available CipherSuites defined at https://golang.org/pkg/crypto/tls/#pkg-constants
 	CipherSuites = map[string]uint16{

diff --git a/pkg/tls/tls.go b/pkg/tls/tls.go
@@ -17,6 +17,7 @@ type ClientAuth struct {
 // Options configures TLS for an entry point
 type Options struct {
 	MinVersion   string     `json:"minVersion,omitempty" toml:"minVersion,omitempty" yaml:"minVersion,omitempty" export:"true"`
+	MaxVersion   string     `json:"maxVersion,omitempty" toml:"maxVersion,omitempty" yaml:"maxVersion,omitempty" export:"true"`
 	CipherSuites []string   `json:"cipherSuites,omitempty" toml:"cipherSuites,omitempty" yaml:"cipherSuites,omitempty"`
 	ClientAuth   ClientAuth `json:"clientAuth,omitempty" toml:"clientAuth,omitempty" yaml:"clientAuth,omitempty"`
 	SniStrict    bool       `json:"sniStrict,omitempty" toml:"sniStrict,omitempty" yaml:"sniStrict,omitempty" export:"true"`

diff --git a/pkg/tls/tlsmanager.go b/pkg/tls/tlsmanager.go
@@ -217,6 +217,12 @@ func buildTLSConfig(tlsOption Options) (*tls.Config, error) {
 		conf.MinVersion = minConst
 	}
 
+	// Set the maximum TLS version if set in the config TOML
+	if maxConst, exists := MaxVersion[tlsOption.MaxVersion]; exists {
+		conf.PreferServerCipherSuites = true
+		conf.MaxVersion = maxConst
+	}
+
 	// Set the list of CipherSuites if set in the config TOML
 	if tlsOption.CipherSuites != nil {
 		// if our list of CipherSuites is defined in the entryPoint config, we can re-initialize the suites list as empty