hashicorp · hanshasselberg · Feb 19, 2020 · Feb 19, 2020 · Feb 19, 2020 · Feb 19, 2020
diff --git a/agent/config/runtime.go b/agent/config/runtime.go
@@ -1423,7 +1423,8 @@ type RuntimeConfig struct {
 	TLSCipherSuites []uint16
 
 	// TLSMinVersion is used to set the minimum TLS version used for TLS
-	// connections. Should be either "tls10", "tls11", or "tls12".
+	// connections. Should be either "tls10", "tls11", "tls12" or "tls13".
+	// Defaults to tls12.
 	//
 	// hcl: tls_min_version = string
 	TLSMinVersion string

diff --git a/tlsutil/config.go b/tlsutil/config.go
@@ -30,8 +30,12 @@ var TLSLookup = map[string]uint16{
 	"tls10": tls.VersionTLS10,
 	"tls11": tls.VersionTLS11,
 	"tls12": tls.VersionTLS12,
+	"tls13": tls.VersionTLS13,
 }
 
+// TLSVersions has all the keys from the map above, make sure to keep both in sync
+var TLSVersions = "tls10, tls11, tls12, tls13"
+
 // Config used to create tls.Config
 type Config struct {
 	// VerifyIncoming is used to verify the authenticity of incoming
@@ -323,7 +327,7 @@ func (c *Configurator) check(config Config, pool *x509.CertPool, cert *tls.Certi
 	// Check if a minimum TLS version was set
 	if config.TLSMinVersion != "" {
 		if _, ok := TLSLookup[config.TLSMinVersion]; !ok {
-			return fmt.Errorf("TLSMinVersion: value %s not supported, please specify one of [tls10,tls11,tls12]", config.TLSMinVersion)
+			return fmt.Errorf("TLSMinVersion: value %s not supported, please specify one of [%s]", config.TLSMinVersion, TLSVersions)
 		}
 	}
 

diff --git a/tlsutil/config_test.go b/tlsutil/config_test.go
@@ -389,6 +389,7 @@ func TestConfigurator_ErrorPropagation(t *testing.T) {
 		{Config{CertFile: "bogus", KeyFile: "bogus"}, true, true}, // 20
 		{Config{CAFile: "bogus"}, true, true},                     // 21
 		{Config{CAPath: "bogus"}, true, true},                     // 22
+		{Config{TLSMinVersion: "tls13"}, false, false},            // 23
 	}
 
 	c := Configurator{autoEncrypt: &autoEncrypt{}, manual: &manual{}}
@@ -590,7 +591,7 @@ func TestConfigurator_CommonTLSConfigTLSMinVersion(t *testing.T) {
 	require.NoError(t, err)
 	require.Equal(t, c.commonTLSConfig(false).MinVersion, TLSLookup["tls10"])
 
-	tlsVersions := []string{"tls10", "tls11", "tls12"}
+	tlsVersions := []string{"tls10", "tls11", "tls12", "tls13"}
 	for _, version := range tlsVersions {
 		require.NoError(t, c.Update(Config{TLSMinVersion: version}))
 		require.Equal(t, c.commonTLSConfig(false).MinVersion,

diff --git a/website/source/docs/agent/options.html.md b/website/source/docs/agent/options.html.md
@@ -1830,8 +1830,8 @@ to the old fragment -->
   facility messages are sent. By default, `LOCAL0` will be used.
 
 * <a name="tls_min_version"></a><a href="#tls_min_version">`tls_min_version`</a> Added in Consul
-  0.7.4, this specifies the minimum supported version of TLS. Accepted values are "tls10", "tls11"
-  or "tls12". This defaults to "tls12". WARNING: TLS 1.1 and lower are generally considered less
+  0.7.4, this specifies the minimum supported version of TLS. Accepted values are "tls10", "tls11",
+  "tls12", or "tls13". This defaults to "tls12". WARNING: TLS 1.1 and lower are generally considered less
   secure; avoid using these if possible.
 
 * <a name="tls_cipher_suites"></a><a href="#tls_cipher_suites">`tls_cipher_suites`</a> Added in Consul