From 2ce1815e9dad7e3bc5ae1be21321fc3fd735af50 Mon Sep 17 00:00:00 2001
From: TermBot
Date: Sun, 1 Mar 2026 00:15:30 +0100
Subject: [PATCH 1/2] feat: enforce TLS 1.2 as minimum for shell HTTP client

- Added MinVersion: tls.VersionTLS12 to TLSClientConfig in newHttpClient
- Protects against downgrade attacks and vulnerabilities in TLS 1.0/1.1
- Maintains backward compatibility with secure TLS 1.2+ connections
- Does not affect InsecureSkipVerify flag behavior

Fixes #21004
---
 core/cmd/shell.go | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/core/cmd/shell.go b/core/cmd/shell.go
index 5ae9f29b360..46f5c69bb8e 100644
--- a/core/cmd/shell.go
+++ b/core/cmd/shell.go
@@ -543,7 +543,10 @@ func newHttpClient(lggr logger.Logger, insecureSkipVerify bool) *http.Client {
 tr := &http.Transport{
 // User enables this at their own risk!
 // #nosec G402
- TLSClientConfig: &tls.Config{InsecureSkipVerify: insecureSkipVerify},
+ TLSClientConfig: &tls.Config{
+ InsecureSkipVerify: insecureSkipVerify,
+ MinVersion: tls.VersionTLS12, // Enforce TLS 1.2 minimum for security
+ },
 }
 if insecureSkipVerify {
 lggr.Warn("InsecureSkipVerify is on, skipping SSL certificate verification.")

From 7cd5daa04a46180a8504ea159f57cf56e97bd1bc Mon Sep 17 00:00:00 2001
From: TermBot
Date: Sun, 1 Mar 2026 10:00:17 +0100
Subject: [PATCH 2/2] fix(security): condition TLS 1.2 enforcement on secure environments

---
 core/cmd/shell.go | 10 ++++++----
 1 file changed, 6 insertions(+), 4 deletions(-)

diff --git a/core/cmd/shell.go b/core/cmd/shell.go
index 46f5c69bb8e..05400112668 100644
--- a/core/cmd/shell.go
+++ b/core/cmd/shell.go
@@ -540,13 +540,15 @@ func NewAuthenticatedHTTPClient(lggr logger.Logger, clientOpts ClientOpts, cooki
 }
 
 func newHttpClient(lggr logger.Logger, insecureSkipVerify bool) *http.Client {
+ tlsConfig := &tls.Config{InsecureSkipVerify: insecureSkipVerify}
+ if !insecureSkipVerify {
+ tlsConfig.MinVersion = tls.VersionTLS12 // Enforce TLS 1.2 minimum for production security
+ }
+
 tr := &http.Transport{
 // User enables this at their own risk!
 // #nosec G402
- TLSClientConfig: &tls.Config{
- InsecureSkipVerify: insecureSkipVerify,
- MinVersion: tls.VersionTLS12, // Enforce TLS 1.2 minimum for security
- },
+ TLSClientConfig: tlsConfig,
 }
 if insecureSkipVerify {
 lggr.Warn("InsecureSkipVerify is on, skipping SSL certificate verification.")
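Review bot: Making `MinVersion` depend on `!insecureSkipVerify` (the added `if` at the top of `newHttpClient`) couples two independent controls: `InsecureSkipVerify` only disables certificate validation, nothing about that mode requires TLS 1.0/1.1, so a client run with the flag on now has both no peer authentication and a lower protocol floor, and the comment "for production security" documents the coupling as if it were intended. The `// #nosec G402` annotation now sits above `TLSClientConfig: tlsConfig` rather than the `&tls.Config{...}` literal that gosec actually inspects, so the suppression probably no longer attaches to the finding (worth confirming against the linter output). I'd set the floor unconditionally and move the annotation to the literal, `tlsConfig := &tls.Config{InsecureSkipVerify: insecureSkipVerify, MinVersion: tls.VersionTLS12} // #nosec G402 -- user enables InsecureSkipVerify at their own risk`, and drop the `if` block, which also keeps PATCH 1/2's statement that the change "does not affect InsecureSkipVerify flag behavior" true. As far as I recall Go's client-side default minimum has been TLS 1.2 since Go 1.18, so the explicit setting is mainly documentation and linter hygiene either way, which is a further reason not to make it conditional. The rest of newHttpClient continues past the end of the hunk.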