add flag for only TLSv1.3

closes #12

README.md

@@ -52,6 +52,10 @@ When a client requests the URL `gemini://example.com/foo/bar`, Agate will respon
 
 ## Configuration
 
+### TLS versions
+
+Agate by default supports TLSv1.2 and TLSv1.3. You can disable support for TLSv1.2 by using the flag `--only-tls13` (or its short version `-3`). This is *NOT RECOMMENDED* as it may break compatibility with some clients. The Gemini specification requires compatibility with TLSv1.2 "for now" because not all platforms have good support for TLSv1.3 (cf. §4.1 of the specification).
+
 ### Directory listing
 
 You can enable a basic directory listing for a directory by putting a file called `.directory-listing-ok` in that directory. This does not have an effect on subdirectories.

src/main.rs

@@ -74,6 +74,7 @@ struct Args {
     silent: bool,
     serve_secret: bool,
     log_ips: bool,
+    only_tls13: bool,
 }
 
 fn args() -> Result<Args> {
@@ -117,6 +118,7 @@ fn args() -> Result<Args> {
     );
     opts.optflag("s", "silent", "Disable logging output");
     opts.optflag("h", "help", "Print this help menu");
+    opts.optflag("3", "only-tls13", "Only use TLSv1.3 (default also allows TLSv1.2)");
     opts.optflag(
         "",
         "serve-secret",
@@ -153,6 +155,7 @@ fn args() -> Result<Args> {
         silent: matches.opt_present("s"),
         serve_secret: matches.opt_present("serve-secret"),
         log_ips: matches.opt_present("log-ip"),
+        only_tls13: matches.opt_present("only-tls13"),
     })
 }
 
@@ -175,6 +178,9 @@ fn acceptor() -> Result<TlsAcceptor> {
     let mut keys = pkcs8_private_keys(&mut BufReader::new(key_file)).or(Err("bad key"))?;
 
     let mut config = ServerConfig::new(NoClientAuth::new());
+    if ARGS.only_tls13 {
+        config.versions = vec![rustls::ProtocolVersion::TLSv1_3];
+    }
     config.set_single_cert(certs, keys.remove(0))?;
     Ok(TlsAcceptor::from(Arc::new(config)))
 }