From 58c6bc299190b782a4f641ef902529a915297d7e Mon Sep 17 00:00:00 2001
From: Andrea Gottardo
Date: Wed, 2 Oct 2024 11:20:49 -0700
Subject: [PATCH] logpolicy: force TLS 1.3 handshake

Updates tailscale/tailscale#3363

We know `log.tailscale.io` supports TLS 1.3, so we can enforce its usage in the client to shake some bytes off the TLS handshake each time a connection is opened to upload logs.

Signed-off-by: Andrea Gottardo
---
 logpolicy/logpolicy.go | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/logpolicy/logpolicy.go b/logpolicy/logpolicy.go
index ff0976cb2..0d2af77f2 100644
--- a/logpolicy/logpolicy.go
+++ b/logpolicy/logpolicy.go
@@ -813,6 +813,8 @@ func NewLogtailTransport(host string, netMon *netmon.Monitor, health *health.Tra
 }
 tr.TLSClientConfig = tlsdial.Config(host, health, tr.TLSClientConfig)
+ // Force TLS 1.3 since we know log.tailscale.io supports it.
+ tr.TLSClientConfig.MinVersion = tls.VersionTLS13
 return tr
 }
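Review bot: The added `tr.TLSClientConfig.MinVersion = tls.VersionTLS13` applies to whatever `host` the caller passes to NewLogtailTransport, while the comment justifies it only for log.tailscale.io; a different log endpoint, or a TLS-inspecting proxy on the path that tops out at TLS 1.2, would now fail the handshake and log upload would stop. If the guarantee is meant only for the production host, gate it, e.g. `if host == "log.tailscale.io" { tr.TLSClientConfig.MinVersion = tls.VersionTLS13 }`, or extend the comment to state that every log host must speak TLS 1.3 and that a failed handshake, not a fallback to 1.2, is the intended outcome. The assignment also presumes `tlsdial.Config` never returns nil, which cannot be confirmed from this hunk. The function body starts outside the hunk.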