From e1f9718e173d3ab77822889c4861b0a1f63f0830 Mon Sep 17 00:00:00 2001
From: James Elliott
Date: Thu, 24 Nov 2022 20:32:57 +1100
Subject: [PATCH] fix(configuration): max tls ver not correctly derived (#4428)

This fixes an issue where the maximum version if unset is derived from the minimum version erroneously.

Fixes #4425
---
 internal/utils/crypto.go | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/internal/utils/crypto.go b/internal/utils/crypto.go
index 2e2dbab2d..6d74fc8ea 100644
--- a/internal/utils/crypto.go
+++ b/internal/utils/crypto.go
@@ -235,10 +235,10 @@ func IsX509PrivateKey(i any) bool {
 }

 // NewTLSConfig generates a tls.Config from a schema.TLSConfig and a x509.CertPool.
-func NewTLSConfig(config *schema.TLSConfig, caCertPool *x509.CertPool) (tlsConfig *tls.Config) {
+func NewTLSConfig(config *schema.TLSConfig, rootCAs *x509.CertPool) (tlsConfig *tls.Config) {
 var certificates []tls.Certificate

- if config.CertificateChain.HasCertificates() && config.PrivateKey != nil {
+ if config.PrivateKey != nil && config.CertificateChain.HasCertificates() {
 certificates = []tls.Certificate{
 {
 Certificate: config.CertificateChain.CertificatesRaw(),
@@ -252,8 +252,8 @@ func NewTLSConfig(config *schema.TLSConfig, caCertPool *x509.CertPool) (tlsConfi
 ServerName: config.ServerName,
 InsecureSkipVerify: config.SkipVerify, //nolint:gosec // Informed choice by user. Off by default.
 MinVersion: config.MinimumVersion.MinVersion(),
- MaxVersion: config.MinimumVersion.MaxVersion(),
- RootCAs: caCertPool,
+ MaxVersion: config.MaximumVersion.MaxVersion(),
+ RootCAs: rootCAs,
 Certificates: certificates,
 }
 }
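Review bot: The doc comment on NewTLSConfig does not say that a certificate is attached only when both `config.PrivateKey` and `config.CertificateChain` are present. With only one of them set the `if` is skipped, `certificates` stays nil, and nothing in this function reports the half-configured state. Whether that combination is rejected earlier by configuration validation is not visible here. I would extend the comment with `// A certificate is only attached when both PrivateKey and CertificateChain are set; otherwise Certificates is left nil.` The function body continues past the end of this hunk.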
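Review bot: The corrected `MaxVersion: config.MaximumVersion.MaxVersion(),` line ships without a regression test, since the diffstat lists only crypto.go, and the original mistake was a one-word copy of the `MinVersion` line above it. A small table test on NewTLSConfig that sets MinimumVersion and MaximumVersion to different values and asserts both `tlsConfig.MinVersion` and `tlsConfig.MaxVersion` would pin the behaviour. Nothing in the visible lines checks that the maximum is not below the minimum, in which case crypto/tls has no usable version and handshakes fail. If schema validation already rejects that, a short comment next to these two fields saying where it is enforced would help. The start of NewTLSConfig is outside this hunk.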