From b9eb0293df782c251eee12118b780aa709ad84bf Mon Sep 17 00:00:00 2001
From: Krishna Iyer
Date: Tue, 19 Nov 2024 16:30:17 +0100
Subject: [PATCH 1/2] cli: Pass custom CA to grpc dial option
---
 cmd/ttn-lw-cli/commands/root.go | 3 +++
 cmd/ttn-lw-cli/internal/api/grpc.go | 17 +++++++++++++++++
 2 files changed, 20 insertions(+)
diff --git a/cmd/ttn-lw-cli/commands/root.go b/cmd/ttn-lw-cli/commands/root.go
index 861430638a..7af165876e 100644
--- a/cmd/ttn-lw-cli/commands/root.go
+++ b/cmd/ttn-lw-cli/commands/root.go
@@ -233,6 +233,9 @@ func preRun(tasks ...func() error) func(cmd *cobra.Command, args []string) error
 }
 rootCAs.AppendCertsFromPEM(pemBytes)
 http.DefaultTransport.(*http.Transport).TLSClientConfig.RootCAs = rootCAs
+ if err = api.AddCA(pemBytes); err != nil {
+ return err
+ }
 }
 // OAuth
diff --git a/cmd/ttn-lw-cli/internal/api/grpc.go b/cmd/ttn-lw-cli/internal/api/grpc.go
index ad28e3e4f5..0b929df7c6 100644
--- a/cmd/ttn-lw-cli/internal/api/grpc.go
+++ b/cmd/ttn-lw-cli/internal/api/grpc.go
@@ -17,6 +17,7 @@ package api
 import (
 "context"
 "crypto/tls"
+ "crypto/x509"
 "sync"
 "time"
@@ -134,6 +135,22 @@ var (
 conns = make(map[string]*grpc.ClientConn)
 )
+// AddCA adds the CA certificate file.
+func AddCA(pemBytes []byte) (err error) {
+ if tlsConfig == nil {
+ tlsConfig = &tls.Config{}
+ }
+ rootCAs := tlsConfig.RootCAs
+ if rootCAs == nil {
+ if rootCAs, err = x509.SystemCertPool(); err != nil {
+ rootCAs = x509.NewCertPool()
+ }
+ }
+ rootCAs.AppendCertsFromPEM(pemBytes)
+ tlsConfig.RootCAs = rootCAs
+ return nil
+}
+
 // Dial dials a gRPC connection to the target.
 func Dial(ctx context.Context, target string) (*grpc.ClientConn, error) {
 connMu.Lock()
From 51670f6c5a80f42d15fc6f26c6df5751d979a4cb Mon Sep 17 00:00:00 2001
From: Krishna Iyer
Date: Tue, 19 Nov 2024 17:27:32 +0100
Subject: [PATCH 2/2] cli: Define minimum TLS version (gosec)
---
 cmd/ttn-lw-cli/internal/api/grpc.go | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)
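Review bot: The `if err = api.AddCA(pemBytes); err != nil` check added here can never fire, because AddCA as added in the grpc.go hunk below discards the boolean returned by `rootCAs.AppendCertsFromPEM(pemBytes)` and always returns nil, so a CA file with no parseable certificate is accepted silently on the gRPC side (the `http.DefaultTransport` line just above already has the same gap). The check belongs inside AddCA, which then needs the `errors` import: replace the bare call with `if !rootCAs.AppendCertsFromPEM(pemBytes) { return errors.New("no CA certificates found in PEM data") }` and leave this call site as it is. The same PEM is also parsed twice, once into the HTTP pool and once in AddCA; that is harmless but deserves a one-line comment so nobody "deduplicates" it by dropping the wrong one. preRun begins and ends outside this hunk.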
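Review bot: The doc comment `// AddCA adds the CA certificate file.` does not match the signature, which takes PEM bytes rather than a file path and appends them to the pool that the package TLS config carries; suggest `// AddCA appends the CA certificates in pemBytes to the RootCAs of the package-level TLS config, creating the config and seeding it from the system pool on first use.` The fallback `rootCAs = x509.NewCertPool()` when `x509.SystemCertPool()` fails silently drops every system root, so on that path presumably only the custom CA is trusted and dials to endpoints with publicly issued certificates would fail with a bare verification error; if that is intended, a short comment (and ideally a warning log) saying so would help the next reader. AddCA also writes the package-level `tlsConfig` without holding `connMu`, which Dial takes directly below; that is fine if AddCA is only ever called from preRun before the first Dial, but the doc comment should state that requirement. AddCA lies entirely within the hunk; Dial's body continues past its end.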
diff --git a/cmd/ttn-lw-cli/internal/api/grpc.go b/cmd/ttn-lw-cli/internal/api/grpc.go
index 0b929df7c6..d59f700cc3 100644
--- a/cmd/ttn-lw-cli/internal/api/grpc.go
+++ b/cmd/ttn-lw-cli/internal/api/grpc.go
@@ -138,7 +138,9 @@ var (
 // AddCA adds the CA certificate file.
 func AddCA(pemBytes []byte) (err error) {
 if tlsConfig == nil {
- tlsConfig = &tls.Config{}
+ tlsConfig = &tls.Config{
+ MinVersion: tls.VersionTLS12,
+ }
 }
 rootCAs := tlsConfig.RootCAs
 if rootCAs == nil {
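Review bot: `MinVersion: tls.VersionTLS12` is only applied on the branch where `tlsConfig` is still nil, so a config that was already constructed somewhere else before AddCA runs (this hunk does not show where else `tlsConfig` is assigned) keeps whatever minimum it was built with, and the gosec finding is addressed on one path only. Setting it after the nil check covers both: `if tlsConfig.MinVersion == 0 { tlsConfig.MinVersion = tls.VersionTLS12 }` placed directly after the `if tlsConfig == nil { ... }` block, which is a no-op when the other constructor already set a floor. Note that crypto/tls clients have defaulted to a TLS 1.2 minimum since Go 1.18, so this is about making the floor explicit for the linter and for readers rather than changing negotiated versions. AddCA's body continues past the end of the hunk.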