Implement TLS server

$ ./minio --tls --cert <your_cert> --key <your_private_key> This patchset also provides crypto/x509 - which is a wrapper package to generate X509 certificates. This is necessary to provide certificates later through management console
2025-11-10 22:10:12 -05:00 · 2015-01-25 17:15:18 -08:00
parent 4b586a51cf
commit 063832baaf
23 changed files with 3435 additions and 10 deletions
--- a/pkg/httpserver/httpserver.go
+++ b/pkg/httpserver/httpserver.go
@@ -22,24 +22,39 @@ import (
 	"time"
 )

-func Start(handler http.Handler, address string) (chan<- string, <-chan error) {
+type HttpServer struct {
+	Address  string
+	TLS      bool
+	CertFile string
+	KeyFile  string
+}
+
+func Start(handler http.Handler, srv HttpServer) (chan<- string, <-chan error) {
 	ctrlChannel := make(chan string)
 	errorChannel := make(chan error)
-	go start(ctrlChannel, errorChannel, handler, address)
+	go start(ctrlChannel, errorChannel, handler, srv)
 	return ctrlChannel, errorChannel
 }

-func start(ctrlChannel <-chan string, errorChannel chan<- error, router http.Handler, address string) {
-	log.Println("Starting HTTP Server on " + address)
+func start(ctrlChannel <-chan string, errorChannel chan<- error, router http.Handler, srv HttpServer) {
+	var err error
+
 	// Minio server config
 	server := &http.Server{
-		Addr:           address,
+		Addr:           srv.Address,
 		Handler:        router,
 		ReadTimeout:    10 * time.Second,
 		WriteTimeout:   10 * time.Second,
 		MaxHeaderBytes: 1 << 20,
 	}
-	err := server.ListenAndServe()
+	log.Println("Starting HTTP Server on " + srv.Address)
+
+	if srv.TLS {
+		server.TLSConfig = getDefaultTLSConfig()
+		err = server.ListenAndServeTLS(srv.CertFile, srv.KeyFile)
+	} else {
+		err = server.ListenAndServe()
+	}
 	errorChannel <- err
 	close(errorChannel)
 }
--- a/pkg/httpserver/tlshelpers.go
+++ b/pkg/httpserver/tlshelpers.go
@@ -0,0 +1,29 @@
+package httpserver
+
+import "crypto/tls"
+
+func getDefaultTLSConfig() *tls.Config {
+	config := &tls.Config{}
+
+	//Use only modern ciphers
+	config.CipherSuites = []uint16{
+		tls.TLS_RSA_WITH_AES_128_CBC_SHA,
+		tls.TLS_RSA_WITH_AES_256_CBC_SHA,
+		tls.TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,
+		tls.TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,
+		tls.TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,
+		tls.TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,
+		tls.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
+		tls.TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
+	}
+
+	//Use only TLS v1.2
+	config.MinVersion = tls.VersionTLS12
+
+	// Ignore client auth for now
+	config.ClientAuth = tls.NoClientCert
+
+	//Don't allow session resumption
+	config.SessionTicketsDisabled = true
+	return config
+}