ldap: use custom TLS cipher suites (#20221)

This commit replaces the LDAP client TLS config and
adds a custom list of TLS cipher suites which support
RSA key exchange (RSA kex).

Some LDAP server connections experience a significant slowdown
when these cipher suites are not available. The Go TLS stack
disables them by default. (Can be enabled via GODEBUG=tlsrsakex=1).

fixes https://github.com/minio/minio/issues/20214

When `CipherSuites` is set explicitly, Go returns that list as-is and never
consults the `tlsrsakex` GODEBUG setting, so the RSA key-exchange suites become
selectable. Ref:
```
	if c.CipherSuites != nil {
		return c.CipherSuites
	}
	if tlsrsakex.Value() == "1" {
		return defaultCipherSuitesWithRSAKex
	}
```
Ref: https://cs.opensource.google/go/go/+/refs/tags/go1.22.5:src/crypto/tls/common.go;l=1017

Signed-off-by: Andreas Auernhammer <github@aead.dev>
This commit is contained in:
Andreas Auernhammer
2024-08-07 14:59:47 +02:00
committed by GitHub
parent 2681219039
commit 14876a4df1
4 changed files with 15 additions and 7 deletions


@@ -80,7 +80,7 @@ func main() {
if sessionPolicyFile != "" {
var policy string
if f, err := os.Open(sessionPolicyFile); err != nil {
log.Fatalf("Unable to open session policy file: %v", sessionPolicyFile, err)
log.Fatalf("Unable to open session policy file %s: %v", sessionPolicyFile, err)
} else {
bs, err := io.ReadAll(f)
if err != nil {
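Review bot: The corrected Fatalf on the new line still prints the path with `%s`; `%q` would quote it and make an empty or whitespace-containing path visible in the log, i.e. `log.Fatalf("Unable to open session policy file %q: %v", sessionPolicyFile, err)`. The `os.Open` + `io.ReadAll` pair that follows could be collapsed into `os.ReadFile(sessionPolicyFile)`, which also removes the need to close `f`. Whether `f` is closed cannot be seen here, as the else branch and the enclosing `main` continue outside the hunk.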
@@ -124,7 +124,7 @@ func main() {
// Use generated credentials to authenticate with MinIO server
minioClient, err := minio.New(stsEndpointURL.Host, opts)
if err != nil {
log.Fatalf("Error initializing client: ", err)
log.Fatalf("Error initializing client: %v", err)
}
// Use minIO Client object normally like the regular client.