ldap: use custom TLS cipher suites (#20221)

This commit replaces the LDAP client TLS config and adds a custom list of TLS cipher suites which support RSA key exchange (RSA kex). Some LDAP server connections experience a significant slowdown when these cipher suites are not available. The Go TLS stack disables them by default. (Can be enabled via GODEBUG=tlsrsakex=1). fixes https://github.com/minio/minio/issues/20214 With a custom list of TLS ciphers, Go can pick the TLS RSA key-exchange cipher. Ref: ``` if c.CipherSuites != nil { return c.CipherSuites } if tlsrsakex.Value() == "1" { return defaultCipherSuitesWithRSAKex } ``` Ref: https://cs.opensource.google/go/go/+/refs/tags/go1.22.5:src/crypto/tls/common.go;l=1017 Signed-off-by: Andreas Auernhammer <github@aead.dev>
2025-11-07 04:42:56 -05:00 · 2024-08-07 14:59:47 +02:00
parent 2681219039
commit 14876a4df1
4 changed files with 15 additions and 7 deletions
--- a/go.sum
+++ b/go.sum
@@ -470,8 +470,8 @@ github.com/minio/mux v1.9.0 h1:dWafQFyEfGhJvK6AwLOt83bIG5bxKxKJnKMCi0XAaoA=
 github.com/minio/mux v1.9.0/go.mod h1:1pAare17ZRL5GpmNL+9YmqHoWnLmMZF9C/ioUCfy0BQ=
 github.com/minio/pkg/v2 v2.0.19 h1:r187/k/oVH9H0DDwvLY5WipkJaZ4CLd4KI3KgIUExR0=
 github.com/minio/pkg/v2 v2.0.19/go.mod h1:luK9LAhQlAPzSuF6F326XSCKjMc1G3Tbh+a9JYwqh8M=
-github.com/minio/pkg/v3 v3.0.10 h1:pYcMsmwlMyYRo+XX+7vlLSp+5PqjwBk0SyFAeFlS81E=
-github.com/minio/pkg/v3 v3.0.10/go.mod h1:QfWcz9jh3Qu0Xg1mVBKhBzIKj7hKB7vz61/9pR4ZZ9Q=
+github.com/minio/pkg/v3 v3.0.11-0.20240806150526-672ab5e3b458 h1:fi2tFSnHgi5nH7+Kyj4Ymh5E4cFgWk5eFiqe5wap2MM=
+github.com/minio/pkg/v3 v3.0.11-0.20240806150526-672ab5e3b458/go.mod h1:QfWcz9jh3Qu0Xg1mVBKhBzIKj7hKB7vz61/9pR4ZZ9Q=
 github.com/minio/selfupdate v0.6.0 h1:i76PgT0K5xO9+hjzKcacQtO7+MjJ4JKA8Ak8XQ9DDwU=
 github.com/minio/selfupdate v0.6.0/go.mod h1:bO02GTIPCMQFTEvE5h4DjYB58bCoZ35XLeBf0buTDdM=
 github.com/minio/sha256-simd v0.1.1/go.mod h1:B5e1o+1/KgNmWrSQK08Y6Z1Vb5pwIktudl0J58iy0KM=