ldap: use custom TLS cipher suites (#20221)

This commit replaces the LDAP client TLS config and
adds a custom list of TLS cipher suites which support
RSA key exchange (RSA kex).

Some LDAP server connections experience a significant slowdown
when these cipher suites are not available. The Go TLS stack
disables them by default. (Can be enabled via GODEBUG=tlsrsakex=1).

fixes https://github.com/minio/minio/issues/20214

With a custom list of TLS ciphers, Go can pick the TLS RSA key-exchange
cipher. Ref:
```
	if c.CipherSuites != nil {
		return c.CipherSuites
	}
	if tlsrsakex.Value() == "1" {
		return defaultCipherSuitesWithRSAKex
	}
```
Ref: https://cs.opensource.google/go/go/+/refs/tags/go1.22.5:src/crypto/tls/common.go;l=1017

Signed-off-by: Andreas Auernhammer <github@aead.dev>
Andreas Auernhammer 2024-08-07 14:59:47 +02:00 committed by GitHub
parent 2681219039
commit 14876a4df1
4 changed files with 15 additions and 7 deletions


@ -80,7 +80,7 @@ func main() {
if sessionPolicyFile != "" { if sessionPolicyFile != "" {
var policy string var policy string
if f, err := os.Open(sessionPolicyFile); err != nil { if f, err := os.Open(sessionPolicyFile); err != nil {
log.Fatalf("Unable to open session policy file: %v", sessionPolicyFile, err) log.Fatalf("Unable to open session policy file %s: %v", sessionPolicyFile, err)
} else { } else {
bs, err := io.ReadAll(f) bs, err := io.ReadAll(f)
if err != nil { if err != nil {
@ -124,7 +124,7 @@ func main() {
// Use generated credentials to authenticate with MinIO server // Use generated credentials to authenticate with MinIO server
minioClient, err := minio.New(stsEndpointURL.Host, opts) minioClient, err := minio.New(stsEndpointURL.Host, opts)
if err != nil { if err != nil {
log.Fatalf("Error initializing client: ", err) log.Fatalf("Error initializing client: %v", err)
} }
// Use minIO Client object normally like the regular client. // Use minIO Client object normally like the regular client.
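Review bot: The `if f, err := os.Open(sessionPolicyFile); err != nil { log.Fatalf(...) } else { ... }` shape in the first hunk keeps the success path nested under an `else` after a call that never returns; declaring `f, err := os.Open(sessionPolicyFile)` on its own line, keeping the `if err != nil { log.Fatalf(...) }`, and continuing with `bs, err := io.ReadAll(f)` at the outer level reads better. I also see no `f.Close()` in the visible lines — if the file is not closed further down, `defer f.Close()` belongs right after the error check. In the corrected message, `%q` rather than `%s` for the path makes an empty or odd file name visible in the log. main starts before the hunk and continues past it.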

2
go.mod

@ -54,7 +54,7 @@ require (
github.com/minio/madmin-go/v3 v3.0.59-0.20240725120704-3cfbffc45f08 github.com/minio/madmin-go/v3 v3.0.59-0.20240725120704-3cfbffc45f08
github.com/minio/minio-go/v7 v7.0.73 github.com/minio/minio-go/v7 v7.0.73
github.com/minio/mux v1.9.0 github.com/minio/mux v1.9.0
github.com/minio/pkg/v3 v3.0.10 github.com/minio/pkg/v3 v3.0.11-0.20240806150526-672ab5e3b458
github.com/minio/selfupdate v0.6.0 github.com/minio/selfupdate v0.6.0
github.com/minio/simdjson-go v0.4.5 github.com/minio/simdjson-go v0.4.5
github.com/minio/sio v0.4.0 github.com/minio/sio v0.4.0

4
go.sum

@ -470,8 +470,8 @@ github.com/minio/mux v1.9.0 h1:dWafQFyEfGhJvK6AwLOt83bIG5bxKxKJnKMCi0XAaoA=
github.com/minio/mux v1.9.0/go.mod h1:1pAare17ZRL5GpmNL+9YmqHoWnLmMZF9C/ioUCfy0BQ= github.com/minio/mux v1.9.0/go.mod h1:1pAare17ZRL5GpmNL+9YmqHoWnLmMZF9C/ioUCfy0BQ=
github.com/minio/pkg/v2 v2.0.19 h1:r187/k/oVH9H0DDwvLY5WipkJaZ4CLd4KI3KgIUExR0= github.com/minio/pkg/v2 v2.0.19 h1:r187/k/oVH9H0DDwvLY5WipkJaZ4CLd4KI3KgIUExR0=
github.com/minio/pkg/v2 v2.0.19/go.mod h1:luK9LAhQlAPzSuF6F326XSCKjMc1G3Tbh+a9JYwqh8M= github.com/minio/pkg/v2 v2.0.19/go.mod h1:luK9LAhQlAPzSuF6F326XSCKjMc1G3Tbh+a9JYwqh8M=
github.com/minio/pkg/v3 v3.0.10 h1:pYcMsmwlMyYRo+XX+7vlLSp+5PqjwBk0SyFAeFlS81E= github.com/minio/pkg/v3 v3.0.11-0.20240806150526-672ab5e3b458 h1:fi2tFSnHgi5nH7+Kyj4Ymh5E4cFgWk5eFiqe5wap2MM=
github.com/minio/pkg/v3 v3.0.10/go.mod h1:QfWcz9jh3Qu0Xg1mVBKhBzIKj7hKB7vz61/9pR4ZZ9Q= github.com/minio/pkg/v3 v3.0.11-0.20240806150526-672ab5e3b458/go.mod h1:QfWcz9jh3Qu0Xg1mVBKhBzIKj7hKB7vz61/9pR4ZZ9Q=
github.com/minio/selfupdate v0.6.0 h1:i76PgT0K5xO9+hjzKcacQtO7+MjJ4JKA8Ak8XQ9DDwU= github.com/minio/selfupdate v0.6.0 h1:i76PgT0K5xO9+hjzKcacQtO7+MjJ4JKA8Ak8XQ9DDwU=
github.com/minio/selfupdate v0.6.0/go.mod h1:bO02GTIPCMQFTEvE5h4DjYB58bCoZ35XLeBf0buTDdM= github.com/minio/selfupdate v0.6.0/go.mod h1:bO02GTIPCMQFTEvE5h4DjYB58bCoZ35XLeBf0buTDdM=
github.com/minio/sha256-simd v0.1.1/go.mod h1:B5e1o+1/KgNmWrSQK08Y6Z1Vb5pwIktudl0J58iy0KM= github.com/minio/sha256-simd v0.1.1/go.mod h1:B5e1o+1/KgNmWrSQK08Y6Z1Vb5pwIktudl0J58iy0KM=


@ -18,6 +18,7 @@
package ldap package ldap
import ( import (
"crypto/tls"
"crypto/x509" "crypto/x509"
"errors" "errors"
"sort" "sort"
@ -25,6 +26,7 @@ import (
"github.com/minio/madmin-go/v3" "github.com/minio/madmin-go/v3"
"github.com/minio/minio/internal/config" "github.com/minio/minio/internal/config"
"github.com/minio/minio/internal/fips"
"github.com/minio/pkg/v3/ldap" "github.com/minio/pkg/v3/ldap"
) )
@ -189,9 +191,15 @@ func Lookup(s config.Config, rootCAs *x509.CertPool) (l Config, err error) {
return l, nil return l, nil
} }
l.LDAP = ldap.Config{ l.LDAP = ldap.Config{
RootCAs: rootCAs,
ServerAddr: ldapServer, ServerAddr: ldapServer,
SRVRecordName: getCfgVal(SRVRecordName), SRVRecordName: getCfgVal(SRVRecordName),
TLS: &tls.Config{
MinVersion: tls.VersionTLS12,
NextProtos: []string{"h2", "http/1.1"},
ClientSessionCache: tls.NewLRUClientSessionCache(100),
CipherSuites: fips.TLSCiphersBackwardCompatible(), // Contains RSA key exchange
RootCAs: rootCAs,
},
} }
// Parse explicitly set enable=on/off flag. // Parse explicitly set enable=on/off flag.
@ -220,7 +228,7 @@ func Lookup(s config.Config, rootCAs *x509.CertPool) (l Config, err error) {
} }
} }
if v := getCfgVal(TLSSkipVerify); v != "" { if v := getCfgVal(TLSSkipVerify); v != "" {
l.LDAP.TLSSkipVerify, err = config.ParseBool(v) l.LDAP.TLS.InsecureSkipVerify, err = config.ParseBool(v)
if err != nil { if err != nil {
return l, err return l, err
} }
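Review bot: The new tls.Config in the Lookup hunk advertises `NextProtos: []string{"h2", "http/1.1"}`, which is HTTP ALPN; LDAP over TLS has no application protocol to negotiate, so the line is at best dead configuration and a server that enforces ALPN overlap could refuse the handshake, so I would drop it. The `CipherSuites` comment should also carry the trade-off the commit message explains, since RSA key exchange has no forward secrecy: `CipherSuites: fips.TLSCiphersBackwardCompatible(), // includes RSA key exchange (no forward secrecy); kept because some LDAP servers are slow without it, see #20214`. The TLSSkipVerify hunk now dereferences `l.LDAP.TLS`, which is safe on this path because the literal above always sets it, but any other code that builds an ldap.Config without TLS would now panic on that assignment — worth a nil guard if such a path exists. Lookup starts before the hunk and continues past it.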