mirror of
https://github.com/minio/minio.git
synced 2025-01-11 23:13:23 -05:00
server/tls: Do not rely on a specific cipher suite (#4021)
Do not rely on a specific cipher suite instead let the go choose the type of cipher needed, if the connection is coming from clients which do not support forward secrecy let the go tls handle this automatically based on tls1.2 specifications. Fixes #4017
This commit is contained in:
parent
f1015a5096
commit
2040d32ef8
@ -401,23 +401,8 @@ func (m *ServerMux) ListenAndServe(certFile, keyFile string) (err error) {
|
|||||||
// Causes servers to use Go's default ciphersuite preferences,
|
// Causes servers to use Go's default ciphersuite preferences,
|
||||||
// which are tuned to avoid attacks. Does nothing on clients.
|
// which are tuned to avoid attacks. Does nothing on clients.
|
||||||
PreferServerCipherSuites: true,
|
PreferServerCipherSuites: true,
|
||||||
// Only use curves which have assembly implementations
|
|
||||||
CurvePreferences: []tls.CurveID{
|
|
||||||
tls.CurveP256,
|
|
||||||
},
|
|
||||||
// Set minimum version to TLS 1.2
|
// Set minimum version to TLS 1.2
|
||||||
MinVersion: tls.VersionTLS12,
|
MinVersion: tls.VersionTLS12,
|
||||||
CipherSuites: []uint16{
|
|
||||||
tls.TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
|
|
||||||
tls.TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
|
|
||||||
tls.TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
|
|
||||||
tls.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
|
|
||||||
|
|
||||||
// Best disabled, as they don't provide Forward Secrecy,
|
|
||||||
// but might be necessary for some clients
|
|
||||||
// tls.TLS_RSA_WITH_AES_256_GCM_SHA384,
|
|
||||||
// tls.TLS_RSA_WITH_AES_128_GCM_SHA256,
|
|
||||||
},
|
|
||||||
} // Always instantiate.
|
} // Always instantiate.
|
||||||
|
|
||||||
if tlsEnabled {
|
if tlsEnabled {
|
||||||
|
Loading…
Reference in New Issue
Block a user