disable elliptic curves P-384 and P-521 for TLS. (#5845)
This change disables the non-constant-time implementations of P-384 and P-521. As a consequence a client using only these curves cannot connect to the server. This should be no real issue because (all) clients support at least P-256. Further, this change also rejects ECDSA private keys on P-384 and P-521. While non-constant-time implementations for the ECDHE exchange don't expose an obvious vulnerability, using P-384 or P-521 keys for the ECDSA signature may allow practical timing attacks. Fixes #5844
This commit is contained in:
parent
c733fe87ce
commit
21a3c0f482
12
cmd/certs.go
12
cmd/certs.go
@ -17,6 +17,8 @@
|
|||||||
package cmd
|
package cmd
|
||||||
|
|
||||||
import (
|
import (
|
||||||
|
"crypto"
|
||||||
|
"crypto/ecdsa"
|
||||||
"crypto/tls"
|
"crypto/tls"
|
||||||
"crypto/x509"
|
"crypto/x509"
|
||||||
"encoding/pem"
|
"encoding/pem"
|
||||||
@ -142,6 +144,16 @@ func getSSLConfig() (x509Certs []*x509.Certificate, rootCAs *x509.CertPool, tlsC
|
|||||||
if cert, err = loadX509KeyPair(getPublicCertFile(), getPrivateKeyFile()); err != nil {
|
if cert, err = loadX509KeyPair(getPublicCertFile(), getPrivateKeyFile()); err != nil {
|
||||||
return nil, nil, nil, false, err
|
return nil, nil, nil, false, err
|
||||||
}
|
}
|
||||||
|
// Ensure that the private key is not a P-384 or P-521 EC key.
|
||||||
|
// The Go TLS stack does not provide constant-time implementations of P-384 and P-521.
|
||||||
|
if priv, ok := cert.PrivateKey.(crypto.Signer); ok {
|
||||||
|
if pub, ok := priv.Public().(*ecdsa.PublicKey); ok {
|
||||||
|
if name := pub.Params().Name; name == "P-384" || name == "P-521" { // unfortunately there is no cleaner way to check
|
||||||
|
return nil, nil, nil, false, fmt.Errorf("TLS: the ECDSA curve '%s' is not supported", name)
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
}
|
||||||
|
|
||||||
tlsCert = &cert
|
tlsCert = &cert
|
||||||
|
|
||||||
|
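Review bot: The new key check in getSSLConfig is a deny-list: it rejects only curves whose name is "P-384" or "P-521", so any other ECDSA curve that loadX509KeyPair accepts (P-224, if the underlying x509 parser admits it) would still pass, even though the rationale in the comment is that only P-256 has a constant-time implementation. An allow-list matches that rationale and mirrors the server-side `secureCurves` list in this same commit: `if name := pub.Params().Name; name != "P-256" {`, keeping the existing error message. The comparison on `Params().Name` could also be replaced by comparing `pub.Curve` against `elliptic.P256()`, which avoids depending on the curve's display name, at the cost of a `crypto/elliptic` import. getSSLConfig's body continues outside the hunk.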
@ -172,6 +172,9 @@ var defaultCipherSuites = []uint16{
|
|||||||
tls.TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
|
tls.TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
|
||||||
}
|
}
|
||||||
|
|
||||||
|
// Go only provides constant-time implementations of Curve25519 and NIST P-256 curve.
|
||||||
|
var secureCurves = []tls.CurveID{tls.X25519, tls.CurveP256}
|
||||||
|
|
||||||
// NewServer - creates new HTTP server using given arguments.
|
// NewServer - creates new HTTP server using given arguments.
|
||||||
func NewServer(addrs []string, handler http.Handler, certificate *tls.Certificate) *Server {
|
func NewServer(addrs []string, handler http.Handler, certificate *tls.Certificate) *Server {
|
||||||
var tlsConfig *tls.Config
|
var tlsConfig *tls.Config
|
||||||
@ -179,6 +182,7 @@ func NewServer(addrs []string, handler http.Handler, certificate *tls.Certificat
|
|||||||
tlsConfig = &tls.Config{
|
tlsConfig = &tls.Config{
|
||||||
PreferServerCipherSuites: true,
|
PreferServerCipherSuites: true,
|
||||||
CipherSuites: defaultCipherSuites,
|
CipherSuites: defaultCipherSuites,
|
||||||
|
CurvePreferences: secureCurves,
|
||||||
MinVersion: tls.VersionTLS12,
|
MinVersion: tls.VersionTLS12,
|
||||||
NextProtos: []string{"http/1.1", "h2"},
|
NextProtos: []string{"http/1.1", "h2"},
|
||||||
}
|
}
|
||||||
|
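Review bot: The comment on `secureCurves` should say what the list actually constrains: `CurvePreferences` governs only the ECDHE key-exchange curves offered in the handshake, not the curve of the server certificate's ECDSA key, which is why the certificate check lives in cmd/certs.go in this commit and why the two lists have to be kept in sync by hand. The constant-time claim is also tied to a particular Go release; later toolchains may ship constant-time P-384/P-521, so recording the version it was verified against lets the restriction be revisited rather than cargo-culted. Suggested comment: `// Restrict ECDHE key exchange to curves with constant-time implementations in the Go release we build with (X25519 and P-256 when this was written); this does not constrain the certificate key's curve, which getSSLConfig checks separately.` NewServer's body continues outside the hunk.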
@ -43,6 +43,9 @@ or protect the private key additionally with a password:
|
|||||||
```sh
|
```sh
|
||||||
openssl ecparam -genkey -name prime256v1 | openssl ec -aes256 -out private.key -passout pass:PASSWORD
|
openssl ecparam -genkey -name prime256v1 | openssl ec -aes256 -out private.key -passout pass:PASSWORD
|
||||||
```
|
```
|
||||||
|
|
||||||
|
Notice that the NIST curves P-384 and P-521 are not supported yet.
|
||||||
|
|
||||||
2. **RSA:**
|
2. **RSA:**
|
||||||
```sh
|
```sh
|
||||||
openssl genrsa -out private.key 2048
|
openssl genrsa -out private.key 2048
|
||||||
|