allow turning off secure ciphers (#10038)

this PR to allow legacy support for big-data
applications which run older Java versions
which do not support the secure ciphers
currently defaulted in MinIO. This option
allows optionally to turn them off such
that client and server can negotiate the
best ciphers themselves.

This env is purposefully not documented,
meant as a last resort when client
application cannot be changed easily.
This commit is contained in:
Harshavardhana 2020-07-13 14:20:21 -07:00 committed by GitHub
parent 8d8f28eae4
commit a2616b8227
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23

View File

@ -29,7 +29,9 @@ import (
humanize "github.com/dustin/go-humanize" humanize "github.com/dustin/go-humanize"
"github.com/minio/minio-go/v6/pkg/set" "github.com/minio/minio-go/v6/pkg/set"
"github.com/minio/minio/cmd/config"
"github.com/minio/minio/pkg/certs" "github.com/minio/minio/pkg/certs"
"github.com/minio/minio/pkg/env"
) )
const ( const (
@ -163,7 +165,7 @@ func (srv *Server) Shutdown() error {
// (CBC-SHA ciphers can be enabled again if required) // (CBC-SHA ciphers can be enabled again if required)
// - RSA key exchange ciphers: Disabled because of dangerous PKCS1-v1.5 RSA // - RSA key exchange ciphers: Disabled because of dangerous PKCS1-v1.5 RSA
// padding scheme. See Bleichenbacher attacks. // padding scheme. See Bleichenbacher attacks.
var defaultCipherSuites = []uint16{ var secureCipherSuites = []uint16{
tls.TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305, tls.TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,
tls.TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305, tls.TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,
tls.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, tls.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
@ -175,15 +177,19 @@ var defaultCipherSuites = []uint16{
// Go only provides constant-time implementations of Curve25519 and NIST P-256 curve. // Go only provides constant-time implementations of Curve25519 and NIST P-256 curve.
var secureCurves = []tls.CurveID{tls.X25519, tls.CurveP256} var secureCurves = []tls.CurveID{tls.X25519, tls.CurveP256}
const (
enableSecureCiphersEnv = "MINIO_API_SECURE_CIPHERS"
)
// NewServer - creates new HTTP server using given arguments. // NewServer - creates new HTTP server using given arguments.
func NewServer(addrs []string, handler http.Handler, getCert certs.GetCertificateFunc) *Server { func NewServer(addrs []string, handler http.Handler, getCert certs.GetCertificateFunc) *Server {
secureCiphers := env.Get(enableSecureCiphersEnv, config.EnableOn) == config.EnableOn
var tlsConfig *tls.Config var tlsConfig *tls.Config
if getCert != nil { if getCert != nil {
tlsConfig = &tls.Config{ tlsConfig = &tls.Config{
// TLS hardening // TLS hardening
PreferServerCipherSuites: true, PreferServerCipherSuites: true,
CipherSuites: defaultCipherSuites,
CurvePreferences: secureCurves,
MinVersion: tls.VersionTLS12, MinVersion: tls.VersionTLS12,
// Do not edit the next line, protos priority is kept // Do not edit the next line, protos priority is kept
// on purpose in this manner for HTTP 2.0, we would // on purpose in this manner for HTTP 2.0, we would
@ -197,6 +203,11 @@ func NewServer(addrs []string, handler http.Handler, getCert certs.GetCertificat
tlsConfig.GetCertificate = getCert tlsConfig.GetCertificate = getCert
} }
if secureCiphers && tlsConfig != nil {
tlsConfig.CipherSuites = secureCipherSuites
tlsConfig.CurvePreferences = secureCurves
}
httpServer := &Server{ httpServer := &Server{
Addrs: addrs, Addrs: addrs,
ShutdownTimeout: DefaultShutdownTimeout, ShutdownTimeout: DefaultShutdownTimeout,