MyFavMirrors/minio
1
0
Fork 0
mirror of https://github.com/minio/minio.git synced 2025-11-20 18:06:10 -05:00
Code Issues Packages Projects Releases Wiki Activity

fips: simplify TLS configuration (#15127)

Browse Source 
This commit simplifies the TLS configuration.
It inlines the FIPS / non-FIPS code.

Signed-off-by: Andreas Auernhammer <hi@aead.dev>
This commit is contained in:
Andreas Auernhammer
2022-06-21 16:54:48 +02:00
committed by GitHub
parent b3eda248a3
commit cd7a0a9757
12 changed files with 121 additions and 94 deletions
Download Patch File Download Diff File Expand all files Collapse all files

13
cmd/utils.go
View File

@@ -1067,17 +1067,12 @@ func newTLSConfig(getCert certs.GetCertificateFunc) *tls.Config {
tlsConfig.ClientAuth = tls.RequestClientCert
}
secureCiphers := env.Get(api.EnvAPISecureCiphers, config.EnableOn) == config.EnableOn
if secureCiphers || fips.Enabled {
// Hardened ciphers
tlsConfig.CipherSuites = fips.CipherSuitesTLS()
tlsConfig.CurvePreferences = fips.EllipticCurvesTLS()
if secureCiphers := env.Get(api.EnvAPISecureCiphers, config.EnableOn) == config.EnableOn; secureCiphers {
tlsConfig.CipherSuites = fips.TLSCiphers()
} else {
// Default ciphers while excluding those with security issues
for _, cipher := range tls.CipherSuites() {
tlsConfig.CipherSuites = append(tlsConfig.CipherSuites, cipher.ID)
}
tlsConfig.CipherSuites = fips.TLSCiphersBackwardCompatible()
}
tlsConfig.CurvePreferences = fips.TLSCurveIDs()
return tlsConfig
}