@ -29,7 +29,9 @@ import (
humanize "github.com/dustin/go-humanize"
"github.com/minio/minio-go/v6/pkg/set"
"github.com/minio/minio/cmd/config"
"github.com/minio/minio/pkg/certs"
"github.com/minio/minio/pkg/env"
)
const (
@ -163,7 +165,7 @@ func (srv *Server) Shutdown() error {
// (CBC-SHA ciphers can be enabled again if required)
// - RSA key exchange ciphers: Disabled because of dangerous PKCS1-v1.5 RSA
// padding scheme. See Bleichenbacher attacks.
var default CipherSuites = [ ] uint16 {
var secure CipherSuites = [ ] uint16 {
tls . TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305 ,
tls . TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305 ,
tls . TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 ,
@ -175,15 +177,19 @@ var defaultCipherSuites = []uint16{
// Go only provides constant-time implementations of Curve25519 and NIST P-256 curve.
var secureCurves = [ ] tls . CurveID { tls . X25519 , tls . CurveP256 }
const (
enableSecureCiphersEnv = "MINIO_API_SECURE_CIPHERS"
)
// NewServer - creates new HTTP server using given arguments.
func NewServer ( addrs [ ] string , handler http . Handler , getCert certs . GetCertificateFunc ) * Server {
secureCiphers := env . Get ( enableSecureCiphersEnv , config . EnableOn ) == config . EnableOn
var tlsConfig * tls . Config
if getCert != nil {
tlsConfig = & tls . Config {
// TLS hardening
PreferServerCipherSuites : true ,
CipherSuites : defaultCipherSuites ,
CurvePreferences : secureCurves ,
MinVersion : tls . VersionTLS12 ,
// Do not edit the next line, protos priority is kept
// on purpose in this manner for HTTP 2.0, we would
@ -197,6 +203,11 @@ func NewServer(addrs []string, handler http.Handler, getCert certs.GetCertificat
tlsConfig . GetCertificate = getCert
}
if secureCiphers && tlsConfig != nil {
tlsConfig . CipherSuites = secureCipherSuites
tlsConfig . CurvePreferences = secureCurves
}
httpServer := & Server {
Addrs : addrs ,
ShutdownTimeout : DefaultShutdownTimeout ,