From a2616b8227b5b888b2ded7b875b2d969b879d550 Mon Sep 17 00:00:00 2001
From: Harshavardhana <harsha@minio.io>
Date: Mon, 13 Jul 2020 14:20:21 -0700
Subject: [PATCH] allow turning off secure ciphers (#10038)

this PR to allow legacy support for big-data
applications which run older Java versions
which do not support the secure ciphers
currently defaulted in MinIO. This option
allows optionally to turn them off such
that client and server can negotiate the
best ciphers themselves.

This env is purposefully not documented,
meant as a last resort when client
application cannot be changed easily.
---
 cmd/http/server.go | 17 ++++++++++++++---
 1 file changed, 14 insertions(+), 3 deletions(-)

diff --git a/cmd/http/server.go b/cmd/http/server.go
index 850f675bc..fd8da768b 100644
--- a/cmd/http/server.go
+++ b/cmd/http/server.go
@@ -29,7 +29,9 @@ import (
 	humanize "github.com/dustin/go-humanize"
 
 	"github.com/minio/minio-go/v6/pkg/set"
+	"github.com/minio/minio/cmd/config"
 	"github.com/minio/minio/pkg/certs"
+	"github.com/minio/minio/pkg/env"
 )
 
 const (
@@ -163,7 +165,7 @@ func (srv *Server) Shutdown() error {
 //                              (CBC-SHA ciphers can be enabled again if required)
 //  - RSA key exchange ciphers: Disabled because of dangerous PKCS1-v1.5 RSA
 //                              padding scheme. See Bleichenbacher attacks.
-var defaultCipherSuites = []uint16{
+var secureCipherSuites = []uint16{
 	tls.TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,
 	tls.TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,
 	tls.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
@@ -175,15 +177,19 @@ var defaultCipherSuites = []uint16{
 // Go only provides constant-time implementations of Curve25519 and NIST P-256 curve.
 var secureCurves = []tls.CurveID{tls.X25519, tls.CurveP256}
 
+const (
+	enableSecureCiphersEnv = "MINIO_API_SECURE_CIPHERS"
+)
+
 // NewServer - creates new HTTP server using given arguments.
 func NewServer(addrs []string, handler http.Handler, getCert certs.GetCertificateFunc) *Server {
+	secureCiphers := env.Get(enableSecureCiphersEnv, config.EnableOn) == config.EnableOn
+
 	var tlsConfig *tls.Config
 	if getCert != nil {
 		tlsConfig = &tls.Config{
 			// TLS hardening
 			PreferServerCipherSuites: true,
-			CipherSuites:             defaultCipherSuites,
-			CurvePreferences:         secureCurves,
 			MinVersion:               tls.VersionTLS12,
 			// Do not edit the next line, protos priority is kept
 			// on purpose in this manner for HTTP 2.0, we would
@@ -197,6 +203,11 @@ func NewServer(addrs []string, handler http.Handler, getCert certs.GetCertificat
 		tlsConfig.GetCertificate = getCert
 	}
 
+	if secureCiphers && tlsConfig != nil {
+		tlsConfig.CipherSuites = secureCipherSuites
+		tlsConfig.CurvePreferences = secureCurves
+	}
+
 	httpServer := &Server{
 		Addrs:           addrs,
 		ShutdownTimeout: DefaultShutdownTimeout,