fix: for FTP server driver allow implicit trust of TLS (#17541)

fixes #17535
2024-10-02 22:24:00 +00:00 · 2023-06-30 08:04:13 -07:00 · 2023-06-30 08:04:13 -07:00 · 7f782983ca
parent 9d628346eb
commit 7f782983ca
6 changed files with 12 additions and 12 deletions
--- a/cmd/ftp-server-driver.go
+++ b/cmd/ftp-server-driver.go
@ -322,7 +322,7 @@ func (driver *ftpDriver) getMinIOClient(ctx *ftp.Context) (*minio.Client, error)
 		return minio.New(driver.endpoint, &minio.Options{
 			Creds:     credentials.NewStaticV4(cred.AccessKey, cred.SecretKey, cred.SessionToken),
 			Secure:    globalIsTLS,
-			Transport: globalRemoteTargetTransport,
+			Transport: globalRemoteFTPClientTransport,
 		})
 	}

@ -336,7 +336,7 @@ func (driver *ftpDriver) getMinIOClient(ctx *ftp.Context) (*minio.Client, error)
 	return minio.New(driver.endpoint, &minio.Options{
 		Creds:     credentials.NewStaticV4(ui.Credentials.AccessKey, ui.Credentials.SecretKey, ""),
 		Secure:    globalIsTLS,
-		Transport: globalRemoteTargetTransport,
+		Transport: globalRemoteFTPClientTransport,
 	})
 }

--- a/cmd/ftp-server.go
+++ b/cmd/ftp-server.go
@ -34,6 +34,8 @@ import (
 	"golang.org/x/crypto/ssh"
 )

+var globalRemoteFTPClientTransport = NewRemoteTargetHTTPTransport(true)()
+
 // minioLogger use an instance of this to log in a standard format
 type minioLogger struct{}

--- a/cmd/server-main.go
+++ b/cmd/server-main.go
@ -256,7 +256,7 @@ func serverHandleCmdArgs(ctx *cli.Context) {
 	globalProxyTransport = NewCustomHTTPProxyTransport()()
 	globalProxyEndpoints = GetProxyEndpoints(globalEndpoints)
 	globalInternodeTransport = NewInternodeHTTPTransport()()
-	globalRemoteTargetTransport = NewRemoteTargetHTTPTransport()()
+	globalRemoteTargetTransport = NewRemoteTargetHTTPTransport(false)()

 	globalForwarder = handlers.NewForwarder(&handlers.Forwarder{
 		PassHost:     true,
--- a/cmd/sftp-server-driver.go
+++ b/cmd/sftp-server-driver.go
@ -143,7 +143,7 @@ func (f *sftpDriver) getMinIOClient() (*minio.Client, error) {
 		return minio.New(f.endpoint, &minio.Options{
 			Creds:     credentials.NewStaticV4(cred.AccessKey, cred.SecretKey, cred.SessionToken),
 			Secure:    globalIsTLS,
-			Transport: globalRemoteTargetTransport,
+			Transport: globalRemoteFTPClientTransport,
 		})
 	}

@ -157,7 +157,7 @@ func (f *sftpDriver) getMinIOClient() (*minio.Client, error) {
 	return minio.New(f.endpoint, &minio.Options{
 		Creds:     credentials.NewStaticV4(ui.Credentials.AccessKey, ui.Credentials.SecretKey, ""),
 		Secure:    globalIsTLS,
-		Transport: globalRemoteTargetTransport,
+		Transport: globalRemoteFTPClientTransport,
 	})
 }

--- a/cmd/utils.go
+++ b/cmd/utils.go
@ -664,14 +664,14 @@ func newCustomDialContext() dialContext {

 // NewRemoteTargetHTTPTransport returns a new http configuration
 // used while communicating with the remote replication targets.
-func NewRemoteTargetHTTPTransport() func() *http.Transport {
+func NewRemoteTargetHTTPTransport(insecure bool) func() *http.Transport {
 	return xhttp.ConnSettings{
 		DialContext: newCustomDialContext(),
 		DNSCache:    globalDNSCache,
 		RootCAs:     globalRootCAs,
 		TCPOptions:  globalTCPOptions,
 		EnableHTTP2: false,
-	}.NewRemoteTargetHTTPTransport()
+	}.NewRemoteTargetHTTPTransport(insecure)
 }

 // Load the json (typically from disk file).
--- a/internal/http/transports.go
+++ b/internal/http/transports.go
@ -78,7 +78,6 @@ func (s ConnSettings) getDefaultTransport() *http.Transport {
 		IdleConnTimeout:       15 * time.Second,
 		ResponseHeaderTimeout: 15 * time.Minute, // Conservative timeout is the default (for MinIO internode)
 		TLSHandshakeTimeout:   10 * time.Second,
-		ExpectContinueTimeout: 10 * time.Second,
 		TLSClientConfig:       &tlsClientConfig,
 		ForceAttemptHTTP2:     s.EnableHTTP2,
 		// Go net/http automatically unzip if content-type is
@ -117,7 +116,6 @@ func (s ConnSettings) NewInternodeHTTPTransport() func() http.RoundTripper {

 	// Settings specific to internode requests.
 	tr.TLSHandshakeTimeout = 15 * time.Second
-	tr.ExpectContinueTimeout = 15 * time.Second

 	return func() http.RoundTripper {
 		return tr
@ -167,12 +165,12 @@ func (s ConnSettings) NewHTTPTransportWithClientCerts(ctx context.Context, clien

 // NewRemoteTargetHTTPTransport returns a new http configuration
 // used while communicating with the remote replication targets.
-func (s ConnSettings) NewRemoteTargetHTTPTransport() func() *http.Transport {
+func (s ConnSettings) NewRemoteTargetHTTPTransport(insecure bool) func() *http.Transport {
 	tr := s.getDefaultTransport()

-	tr.TLSHandshakeTimeout = 5 * time.Second
-	tr.ExpectContinueTimeout = 5 * time.Second
+	tr.TLSHandshakeTimeout = 10 * time.Second
 	tr.ResponseHeaderTimeout = 0
+	tr.TLSClientConfig.InsecureSkipVerify = insecure

 	return func() *http.Transport {
 		return tr