diff --git a/cmd/http/server.go b/cmd/http/server.go
index 850f675bc..fd8da768b 100644
--- a/cmd/http/server.go
+++ b/cmd/http/server.go
@@ -29,7 +29,9 @@ import (
 
 	humanize "github.com/dustin/go-humanize"
 	"github.com/minio/minio-go/v6/pkg/set"
+	"github.com/minio/minio/cmd/config"
 	"github.com/minio/minio/pkg/certs"
+	"github.com/minio/minio/pkg/env"
 )
 
 const (
@@ -163,7 +165,7 @@ func (srv *Server) Shutdown() error {
 // (CBC-SHA ciphers can be enabled again if required)
 // - RSA key exchange ciphers: Disabled because of dangerous PKCS1-v1.5 RSA
 //   padding scheme. See Bleichenbacher attacks.
-var defaultCipherSuites = []uint16{
+var secureCipherSuites = []uint16{
 	tls.TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,
 	tls.TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,
 	tls.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
@@ -175,15 +177,19 @@ var defaultCipherSuites = []uint16{
 // Go only provides constant-time implementations of Curve25519 and NIST P-256 curve.
 var secureCurves = []tls.CurveID{tls.X25519, tls.CurveP256}
 
+const (
+	enableSecureCiphersEnv = "MINIO_API_SECURE_CIPHERS"
+)
+
 // NewServer - creates new HTTP server using given arguments.
 func NewServer(addrs []string, handler http.Handler, getCert certs.GetCertificateFunc) *Server {
+	secureCiphers := env.Get(enableSecureCiphersEnv, config.EnableOn) == config.EnableOn
+
 	var tlsConfig *tls.Config
 	if getCert != nil {
 		tlsConfig = &tls.Config{
 			// TLS hardening
 			PreferServerCipherSuites: true,
-			CipherSuites:             defaultCipherSuites,
-			CurvePreferences:         secureCurves,
 			MinVersion:               tls.VersionTLS12,
 			// Do not edit the next line, protos priority is kept
 			// on purpose in this manner for HTTP 2.0, we would
@@ -197,6 +203,11 @@ func NewServer(addrs []string, handler http.Handler, getCert certs.GetCertificat
 		tlsConfig.GetCertificate = getCert
 	}
 
+	if secureCiphers && tlsConfig != nil {
+		tlsConfig.CipherSuites = secureCipherSuites
+		tlsConfig.CurvePreferences = secureCurves
+	}
+
 	httpServer := &Server{
 		Addrs:            addrs,
 		ShutdownTimeout:  DefaultShutdownTimeout,
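Review bot: The new `secureCiphers` line in NewServer fails open: `env.Get(enableSecureCiphersEnv, config.EnableOn) == config.EnableOn` turns the hardening off for any value other than the exact `EnableOn` string, so a typo or casing mismatch such as `MINIO_API_SECURE_CIPHERS=true` silently drops both the cipher-suite and the curve restriction. When that happens `tlsConfig` is left with Go's default TLS 1.2 suite list, which on the Go versions contemporary with this code still contains the RSA-key-exchange and CBC suites that the comment above `secureCipherSuites` says were removed on purpose, and with the default curve set rather than the constant-time X25519/P-256 documented on `secureCurves`. Prefer honouring only an explicit off value, e.g. `secureCiphers := env.Get(enableSecureCiphersEnv, config.EnableOn) != config.EnableOff` if the config package exposes that constant (or a boolean parser that rejects unknown values), and log at startup when the weaker defaults are in effect so an operator can see it. The new constant also deserves a comment, e.g. `// enableSecureCiphersEnv toggles the restricted cipher-suite/curve list; anything but an explicit off should keep the hardening.` NewServer's body continues past the end of this hunk.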