add support for TLS 1.2
This commit adds support for TLS 1.2 in
addition to TLS 1.3.

Some legacy language runtimes (like Java 8)
do not support TLS 1.3 and therefore fail
to connect to KES.

However, we want to support only PFS TLS connections.
Therefore, we limit the supported cipher suites to
ECDHE key exchange and AEAD ciphers.

Further, we have to drop ChaCha20-Poly1305 in case
of FIPS 140.
aead committed Jun 18, 2021
1 parent 984966c commit 7cbf05b
Showing 1 changed file with 28 additions and 1 deletion.
29 changes: 28 additions & 1 deletion cmd/kes/server.go
@@ -27,6 +27,7 @@ import (
"github.com/fatih/color"
"github.com/minio/kes"
"github.com/minio/kes/internal/auth"
"github.com/minio/kes/internal/fips"
xhttp "github.com/minio/kes/internal/http"
xlog "github.com/minio/kes/internal/log"
"github.com/minio/kes/internal/metric"
@@ -269,13 +270,39 @@ func server(args []string) {
Addr: config.Addr,
Handler: mux,
TLSConfig: &tls.Config{
MinVersion: tls.VersionTLS13,
MinVersion: tls.VersionTLS12,
},
ErrorLog: errorLog.Log(),

ReadTimeout: 5 * time.Second,
WriteTimeout: 0 * time.Second, // explicitly set no write timeout - see timeout handler.
}

// Limit the supported cipher suites to the secure TLS 1.2/1.3 subset - i.e. only ECDHE key exchange and only AEAD ciphers.
if fips.Enabled {
server.TLSConfig.CipherSuites = []uint16{
tls.TLS_AES_128_GCM_SHA256, // TLS 1.3
tls.TLS_AES_256_GCM_SHA384,

tls.TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, // TLS 1.2
tls.TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
tls.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
tls.TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
}
} else {
server.TLSConfig.CipherSuites = []uint16{
tls.TLS_AES_128_GCM_SHA256, // TLS 1.3
tls.TLS_AES_256_GCM_SHA384,
tls.TLS_CHACHA20_POLY1305_SHA256,

tls.TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, // TLS 1.2
tls.TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
tls.TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256,
tls.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
tls.TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
tls.TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256,
}
}
switch strings.ToLower(mtlsAuthFlag) {
case "on":
server.TLSConfig.ClientAuth = tls.RequireAndVerifyClientCert
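Review bot: The TLS 1.3 entries in both `CipherSuites` lists (`tls.TLS_AES_128_GCM_SHA256`, `tls.TLS_AES_256_GCM_SHA384`, `tls.TLS_CHACHA20_POLY1305_SHA256`) have no effect, because crypto/tls documents that `Config.CipherSuites` applies only to TLS 1.0–1.2 and that TLS 1.3 suites are not configurable. In the `fips.Enabled` branch this means that leaving ChaCha20-Poly1305 out of the list restricts TLS 1.2 only; whether a TLS 1.3 handshake can still select it depends on how the FIPS build constrains crypto/tls, which is not visible here. I would drop the TLS 1.3 ids, reword the comment to something like `// CipherSuites restricts TLS 1.2 only; TLS 1.3 suites are fixed by crypto/tls.`, and add a handshake test that confirms the FIPS build rejects a TLS 1.3 ChaCha20-only offer. `CurvePreferences` is also left at its default, so the key-exchange groups are not pinned in either branch. The body of server() starts and ends outside the hunk.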