restrict TLS cipher suites of the server

This change restircts the supported cipher suites of the minio server. The server only supports AEAD ciphers (Chacha20Poly1305 and AES-GCM) The supported cipher suites are: - tls.TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305 - tls.TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305 - tls.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 - tls.TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 - tls.TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 - tls.TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 Fixes minio#5244 Fixes minio#5291
aead · Dec 15, 2017 · 6afe07f · 6afe07f
1 parent 6923630
commit 6afe07f
Show file tree

Hide file tree

Showing 2 changed files with 86 additions and 1 deletion.
diff --git a/pkg/http/server.go b/pkg/http/server.go
@@ -64,7 +64,10 @@ type Server struct {
 // Start - start HTTP server
 func (srv *Server) Start() (err error) {
 	// Take a copy of server fields.
-	tlsConfig := srv.TLSConfig
+	var tlsConfig *tls.Config
+	if srv.TLSConfig != nil {
+		tlsConfig = srv.TLSConfig.Clone()
+	}
 	readTimeout := srv.ReadTimeout
 	writeTimeout := srv.WriteTimeout
 	handler := srv.Handler
@@ -149,12 +152,54 @@ func (srv *Server) Shutdown() error {
 	}
 }
 
+// Secure Go implementations of modern TLS ciphers
+// The following ciphers are excluded because:
+//  - RC4 ciphers:              RC4 is broken
+//  - 3DES ciphers:             Because of the 64 bit blocksize of DES (Sweet32)
+//  - CBC-SHA256 ciphers:       No countermeasures against Lucky13 timing attack
+//  - CBC-SHA ciphers:          Legacy ciphers (SHA-1) and non-constant time
+//                              implementation of CBC.
+//                              (CBC-SHA ciphers can be enabled again if required)
+//  - RSA key exchange ciphers: Disabled because of dangerous PKCS1-v1.5 RSA
+//                              padding scheme. See Bleichenbacher attacks.
+var defaultCipherSuites = []uint16{
+	tls.TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,
+	tls.TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,
+	tls.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
+	tls.TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
+	tls.TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
+	tls.TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
+}
+
+var unsupportedCipherSuites = []uint16{
+	tls.TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,    // Go stack contains (some) countermeasures against timing attacks (Lucky13)
+	tls.TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256, // No countermeasures against timing attacks
+	tls.TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,    // Go stack contains (some) countermeasures against timing attacks (Lucky13)
+	tls.TLS_ECDHE_ECDSA_WITH_RC4_128_SHA,        // Broken cipher
+	tls.TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA,     // Sweet32
+	tls.TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,      // Go stack contains (some) countermeasures against timing attacks (Lucky13)
+	tls.TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,   // No countermeasures against timing attacks
+	tls.TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,      // Go stack contains (some) countermeasures against timing attacks (Lucky13)
+	tls.TLS_ECDHE_RSA_WITH_RC4_128_SHA,          // Broken cipher
+
+	// all RSA-PKCS1-v1.5 ciphers are disabled - danger of Bleichenbacher attack variants
+	tls.TLS_RSA_WITH_3DES_EDE_CBC_SHA,   // Sweet32
+	tls.TLS_RSA_WITH_AES_128_CBC_SHA,    // Go stack contains (some) countermeasures against timing attacks (Lucky13)
+	tls.TLS_RSA_WITH_AES_128_CBC_SHA256, // No countermeasures against timing attacks
+	tls.TLS_RSA_WITH_AES_256_CBC_SHA,    // Go stack contains (some) countermeasures against timing attacks (Lucky13)
+	tls.TLS_RSA_WITH_RC4_128_SHA,        // Broken cipher
+
+	tls.TLS_RSA_WITH_AES_128_GCM_SHA256, // Disabled because of RSA-PKCS1-v1.5 - AES-GCM is considered secure.
+	tls.TLS_RSA_WITH_AES_256_GCM_SHA384, // Disabled because of RSA-PKCS1-v1.5 - AES-GCM is considered secure.
+}
+
 // NewServer - creates new HTTP server using given arguments.
 func NewServer(addrs []string, handler http.Handler, certificate *tls.Certificate) *Server {
 	var tlsConfig *tls.Config
 	if certificate != nil {
 		tlsConfig = &tls.Config{
 			PreferServerCipherSuites: true,
+			CipherSuites:             defaultCipherSuites,
 			MinVersion:               tls.VersionTLS12,
 			NextProtos:               []string{"http/1.1", "h2"},
 		}

diff --git a/pkg/http/server_test.go b/pkg/http/server_test.go
@@ -97,3 +97,43 @@ func TestNewServer(t *testing.T) {
 		}
 	}
 }
+
+var tlsCipherSuitesTests = []struct {
+	ciphers    []uint16
+	shouldFail bool
+}{
+	{ciphers: nil, shouldFail: false},
+	{ciphers: defaultCipherSuites, shouldFail: false},
+	{ciphers: unsupportedCipherSuites, shouldFail: true},
+}
+
+func TestTLSCiphers(t *testing.T) {
+	certificate, err := getTLSCert()
+	if err != nil {
+		t.Fatalf("Unable to parse private/certificate data. %v\n", err)
+	}
+	port := getNextPort()
+	handler := http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		fmt.Fprintf(w, "Hello, world")
+	})
+	server := NewServer([]string{"127.0.0.1:" + port}, handler, &certificate)
+	go func() { panic(server.Start()) }()
+	defer server.Shutdown()
+	for i, test := range tlsCipherSuitesTests {
+		client := http.Client{
+			Transport: &http.Transport{
+				TLSClientConfig: &tls.Config{
+					InsecureSkipVerify: true,
+					CipherSuites:       test.ciphers,
+				},
+			},
+		}
+		_, err := client.Get("https://127.0.0.1:" + port + "/")
+		if err != nil && !test.shouldFail {
+			t.Fatalf("Test %d: Failed to execute GET request: %s", i, err)
+		}
+		if err == nil && test.shouldFail {
+			t.Fatalf("Test %d: Successfully connected to server but expected connection failure", i)
+		}
+	}
+}