Validate ciphers offered by Minio server #253

Closed
nitisht opened this issue Jan 13, 2018 · 6 comments

@nitisht
Contributor

nitisht commented Jan 13, 2018

The issue minio/minio#5244 reported that Minio offers some of the known vulnerable ciphers like ECDHE-RSA-DES-CBC3-SHA and DES-CBC3-SHA.

The issue was fixed by minio/minio#5245, but we should add tests to Mint to validate the ciphers and make sure none of the vulnerable ciphers are exposed again.

@nitisht nitisht added this to the Current milestone Jan 13, 2018
@aead
Member

aead commented Jan 14, 2018

@nitisht Since TLS config is not really a functional requirement - it's a compliance requirement - should we add this to minio-go functional tests or should we start non-functional tests?

@harshavardhana
Member

Since we support ENABLE_HTTPS we could turn this test off during a non-TLS run and enable it conditionally.

@aead
Member

aead commented Jan 14, 2018

@harshavardhana Sure, my question was just about organization - should we separate functional from non-functional tests? Like functional_tests.go and non-functional_tests.go (or an arbitrary other name), or should we mix both? We can reorganize later of course, but if we already know that we have several non-functional requirements which should be tested, then we should separate...

@nitisht
Contributor Author

nitisht commented Jan 15, 2018

@aead can we create a separate test directory called testssl and use https://github.com/drwetter/testssl.sh directly in Mint? I think that is better compared to writing our own program.

@aead
Member

aead commented Jan 15, 2018

@nitisht In general correct. The issue here has two separate parts:

  • General TLS configuration: e.g. does the server reject SSL2/3, TLS1.0 and TLS1.1, does the server implement countermeasures against ROBOT, does the server support PFS and so on. That should be checked by testssl.sh.
  • The specific issues of minio/minio#5244: The Go TLS stack does not implement all things other TLS libraries (Open/Boring/LibreSSL ...) do. For example no SHA256 timing countermeasures, no P384 and P521 constant time implementations and so on. For those cases we cannot rely on testssl.sh because I don't see a way to use testssl.sh to do such implementation-specific testing.

EDIT: As far as I can see there is no way to use testssl.sh to just allow a specific subset of ciphers...
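The second bullet above, the implementation-specific cipher check that testssl.sh does not cover, can be done from Go itself: offer the server exactly one suite per handshake and see whether it negotiates it. The following is an added, self-contained illustration (not code from Mint or from this thread); it stands up a local httptest server as a stand-in for the Minio endpoint and audits it for the two 3DES suites named in minio/minio#5244. The suite constants are Go's names for ECDHE-RSA-DES-CBC3-SHA and DES-CBC3-SHA.

```go
package main

import (
	"crypto/tls"
	"fmt"
	"net/http"
	"net/http/httptest"
)

// weakSuites are the 3DES suites reported in minio/minio#5244.
var weakSuites = []uint16{
	tls.TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA, // ECDHE-RSA-DES-CBC3-SHA
	tls.TLS_RSA_WITH_3DES_EDE_CBC_SHA,       // DES-CBC3-SHA
}

// accepts reports whether the server at addr completes a TLS 1.2 handshake
// when the client offers exactly one cipher suite; success means the server
// is willing to negotiate that suite. Pinning TLS 1.2 keeps TLS 1.3 (which
// ignores legacy suites) from masking the result.
func accepts(addr string, suite uint16) bool {
	conn, err := tls.Dial("tcp", addr, &tls.Config{
		InsecureSkipVerify: true, // the probe is about suites, not the cert chain
		MinVersion:         tls.VersionTLS12,
		MaxVersion:         tls.VersionTLS12,
		CipherSuites:       []uint16{suite},
	})
	if err != nil {
		return false
	}
	conn.Close()
	return true
}

// auditWeakSuites returns the names of the weak suites the server still offers.
func auditWeakSuites(addr string) []string {
	var found []string
	for _, s := range weakSuites {
		if accepts(addr, s) {
			found = append(found, tls.CipherSuiteName(s))
		}
	}
	return found
}

// newTLSServer is a constructed fixture: a local HTTPS server restricted to
// the given suites, standing in for the Minio endpoint under test.
func newTLSServer(suites []uint16) *httptest.Server {
	srv := httptest.NewUnstartedServer(http.NotFoundHandler())
	srv.TLS = &tls.Config{MinVersion: tls.VersionTLS12, CipherSuites: suites}
	srv.StartTLS()
	return srv
}

func main() {
	bad := newTLSServer(append([]uint16{tls.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256}, weakSuites...))
	defer bad.Close()
	fmt.Println("pre-#5245 config offers:", auditWeakSuites(bad.Listener.Addr().String()))
	good := newTLSServer([]uint16{tls.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256})
	defer good.Close()
	fmt.Println("hardened config offers:", auditWeakSuites(good.Listener.Addr().String()))
}
```

Run against a real endpoint, `auditWeakSuites(host + ":443")` returning a non-empty slice is the test failure a Mint check would report.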

@nitisht
Contributor Author

nitisht commented Jan 15, 2018

As far as I can see there is no way to use testssl.sh to just allow a specific subset of ciphers.

In that case, IMO we can have a separate directory with just these tests. As you indicated, it is not a good idea to have these tests added to minio-go functional tests.

aead pushed a commit to aead/mint that referenced this issue Jan 15, 2018
This change adds non-functional tests to check whether a
minio endpoint (TLS) is configured properly.

This includes:
 - SSL/TLS version checks
 - Cipher suite checks

To separate TLS tests from functional tests this change adds a new subdirectory `/run/tls`.

Fixes minio#253
aead pushed a commit to aead/mint that referenced this issue Jan 15, 2018
aead pushed a commit to aead/mint that referenced this issue Jan 15, 2018
aead pushed a commit to aead/mint that referenced this issue Jan 16, 2018
aead pushed a commit to aead/mint that referenced this issue Jan 17, 2018
aead pushed a commit to aead/mint that referenced this issue Jan 22, 2018
nitisht pushed a commit that referenced this issue Jan 22, 2018
This change adds non-functional tests to check whether a
minio endpoint (TLS) is configured properly.

This includes:
 - SSL/TLS version checks
 - Cipher suite checks

To separate TLS tests from functional tests this change adds a new subdirectory `/run/security`.

Fixes #253
@nitisht nitisht added the fixed label Jan 22, 2018