maketank/Froxlor
2
0
Fork 0
Code Pull Requests Releases Activity

add option to disable SSL sessiontickets globally for older systems, fixes #784

Browse Source 
Signed-off-by: Michael Kaufmann <d00p@froxlor.org>
This commit is contained in:
Michael Kaufmann
2019-12-31 12:27:35 +01:00
parent 37c434d4fc
commit 3eb1718fe0
8 changed files with 36 additions and 6 deletions
Download Patch File Download Diff File Expand all files Collapse all files

14
actions/admin/settings/131.ssl.php
View File

@@ -62,7 +62,7 @@ return array(
'string_emptyallowed' => true, 'string_emptyallowed' => true,
'default' => '', 'default' => '',
'visible' => \Froxlor\Settings::Get('system.webserver') == "apache2" && \Froxlor\Settings::Get('system.apache24') == 1, 'visible' => \Froxlor\Settings::Get('system.webserver') == "apache2" && \Froxlor\Settings::Get('system.apache24') == 1,
'save_method' => 'storeSettingField', 'save_method' => 'storeSettingField'
), ),
'system_ssl_cert_file' => array( 'system_ssl_cert_file' => array(
'label' => $lng['serversettings']['ssl']['ssl_cert_file'], 'label' => $lng['serversettings']['ssl']['ssl_cert_file'],
@@ -115,6 +115,18 @@ return array(
'visible' => \Froxlor\Settings::Get('system.webserver') == "apache2" && \Froxlor\Settings::Get('system.apache24') == 1, 'visible' => \Froxlor\Settings::Get('system.webserver') == "apache2" && \Froxlor\Settings::Get('system.apache24') == 1,
'save_method' => 'storeSettingField' 'save_method' => 'storeSettingField'
), ),
'system_sessionticketsenabled' => array(
'label' => $lng['admin']['domain_sessionticketsenabled'],
'settinggroup' => 'system',
'varname' => 'sessionticketsenabled',
'type' => 'bool',
'default' => true,
'save_method' => 'storeSettingField',
'visible' => \Froxlor\Settings::Get('system.use_ssl') && (\Froxlor\Settings::Get('system.webserver') == "nginx" || (\Froxlor\Settings::Get('system.webserver') == "apache2" && \Froxlor\Settings::Get('system.apache24') == 1)) && call_user_func(array(
'\Froxlor\Settings\FroxlorVhostSettings',
'hasVhostContainerEnabled'
), true)
),
'system_leenabled' => array( 'system_leenabled' => array(
'label' => $lng['serversettings']['leenabled'], 'label' => $lng['serversettings']['leenabled'],
'settinggroup' => 'system', 'settinggroup' => 'system',

3
install/froxlor.sql
View File

@@ -657,6 +657,7 @@ opcache.interned_strings_buffer'),
('system', 'tlsv13_cipher_list', ''), ('system', 'tlsv13_cipher_list', ''),
('system', 'honorcipherorder', '0'), ('system', 'honorcipherorder', '0'),
('system', 'sessiontickets', '1'), ('system', 'sessiontickets', '1'),
('system', 'sessionticketsenabled', '1'),
('system', 'logfiles_format', ''), ('system', 'logfiles_format', ''),
('system', 'logfiles_type', '1'), ('system', 'logfiles_type', '1'),
('system', 'logfiles_piped', '0'), ('system', 'logfiles_piped', '0'),
@@ -702,7 +703,7 @@ opcache.interned_strings_buffer'),
('panel', 'customer_hide_options', ''), ('panel', 'customer_hide_options', ''),
('panel', 'is_configured', '0'), ('panel', 'is_configured', '0'),
('panel', 'version', '0.10.10'), ('panel', 'version', '0.10.10'),
('panel', 'db_version', '201912100'); ('panel', 'db_version', '201912310');
DROP TABLE IF EXISTS `panel_tasks`; DROP TABLE IF EXISTS `panel_tasks`;

7
install/updates/froxlor/0.10/update_0.10.inc.php
View File

@@ -523,3 +523,10 @@ if (\Froxlor\Froxlor::isFroxlorVersion('0.10.9')) {
showUpdateStep("Updating from 0.10.9 to 0.10.10", false); showUpdateStep("Updating from 0.10.9 to 0.10.10", false);
\Froxlor\Froxlor::updateToVersion('0.10.10'); \Froxlor\Froxlor::updateToVersion('0.10.10');
} }
if (\Froxlor\Froxlor::isDatabaseVersion('201912100')) {
showUpdateStep("Adding option to disable SSL sessiontickets for older systems");
Settings::AddNew("system.sessionticketsenabled", '1');
lastStepStatus(0);
\Froxlor\Froxlor::updateToDbVersion('201912310');
}

8
lib/Froxlor/Cron/Http/Apache.php
View File

@@ -480,7 +480,9 @@ class Apache extends HttpConfigBase
$this->virtualhosts_data[$vhosts_filename] .= ' SSLOpenSSLConfCmd DHParameters "' . $dhparams . '"' . "\n"; $this->virtualhosts_data[$vhosts_filename] .= ' SSLOpenSSLConfCmd DHParameters "' . $dhparams . '"' . "\n";
} }
$this->virtualhosts_data[$vhosts_filename] .= ' SSLCompression Off' . "\n"; $this->virtualhosts_data[$vhosts_filename] .= ' SSLCompression Off' . "\n";
$this->virtualhosts_data[$vhosts_filename] .= ' SSLSessionTickets ' . ($domain['ssl_sessiontickets'] == '1' ? 'on' : 'off') . "\n"; if (Settings::Get('system.sessionticketsenabled') == '1') {
$this->virtualhosts_data[$vhosts_filename] .= ' SSLSessionTickets ' . ($domain['ssl_sessiontickets'] == '1' ? 'on' : 'off') . "\n";
}
} }
$this->virtualhosts_data[$vhosts_filename] .= ' SSLHonorCipherOrder ' . ($domain['ssl_honorcipherorder'] == '1' ? 'on' : 'off') . "\n"; $this->virtualhosts_data[$vhosts_filename] .= ' SSLHonorCipherOrder ' . ($domain['ssl_honorcipherorder'] == '1' ? 'on' : 'off') . "\n";
@@ -989,7 +991,9 @@ class Apache extends HttpConfigBase
$vhost_content .= ' SSLOpenSSLConfCmd DHParameters "' . $dhparams . '"' . "\n"; $vhost_content .= ' SSLOpenSSLConfCmd DHParameters "' . $dhparams . '"' . "\n";
} }
$vhost_content .= ' SSLCompression Off' . "\n"; $vhost_content .= ' SSLCompression Off' . "\n";
$vhost_content .= ' SSLSessionTickets ' . ($domain['ssl_sessiontickets'] == '1' ? 'on' : 'off') . "\n"; if (Settings::Get('system.sessionticketsenabled') == '1') {
$vhost_content .= ' SSLSessionTickets ' . ($domain['ssl_sessiontickets'] == '1' ? 'on' : 'off') . "\n";
}
} }
$vhost_content .= ' SSLHonorCipherOrder ' . ($domain['ssl_honorcipherorder'] == '1' ? 'on' : 'off') . "\n"; $vhost_content .= ' SSLHonorCipherOrder ' . ($domain['ssl_honorcipherorder'] == '1' ? 'on' : 'off') . "\n";
$vhost_content .= ' SSLCipherSuite ' . $ssl_cipher_list . "\n"; $vhost_content .= ' SSLCipherSuite ' . $ssl_cipher_list . "\n";

4
lib/Froxlor/Cron/Http/Nginx.php
View File

@@ -703,7 +703,9 @@ class Nginx extends HttpConfigBase
// see https://github.com/Froxlor/Froxlor/issues/652 // see https://github.com/Froxlor/Froxlor/issues/652
// $sslsettings .= "\t" . 'ssl_ecdh_curve secp384r1;' . "\n"; // $sslsettings .= "\t" . 'ssl_ecdh_curve secp384r1;' . "\n";
$sslsettings .= "\t" . 'ssl_prefer_server_ciphers ' . (isset($domain_or_ip['ssl_honorcipherorder']) && $domain_or_ip['ssl_honorcipherorder'] == '1' ? 'on' : 'off') . ';' . "\n"; $sslsettings .= "\t" . 'ssl_prefer_server_ciphers ' . (isset($domain_or_ip['ssl_honorcipherorder']) && $domain_or_ip['ssl_honorcipherorder'] == '1' ? 'on' : 'off') . ';' . "\n";
$sslsettings .= "\t" . 'ssl_session_tickets ' . (isset($domain_or_ip['ssl_sessiontickets']) && $domain_or_ip['ssl_sessiontickets'] == '1' ? 'on' : 'off') . ';' . "\n"; if (Settings::Get('system.sessionticketsenabled') == '1') {
$sslsettings .= "\t" . 'ssl_session_tickets ' . (isset($domain_or_ip['ssl_sessiontickets']) && $domain_or_ip['ssl_sessiontickets'] == '1' ? 'on' : 'off') . ';' . "\n";
}
$sslsettings .= "\t" . 'ssl_session_cache shared:SSL:10m;' . "\n"; $sslsettings .= "\t" . 'ssl_session_cache shared:SSL:10m;' . "\n";
$sslsettings .= "\t" . 'ssl_certificate ' . \Froxlor\FileDir::makeCorrectFile($domain_or_ip['ssl_cert_file']) . ';' . "\n"; $sslsettings .= "\t" . 'ssl_certificate ' . \Froxlor\FileDir::makeCorrectFile($domain_or_ip['ssl_cert_file']) . ';' . "\n";

2
lib/Froxlor/Froxlor.php
View File

@@ -10,7 +10,7 @@ final class Froxlor
const VERSION = '0.10.10'; const VERSION = '0.10.10';
// Database version (YYYYMMDDC where C is a daily counter) // Database version (YYYYMMDDC where C is a daily counter)
const DBVERSION = '201912100'; const DBVERSION = '201912310';
// Distribution branding-tag (used for Debian etc.) // Distribution branding-tag (used for Debian etc.)
const BRANDING = ''; const BRANDING = '';

2
lng/english.lng.php
View File

@@ -2085,3 +2085,5 @@ $lng['serversettings']['apply_phpconfigs_default']['title'] = 'Default value for
$lng['admin']['domain_sslenabled'] = 'Enable usage of SSL'; $lng['admin']['domain_sslenabled'] = 'Enable usage of SSL';
$lng['admin']['domain_honorcipherorder'] = 'Honor the (server) cipher order, default <strong>no</strong>'; $lng['admin']['domain_honorcipherorder'] = 'Honor the (server) cipher order, default <strong>no</strong>';
$lng['admin']['domain_sessiontickets'] = 'Enable TLS sessiontickets (RFC 5077), default <strong>yes</strong>'; $lng['admin']['domain_sessiontickets'] = 'Enable TLS sessiontickets (RFC 5077), default <strong>yes</strong>';
$lng['admin']['domain_sessionticketsenabled']['title'] = 'Enable usage of TLS sessiontickets globally';
$lng['admin']['domain_sessionticketsenabled']['description'] = 'Default <strong>yes</strong><br>Requires apache-2.4.11+ or nginx-1.5.9+';

2
lng/german.lng.php
View File

@@ -1732,3 +1732,5 @@ $lng['serversettings']['apply_phpconfigs_default']['title'] = 'Standardwert für
$lng['admin']['domain_sslenabled'] = 'Aktiviere Nutzung von SSL'; $lng['admin']['domain_sslenabled'] = 'Aktiviere Nutzung von SSL';
$lng['admin']['domain_honorcipherorder'] = 'Bevorzuge die serverseitige Cipher Reihenfolge, Standardwert <strong>nein</strong>'; $lng['admin']['domain_honorcipherorder'] = 'Bevorzuge die serverseitige Cipher Reihenfolge, Standardwert <strong>nein</strong>';
$lng['admin']['domain_sessiontickets'] = 'Aktiviere TLS Sessiontickets (RFC 5077), Standardwert <strong>ja</strong>'; $lng['admin']['domain_sessiontickets'] = 'Aktiviere TLS Sessiontickets (RFC 5077), Standardwert <strong>ja</strong>';
$lng['admin']['domain_sessionticketsenabled']['title'] = 'Aktiviere Nutzung von TLS Sessiontickets systemweit';
$lng['admin']['domain_sessionticketsenabled']['description'] = 'Standardwert <strong>yes</strong><br>Erfordert apache-2.4.11+ oder nginx-1.5.9+';