add option to disable SSL sessiontickets globally for older systems, fixes #784

Signed-off-by: Michael Kaufmann <d00p@froxlor.org>
2019-12-31 12:27:35 +01:00
parent 37c434d4fc
commit 3eb1718fe0
8 changed files with 36 additions and 6 deletions
--- a/actions/admin/settings/131.ssl.php
+++ b/actions/admin/settings/131.ssl.php
@@ -62,7 +62,7 @@ return array(
 					'string_emptyallowed' => true,
 					'default' => '',
 					'visible' => \Froxlor\Settings::Get('system.webserver') == "apache2" && \Froxlor\Settings::Get('system.apache24') == 1,
-					'save_method' => 'storeSettingField',
+					'save_method' => 'storeSettingField'
 				),
 				'system_ssl_cert_file' => array(
 					'label' => $lng['serversettings']['ssl']['ssl_cert_file'],
@@ -115,6 +115,18 @@ return array(
 					'visible' => \Froxlor\Settings::Get('system.webserver') == "apache2" && \Froxlor\Settings::Get('system.apache24') == 1,
 					'save_method' => 'storeSettingField'
 				),
+				'system_sessionticketsenabled' => array(
+					'label' => $lng['admin']['domain_sessionticketsenabled'],
+					'settinggroup' => 'system',
+					'varname' => 'sessionticketsenabled',
+					'type' => 'bool',
+					'default' => true,
+					'save_method' => 'storeSettingField',
+					'visible' => \Froxlor\Settings::Get('system.use_ssl') && (\Froxlor\Settings::Get('system.webserver') == "nginx" || (\Froxlor\Settings::Get('system.webserver') == "apache2" && \Froxlor\Settings::Get('system.apache24') == 1)) && call_user_func(array(
+						'\Froxlor\Settings\FroxlorVhostSettings',
+						'hasVhostContainerEnabled'
+					), true)
+				),
 				'system_leenabled' => array(
 					'label' => $lng['serversettings']['leenabled'],
 					'settinggroup' => 'system',
--- a/install/froxlor.sql
+++ b/install/froxlor.sql
@@ -657,6 +657,7 @@ opcache.interned_strings_buffer'),
 	('system', 'tlsv13_cipher_list', ''),
 	('system', 'honorcipherorder', '0'),
 	('system', 'sessiontickets', '1'),
+	('system', 'sessionticketsenabled', '1'),
 	('system', 'logfiles_format', ''),
 	('system', 'logfiles_type', '1'),
 	('system', 'logfiles_piped', '0'),
@@ -702,7 +703,7 @@ opcache.interned_strings_buffer'),
 	('panel', 'customer_hide_options', ''),
 	('panel', 'is_configured', '0'),
 	('panel', 'version', '0.10.10'),
-	('panel', 'db_version', '201912100');
+	('panel', 'db_version', '201912310');


 DROP TABLE IF EXISTS `panel_tasks`;
--- a/install/updates/froxlor/0.10/update_0.10.inc.php
+++ b/install/updates/froxlor/0.10/update_0.10.inc.php
@@ -523,3 +523,10 @@ if (\Froxlor\Froxlor::isFroxlorVersion('0.10.9')) {
 	showUpdateStep("Updating from 0.10.9 to 0.10.10", false);
 	\Froxlor\Froxlor::updateToVersion('0.10.10');
 }
+
+if (\Froxlor\Froxlor::isDatabaseVersion('201912100')) {
+	showUpdateStep("Adding option to disable SSL sessiontickets for older systems");
+	Settings::AddNew("system.sessionticketsenabled", '1');
+	lastStepStatus(0);
+	\Froxlor\Froxlor::updateToDbVersion('201912310');
+}
--- a/lib/Froxlor/Cron/Http/Apache.php
+++ b/lib/Froxlor/Cron/Http/Apache.php
@@ -480,8 +480,10 @@ class Apache extends HttpConfigBase
 									$this->virtualhosts_data[$vhosts_filename] .= ' SSLOpenSSLConfCmd DHParameters "' . $dhparams . '"' . "\n";
 								}
 								$this->virtualhosts_data[$vhosts_filename] .= ' SSLCompression Off' . "\n";
+								if (Settings::Get('system.sessionticketsenabled') == '1') {
 									$this->virtualhosts_data[$vhosts_filename] .= ' SSLSessionTickets ' .  ($domain['ssl_sessiontickets'] == '1' ? 'on' : 'off') . "\n";
 								}
+							}

 							$this->virtualhosts_data[$vhosts_filename] .= ' SSLHonorCipherOrder ' .  ($domain['ssl_honorcipherorder'] == '1' ? 'on' : 'off') . "\n";
 							$this->virtualhosts_data[$vhosts_filename] .= ' SSLCipherSuite ' . Settings::Get('system.ssl_cipher_list') . "\n";
@@ -989,8 +991,10 @@ class Apache extends HttpConfigBase
 						$vhost_content .= '  SSLOpenSSLConfCmd DHParameters "' . $dhparams . '"' . "\n";
 					}
 					$vhost_content .= '  SSLCompression Off' . "\n";
+					if (Settings::Get('system.sessionticketsenabled') == '1') {
 						$vhost_content .= '  SSLSessionTickets ' .  ($domain['ssl_sessiontickets'] == '1' ? 'on' : 'off') . "\n";
 					}
+				}
 				$vhost_content .= '  SSLHonorCipherOrder ' .  ($domain['ssl_honorcipherorder'] == '1' ? 'on' : 'off') . "\n";
 				$vhost_content .= '  SSLCipherSuite ' . $ssl_cipher_list . "\n";
 				$protocols = array_map('trim', explode(",", $ssl_protocols));
--- a/lib/Froxlor/Cron/Http/Nginx.php
+++ b/lib/Froxlor/Cron/Http/Nginx.php
@@ -703,7 +703,9 @@ class Nginx extends HttpConfigBase
 				// see https://github.com/Froxlor/Froxlor/issues/652
 				// $sslsettings .= "\t" . 'ssl_ecdh_curve secp384r1;' . "\n";
 				$sslsettings .= "\t" . 'ssl_prefer_server_ciphers ' .  (isset($domain_or_ip['ssl_honorcipherorder']) && $domain_or_ip['ssl_honorcipherorder'] == '1' ? 'on' : 'off') . ';' . "\n";
+				if (Settings::Get('system.sessionticketsenabled') == '1') {
 					$sslsettings .= "\t" . 'ssl_session_tickets ' .  (isset($domain_or_ip['ssl_sessiontickets']) && $domain_or_ip['ssl_sessiontickets'] == '1' ? 'on' : 'off') . ';' . "\n";
+				}
 				$sslsettings .= "\t" . 'ssl_session_cache shared:SSL:10m;' . "\n";
 				$sslsettings .= "\t" . 'ssl_certificate ' . \Froxlor\FileDir::makeCorrectFile($domain_or_ip['ssl_cert_file']) . ';' . "\n";

--- a/lib/Froxlor/Froxlor.php
+++ b/lib/Froxlor/Froxlor.php
@@ -10,7 +10,7 @@ final class Froxlor
 	const VERSION = '0.10.10';

 	// Database version (YYYYMMDDC where C is a daily counter)
-	const DBVERSION = '201912100';
+	const DBVERSION = '201912310';

 	// Distribution branding-tag (used for Debian etc.)
 	const BRANDING = '';
--- a/lng/english.lng.php
+++ b/lng/english.lng.php
@@ -2085,3 +2085,5 @@ $lng['serversettings']['apply_phpconfigs_default']['title'] = 'Default value for
 $lng['admin']['domain_sslenabled'] = 'Enable usage of SSL';
 $lng['admin']['domain_honorcipherorder'] = 'Honor the (server) cipher order, default <strong>no</strong>';
 $lng['admin']['domain_sessiontickets'] = 'Enable TLS sessiontickets (RFC 5077), default <strong>yes</strong>';
+$lng['admin']['domain_sessionticketsenabled']['title'] = 'Enable usage of TLS sessiontickets globally';
+$lng['admin']['domain_sessionticketsenabled']['description'] = 'Default <strong>yes</strong><br>Requires apache-2.4.11+ or nginx-1.5.9+';
--- a/lng/german.lng.php
+++ b/lng/german.lng.php
@@ -1732,3 +1732,5 @@ $lng['serversettings']['apply_phpconfigs_default']['title'] = 'Standardwert für
 $lng['admin']['domain_sslenabled'] = 'Aktiviere Nutzung von SSL';
 $lng['admin']['domain_honorcipherorder'] = 'Bevorzuge die serverseitige Cipher Reihenfolge, Standardwert <strong>nein</strong>';
 $lng['admin']['domain_sessiontickets'] = 'Aktiviere TLS Sessiontickets (RFC 5077), Standardwert <strong>ja</strong>';
+$lng['admin']['domain_sessionticketsenabled']['title'] = 'Aktiviere Nutzung von TLS Sessiontickets systemweit';
+$lng['admin']['domain_sessionticketsenabled']['description'] = 'Standardwert <strong>yes</strong><br>Erfordert apache-2.4.11+ oder nginx-1.5.9+';