diff --git a/actions/admin/settings/122.froxlorvhost.php b/actions/admin/settings/122.froxlorvhost.php
index d1948060..41c9136c 100644
--- a/actions/admin/settings/122.froxlorvhost.php
+++ b/actions/admin/settings/122.froxlorvhost.php
@@ -105,6 +105,30 @@ return array(
'hasVhostContainerEnabled'
), true)
),
+ 'system_honorcipherorder' => array(
+ 'label' => $lng['admin']['domain_honorcipherorder'],
+ 'settinggroup' => 'system',
+ 'varname' => 'honorcipherorder',
+ 'type' => 'bool',
+ 'default' => false,
+ 'save_method' => 'storeSettingField',
+ 'visible' => \Froxlor\Settings::Get('system.use_ssl') && call_user_func(array(
+ '\Froxlor\Settings\FroxlorVhostSettings',
+ 'hasVhostContainerEnabled'
+ ), true)
+ ),
+ 'system_sessiontickets' => array(
+ 'label' => $lng['admin']['domain_sessiontickets'],
+ 'settinggroup' => 'system',
+ 'varname' => 'sessiontickets',
+ 'type' => 'bool',
+ 'default' => true,
+ 'save_method' => 'storeSettingField',
+ 'visible' => \Froxlor\Settings::Get('system.use_ssl') && call_user_func(array(
+ '\Froxlor\Settings\FroxlorVhostSettings',
+ 'hasVhostContainerEnabled'
+ ), true)
+ ),
/**
* FCGID
*/
diff --git a/install/froxlor.sql b/install/froxlor.sql
index 1b29ac88..98d7875a 100644
--- a/install/froxlor.sql
+++ b/install/froxlor.sql
@@ -271,6 +271,9 @@ CREATE TABLE `panel_domains` (
`ssl_protocols` text,
`ssl_cipher_list` text,
`tlsv13_cipher_list` text,
+ `ssl_enabled` tinyint(1) DEFAULT '1',
+ `ssl_honorcipherorder` tinyint(1) DEFAULT '0',
+ `ssl_sessiontickets` tinyint(1) DEFAULT '1',
PRIMARY KEY (`id`),
KEY `customerid` (`customerid`),
KEY `parentdomain` (`parentdomainid`),
@@ -652,6 +655,8 @@ opcache.interned_strings_buffer'),
('system', 'disable_le_selfcheck', '0'),
('system', 'ssl_protocols', 'TLSv1,TLSv1.2'),
('system', 'tlsv13_cipher_list', ''),
+ ('system', 'honorcipherorder', '0'),
+ ('system', 'sessiontickets', '1'),
('system', 'logfiles_format', ''),
('system', 'logfiles_type', '1'),
('system', 'logfiles_piped', '0'),
@@ -697,7 +702,7 @@ opcache.interned_strings_buffer'),
('panel', 'customer_hide_options', ''),
('panel', 'is_configured', '0'),
('panel', 'version', '0.10.9'),
- ('panel', 'db_version', '201911220');
+ ('panel', 'db_version', '201912100');
DROP TABLE IF EXISTS `panel_tasks`;
diff --git a/install/updates/froxlor/0.10/update_0.10.inc.php b/install/updates/froxlor/0.10/update_0.10.inc.php
index bde02408..54a2bb78 100644
--- a/install/updates/froxlor/0.10/update_0.10.inc.php
+++ b/install/updates/froxlor/0.10/update_0.10.inc.php
@@ -505,3 +505,16 @@ if (\Froxlor\Froxlor::isFroxlorVersion('0.10.8')) {
showUpdateStep("Updating from 0.10.8 to 0.10.9", false);
\Froxlor\Froxlor::updateToVersion('0.10.9');
}
+
+if (\Froxlor\Froxlor::isDatabaseVersion('201911220')) {
+ showUpdateStep("Adding enhanced SSL control over domains");
+ // customer domains
+ Database::query("ALTER TABLE `" . TABLE_PANEL_DOMAINS . "` ADD `ssl_enabled` tinyint(1) DEFAULT '1';");
+ Database::query("ALTER TABLE `" . TABLE_PANEL_DOMAINS . "` ADD `ssl_honorcipherorder` tinyint(1) DEFAULT '0' AFTER `ssl_enabled`;");
+ Database::query("ALTER TABLE `" . TABLE_PANEL_DOMAINS . "` ADD `ssl_sessiontickets` tinyint(1) DEFAULT '1' AFTER `ssl_honorcipherorder`;");
+ // as setting for froxlor vhost
+ Settings::AddNew("system.honorcipherorder", '0');
+ Settings::AddNew("system.sessiontickets", '1');
+ lastStepStatus(0);
+ \Froxlor\Froxlor::updateToDbVersion('201912100');
+}
diff --git a/lib/Froxlor/Api/Commands/Domains.php b/lib/Froxlor/Api/Commands/Domains.php
index 9f98e2c6..5d983b5c 100644
--- a/lib/Froxlor/Api/Commands/Domains.php
+++ b/lib/Froxlor/Api/Commands/Domains.php
@@ -168,14 +168,15 @@ class Domains extends \Froxlor\Api\ApiCommand implements \Froxlor\Api\ResourceEn
* get ips connected to given domain as array
*
* @param number $domain_id
+ * @param bool $ssl_only
+ * optional, return only ssl enabled ip's, default false
* @return array
*/
- private function getIpsForDomain($domain_id = 0)
+ private function getIpsForDomain($domain_id = 0, $ssl_only = false)
{
$resultips_stmt = Database::prepare("
SELECT `ips`.* FROM `" . TABLE_DOMAINTOIP . "` AS `dti`, `" . TABLE_PANEL_IPSANDPORTS . "` AS `ips`
- WHERE `dti`.`id_ipandports` = `ips`.`id` AND `dti`.`id_domain` = :domainid
- ");
+ WHERE `dti`.`id_ipandports` = `ips`.`id` AND `dti`.`id_domain` = :domainid " . ($ssl_only ? " AND `ips`.`ssl` = '1'" : ""));
Database::pexecute($resultips_stmt, array(
'domainid' => $domain_id
@@ -260,6 +261,8 @@ class Domains extends \Froxlor\Api\ApiCommand implements \Froxlor\Api\ResourceEn
* optional, list of ssl-enabled ip/port id's to assign to this domain, default empty
* @param bool $dont_use_default_ssl_ipandport_if_empty
* optional, do NOT set the systems default ssl ip addresses if none are given via $ssl_ipandport parameter
+ * @param bool $sslenabled
+ * optional, whether or not SSL is enabled for this domain, regardless of the assigned ssl-ips, default 1 (true)
* @param bool $http2
* optional, whether to enable http/2 for this domain (requires to be enabled in the settings), default 0 (false)
* @param int $hsts_maxage
@@ -270,6 +273,10 @@ class Domains extends \Froxlor\Api\ApiCommand implements \Froxlor\Api\ResourceEn
* optional whether or not to preload HSTS header value
* @param bool $ocsp_stapling
* optional whether to enable ocsp-stapling for this domain. default 0 (false), requires SSL
+ * @param bool $honorcipherorder
+ * optional whether to honor the (server) cipher order for this domain. default 0 (false), requires SSL
+ * @param bool $sessiontickets
+ * optional whether to enable or disable TLS sessiontickets (RFC 5077) for this domain. default 1 (true), requires SSL
* @param bool $override_tls
* optional whether or not to override system-tls settings like protocol, ssl-ciphers and if applicable tls-1.3 ciphers, requires change_serversettings flag for the admin, default false
* @param array $ssl_protocols
@@ -324,11 +331,14 @@ class Domains extends \Froxlor\Api\ApiCommand implements \Froxlor\Api\ResourceEn
$letsencrypt = $this->getBoolParam('letsencrypt', true, 0);
$dont_use_default_ssl_ipandport_if_empty = $this->getBoolParam('dont_use_default_ssl_ipandport_if_empty', true, 0);
$p_ssl_ipandports = $this->getParam('ssl_ipandport', true, $dont_use_default_ssl_ipandport_if_empty ? array() : explode(',', Settings::Get('system.defaultsslip')));
+ $sslenabled = $this->getBoolParam('sslenabled', true, 1);
$http2 = $this->getBoolParam('http2', true, 0);
$hsts_maxage = $this->getParam('hsts_maxage', true, 0);
$hsts_sub = $this->getBoolParam('hsts_sub', true, 0);
$hsts_preload = $this->getBoolParam('hsts_preload', true, 0);
$ocsp_stapling = $this->getBoolParam('ocsp_stapling', true, 0);
+ $honorcipherorder = $this->getBoolParam('honorcipherorder', true, 0);
+ $sessiontickets = $this->getBoolParam('sessiontickets', true, 1);
$override_tls = $this->getBoolParam('override_tls', true, 0);
$p_ssl_protocols = array();
@@ -712,7 +722,10 @@ class Domains extends \Froxlor\Api\ApiCommand implements \Froxlor\Api\ResourceEn
'override_tls' => $override_tls,
'ssl_protocols' => implode(",", $ssl_protocols),
'ssl_cipher_list' => $ssl_cipher_list,
- 'tlsv13_cipher_list' => $tlsv13_cipher_list
+ 'tlsv13_cipher_list' => $tlsv13_cipher_list,
+ 'sslenabled' => $sslenabled,
+ 'honorcipherorder' => $honorcipherorder,
+ 'sessiontickets' => $sessiontickets
);
$ins_stmt = Database::prepare("
@@ -760,7 +773,10 @@ class Domains extends \Froxlor\Api\ApiCommand implements \Froxlor\Api\ResourceEn
`override_tls` = :override_tls,
`ssl_protocols` = :ssl_protocols,
`ssl_cipher_list` = :ssl_cipher_list,
- `tlsv13_cipher_list` = :tlsv13_cipher_list
+ `tlsv13_cipher_list` = :tlsv13_cipher_list,
+ `ssl_enabled` = :sslenabled,
+ `ssl_honorcipherorder` = :honorcipherorder,
+ `ssl_sessiontickets`= :sessiontickets
");
Database::pexecute($ins_stmt, $ins_data, true, true);
$domainid = Database::lastInsertId();
@@ -894,6 +910,8 @@ class Domains extends \Froxlor\Api\ApiCommand implements \Froxlor\Api\ResourceEn
* optional, list of ssl-enabled ip/port id's to assign to this domain, if left empty, the current set value is being used, to remove all ssl ips use $remove_ssl_ipandport
* @param bool $remove_ssl_ipandport
* optional, if set to true and no $ssl_ipandport value is given, the ip's get removed, otherwise, the currently set value is used, default false
+ * @param bool $sslenabled
+ * optional, whether or not SSL is enabled for this domain, regardless of the assigned ssl-ips, default 1 (true)
* @param bool $http2
* optional, whether to enable http/2 for this domain (requires to be enabled in the settings), default 0 (false)
* @param int $hsts_maxage
@@ -904,6 +922,10 @@ class Domains extends \Froxlor\Api\ApiCommand implements \Froxlor\Api\ResourceEn
* optional whether or not to preload HSTS header value
* @param bool $ocsp_stapling
* optional whether to enable ocsp-stapling for this domain. default 0 (false), requires SSL
+ * @param bool $honorcipherorder
+ * optional whether to honor the (server) cipher order for this domain. default 0 (false), requires SSL
+ * @param bool $sessiontickets
+ * optional whether to enable or disable TLS sessiontickets (RFC 5077) for this domain. default 1 (true), requires SSL
*
* @access admin
* @throws \Exception
@@ -964,11 +986,14 @@ class Domains extends \Froxlor\Api\ApiCommand implements \Froxlor\Api\ResourceEn
$p_ssl_ipandports = $this->getParam('ssl_ipandport', true, $remove_ssl_ipandport ? array(
- 1
) : null);
+ $sslenabled = $this->getBoolParam('sslenabled', true, $result['ssl_enabled']);
$http2 = $this->getBoolParam('http2', true, $result['http2']);
$hsts_maxage = $this->getParam('hsts_maxage', true, $result['hsts']);
$hsts_sub = $this->getBoolParam('hsts_sub', true, $result['hsts_sub']);
$hsts_preload = $this->getBoolParam('hsts_preload', true, $result['hsts_preload']);
$ocsp_stapling = $this->getBoolParam('ocsp_stapling', true, $result['ocsp_stapling']);
+ $honorcipherorder = $this->getBoolParam('honorcipherorder', true, $result['ssl_honorcipherorder']);
+ $sessiontickets = $this->getBoolParam('sessiontickets', true, $result['ssl_sessiontickets']);
$override_tls = $this->getBoolParam('override_tls', true, $result['override_tls']);
@@ -1546,6 +1571,9 @@ class Domains extends \Froxlor\Api\ApiCommand implements \Froxlor\Api\ResourceEn
$update_data['ssl_protocols'] = implode(",", $ssl_protocols);
$update_data['ssl_cipher_list'] = $ssl_cipher_list;
$update_data['tlsv13_cipher_list'] = $tlsv13_cipher_list;
+ $update_data['sslenabled'] = $sslenabled;
+ $update_data['honorcipherorder'] = $honorcipherorder;
+ $update_data['sessiontickets'] = $sessiontickets;
$update_data['id'] = $id;
$update_stmt = Database::prepare("
@@ -1588,7 +1616,10 @@ class Domains extends \Froxlor\Api\ApiCommand implements \Froxlor\Api\ResourceEn
`override_tls` = :override_tls,
`ssl_protocols` = :ssl_protocols,
`ssl_cipher_list` = :ssl_cipher_list,
- `tlsv13_cipher_list` = :tlsv13_cipher_list
+ `tlsv13_cipher_list` = :tlsv13_cipher_list,
+ `ssl_enabled` = :sslenabled,
+ `ssl_honorcipherorder` = :honorcipherorder,
+ `ssl_sessiontickets` = :sessiontickets
WHERE `id` = :id
");
Database::pexecute($update_stmt, $update_data, true, true);
@@ -1603,6 +1634,8 @@ class Domains extends \Froxlor\Api\ApiCommand implements \Froxlor\Api\ResourceEn
$_update_data['ssl_protocols'] = implode(",", $ssl_protocols);
$_update_data['ssl_cipher_list'] = $ssl_cipher_list;
$_update_data['tlsv13_cipher_list'] = $tlsv13_cipher_list;
+ $_update_data['honorcipherorder'] = $honorcipherorder;
+ $_update_data['sessiontickets'] = $sessiontickets;
$_update_data['parentdomainid'] = $id;
// if php config is to be set for all subdomains, check here
@@ -1630,7 +1663,9 @@ class Domains extends \Froxlor\Api\ApiCommand implements \Froxlor\Api\ResourceEn
`override_tls` = :override_tls,
`ssl_protocols` = :ssl_protocols,
`ssl_cipher_list` = :ssl_cipher_list,
- `tlsv13_cipher_list` = :tlsv13_cipher_list
+ `tlsv13_cipher_list` = :tlsv13_cipher_list,
+ `ssl_honorcipherorder` = :honorcipherorder,
+ `ssl_sessiontickets` = :sessiontickets
" . $update_phpconfig . $upd_specialsettings . $updatechildren . $update_sslredirect . "
WHERE `parentdomainid` = :parentdomainid
");
diff --git a/lib/Froxlor/Api/Commands/SubDomains.php b/lib/Froxlor/Api/Commands/SubDomains.php
index 29e3d817..cd772bb8 100644
--- a/lib/Froxlor/Api/Commands/SubDomains.php
+++ b/lib/Froxlor/Api/Commands/SubDomains.php
@@ -41,6 +41,8 @@ class SubDomains extends \Froxlor\Api\ApiCommand implements \Froxlor\Api\Resourc
* optional, php-settings-id, if empty the $domain value is used
* @param int $redirectcode
* optional, redirect-code-id from TABLE_PANEL_REDIRECTCODES
+ * @param bool $sslenabled
+ * optional, whether or not SSL is enabled for this domain, regardless of the assigned ssl-ips, default 1 (true)
* @param bool $ssl_redirect
* optional, whether to generate a https-redirect or not, default false; requires SSL to be enabled
* @param bool $letsencrypt
@@ -76,6 +78,7 @@ class SubDomains extends \Froxlor\Api\ApiCommand implements \Froxlor\Api\Resourc
$redirectcode = $this->getParam('redirectcode', true, Settings::Get('customredirect.default'));
$isemaildomain = $this->getParam('isemaildomain', true, 0);
if (Settings::Get('system.use_ssl')) {
+ $sslenabled = $this->getBoolParam('sslenabled', true, 1);
$ssl_redirect = $this->getBoolParam('ssl_redirect', true, 0);
$letsencrypt = $this->getBoolParam('letsencrypt', true, 0);
$http2 = $this->getBoolParam('http2', true, 0);
@@ -83,6 +86,7 @@ class SubDomains extends \Froxlor\Api\ApiCommand implements \Froxlor\Api\Resourc
$hsts_sub = $this->getBoolParam('hsts_sub', true, 0);
$hsts_preload = $this->getBoolParam('hsts_preload', true, 0);
} else {
+ $sslenabled = 0;
$ssl_redirect = 0;
$letsencrypt = 0;
$http2 = 0;
@@ -275,7 +279,8 @@ class SubDomains extends \Froxlor\Api\ApiCommand implements \Froxlor\Api\Resourc
`override_tls` = :override_tls,
`ssl_protocols` = :ssl_protocols,
`ssl_cipher_list` = :ssl_cipher_list,
- `tlsv13_cipher_list` = :tlsv13_cipher_list
+ `tlsv13_cipher_list` = :tlsv13_cipher_list,
+ `ssl_enabled` = :sslenabled
");
$params = array(
"customerid" => $customer['customerid'],
@@ -305,7 +310,8 @@ class SubDomains extends \Froxlor\Api\ApiCommand implements \Froxlor\Api\Resourc
"override_tls" => $domain_check['override_tls'],
"ssl_protocols" => $domain_check['ssl_protocols'],
"ssl_cipher_list" => $domain_check['ssl_cipher_list'],
- "tlsv13_cipher_list" => $domain_check['tlsv13_cipher_list']
+ "tlsv13_cipher_list" => $domain_check['tlsv13_cipher_list'],
+ "sslenabled" => $sslenabled
);
Database::pexecute($stmt, $params, true, true);
$subdomain_id = Database::lastInsertId();
@@ -446,6 +452,8 @@ class SubDomains extends \Froxlor\Api\ApiCommand implements \Froxlor\Api\Resourc
* optional, php-settings-id, if empty the $domain value is used
* @param int $redirectcode
* optional, redirect-code-id from TABLE_PANEL_REDIRECTCODES
+ * @param bool $sslenabled
+ * optional, whether or not SSL is enabled for this domain, regardless of the assigned ssl-ips, default 1 (true)
* @param bool $ssl_redirect
* optional, whether to generate a https-redirect or not, default false; requires SSL to be enabled
* @param bool $letsencrypt
@@ -493,6 +501,7 @@ class SubDomains extends \Froxlor\Api\ApiCommand implements \Froxlor\Api\Resourc
$phpsettingid = $this->getParam('phpsettingid', true, $result['phpsettingid']);
$redirectcode = $this->getParam('redirectcode', true, \Froxlor\Domain\Domain::getDomainRedirectId($id));
if (Settings::Get('system.use_ssl')) {
+ $sslenabled = $this->getBoolParam('sslenabled', true, $result['ssl_enabled']);
$ssl_redirect = $this->getBoolParam('ssl_redirect', true, $result['ssl_redirect']);
$letsencrypt = $this->getBoolParam('letsencrypt', true, $result['letsencrypt']);
$http2 = $this->getBoolParam('http2', true, $result['http2']);
@@ -500,6 +509,7 @@ class SubDomains extends \Froxlor\Api\ApiCommand implements \Froxlor\Api\Resourc
$hsts_sub = $this->getBoolParam('hsts_sub', true, $result['hsts_sub']);
$hsts_preload = $this->getBoolParam('hsts_preload', true, $result['hsts_preload']);
} else {
+ $sslenabled = 0;
$ssl_redirect = 0;
$letsencrypt = 0;
$http2 = 0;
@@ -610,14 +620,15 @@ class SubDomains extends \Froxlor\Api\ApiCommand implements \Froxlor\Api\Resourc
if ($path != $result['documentroot'] || $isemaildomain != $result['isemaildomain'] || $wwwserveralias != $result['wwwserveralias'] || $iswildcarddomain != $result['iswildcarddomain'] || $aliasdomain != $result['aliasdomain'] || $openbasedir_path != $result['openbasedir_path'] || $ssl_redirect != $result['ssl_redirect'] || $letsencrypt != $result['letsencrypt'] || $hsts_maxage != $result['hsts'] || $hsts_sub != $result['hsts_sub'] || $hsts_preload != $result['hsts_preload'] || $phpsettingid != $result['phpsettingid']) {
$stmt = Database::prepare("
UPDATE `" . TABLE_PANEL_DOMAINS . "` SET
- `documentroot`= :documentroot,
- `isemaildomain`= :isemaildomain,
- `wwwserveralias`= :wwwserveralias,
- `iswildcarddomain`= :iswildcarddomain,
- `aliasdomain`= :aliasdomain,
- `openbasedir_path`= :openbasedir_path,
- `ssl_redirect`= :ssl_redirect,
- `letsencrypt`= :letsencrypt,
+ `documentroot` = :documentroot,
+ `isemaildomain` = :isemaildomain,
+ `wwwserveralias` = :wwwserveralias,
+ `iswildcarddomain` = :iswildcarddomain,
+ `aliasdomain` = :aliasdomain,
+ `openbasedir_path` = :openbasedir_path,
+ `ssl_enabled` = :sslenabled,
+ `ssl_redirect` = :ssl_redirect,
+ `letsencrypt` = :letsencrypt,
`http2` = :http2,
`hsts` = :hsts,
`hsts_sub` = :hsts_sub,
@@ -632,6 +643,7 @@ class SubDomains extends \Froxlor\Api\ApiCommand implements \Froxlor\Api\Resourc
"iswildcarddomain" => $iswildcarddomain,
"aliasdomain" => ($aliasdomain != 0 && $alias_check == 0) ? $aliasdomain : null,
"openbasedir_path" => $openbasedir_path,
+ "sslenabled" => $sslenabled,
"ssl_redirect" => $ssl_redirect,
"letsencrypt" => $letsencrypt,
"http2" => $http2,
diff --git a/lib/Froxlor/Cron/Http/Apache.php b/lib/Froxlor/Cron/Http/Apache.php
index 6fd05880..5cafbbfc 100644
--- a/lib/Froxlor/Cron/Http/Apache.php
+++ b/lib/Froxlor/Cron/Http/Apache.php
@@ -442,7 +442,9 @@ class Apache extends HttpConfigBase
'loginname' => 'froxlor.panel',
'documentroot' => $mypath,
'customerroot' => $mypath,
- 'parentdomainid' => 0
+ 'parentdomainid' => 0,
+ 'ssl_honorcipherorder' => Settings::Get('system.honorcipherorder'),
+ 'ssl_sessiontickets' => Settings::Get('system.sessiontickets')
);
// override corresponding array values
@@ -478,9 +480,10 @@ class Apache extends HttpConfigBase
$this->virtualhosts_data[$vhosts_filename] .= ' SSLOpenSSLConfCmd DHParameters "' . $dhparams . '"' . "\n";
}
$this->virtualhosts_data[$vhosts_filename] .= ' SSLCompression Off' . "\n";
+ $this->virtualhosts_data[$vhosts_filename] .= ' SSLSessionTickets ' . ($domain['ssl_sessiontickets'] == '1' ? 'on' : 'off') . "\n";
}
- // this makes it more secure, thx to Marcel (08/2013)
- $this->virtualhosts_data[$vhosts_filename] .= ' SSLHonorCipherOrder On' . "\n";
+
+ $this->virtualhosts_data[$vhosts_filename] .= ' SSLHonorCipherOrder ' . ($domain['ssl_honorcipherorder'] == '1' ? 'on' : 'off') . "\n";
$this->virtualhosts_data[$vhosts_filename] .= ' SSLCipherSuite ' . Settings::Get('system.ssl_cipher_list') . "\n";
$protocols = array_map('trim', explode(",", Settings::Get('system.ssl_protocols')));
if (in_array("TLSv1.3", $protocols) && ! empty(Settings::Get('system.tlsv13_cipher_list')) && Settings::Get('system.apache24') == 1) {
@@ -986,9 +989,9 @@ class Apache extends HttpConfigBase
$vhost_content .= ' SSLOpenSSLConfCmd DHParameters "' . $dhparams . '"' . "\n";
}
$vhost_content .= ' SSLCompression Off' . "\n";
+ $vhost_content .= ' SSLSessionTickets ' . ($domain['ssl_sessiontickets'] == '1' ? 'on' : 'off') . "\n";
}
- // this makes it more secure, thx to Marcel (08/2013)
- $vhost_content .= ' SSLHonorCipherOrder On' . "\n";
+ $vhost_content .= ' SSLHonorCipherOrder ' . ($domain['ssl_honorcipherorder'] == '1' ? 'on' : 'off') . "\n";
$vhost_content .= ' SSLCipherSuite ' . $ssl_cipher_list . "\n";
$protocols = array_map('trim', explode(",", $ssl_protocols));
if (in_array("TLSv1.3", $protocols) && ! empty($tlsv13_cipher_list) && Settings::Get('system.apache24') == 1) {
@@ -1114,7 +1117,7 @@ class Apache extends HttpConfigBase
// Create vhost without ssl
$this->virtualhosts_data[$vhosts_filename] .= $this->getVhostContent($domain, false);
- if ($domain['ssl'] == '1' || $domain['ssl_redirect'] == '1') {
+ if ($domain['ssl_enabled'] == '1' && ($domain['ssl'] == '1' || $domain['ssl_redirect'] == '1')) {
// Adding ssl stuff if enabled
$vhosts_filename_ssl = $this->getVhostFilename($domain, true);
$this->virtualhosts_data[$vhosts_filename_ssl] = '# Domain ID: ' . $domain['id'] . ' (SSL) - CustomerID: ' . $domain['customerid'] . ' - CustomerLogin: ' . $domain['loginname'] . "\n";
diff --git a/lib/Froxlor/Cron/Http/Lighttpd.php b/lib/Froxlor/Cron/Http/Lighttpd.php
index 4f94f0f8..513efb95 100644
--- a/lib/Froxlor/Cron/Http/Lighttpd.php
+++ b/lib/Froxlor/Cron/Http/Lighttpd.php
@@ -432,7 +432,7 @@ class Lighttpd extends HttpConfigBase
protected function getVhostContent($domain, $ssl_vhost = false, $ipid = 0)
{
- if ($ssl_vhost === true && $domain['ssl'] != '1' && $domain['ssl_redirect'] != '1') {
+ if ($ssl_vhost === true && $domain['ssl'] != '1' && $domain['ssl_enabled'] != '1' && $domain['ssl_redirect'] != '1') {
return '';
}
@@ -586,7 +586,7 @@ class Lighttpd extends HttpConfigBase
$ssl_settings .= 'ssl.use-sslv2 = "disable"' . "\n";
$ssl_settings .= 'ssl.use-sslv3 = "disable"' . "\n";
$ssl_settings .= 'ssl.cipher-list = "' . $ssl_cipher_list . '"' . "\n";
- $ssl_settings .= 'ssl.honor-cipher-order = "enable"' . "\n";
+ $ssl_settings .= 'ssl.honor-cipher-order = ' . ($domain['ssl_honorcipherorder'] == '1' ? '"enable"' : '"disable"') . "\n";
$ssl_settings .= 'ssl.pemfile = "' . \Froxlor\FileDir::makeCorrectFile($domain['ssl_cert_file']) . '"' . "\n";
if ($domain['ssl_ca_file'] != '') {
diff --git a/lib/Froxlor/Cron/Http/Nginx.php b/lib/Froxlor/Cron/Http/Nginx.php
index 7da25eac..3563e7e2 100644
--- a/lib/Froxlor/Cron/Http/Nginx.php
+++ b/lib/Froxlor/Cron/Http/Nginx.php
@@ -272,6 +272,8 @@ class Nginx extends HttpConfigBase
*/
if ($row_ipsandports['ssl'] == '1') {
$row_ipsandports['domain'] = Settings::Get('system.hostname');
+ $row_ipsandports['ssl_honorcipherorder'] = Settings::Get('system.honorcipherorder');
+ $row_ipsandports['ssl_sessiontickets'] = Settings::Get('system.sessiontickets');
$this->nginx_data[$vhost_filename] .= $this->composeSslSettings($row_ipsandports);
if ($row_ipsandports['ssl_specialsettings'] != '') {
$this->nginx_data[$vhost_filename] .= $this->processSpecialConfigTemplate($row_ipsandports['ssl_specialsettings'], array(
@@ -700,7 +702,8 @@ class Nginx extends HttpConfigBase
// When >1.11.0: Defaults to auto, using recommended curves provided by OpenSSL.
// see https://github.com/Froxlor/Froxlor/issues/652
// $sslsettings .= "\t" . 'ssl_ecdh_curve secp384r1;' . "\n";
- $sslsettings .= "\t" . 'ssl_prefer_server_ciphers on;' . "\n";
+ $sslsettings .= "\t" . 'ssl_prefer_server_ciphers ' . (isset($domain_or_ip['ssl_honorcipherorder']) && $domain_or_ip['ssl_honorcipherorder'] == '1' ? 'on' : 'off') . ';' . "\n";
+ $sslsettings .= "\t" . 'ssl_session_tickets ' . (isset($domain_or_ip['ssl_sessiontickets']) && $domain_or_ip['ssl_sessiontickets'] == '1' ? 'on' : 'off') . ';' . "\n";
$sslsettings .= "\t" . 'ssl_session_cache shared:SSL:10m;' . "\n";
$sslsettings .= "\t" . 'ssl_certificate ' . \Froxlor\FileDir::makeCorrectFile($domain_or_ip['ssl_cert_file']) . ';' . "\n";
diff --git a/lib/Froxlor/Froxlor.php b/lib/Froxlor/Froxlor.php
index 5b6aaa64..c21d47ae 100644
--- a/lib/Froxlor/Froxlor.php
+++ b/lib/Froxlor/Froxlor.php
@@ -10,7 +10,7 @@ final class Froxlor
const VERSION = '0.10.9';
// Database version (YYYYMMDDC where C is a daily counter)
- const DBVERSION = '201911220';
+ const DBVERSION = '201912100';
// Distribution branding-tag (used for Debian etc.)
const BRANDING = '';
diff --git a/lib/formfields/admin/domains/formfield.domains_add.php b/lib/formfields/admin/domains/formfield.domains_add.php
index 05b4e8f8..f5e99020 100644
--- a/lib/formfields/admin/domains/formfield.domains_add.php
+++ b/lib/formfields/admin/domains/formfield.domains_add.php
@@ -180,6 +180,20 @@ return array(
'image' => 'icons/domain_add.png',
'visible' => \Froxlor\Settings::Get('system.use_ssl') == '1' ? true : false,
'fields' => array(
+ 'sslenabled' => array(
+ 'visible' => ($ssl_ipsandports != '' ? true : false),
+ 'label' => $lng['admin']['domain_sslenabled'],
+ 'type' => 'checkbox',
+ 'values' => array(
+ array(
+ 'label' => $lng['panel']['yes'],
+ 'value' => '1'
+ )
+ ),
+ 'value' => array(
+ '1'
+ )
+ ),
'no_ssl_available_info' => array(
'visible' => ($ssl_ipsandports == '' ? true : false),
'label' => 'SSL',
@@ -356,6 +370,32 @@ return array(
)
),
'value' => array()
+ ),
+ 'honorcipherorder' => array(
+ 'visible' => ($ssl_ipsandports != '' ? true : false),
+ 'label' => $lng['admin']['domain_honorcipherorder'],
+ 'type' => 'checkbox',
+ 'values' => array(
+ array(
+ 'label' => $lng['panel']['yes'],
+ 'value' => '1'
+ )
+ ),
+ 'value' => array()
+ ),
+ 'sessiontickets' => array(
+ 'visible' => ($ssl_ipsandports != '' ? true : false) && \Froxlor\Settings::Get('system.webserver') != 'lighttpd',
+ 'label' => $lng['admin']['domain_sessiontickets'],
+ 'type' => 'checkbox',
+ 'values' => array(
+ array(
+ 'label' => $lng['panel']['yes'],
+ 'value' => '1'
+ )
+ ),
+ 'value' => array(
+ '1'
+ )
)
)
),
diff --git a/lib/formfields/admin/domains/formfield.domains_edit.php b/lib/formfields/admin/domains/formfield.domains_edit.php
index 21659c81..96f17caf 100644
--- a/lib/formfields/admin/domains/formfield.domains_edit.php
+++ b/lib/formfields/admin/domains/formfield.domains_edit.php
@@ -212,6 +212,20 @@ return array(
'image' => 'icons/domain_edit.png',
'visible' => \Froxlor\Settings::Get('system.use_ssl') == '1' ? true : false,
'fields' => array(
+ 'sslenabled' => array(
+ 'visible' => ($ssl_ipsandports != '' ? true : false),
+ 'label' => $lng['admin']['domain_sslenabled'],
+ 'type' => 'checkbox',
+ 'values' => array(
+ array(
+ 'label' => $lng['panel']['yes'],
+ 'value' => '1'
+ )
+ ),
+ 'value' => array(
+ $result['ssl_enabled']
+ )
+ ),
'no_ssl_available_info' => array(
'visible' => ($ssl_ipsandports == '' ? true : false),
'label' => 'SSL',
@@ -290,7 +304,7 @@ return array(
'label' => $lng['serversettings']['ssl']['ssl_protocols']['title'],
'desc' => $lng['serversettings']['ssl']['ssl_protocols']['description'],
'type' => 'checkbox',
- 'value' => !empty($result['ssl_protocols']) ? explode(",", $result['ssl_protocols']) : explode(",", \Froxlor\Settings::Get('system.ssl_protocols')),
+ 'value' => ! empty($result['ssl_protocols']) ? explode(",", $result['ssl_protocols']) : explode(",", \Froxlor\Settings::Get('system.ssl_protocols')),
'values' => array(
array(
'value' => 'TLSv1',
@@ -316,14 +330,14 @@ return array(
'label' => $lng['serversettings']['ssl']['ssl_cipher_list']['title'],
'desc' => $lng['serversettings']['ssl']['ssl_cipher_list']['description'],
'type' => 'text',
- 'value' => !empty($result['ssl_cipher_list']) ? $result['ssl_cipher_list'] : \Froxlor\Settings::Get('system.ssl_cipher_list')
+ 'value' => ! empty($result['ssl_cipher_list']) ? $result['ssl_cipher_list'] : \Froxlor\Settings::Get('system.ssl_cipher_list')
),
'tlsv13_cipher_list' => array(
'visible' => (($ssl_ipsandports != '' ? true : false) && $userinfo['change_serversettings'] == '1' && \Froxlor\Settings::Get('system.webserver') == "apache2" && \Froxlor\Settings::Get('system.apache24') == 1 ? true : false),
'label' => $lng['serversettings']['ssl']['tlsv13_cipher_list']['title'],
'desc' => $lng['serversettings']['ssl']['tlsv13_cipher_list']['description'],
'type' => 'text',
- 'value' => !empty($result['tlsv13_cipher_list']) ? $result['tlsv13_cipher_list'] : \Froxlor\Settings::Get('system.tlsv13_cipher_list')
+ 'value' => ! empty($result['tlsv13_cipher_list']) ? $result['tlsv13_cipher_list'] : \Froxlor\Settings::Get('system.tlsv13_cipher_list')
),
'ssl_specialsettings' => array(
'visible' => ($userinfo['change_serversettings'] == '1' ? true : false),
@@ -401,6 +415,34 @@ return array(
'value' => array(
$result['ocsp_stapling']
)
+ ),
+ 'honorcipherorder' => array(
+ 'visible' => ($ssl_ipsandports != '' ? true : false),
+ 'label' => $lng['admin']['domain_honorcipherorder'],
+ 'type' => 'checkbox',
+ 'values' => array(
+ array(
+ 'label' => $lng['panel']['yes'],
+ 'value' => '1'
+ )
+ ),
+ 'value' => array(
+ $result['ssl_honorcipherorder']
+ )
+ ),
+ 'sessiontickets' => array(
+ 'visible' => ($ssl_ipsandports != '' ? true : false) && \Froxlor\Settings::Get('system.webserver') != 'lighttpd',
+ 'label' => $lng['admin']['domain_sessiontickets'],
+ 'type' => 'checkbox',
+ 'values' => array(
+ array(
+ 'label' => $lng['panel']['yes'],
+ 'value' => '1'
+ )
+ ),
+ 'value' => array(
+ $result['ssl_sessiontickets']
+ )
)
)
),
diff --git a/lib/formfields/customer/domains/formfield.domains_add.php b/lib/formfields/customer/domains/formfield.domains_add.php
index 1e6f47eb..577a0c03 100644
--- a/lib/formfields/customer/domains/formfield.domains_add.php
+++ b/lib/formfields/customer/domains/formfield.domains_add.php
@@ -83,6 +83,19 @@ return array(
'image' => 'icons/domain_add.png',
'visible' => \Froxlor\Settings::Get('system.use_ssl') == '1' ? ($ssl_ipsandports != '' ? true : false) : false,
'fields' => array(
+ 'sslenabled' => array(
+ 'label' => $lng['admin']['domain_sslenabled'],
+ 'type' => 'checkbox',
+ 'values' => array(
+ array(
+ 'label' => $lng['panel']['yes'],
+ 'value' => '1'
+ )
+ ),
+ 'value' => array(
+ '1'
+ )
+ ),
'ssl_redirect' => array(
'label' => $lng['domains']['ssl_redirect']['title'],
'desc' => $lng['domains']['ssl_redirect']['description'],
diff --git a/lib/formfields/customer/domains/formfield.domains_edit.php b/lib/formfields/customer/domains/formfield.domains_edit.php
index 0fd54134..d9b77ce8 100644
--- a/lib/formfields/customer/domains/formfield.domains_edit.php
+++ b/lib/formfields/customer/domains/formfield.domains_edit.php
@@ -99,6 +99,19 @@ return array(
'image' => 'icons/domain_edit.png',
'visible' => \Froxlor\Settings::Get('system.use_ssl') == '1' ? ($ssl_ipsandports != '' ? (\Froxlor\Domain\Domain::domainHasSslIpPort($result['id']) ? true : false) : false) : false,
'fields' => array(
+ 'sslenabled' => array(
+ 'label' => $lng['admin']['domain_sslenabled'],
+ 'type' => 'checkbox',
+ 'values' => array(
+ array(
+ 'label' => $lng['panel']['yes'],
+ 'value' => '1'
+ )
+ ),
+ 'value' => array(
+ $result['ssl_enabled']
+ )
+ ),
'ssl_redirect' => array(
'label' => $lng['domains']['ssl_redirect']['title'],
'desc' => $lng['domains']['ssl_redirect']['description'] . ($result['temporary_ssl_redirect'] > 1 ? $lng['domains']['ssl_redirect_temporarilydisabled'] : ''),
diff --git a/lng/english.lng.php b/lng/english.lng.php
index 067cd898..626ff1c7 100644
--- a/lng/english.lng.php
+++ b/lng/english.lng.php
@@ -2082,3 +2082,6 @@ $lng['admin']['domain_override_tls'] = 'Override system TLS settings';
$lng['domains']['isaliasdomainof'] = 'Is aliasdomain for %s';
$lng['serversettings']['apply_specialsettings_default']['title'] = 'Default value for "' . $lng['admin']['specialsettingsforsubdomains'] . "' setting when editing a domain";
$lng['serversettings']['apply_phpconfigs_default']['title'] = 'Default value for "' . $lng['admin']['phpsettingsforsubdomains'] . "' setting when editing a domain";
+$lng['admin']['domain_sslenabled'] = 'Enable usage of SSL';
+$lng['admin']['domain_honorcipherorder'] = 'Honor the (server) cipher order, default no';
+$lng['admin']['domain_sessiontickets'] = 'Enable TLS sessiontickets (RFC 5077), default yes';
diff --git a/lng/german.lng.php b/lng/german.lng.php
index fb381138..667f6ea3 100644
--- a/lng/german.lng.php
+++ b/lng/german.lng.php
@@ -1729,3 +1729,6 @@ $lng['admin']['domain_override_tls'] = 'Überschreibe System TLS Einstellungen';
$lng['domains']['isaliasdomainof'] = 'Ist Aliasdomain für %s';
$lng['serversettings']['apply_specialsettings_default']['title'] = 'Standardwert für "' . $lng['admin']['specialsettingsforsubdomains'] . "' Einstellung beim Bearbeiten einer Domain";
$lng['serversettings']['apply_phpconfigs_default']['title'] = 'Standardwert für "' . $lng['admin']['phpsettingsforsubdomains'] . "' Einstellung beim Bearbeiten einer Domain";
+$lng['admin']['domain_sslenabled'] = 'Aktiviere Nutzung von SSL';
+$lng['admin']['domain_honorcipherorder'] = 'Bevorzuge die serverseitige Cipher Reihenfolge, Standardwert nein';
+$lng['admin']['domain_sessiontickets'] = 'Aktiviere TLS Sessiontickets (RFC 5077), Standardwert ja';