Added option to set the TLS protocol versions to be used in webservers

Signed-off-by: Michael Kaufmann (d00p) <d00p@froxlor.org>
Michael Kaufmann (d00p)
2018-01-10 10:12:26 +01:00
parent 9312e4967e
commit 4bcdfc0786
7 changed files with 36 additions and 9 deletions


@@ -30,6 +30,20 @@ return array(
'save_method' => 'storeSettingField', 'save_method' => 'storeSettingField',
'overview_option' => true 'overview_option' => true
), ),
'system_ssl_protocols' => array(
'label' => $lng['serversettings']['ssl']['ssl_protocols'],
'settinggroup' => 'system',
'varname' => 'ssl_protocols',
'type' => 'option',
'default' => 'TLSv1,TLSv1.2',
'option_mode' => 'multiple',
'option_options' => array(
'TLSv1' => 'TLSv1',
'TLSv1.1' => 'TLSv1.1',
'TLSv1.2' => 'TLSv1.2'
),
'save_method' => 'storeSettingField'
),
'system_ssl_cipher_list' => array( 'system_ssl_cipher_list' => array(
'label' => $lng['serversettings']['ssl']['ssl_cipher_list'], 'label' => $lng['serversettings']['ssl']['ssl_cipher_list'],
'settinggroup' => 'system', 'settinggroup' => 'system',
@@ -87,8 +101,7 @@ return array(
'string_type' => 'string', 'string_type' => 'string',
'string_emptyallowed' => false, 'string_emptyallowed' => false,
'default' => 'shmcb:/var/run/apache2/ocsp-stapling.cache(131072)', 'default' => 'shmcb:/var/run/apache2/ocsp-stapling.cache(131072)',
'visible' => Settings::Get('system.webserver') == "apache2" && 'visible' => Settings::Get('system.webserver') == "apache2" && Settings::Get('system.apache24') == 1,
Settings::Get('system.apache24') == 1,
'save_method' => 'storeSettingField' 'save_method' => 'storeSettingField'
), ),
'system_leenabled' => array( 'system_leenabled' => array(
@@ -120,7 +133,7 @@ return array(
'type' => 'string', 'type' => 'string',
'string_type' => 'file', 'string_type' => 'file',
'default' => '/etc/apache2/conf-enabled/acme.conf', 'default' => '/etc/apache2/conf-enabled/acme.conf',
'save_method' => 'storeSettingField', 'save_method' => 'storeSettingField'
), ),
'system_letsencryptca' => array( 'system_letsencryptca' => array(
'label' => $lng['serversettings']['letsencryptca'], 'label' => $lng['serversettings']['letsencryptca'],
@@ -130,8 +143,8 @@ return array(
'default' => 'testing', 'default' => 'testing',
'option_mode' => 'one', 'option_mode' => 'one',
'option_options' => array( 'option_options' => array(
'testing' => 'https://acme-staging'.(Settings::Get('system.leapiversion') == '2' ? '-v02' : '').'.api.letsencrypt.org (Test)', 'testing' => 'https://acme-staging' . (Settings::Get('system.leapiversion') == '2' ? '-v02' : '') . '.api.letsencrypt.org (Test)',
'production' => 'https://acme-v0'.Settings::Get('system.leapiversion').'.api.letsencrypt.org (Live)' 'production' => 'https://acme-v0' . Settings::Get('system.leapiversion') . '.api.letsencrypt.org (Live)'
), ),
'save_method' => 'storeSettingField' 'save_method' => 'storeSettingField'
), ),
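Review bot: The new 'system_ssl_protocols' entry has no visible guard against an empty selection: with 'option_mode' => 'multiple' the form can deselect every protocol, and the stored value is later written verbatim into the Apache and nginx vhost configuration as the protocol list. Unless storeSettingField already rejects an empty or unknown value for this field, either add that check there or at least document the consequence next to the entry, e.g. `// value is emitted verbatim into SSLProtocol / ssl_protocols; an empty selection breaks the generated vhost config`. The default 'TLSv1,TLSv1.2' mirrors the previously hard-coded list, so upgraded installations keep their current behaviour; whether TLSv1.1 should be selectable by default is a policy question this change leaves as before.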


@@ -557,6 +557,7 @@ INSERT INTO `panel_settings` (`settinggroup`, `varname`, `value`) VALUES
('system', 'leregistered', '0'), ('system', 'leregistered', '0'),
('system', 'nssextrausers', '0'), ('system', 'nssextrausers', '0'),
('system', 'disable_le_selfcheck', '0'), ('system', 'disable_le_selfcheck', '0'),
('system', 'ssl_protocols', 'TLSv1,TLSv1.2'),
('panel', 'decimal_places', '4'), ('panel', 'decimal_places', '4'),
('panel', 'adminmail', 'admin@SERVERNAME'), ('panel', 'adminmail', 'admin@SERVERNAME'),
('panel', 'phpmyadmin_url', ''), ('panel', 'phpmyadmin_url', ''),
@@ -589,7 +590,7 @@ INSERT INTO `panel_settings` (`settinggroup`, `varname`, `value`) VALUES
('panel', 'password_special_char', '!?<>§$%+#=@'), ('panel', 'password_special_char', '!?<>§$%+#=@'),
('panel', 'customer_hide_options', ''), ('panel', 'customer_hide_options', ''),
('panel', 'version', '0.9.38.8'), ('panel', 'version', '0.9.38.8'),
('panel', 'db_version', '201801091'); ('panel', 'db_version', '201801100');
DROP TABLE IF EXISTS `panel_tasks`; DROP TABLE IF EXISTS `panel_tasks`;


@@ -3743,3 +3743,12 @@ if (isDatabaseVersion('201801090')) {
updateToDbVersion('201801091'); updateToDbVersion('201801091');
} }
if (isDatabaseVersion('201801091')) {
showUpdateStep("Adding new setting for SSL protocols");
Settings::AddNew('system.ssl_protocols', 'TLSv1,TLSv1.2');
lastStepStatus(0);
updateToDbVersion('201801100');
}
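Review bot: The default 'TLSv1,TLSv1.2' passed to Settings::AddNew here is now spelled out in three unrelated places (this update step, the settings definition's 'default', and the install SQL) with nothing tying them together, so a later change to one will silently diverge from the others; a short comment such as `// keep in sync with the 'default' in the settings definition and the install SQL` would at least make the coupling visible. lastStepStatus(0) also reports success unconditionally; if Settings::AddNew returns a status, passing it through would be more honest than the hard-coded 0.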


@@ -2092,3 +2092,5 @@ $lng['serversettings']['leapiversion']['title'] = "Chose Let's Encrypt ACME impl
$lng['serversettings']['leapiversion']['description'] = "Chose between ACME v1 and ACME v2 implementation for Let's Encrypt."; $lng['serversettings']['leapiversion']['description'] = "Chose between ACME v1 and ACME v2 implementation for Let's Encrypt.";
$lng['error']['nowildcardwithletsencryptv2'] = 'Let\'s Encrypt can only validate wildcard-domains by DNS with ACME v2, sorry. Please set the ServerAlias to WWW or disable it completely'; $lng['error']['nowildcardwithletsencryptv2'] = 'Let\'s Encrypt can only validate wildcard-domains by DNS with ACME v2, sorry. Please set the ServerAlias to WWW or disable it completely';
$lng['admin']['phpsettings']['pass_authorizationheader'] = 'Add "-pass-header Authorization" / "CGIPassAuth On" to vhosts'; $lng['admin']['phpsettings']['pass_authorizationheader'] = 'Add "-pass-header Authorization" / "CGIPassAuth On" to vhosts';
$lng['serversettings']['ssl']['ssl_protocols']['title'] = 'Configure the TLS protocol version';
$lng['serversettings']['ssl']['ssl_protocols']['description'] = 'This is a list of ssl protocols that you want (or don\'t want) to use when using SSL. <b>Notice:</b> Some older browsers may not support the newest protcol versions.<br /><br /><b>Default value is:</b><pre>TLSv1, TLSv1.2</pre>';


@@ -1743,3 +1743,5 @@ $lng['serversettings']['leapiversion']['title'] = "Wähle Let's Encrypt ACME Imp
$lng['serversettings']['leapiversion']['description'] = "Wähle zwischen ACME v1 und ACME v2 Implementierung von Let's Encrypt."; $lng['serversettings']['leapiversion']['description'] = "Wähle zwischen ACME v1 und ACME v2 Implementierung von Let's Encrypt.";
$lng['error']['nowildcardwithletsencryptv2'] = 'Let\'s Encrypt kann in ACME v2 Wildcard-Domains nur via DNS validieren, sorry. Bitte den ServerAlias auf WWW setzen oder deaktivieren'; $lng['error']['nowildcardwithletsencryptv2'] = 'Let\'s Encrypt kann in ACME v2 Wildcard-Domains nur via DNS validieren, sorry. Bitte den ServerAlias auf WWW setzen oder deaktivieren';
$lng['admin']['phpsettings']['pass_authorizationheader'] = 'Füge "-pass-header Authorization" / "CGIPassAuth On" in Vhosts ein'; $lng['admin']['phpsettings']['pass_authorizationheader'] = 'Füge "-pass-header Authorization" / "CGIPassAuth On" in Vhosts ein';
$lng['serversettings']['ssl']['ssl_protocols']['title'] = 'SSL Protokollversion festlegen';
$lng['serversettings']['ssl']['ssl_protocols']['description'] = 'Dies ist eine Liste von SSL/TLS Protokollversionen die genutzt werden sollen (oder auch nicht genutzt werden sollen), wenn SSL verwendet wird. <b>Hinweis:</b> Ältere Browser sind möglicherweise nicht vollständig zum neusten Protokoll kompatibel.<br /><br /><b>Standard-Wert ist:</b><pre>TLSv1, TLSv1.2</pre>';


@@ -454,7 +454,7 @@ class apache extends HttpConfigBase
} else { } else {
$this->virtualhosts_data[$vhosts_filename] .= ' SSLEngine On' . "\n"; $this->virtualhosts_data[$vhosts_filename] .= ' SSLEngine On' . "\n";
$this->virtualhosts_data[$vhosts_filename] .= ' SSLProtocol -ALL +TLSv1 +TLSv1.2' . "\n"; $this->virtualhosts_data[$vhosts_filename] .= ' SSLProtocol -ALL' . str_replace(","," +", Settings::Get('system.ssl_protocols')) . "\n";
if (Settings::Get('system.apache24') == '1') { if (Settings::Get('system.apache24') == '1') {
if (Settings::Get('system.http2_support') == '1') { if (Settings::Get('system.http2_support') == '1') {
$this->virtualhosts_data[$vhosts_filename] .= ' Protocols h2 http/1.1' . "\n"; $this->virtualhosts_data[$vhosts_filename] .= ' Protocols h2 http/1.1' . "\n";
@@ -892,7 +892,7 @@ class apache extends HttpConfigBase
if ($domain['ssl_cert_file'] != '') { if ($domain['ssl_cert_file'] != '') {
$vhost_content .= ' SSLEngine On' . "\n"; $vhost_content .= ' SSLEngine On' . "\n";
$vhost_content .= ' SSLProtocol -ALL +TLSv1 +TLSv1.2' . "\n"; $vhost_content .= ' SSLProtocol -ALL' . str_replace(","," +", Settings::Get('system.ssl_protocols')) . "\n";
if (Settings::Get('system.apache24') == '1') { if (Settings::Get('system.apache24') == '1') {
if (isset($domain['http2']) && $domain['http2'] == '1') { if (isset($domain['http2']) && $domain['http2'] == '1') {
$vhost_content .= ' Protocols h2 http/1.1' . "\n"; $vhost_content .= ' Protocols h2 http/1.1' . "\n";
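Review bot: The new SSLProtocol line in the first hunk (`' SSLProtocol -ALL' . str_replace(","," +", ...)`) drops the space and '+' before the first protocol: with the default 'TLSv1,TLSv1.2' it emits `SSLProtocol -ALLTLSv1 +TLSv1.2`, which Apache rejects as an illegal protocol name, so every SSL vhost generated after this change fails to load. The same construction appears in the second hunk of this file. Change both to `$this->virtualhosts_data[$vhosts_filename] .= ' SSLProtocol -ALL +' . str_replace(',', ' +', Settings::Get('system.ssl_protocols')) . "\n";` (and the `$vhost_content` equivalent), and guard against an empty setting, since `-ALL +` with nothing after it is equally invalid. Both enclosing methods start and end outside the hunks.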


@@ -623,7 +623,7 @@ class nginx extends HttpConfigBase
} else { } else {
// obsolete: ssl on now belongs to the listen block as 'ssl' at the end // obsolete: ssl on now belongs to the listen block as 'ssl' at the end
// $sslsettings .= "\t" . 'ssl on;' . "\n"; // $sslsettings .= "\t" . 'ssl on;' . "\n";
$sslsettings .= "\t" . 'ssl_protocols TLSv1 TLSv1.2;' . "\n"; $sslsettings .= "\t" . 'ssl_protocols ' . str_replace(",", " ", Settings::Get('system.ssl_protocols')) . ';' . "\n";
$sslsettings .= "\t" . 'ssl_ciphers ' . Settings::Get('system.ssl_cipher_list') . ';' . "\n"; $sslsettings .= "\t" . 'ssl_ciphers ' . Settings::Get('system.ssl_cipher_list') . ';' . "\n";
$sslsettings .= "\t" . 'ssl_ecdh_curve secp384r1;' . "\n"; $sslsettings .= "\t" . 'ssl_ecdh_curve secp384r1;' . "\n";
$sslsettings .= "\t" . 'ssl_prefer_server_ciphers on;' . "\n"; $sslsettings .= "\t" . 'ssl_prefer_server_ciphers on;' . "\n";
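Review bot: The ssl_protocols line (`'ssl_protocols ' . str_replace(",", " ", Settings::Get('system.ssl_protocols')) . ';'`) emits `ssl_protocols ;` when the setting is empty, which nginx rejects at config test and which therefore takes every SSL vhost down with it. Either validate the setting where it is stored or fall back here, e.g. `$protocols = trim(str_replace(',', ' ', Settings::Get('system.ssl_protocols')));` followed by `$sslsettings .= "\t" . 'ssl_protocols ' . ($protocols !== '' ? $protocols : 'TLSv1 TLSv1.2') . ';' . "\n";`, which preserves the previously hard-coded list as the safety net. The enclosing method starts and ends outside the hunk.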