diff --git a/actions/admin/settings/130.webserver.php b/actions/admin/settings/130.webserver.php
index 84e81f18..bd3f615f 100644
--- a/actions/admin/settings/130.webserver.php
+++ b/actions/admin/settings/130.webserver.php
@@ -73,6 +73,17 @@ return array(
),
'visible' => Settings::Get('system.use_ssl')
),
+ 'system_dhparams_file' => array(
+ 'label' => $lng['serversettings']['dhparams_file'],
+ 'settinggroup' => 'system',
+ 'varname' => 'dhparams_file',
+ 'type' => 'string',
+ 'string_type' => 'file',
+ 'string_emptyallowed' => true,
+ 'default' => '',
+ 'save_method' => 'storeSettingField',
+ 'visible' => Settings::Get('system.use_ssl')
+ ),
'system_httpuser' => array(
'label' => $lng['admin']['webserver_user'],
'settinggroup' => 'system',
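Review bot: Whatever path is stored through this setting is later handed to the webserver cron, which runs `openssl dhparam -out` on it when the file is missing, so the cron process ends up creating a file at an admin-chosen location; whether `'string_type' => 'file'` already rejects relative paths or checks the parent directory is not visible in this hunk. If it does not, the save path should at least require an absolute path and a writable parent directory before the value is accepted. The enclosing `return array(` begins before the hunk.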
diff --git a/install/froxlor.sql b/install/froxlor.sql
index 2d15204b..4b362704 100644
--- a/install/froxlor.sql
+++ b/install/froxlor.sql
@@ -654,6 +654,7 @@ opcache.interned_strings_buffer'),
('system', 'logfiles_type', '1'),
('system', 'logfiles_piped', '0'),
('system', 'logfiles_script', ''),
+ ('system', 'dhparams_file', ''),
('api', 'enabled', '0'),
('panel', 'decimal_places', '4'),
('panel', 'adminmail', 'admin@SERVERNAME'),
@@ -687,7 +688,7 @@ opcache.interned_strings_buffer'),
('panel', 'password_special_char', '!?<>§$%+#=@'),
('panel', 'customer_hide_options', ''),
('panel', 'version', '0.10.0'),
- ('panel', 'db_version', '201809280');
+ ('panel', 'db_version', '201811180');
DROP TABLE IF EXISTS `panel_tasks`;
diff --git a/install/updates/froxlor/0.10/update_0.10.inc.php b/install/updates/froxlor/0.10/update_0.10.inc.php
index 57bce60e..870b39cc 100644
--- a/install/updates/froxlor/0.10/update_0.10.inc.php
+++ b/install/updates/froxlor/0.10/update_0.10.inc.php
@@ -21,8 +21,8 @@ if (! defined('_CRON_UPDATE')) {
}
}
-if (isFroxlorVersion('0.9.39.5')) {
- showUpdateStep("Updating from 0.9.39.5 to 0.10.0", false);
+if (isFroxlorVersion('0.9.40')) {
+ showUpdateStep("Updating from 0.9.40 to 0.10.0", false);
showUpdateStep("Adding new api keys table");
Database::query("DROP TABLE IF EXISTS `api_keys`;");
@@ -68,3 +68,12 @@ if (isFroxlorVersion('0.9.39.5')) {
updateToVersion('0.10.0');
}
+
+if (isDatabaseVersion('201809280')) {
+
+ showUpdateStep("Adding dhparams-file setting");
+ Settings::AddNew("system.dhparams_file", '');
+ lastStepStatus(0);
+
+ updateToDbVersion('201811180');
+}
diff --git a/install/updates/froxlor/0.9/update_0.9.inc.php b/install/updates/froxlor/0.9/update_0.9.inc.php
index 6aeea723..158c40af 100644
--- a/install/updates/froxlor/0.9/update_0.9.inc.php
+++ b/install/updates/froxlor/0.9/update_0.9.inc.php
@@ -4060,3 +4060,8 @@ if (isDatabaseVersion('201809180')) {
updateToDbVersion('201809280');
}
+
+if (isFroxlorVersion('0.9.39.5')) {
+ showUpdateStep("Updating from 0.9.39.5 to 0.9.40", false);
+ updateToVersion('0.9.40');
+}
diff --git a/lib/version.inc.php b/lib/version.inc.php
index 11d224ce..91928d06 100644
--- a/lib/version.inc.php
+++ b/lib/version.inc.php
@@ -19,7 +19,7 @@
$version = '0.10.0';
// Database version (YYYYMMDDC where C is a daily counter)
-$dbversion = '201809280';
+$dbversion = '201811180';
// Distribution branding-tag (used for Debian etc.)
$branding = '';
diff --git a/lng/english.lng.php b/lng/english.lng.php
index a3250e0b..6607c09c 100644
--- a/lng/english.lng.php
+++ b/lng/english.lng.php
@@ -2148,3 +2148,5 @@ $lng['apikeys']['valid_until'] = 'Valid until';
$lng['apikeys']['valid_until_help'] = 'Date until valid, format YYYY-MM-DD';
$lng['serversettings']['enable_api']['title'] = 'Enable external API usage';
$lng['serversettings']['enable_api']['description'] = 'In order to use the froxlor API you need to activate this option. For more detailed information see https://api.froxlor.org/';
+$lng['serversettings']['dhparams_file']['title'] = 'DHParams file (Diffie–Hellman key exchange)';
+$lng['serversettings']['dhparams_file']['description'] = 'If a dhparams.pem file is specified here it will be included in the webserver configuration. Leave empty to disable.
Example: /etc/apache2/ssl/dhparams.pem
If the file does not exist, it will be created automatically with the following command: openssl dhparam -out /etc/apache2/ssl/dhparams.pem 4096. It is recommended to create the file prior to specifying it here as the creation takes quite a while and blocks the cronjob.';
diff --git a/lng/german.lng.php b/lng/german.lng.php
index 751b8dc6..cca60a30 100644
--- a/lng/german.lng.php
+++ b/lng/german.lng.php
@@ -1796,3 +1796,5 @@ $lng['apikeys']['valid_until'] = 'Gültig bis';
$lng['apikeys']['valid_until_help'] = 'Datum Gültigkeitsende, Format JJJJ-MM-TT';
$lng['serversettings']['enable_api']['title'] = 'Aktiviere externe API Nutzung';
$lng['serversettings']['enable_api']['description'] = 'Um die froxlor API nutzen zu können, muss diese Option aktiviert sein. Für detaillierte Informationen siehe https://api.froxlor.org/';
+$lng['serversettings']['dhparams_file']['title'] = 'DHParams Datei (Diffie–Hellman key exchange)';
+$lng['serversettings']['dhparams_file']['description'] = 'Wird eine dhparams.pem Datei hier angegeben, wir sie in die Webserver Konfiguration mit eingefügt.
Beispiel: /etc/apache2/ssl/dhparams.pem
Existiert die Datei nicht, wird sie wie folgt erstellt: openssl dhparam -out /etc/apache2/ssl/dhparams.pem 4096. Es wird empfohlen die Datei zu erstellen, bevor sie hier angegeben wird, da die Erstellung längere Zeit in Anspruch nimmt und den Cronjob blockiert.';
diff --git a/scripts/jobs/cron_tasks.inc.http.10.apache.php b/scripts/jobs/cron_tasks.inc.http.10.apache.php
index 4294ecf5..566f34ae 100644
--- a/scripts/jobs/cron_tasks.inc.http.10.apache.php
+++ b/scripts/jobs/cron_tasks.inc.http.10.apache.php
@@ -474,6 +474,13 @@ class apache extends HttpConfigBase
if (Settings::Get('system.http2_support') == '1') {
$this->virtualhosts_data[$vhosts_filename] .= ' Protocols h2 http/1.1' . "\n";
}
+ if (!empty(Settings::Get('system.dhparams_file'))) {
+ $dhparams = makeCorrectFile(Settings::Get('system.dhparams_file'));
+ if (!file_exists($dhparams)) {
+ safe_exec('openssl dhparam -out '.escapeshellarg($dhparams).' 4096');
+ }
+ $this->virtualhosts_data[$vhosts_filename] .= ' SSLOpenSSLConfCmd DHParameters "' . $dhparams . '"' . "\n";
+ }
$this->virtualhosts_data[$vhosts_filename] .= ' SSLCompression Off' . "\n";
}
// this makes it more secure, thx to Marcel (08/2013)
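Review bot: The outcome of the `safe_exec('openssl dhparam ...')` call is never checked, yet the `SSLOpenSSLConfCmd DHParameters` directive is appended regardless, so if generation fails (unwritable directory, missing openssl binary, cron interrupted during the long 4096-bit run) the written vhost references a file that does not exist and Apache will refuse to load the configuration on the next reload. Guard the directive on the file actually being present after the generation attempt, `if (file_exists($dhparams)) { $this->virtualhosts_data[$vhosts_filename] .= ' SSLOpenSSLConfCmd DHParameters "' . $dhparams . '"' . "\n"; }`, and report the failure through whatever logging the cron already uses. The same unchecked pattern is copied verbatim into the second apache hunk (`$vhost_content`), both lighttpd hunks and the nginx hunk; since all three classes extend `HttpConfigBase`, a single protected helper there that returns the validated path or null would remove the six copies. Note also that `SSLOpenSSLConfCmd` is only understood by httpd 2.4.8+ built against OpenSSL 1.0.2+; the project's supported Apache floor is not visible here, so older installations would fail on an unknown directive. The enclosing method starts and ends outside the hunk.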
@@ -937,6 +944,13 @@ class apache extends HttpConfigBase
if (isset($domain['http2']) && $domain['http2'] == '1' && Settings::Get('system.http2_support') == '1') {
$vhost_content .= ' Protocols h2 http/1.1' . "\n";
}
+ if (!empty(Settings::Get('system.dhparams_file'))) {
+ $dhparams = makeCorrectFile(Settings::Get('system.dhparams_file'));
+ if (!file_exists($dhparams)) {
+ safe_exec('openssl dhparam -out '.escapeshellarg($dhparams).' 4096');
+ }
+ $vhost_content .= ' SSLOpenSSLConfCmd DHParameters "' . $dhparams . '"' . "\n";
+ }
$vhost_content .= ' SSLCompression Off' . "\n";
}
// this makes it more secure, thx to Marcel (08/2013)
diff --git a/scripts/jobs/cron_tasks.inc.http.20.lighttpd.php b/scripts/jobs/cron_tasks.inc.http.20.lighttpd.php
index 1df73682..10fb96be 100644
--- a/scripts/jobs/cron_tasks.inc.http.20.lighttpd.php
+++ b/scripts/jobs/cron_tasks.inc.http.20.lighttpd.php
@@ -243,6 +243,14 @@ class lighttpd extends HttpConfigBase
} else {
$this->lighttpd_data[$vhost_filename] .= 'ssl.engine = "enable"' . "\n";
$this->lighttpd_data[$vhost_filename] .= 'ssl.use-compression = "disable"' . "\n";
+ if (!empty(Settings::Get('system.dhparams_file'))) {
+ $dhparams = makeCorrectFile(Settings::Get('system.dhparams_file'));
+ if (!file_exists($dhparams)) {
+ safe_exec('openssl dhparam -out '.escapeshellarg($dhparams).' 4096');
+ }
+ $this->lighttpd_data[$vhost_filename] .= 'ssl.dh-file = "' . $dhparams . '"' . "\n";
+ $this->lighttpd_data[$vhost_filename] .= 'ssl.ec-curve = "secp384r1"' . "\n";
+ }
$this->lighttpd_data[$vhost_filename] .= 'ssl.use-sslv2 = "disable"' . "\n";
$this->lighttpd_data[$vhost_filename] .= 'ssl.use-sslv3 = "disable"' . "\n";
$this->lighttpd_data[$vhost_filename] .= 'ssl.cipher-list = "' . Settings::Get('system.ssl_cipher_list') . '"' . "\n";
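Review bot: `ssl.ec-curve = "secp384r1"` is emitted only inside the `system.dhparams_file` branch, although the ECDHE curve choice has nothing to do with a DH parameter file; the nginx hunk of this commit writes its `ssl_ecdh_curve secp384r1;` unconditionally, so this hunk and the second lighttpd hunk (`$ssl_settings`) silently change the negotiated curve depending on an unrelated setting. Move that line out of the `if` block so it sits next to `ssl.use-compression`, or drop it from this change if the intent is only the DH file. The enclosing method begins outside the hunk.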
@@ -552,6 +560,14 @@ class lighttpd extends HttpConfigBase
// ssl.engine only necessary once in the ip/port vhost (SERVER['socket'] condition)
//$ssl_settings .= 'ssl.engine = "enable"' . "\n";
$ssl_settings .= 'ssl.use-compression = "disable"' . "\n";
+ if (!empty(Settings::Get('system.dhparams_file'))) {
+ $dhparams = makeCorrectFile(Settings::Get('system.dhparams_file'));
+ if (!file_exists($dhparams)) {
+ safe_exec('openssl dhparam -out '.escapeshellarg($dhparams).' 4096');
+ }
+ $ssl_settings .= 'ssl.dh-file = "' . $dhparams . '"' . "\n";
+ $ssl_settings .= 'ssl.ec-curve = "secp384r1"' . "\n";
+ }
$ssl_settings .= 'ssl.use-sslv2 = "disable"' . "\n";
$ssl_settings .= 'ssl.use-sslv3 = "disable"' . "\n";
$ssl_settings .= 'ssl.cipher-list = "' . Settings::Get('system.ssl_cipher_list') . '"' . "\n";
diff --git a/scripts/jobs/cron_tasks.inc.http.30.nginx.php b/scripts/jobs/cron_tasks.inc.http.30.nginx.php
index 4f01a2b9..eeb8fbde 100644
--- a/scripts/jobs/cron_tasks.inc.http.30.nginx.php
+++ b/scripts/jobs/cron_tasks.inc.http.30.nginx.php
@@ -625,6 +625,13 @@ class nginx extends HttpConfigBase
// $sslsettings .= "\t" . 'ssl on;' . "\n";
$sslsettings .= "\t" . 'ssl_protocols ' . str_replace(",", " ", Settings::Get('system.ssl_protocols')) . ';' . "\n";
$sslsettings .= "\t" . 'ssl_ciphers ' . Settings::Get('system.ssl_cipher_list') . ';' . "\n";
+ if (!empty(Settings::Get('system.dhparams_file'))) {
+ $dhparams = makeCorrectFile(Settings::Get('system.dhparams_file'));
+ if (!file_exists($dhparams)) {
+ safe_exec('openssl dhparam -out '.escapeshellarg($dhparams).' 4096');
+ }
+ $sslsettings .= 'ssl_dhparam ' . $dhparams . ';' . "\n";
+ }
$sslsettings .= "\t" . 'ssl_ecdh_curve secp384r1;' . "\n";
$sslsettings .= "\t" . 'ssl_prefer_server_ciphers on;' . "\n";
$sslsettings .= "\t" . 'ssl_certificate ' . makeCorrectFile($domain_or_ip['ssl_cert_file']) . ';' . "\n";
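Review bot: The `ssl_dhparam` line is the only directive in this block written without the leading `"\t" .` that every neighbouring line (`ssl_ciphers`, `ssl_ecdh_curve`, `ssl_certificate`) carries, so the generated server block contains one unindented line; use `$sslsettings .= "\t" . 'ssl_dhparam ' . $dhparams . ';' . "\n";`. As in the other webserver hunks the file is referenced even when the `openssl dhparam` generation just attempted did not produce it, in which case nginx rejects the configuration; only emit the directive when `file_exists($dhparams)` holds after the generation attempt. The enclosing method begins and ends outside the hunk.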