From b032f5b2ba89213500397dae619eb586cc99bd8b Mon Sep 17 00:00:00 2001
From: Michael Kaufmann
Date: Sun, 18 Nov 2018 20:34:53 +0100
Subject: [PATCH] add dhparams for webserver/ssl, refs #519
Signed-off-by: Michael Kaufmann
---
 actions/admin/settings/130.webserver.php | 11 +++++++++++
 install/froxlor.sql | 3 ++-
 install/updates/froxlor/0.10/update_0.10.inc.php | 13 +++++++++++--
 install/updates/froxlor/0.9/update_0.9.inc.php | 5 +++++
 lib/version.inc.php | 2 +-
 lng/english.lng.php | 2 ++
 lng/german.lng.php | 2 ++
 scripts/jobs/cron_tasks.inc.http.10.apache.php | 14 ++++++++++++++
 scripts/jobs/cron_tasks.inc.http.20.lighttpd.php | 16 ++++++++++++++++
 scripts/jobs/cron_tasks.inc.http.30.nginx.php | 7 +++++++
 10 files changed, 71 insertions(+), 4 deletions(-)
diff --git a/actions/admin/settings/130.webserver.php b/actions/admin/settings/130.webserver.php
index 84e81f18..bd3f615f 100644
--- a/actions/admin/settings/130.webserver.php
+++ b/actions/admin/settings/130.webserver.php
@@ -73,6 +73,17 @@ return array(
 ),
 'visible' => Settings::Get('system.use_ssl')
 ),
+ 'system_dhparams_file' => array(
+ 'label' => $lng['serversettings']['dhparams_file'],
+ 'settinggroup' => 'system',
+ 'varname' => 'dhparams_file',
+ 'type' => 'string',
+ 'string_type' => 'file',
+ 'string_emptyallowed' => true,
+ 'default' => '',
+ 'save_method' => 'storeSettingField',
+ 'visible' => Settings::Get('system.use_ssl')
+ ),
 'system_httpuser' => array(
 'label' => $lng['admin']['webserver_user'],
 'settinggroup' => 'system',
diff --git a/install/froxlor.sql b/install/froxlor.sql
index 2d15204b..4b362704 100644
--- a/install/froxlor.sql
+++ b/install/froxlor.sql
@@ -654,6 +654,7 @@ opcache.interned_strings_buffer'),
 ('system', 'logfiles_type', '1'),
 ('system', 'logfiles_piped', '0'),
 ('system', 'logfiles_script', ''),
+ ('system', 'dhparams_file', ''),
 ('api', 'enabled', '0'),
 ('panel', 'decimal_places', '4'),
 ('panel', 'adminmail', 'admin@SERVERNAME'),
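Review bot: The new `system_dhparams_file` entry accepts an arbitrary path string, and the cron hunks in this same patch later pass that path to `openssl dhparam -out` whenever the file is absent, so the setting effectively names a file the cron will create; the validation behind `'string_type' => 'file'` is not visible here, so confirm it rejects relative paths and anything that is not a plain absolute file path before the value reaches the cron. A comment on the entry would record that dependency, e.g. `// written to by the cron (openssl dhparam) when the file is missing - keep path validation strict`. The enclosing `return array(` starts and ends outside the hunk.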
@@ -687,7 +688,7 @@ opcache.interned_strings_buffer'),
 ('panel', 'password_special_char', '!?<>§$%+#=@'),
 ('panel', 'customer_hide_options', ''),
 ('panel', 'version', '0.10.0'),
- ('panel', 'db_version', '201809280');
+ ('panel', 'db_version', '201811180');
 DROP TABLE IF EXISTS `panel_tasks`;
diff --git a/install/updates/froxlor/0.10/update_0.10.inc.php b/install/updates/froxlor/0.10/update_0.10.inc.php
index 57bce60e..870b39cc 100644
--- a/install/updates/froxlor/0.10/update_0.10.inc.php
+++ b/install/updates/froxlor/0.10/update_0.10.inc.php
@@ -21,8 +21,8 @@ if (! defined('_CRON_UPDATE')) {
 }
 }
-if (isFroxlorVersion('0.9.39.5')) {
- showUpdateStep("Updating from 0.9.39.5 to 0.10.0", false);
+if (isFroxlorVersion('0.9.40')) {
+ showUpdateStep("Updating from 0.9.40 to 0.10.0", false);
 showUpdateStep("Adding new api keys table");
 Database::query("DROP TABLE IF EXISTS `api_keys`;");
@@ -68,3 +68,12 @@ if (isFroxlorVersion('0.9.39.5')) {
 updateToVersion('0.10.0');
 }
+
+if (isDatabaseVersion('201809280')) {
+
+ showUpdateStep("Adding dhparams-file setting");
+ Settings::AddNew("system.dhparams_file", '');
+ lastStepStatus(0);
+
+ updateToDbVersion('201811180');
+}
diff --git a/install/updates/froxlor/0.9/update_0.9.inc.php b/install/updates/froxlor/0.9/update_0.9.inc.php
index 6aeea723..158c40af 100644
--- a/install/updates/froxlor/0.9/update_0.9.inc.php
+++ b/install/updates/froxlor/0.9/update_0.9.inc.php
@@ -4060,3 +4060,8 @@ if (isDatabaseVersion('201809180')) {
 updateToDbVersion('201809280');
 }
+
+if (isFroxlorVersion('0.9.39.5')) {
+ showUpdateStep("Updating from 0.9.39.5 to 0.9.40", false);
+ updateToVersion('0.9.40');
+}
diff --git a/lib/version.inc.php b/lib/version.inc.php
index 11d224ce..91928d06 100644
--- a/lib/version.inc.php
+++ b/lib/version.inc.php 
@@ -19,7 +19,7 @@ $version = '0.10.0';
 // Database version (YYYYMMDDC where C is a daily counter)
-$dbversion = '201809280';
+$dbversion = '201811180';
 // Distribution branding-tag (used for Debian etc.)
 $branding = '';
diff --git a/lng/english.lng.php b/lng/english.lng.php
index a3250e0b..6607c09c 100644
--- a/lng/english.lng.php
+++ b/lng/english.lng.php
@@ -2148,3 +2148,5 @@ $lng['apikeys']['valid_until'] = 'Valid until';
 $lng['apikeys']['valid_until_help'] = 'Date until valid, format YYYY-MM-DD';
 $lng['serversettings']['enable_api']['title'] = 'Enable external API usage';
 $lng['serversettings']['enable_api']['description'] = 'In order to use the froxlor API you need to activate this option. For more detailed information see https://api.froxlor.org/';
+$lng['serversettings']['dhparams_file']['title'] = 'DHParams file (Diffie–Hellman key exchange)';
+$lng['serversettings']['dhparams_file']['description'] = 'If a dhparams.pem file is specified here it will be included in the webserver configuration. Leave empty to disable.
Example: /etc/apache2/ssl/dhparams.pem

If the file does not exist, it will be created automatically with the following command: openssl dhparam -out /etc/apache2/ssl/dhparams.pem 4096. It is recommended to create the file prior to specifying it here as the creation takes quite a while and blocks the cronjob.';
diff --git a/lng/german.lng.php b/lng/german.lng.php
index 751b8dc6..cca60a30 100644
--- a/lng/german.lng.php
+++ b/lng/german.lng.php
@@ -1796,3 +1796,5 @@ $lng['apikeys']['valid_until'] = 'Gültig bis';
 $lng['apikeys']['valid_until_help'] = 'Datum Gültigkeitsende, Format JJJJ-MM-TT';
 $lng['serversettings']['enable_api']['title'] = 'Aktiviere externe API Nutzung';
 $lng['serversettings']['enable_api']['description'] = 'Um die froxlor API nutzen zu können, muss diese Option aktiviert sein. Für detaillierte Informationen siehe https://api.froxlor.org/';
+$lng['serversettings']['dhparams_file']['title'] = 'DHParams Datei (Diffie–Hellman key exchange)';
+$lng['serversettings']['dhparams_file']['description'] = 'Wird eine dhparams.pem Datei hier angegeben, wir sie in die Webserver Konfiguration mit eingefügt.
Beispiel: /etc/apache2/ssl/dhparams.pem

Existiert die Datei nicht, wird sie wie folgt erstellt: openssl dhparam -out /etc/apache2/ssl/dhparams.pem 4096. Es wird empfohlen die Datei zu erstellen, bevor sie hier angegeben wird, da die Erstellung längere Zeit in Anspruch nimmt und den Cronjob blockiert.';
diff --git a/scripts/jobs/cron_tasks.inc.http.10.apache.php b/scripts/jobs/cron_tasks.inc.http.10.apache.php
index 4294ecf5..566f34ae 100644
--- a/scripts/jobs/cron_tasks.inc.http.10.apache.php
+++ b/scripts/jobs/cron_tasks.inc.http.10.apache.php
@@ -474,6 +474,13 @@ class apache extends HttpConfigBase
 if (Settings::Get('system.http2_support') == '1') {
 $this->virtualhosts_data[$vhosts_filename] .= ' Protocols h2 http/1.1' . "\n";
 }
+ if (!empty(Settings::Get('system.dhparams_file'))) {
+ $dhparams = makeCorrectFile(Settings::Get('system.dhparams_file'));
+ if (!file_exists($dhparams)) {
+ safe_exec('openssl dhparam -out '.escapeshellarg($dhparams).' 4096');
+ }
+ $this->virtualhosts_data[$vhosts_filename] .= ' SSLOpenSSLConfCmd DHParameters "' . $dhparams . '"' . "\n";
+ }
 $this->virtualhosts_data[$vhosts_filename] .= ' SSLCompression Off' . "\n";
 }
 // this makes it more secure, thx to Marcel (08/2013)
@@ -937,6 +944,13 @@ class apache extends HttpConfigBase
 if (isset($domain['http2']) && $domain['http2'] == '1' && Settings::Get('system.http2_support') == '1') {
 $vhost_content .= ' Protocols h2 http/1.1' . "\n";
 }
+ if (!empty(Settings::Get('system.dhparams_file'))) {
+ $dhparams = makeCorrectFile(Settings::Get('system.dhparams_file'));
+ if (!file_exists($dhparams)) {
+ safe_exec('openssl dhparam -out '.escapeshellarg($dhparams).' 4096');
+ }
+ $vhost_content .= ' SSLOpenSSLConfCmd DHParameters "' . $dhparams . '"' . "\n";
+ }
 $vhost_content .= ' SSLCompression Off' . "\n";
 }
 // this makes it more secure, thx to Marcel (08/2013)
diff --git a/scripts/jobs/cron_tasks.inc.http.20.lighttpd.php b/scripts/jobs/cron_tasks.inc.http.20.lighttpd.php
index 1df73682..10fb96be 100644 
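Review bot: When `safe_exec` does not produce the file (openssl missing, target directory absent or unwritable, or the cron killed during the long 4096-bit generation), the `SSLOpenSSLConfCmd DHParameters` directive is still appended with a path that does not exist and Apache will refuse to start on the next reload; the same gap is in the second hunk at -937 and in the lighttpd and nginx hunks of this patch. Re-check after generation and only emit the directive when the file is present, e.g. wrap the append in `if (file_exists($dhparams)) { ... }` and surface the failure when it is not. The identical six-line block is repeated five times across the three cron files; a single helper on `HttpConfigBase` that resolves the setting, generates once and returns the path or null would keep that failure handling in one place (the base class is not visible here). `SSLOpenSSLConfCmd` requires Apache 2.4.8+ built against OpenSSL 1.0.2+, so older installs need the setting documented as unsupported or the directive skipped. The enclosing methods start and end outside both hunks.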
--- a/scripts/jobs/cron_tasks.inc.http.20.lighttpd.php
+++ b/scripts/jobs/cron_tasks.inc.http.20.lighttpd.php
@@ -243,6 +243,14 @@ class lighttpd extends HttpConfigBase
 } else {
 $this->lighttpd_data[$vhost_filename] .= 'ssl.engine = "enable"' . "\n";
 $this->lighttpd_data[$vhost_filename] .= 'ssl.use-compression = "disable"' . "\n";
+ if (!empty(Settings::Get('system.dhparams_file'))) {
+ $dhparams = makeCorrectFile(Settings::Get('system.dhparams_file'));
+ if (!file_exists($dhparams)) {
+ safe_exec('openssl dhparam -out '.escapeshellarg($dhparams).' 4096');
+ }
+ $this->lighttpd_data[$vhost_filename] .= 'ssl.dh-file = "' . $dhparams . '"' . "\n";
+ $this->lighttpd_data[$vhost_filename] .= 'ssl.ec-curve = "secp384r1"' . "\n";
+ }
 $this->lighttpd_data[$vhost_filename] .= 'ssl.use-sslv2 = "disable"' . "\n";
 $this->lighttpd_data[$vhost_filename] .= 'ssl.use-sslv3 = "disable"' . "\n";
 $this->lighttpd_data[$vhost_filename] .= 'ssl.cipher-list = "' . Settings::Get('system.ssl_cipher_list') . '"' . "\n";
@@ -552,6 +560,14 @@ class lighttpd extends HttpConfigBase
 // ssl.engine only necessary once in the ip/port vhost (SERVER['socket'] condition)
 //$ssl_settings .= 'ssl.engine = "enable"' . "\n";
 $ssl_settings .= 'ssl.use-compression = "disable"' . "\n";
+ if (!empty(Settings::Get('system.dhparams_file'))) {
+ $dhparams = makeCorrectFile(Settings::Get('system.dhparams_file'));
+ if (!file_exists($dhparams)) {
+ safe_exec('openssl dhparam -out '.escapeshellarg($dhparams).' 4096');
+ }
+ $ssl_settings .= 'ssl.dh-file = "' . $dhparams . '"' . "\n";
+ $ssl_settings .= 'ssl.ec-curve = "secp384r1"' . "\n";
+ }
 $ssl_settings .= 'ssl.use-sslv2 = "disable"' . "\n";
 $ssl_settings .= 'ssl.use-sslv3 = "disable"' . "\n";
 $ssl_settings .= 'ssl.cipher-list = "' . Settings::Get('system.ssl_cipher_list') . '"' . "\n";
diff --git a/scripts/jobs/cron_tasks.inc.http.30.nginx.php b/scripts/jobs/cron_tasks.inc.http.30.nginx.php
index 4f01a2b9..eeb8fbde 100644 
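Review bot: `ssl.ec-curve = "secp384r1"` is emitted only inside the `dhparams_file` branch although the EC curve has nothing to do with the DH parameter file, so the curve lighttpd negotiates silently changes depending on whether an admin fills in that setting; the nginx hunk in this patch emits its `ssl_ecdh_curve` unconditionally. Move the `ssl.ec-curve` line below the closing `}` of the `if` in both hunks (-243 and -552), or add a comment stating why it is tied to the setting, e.g. `// ec-curve is independent of the DH file and is emitted for every SSL vhost`. The path is interpolated into a double-quoted lighttpd value without escaping; `makeCorrectFile` is not visible here, so confirm it cannot yield a `"` or backslash that would break the generated config. The enclosing methods start and end outside both hunks.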
--- a/scripts/jobs/cron_tasks.inc.http.30.nginx.php
+++ b/scripts/jobs/cron_tasks.inc.http.30.nginx.php
@@ -625,6 +625,13 @@ class nginx extends HttpConfigBase
 // $sslsettings .= "\t" . 'ssl on;' . "\n";
 $sslsettings .= "\t" . 'ssl_protocols ' . str_replace(",", " ", Settings::Get('system.ssl_protocols')) . ';' . "\n";
 $sslsettings .= "\t" . 'ssl_ciphers ' . Settings::Get('system.ssl_cipher_list') . ';' . "\n";
+ if (!empty(Settings::Get('system.dhparams_file'))) {
+ $dhparams = makeCorrectFile(Settings::Get('system.dhparams_file'));
+ if (!file_exists($dhparams)) {
+ safe_exec('openssl dhparam -out '.escapeshellarg($dhparams).' 4096');
+ }
+ $sslsettings .= 'ssl_dhparam ' . $dhparams . ';' . "\n";
+ }
 $sslsettings .= "\t" . 'ssl_ecdh_curve secp384r1;' . "\n";
 $sslsettings .= "\t" . 'ssl_prefer_server_ciphers on;' . "\n";
 $sslsettings .= "\t" . 'ssl_certificate ' . makeCorrectFile($domain_or_ip['ssl_cert_file']) . ';' . "\n";
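Review bot: The added `ssl_dhparam` line is the only `$sslsettings .=` in this block without the leading `"\t"` that every neighbouring line carries, so the generated server block gets one unindented directive; make it `$sslsettings .= "\t" . 'ssl_dhparam ' . $dhparams . ';' . "\n";`. As in the apache and lighttpd hunks, the directive is still emitted when `safe_exec` fails to create the file, which makes nginx reject the configuration on the next reload; guard the append with a second `file_exists($dhparams)` check. The enclosing method starts and ends outside the hunk.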