diff options
| author | Simon Rettberg | 2023-09-20 15:14:22 +0200 |
|---|---|---|
| committer | Simon Rettberg | 2023-09-20 15:14:22 +0200 |
| commit | c83bca780c56d985e7e8261da843c0bedc57c1fe (patch) | |
| tree | ca49639708933cae44b7e0e0b3ca94c93deee4cf | |
| parent | [SSPS] Update NetBoot OS download URL (diff) | |
| download | setup-scripts-c83bca780c56d985e7e8261da843c0bedc57c1fe.tar.gz setup-scripts-c83bca780c56d985e7e8261da843c0bedc57c1fe.tar.xz setup-scripts-c83bca780c56d985e7e8261da843c0bedc57c1fe.zip | |
[SSPS] Update ciphers for lighttpd config
| -rwxr-xr-x | satellit_installer/static_files/lighttpd/usr/share/lighttpd/auto-ssl.sh | 44 |
1 files changed, 36 insertions, 8 deletions
diff --git a/satellit_installer/static_files/lighttpd/usr/share/lighttpd/auto-ssl.sh b/satellit_installer/static_files/lighttpd/usr/share/lighttpd/auto-ssl.sh index fef2268..7cc1dfc 100755 --- a/satellit_installer/static_files/lighttpd/usr/share/lighttpd/auto-ssl.sh +++ b/satellit_installer/static_files/lighttpd/usr/share/lighttpd/auto-ssl.sh @@ -7,6 +7,12 @@ declare -rg REDIR_FLAG="/etc/lighttpd/redirect.flag" declare -rg INTERNAL_BOTH="/etc/ssl/openslx/lighttpd/server.pem" declare -g INTERNAL_CHAIN="/etc/ssl/openslx/lighttpd/ca-chain.pem" +if ! [ -s "$DHPARAM" ]; then + curl -sS -m 10 "https://ssl-config.mozilla.org/ffdhe2048.txt" > "$DHPARAM" +fi +if ! openssl dhparam -noout -in "$DHPARAM" >&2; then + rm -f -- "$DHPARAM" +fi if ! [ -s "$DHPARAM" ] && ! ps aux | grep 'openssl dhparam' | grep -q -v grep; then openssl dhparam -out "$DHPARAM" 2048 &>/dev/null & fi @@ -15,6 +21,10 @@ fi wait +if ! openssl dhparam -noout -in "$DHPARAM" >&2; then + rm -f -- "$DHPARAM" +fi + [ -s "$INTERNAL_CHAIN" ] || INTERNAL_CHAIN= readonly INTERNAL_CHAIN @@ -22,25 +32,43 @@ if [ -f "/usr/lib/lighttpd/mod_openssl.so" ]; then echo 'server.modules += ( "mod_openssl" )' fi +debian="$( lsb_release -sr )" +debian="${debian%%.*}" + cat <<HEREDOC \$SERVER["socket"] == ":443" { protocol = "https://" ssl.engine = "enable" ssl.disable-client-renegotiation = "enable" - # ECDH/ECDHE ciphers curve strength (see "openssl ecparam -list_curves") - ssl.ec-curve = "secp384r1" - # Compression is by default off at compile-time, but use if needed - # ssl.use-compression = "disable" +HEREDOC - # intermediate configuration, tweak to your needs +if (( debian == 9 )); then + cat <<HEREDOC ssl.use-sslv2 = "disable" ssl.use-sslv3 = "disable" - ssl.honor-cipher-order = "enable" - ssl.cipher-list = "ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS" + ssl.honor-cipher-order = "disable" + ssl.cipher-list = "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-CHACHA20-POLY1305" + +HEREDOC +elif (( debian == 10 )); then + cat <<HEREDOC + ssl.openssl.ssl-conf-cmd = ("MinProtocol" => "TLSv1.2", "Options" => "-SessionTicket") + ssl.honor-cipher-order = "disable" + ssl.cipher-list = "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-CHACHA20-POLY1305" + +HEREDOC +else # if (( debian >= 11 )); then + cat <<HEREDOC + ssl.openssl.ssl-conf-cmd = ("MinProtocol" => "TLSv1.2") + ssl.openssl.ssl-conf-cmd += ("Options" => "-ServerPreference") + ssl.openssl.ssl-conf-cmd += ("CipherString" => "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-CHACHA20-POLY1305") - # pemfile is cert+privkey, ca-file is the intermediate chain in one file HEREDOC +fi + +echo " # pemfile is cert+privkey, ca-file is the intermediate chain in one file" + if [ -s "$PUBLIC_BOTH" ]; then echo " ssl.pemfile = \"${PUBLIC_BOTH}\"" [ -s "$CHAIN" ] && echo " ssl.ca-file = \"${CHAIN}\"" |