authorSimon Rettberg2023-09-20 15:14:22 +0200
committerSimon Rettberg2023-09-20 15:14:22 +0200
commitc83bca780c56d985e7e8261da843c0bedc57c1fe (patch)
treeca49639708933cae44b7e0e0b3ca94c93deee4cf /satellit_installer/static_files/lighttpd
parent[SSPS] Update NetBoot OS download URL (diff)
[SSPS] Update ciphers for lighttpd config
Diffstat (limited to 'satellit_installer/static_files/lighttpd')
-rwxr-xr-xsatellit_installer/static_files/lighttpd/usr/share/lighttpd/auto-ssl.sh44
1 files changed, 36 insertions, 8 deletions
diff --git a/satellit_installer/static_files/lighttpd/usr/share/lighttpd/auto-ssl.sh b/satellit_installer/static_files/lighttpd/usr/share/lighttpd/auto-ssl.sh
index fef2268..7cc1dfc 100755
--- a/satellit_installer/static_files/lighttpd/usr/share/lighttpd/auto-ssl.sh
+++ b/satellit_installer/static_files/lighttpd/usr/share/lighttpd/auto-ssl.sh
@@ -7,6 +7,12 @@ declare -rg REDIR_FLAG="/etc/lighttpd/redirect.flag"
declare -rg INTERNAL_BOTH="/etc/ssl/openslx/lighttpd/server.pem"
declare -g INTERNAL_CHAIN="/etc/ssl/openslx/lighttpd/ca-chain.pem"
+if ! [ -s "$DHPARAM" ]; then
+ curl -sS -m 10 "https://ssl-config.mozilla.org/ffdhe2048.txt" > "$DHPARAM"
+fi
+if ! openssl dhparam -noout -in "$DHPARAM" >&2; then
+ rm -f -- "$DHPARAM"
+fi
if ! [ -s "$DHPARAM" ] && ! ps aux | grep 'openssl dhparam' | grep -q -v grep; then
openssl dhparam -out "$DHPARAM" 2048 &>/dev/null &
fi
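Review bot: The new validation `if ! openssl dhparam -noout -in "$DHPARAM" >&2; then` only confirms that the file parses as DH parameters; it does not check that the group itself is sane, so a truncated-then-repaired or substituted download that is still syntactically valid PEM would be accepted as the server's DH group. Adding `-check` makes openssl run its parameter checks on the group: `if ! openssl dhparam -check -noout -in "$DHPARAM" >&2; then`. The download would also be safer as `curl -sSf -m 10 "https://ssl-config.mozilla.org/ffdhe2048.txt" > "$DHPARAM"` so an HTTP error body is never written into `$DHPARAM` in the first place, even though the parse check would remove it afterwards. The same three-line check is repeated after `wait` in the second hunk; a small `check_dhparam` function called from both places would keep them in sync. Since the file is fetched over HTTPS, curl's default certificate verification is the only integrity control here; the RFC 7919 ffdhe2048 group is fixed, so if stronger assurance is wanted the downloaded file could be compared against a copy shipped with the installer instead of trusted as downloaded.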
@@ -15,6 +21,10 @@ fi
wait
+if ! openssl dhparam -noout -in "$DHPARAM" >&2; then
+ rm -f -- "$DHPARAM"
+fi
+
[ -s "$INTERNAL_CHAIN" ] || INTERNAL_CHAIN=
readonly INTERNAL_CHAIN
@@ -22,25 +32,43 @@ if [ -f "/usr/lib/lighttpd/mod_openssl.so" ]; then
echo 'server.modules += ( "mod_openssl" )'
fi
+debian="$( lsb_release -sr )"
+debian="${debian%%.*}"
+
cat <<HEREDOC
\$SERVER["socket"] == ":443" {
protocol = "https://"
ssl.engine = "enable"
ssl.disable-client-renegotiation = "enable"
- # ECDH/ECDHE ciphers curve strength (see "openssl ecparam -list_curves")
- ssl.ec-curve = "secp384r1"
- # Compression is by default off at compile-time, but use if needed
- # ssl.use-compression = "disable"
+HEREDOC
- # intermediate configuration, tweak to your needs
+if (( debian == 9 )); then
+ cat <<HEREDOC
ssl.use-sslv2 = "disable"
ssl.use-sslv3 = "disable"
- ssl.honor-cipher-order = "enable"
- ssl.cipher-list = "ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS"
+ ssl.honor-cipher-order = "disable"
+ ssl.cipher-list = "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-CHACHA20-POLY1305"
+
+HEREDOC
+elif (( debian == 10 )); then
+ cat <<HEREDOC
+ ssl.openssl.ssl-conf-cmd = ("MinProtocol" => "TLSv1.2", "Options" => "-SessionTicket")
+ ssl.honor-cipher-order = "disable"
+ ssl.cipher-list = "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-CHACHA20-POLY1305"
+
+HEREDOC
+else # if (( debian >= 11 )); then
+ cat <<HEREDOC
+ ssl.openssl.ssl-conf-cmd = ("MinProtocol" => "TLSv1.2")
+ ssl.openssl.ssl-conf-cmd += ("Options" => "-ServerPreference")
+ ssl.openssl.ssl-conf-cmd += ("CipherString" => "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-CHACHA20-POLY1305")
- # pemfile is cert+privkey, ca-file is the intermediate chain in one file
HEREDOC
+fi
+
+echo " # pemfile is cert+privkey, ca-file is the intermediate chain in one file"
+
if [ -s "$PUBLIC_BOTH" ]; then
echo " ssl.pemfile = \"${PUBLIC_BOTH}\""
[ -s "$CHAIN" ] && echo " ssl.ca-file = \"${CHAIN}\""