From c83bca780c56d985e7e8261da843c0bedc57c1fe Mon Sep 17 00:00:00 2001
From: Simon Rettberg
Date: Wed, 20 Sep 2023 15:14:22 +0200
Subject: [SSPS] Update ciphers for lighttpd config

---
 .../lighttpd/usr/share/lighttpd/auto-ssl.sh | 44 ++++++++++++++++++----
 1 file changed, 36 insertions(+), 8 deletions(-)

diff --git a/satellit_installer/static_files/lighttpd/usr/share/lighttpd/auto-ssl.sh b/satellit_installer/static_files/lighttpd/usr/share/lighttpd/auto-ssl.sh
index fef2268..7cc1dfc 100755
--- a/satellit_installer/static_files/lighttpd/usr/share/lighttpd/auto-ssl.sh
+++ b/satellit_installer/static_files/lighttpd/usr/share/lighttpd/auto-ssl.sh
@@ -7,6 +7,12 @@ declare -rg REDIR_FLAG="/etc/lighttpd/redirect.flag"
 declare -rg INTERNAL_BOTH="/etc/ssl/openslx/lighttpd/server.pem"
 declare -g INTERNAL_CHAIN="/etc/ssl/openslx/lighttpd/ca-chain.pem"
+if ! [ -s "$DHPARAM" ]; then
+ curl -sS -m 10 "https://ssl-config.mozilla.org/ffdhe2048.txt" > "$DHPARAM"
+fi
+if ! openssl dhparam -noout -in "$DHPARAM" >&2; then
+ rm -f -- "$DHPARAM"
+fi
 if ! [ -s "$DHPARAM" ] && ! ps aux | grep 'openssl dhparam' | grep -q -v grep; then
 openssl dhparam -out "$DHPARAM" 2048 &>/dev/null &
 fi
@@ -15,6 +21,10 @@ fi
 wait
+if ! openssl dhparam -noout -in "$DHPARAM" >&2; then
+ rm -f -- "$DHPARAM"
+fi
+
 [ -s "$INTERNAL_CHAIN" ] || INTERNAL_CHAIN=
 readonly INTERNAL_CHAIN
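Review bot: The downloaded group is only checked for parseability, so the `openssl dhparam -noout -in "$DHPARAM"` guard added in this hunk accepts any syntactically valid DH parameters the remote host, a MITM on the fetch, or an HTTP error body with PEM-looking content happens to produce, not specifically the RFC 7919 ffdhe2048 group the URL promises. Since ffdhe2048 is a fixed public value, pin it: embed the PEM in the script in place of the curl fetch, or compare the fetched file against a known digest before keeping it, e.g. `[ "$(sha256sum < "$DHPARAM" | cut -d' ' -f1)" = "<ffdhe2048-sha256-placeholder>" ] || rm -f -- "$DHPARAM"`. Adding `-check` to the validation (`openssl dhparam -noout -check -in "$DHPARAM"`) would at least verify the prime and generator rather than only the encoding. `curl -f` (`--fail`) would additionally stop an HTTP error page from being written into `$DHPARAM` in the first place, since `-sS` alone still redirects error bodies to the file.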
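Review bot: The validation block added after `wait` is a verbatim copy of the one added before the generation fallback in the previous hunk; a small helper would keep the two in sync, e.g. `dhparam_valid() { openssl dhparam -noout -check -in "$1" >/dev/null 2>&1; }` used as `dhparam_valid "$DHPARAM" || rm -f -- "$DHPARAM"`. The `>&2` on the current check only moves openssl's (normally empty) stdout to stderr; its diagnostics already go to stderr, so the redirect can be dropped, or replaced by `>/dev/null` if the intent was to keep the install log quiet. If `$DHPARAM` still does not exist at this point, for instance because the `ps`-guarded generation was skipped in favour of another process or the backgrounded `openssl dhparam` failed with its output sent to `/dev/null`, the script carries on without DH parameters and only openssl's own error line hints at it; a `printf 'warning: no valid DH parameters at %s\n' "$DHPARAM" >&2` after the check would make that state visible.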
@@ -22,25 +32,43 @@ if [ -f "/usr/lib/lighttpd/mod_openssl.so" ]; then echo 'server.modules += ( "mod_openssl" )' fi +debian="$( lsb_release -sr )" +debian="${debian%%.*}" + cat < "TLSv1.2", "Options" => "-SessionTicket") + ssl.honor-cipher-order = "disable" + ssl.cipher-list = "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-CHACHA20-POLY1305" + +HEREDOC +else # if (( debian >= 11 )); then + cat < "TLSv1.2") + ssl.openssl.ssl-conf-cmd += ("Options" => "-ServerPreference") + ssl.openssl.ssl-conf-cmd += ("CipherString" => "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-CHACHA20-POLY1305") - # pemfile is cert+privkey, ca-file is the intermediate chain in one file HEREDOC +fi + +echo " # pemfile is cert+privkey, ca-file is the intermediate chain in one file" + if [ -s "$PUBLIC_BOTH" ]; then echo " ssl.pemfile = \"${PUBLIC_BOTH}\"" [ -s "$CHAIN" ] && echo " ssl.ca-file = \"${CHAIN}\"" -- cgit v1.2.3-55-g7522
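Review bot: `debian="$( lsb_release -sr )"` followed by `debian="${debian%%.*}"` yields an empty or non-numeric string when `lsb_release` is not installed or reports something like `testing` or `n/a`; the branch condition itself is lost in the collapsed heredoc on this page, but the `else # if (( debian >= 11 )); then` comment suggests an arithmetic test, which treats an identifier-like value as 0 (and errors on characters such as `/`) and so silently falls through to the legacy `ssl.openssl.ssl-conf-cmd` configuration. Guard the value explicitly, e.g. `[[ "$debian" =~ ^[0-9]+$ ]] || debian=0`, or read `VERSION_ID` from `/etc/os-release`, which does not depend on the `lsb-release` package being present. The remainder of the new heredoc is garbled in this rendering (text between `<` and `>` is missing), so the TLS option lines could not be fully reviewed; the `cat` heredoc blocks and the `if [ -s "$PUBLIC_BOTH" ]` block continue past the hunk.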