Commit 8a8b9d25 authored by Marius Burkard's avatar Marius Burkard

Merge branch 'nginx_tls1_3' into 'develop'

Fixing tls1.3 in nginx config file

Closes #5971

See merge request ispconfig/ispconfig3!1364
parents 2780c48b 1e01e0dd
......@@ -19,11 +19,9 @@ server {
</tmpl_if>
</tmpl_if>
<tmpl_if name='tls1.3_supported' op='==' value='y'>
<tmpl_var name="ssl_protocols">
<tmpl_if name='tls13_supported' op='==' value='y'>
ssl_protocols TLSv1.3 TLSv1.2;
<tmpl_else>
<tmpl_var name="ssl_protocols">
ssl_protocols TLSv1.2;
</tmpl_if>
# ssl_ciphers 'ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS';
......
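Review bot: The `tls13_supported` branch on the new `<tmpl_if>` line gives a template reader no hint of where that flag comes from or why the fallback branch pins `ssl_protocols TLSv1.2;`, so the two branches look arbitrary in isolation. I would add a template comment above the conditional, e.g. `# tls13_supported is set by nginx_plugin only when the installed nginx (>= 1.13.0) and its OpenSSL (>= 1.1.1) can negotiate TLS 1.3; otherwise TLS 1.2 only is written.` The surrounding `server {` block starts before this hunk; the rendered page has lost the +/- markers, so I cannot tell from here whether the `<tmpl_var name="ssl_protocols">` lines survive on the new side — if they were dropped, any per-site protocol override that variable carried is no longer emitted.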
......@@ -1631,16 +1631,14 @@ class nginx_plugin {
// set logging variable
$vhost_data['logging'] = $web_config['logging'];
// Provide TLS 1.3 support if Nginx version is >= 1.13.0 and when it was linked against OpenSSL(>=1.1.1) at build time.
$output = $app->system->exec_safe('nginx -V 2>&1');
if(preg_match('/built with OpenSSL\s*(\d+)(\.(\d+)(\.(\d+))*)?(\D|$)/i', $output[0], $matches)) {
$nginx_openssl_ver = $matches[1] . (isset($matches[3]) ? '.' . $matches[3] : '') . (isset($matches[5]) ? '.' . $matches[5] : '');
}
if((version_compare($app->system->getnginxversion(true), '1.13.0', '>=') && version_compare($nginx_openssl_ver, '1.1.1', '>='))) {
// Provide TLS 1.3 support if Nginx version is >= 1.13.0 and when it was linked against OpenSSL(>=1.1.1) at build time and when it was linked against OpenSSL(>=1.1.1) at runtime.
$nginx_openssl_build_ver = $app->system->exec_safe('nginx -V 2>&1 | grep \'built with OpenSSL\' | sed \'s/.*built\([a-zA-Z ]*\)OpenSSL \([0-9.]*\).*/\2/\'');
$nginx_openssl_running_ver = $app->system->exec_safe('nginx -V 2>&1 | grep \'running with OpenSSL\' | sed \'s/.*running\([a-zA-Z ]*\)OpenSSL \([0-9.]*\).*/\2/\'');
if(version_compare($app->system->getnginxversion(true), '1.13.0', '>=')
&& version_compare($nginx_openssl_build_ver, '1.1.1', '>=')
&& (empty($nginx_openssl_running_ver) || version_compare($nginx_openssl_running_ver, '1.1.1', '>='))) {
$app->log('Enable TLS 1.3 for: '.$domain, LOGLEVEL_DEBUG);
$vhost_data['tls1.3_supported'] = 'y';
$vhost_data['tls13_supported'] = "y";
}
$tpl->setVar($vhost_data);
......
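Review bot: When either `grep | sed` pipeline on the two new `exec_safe` lines yields an empty string (no `built with OpenSSL` line, e.g. a LibreSSL build, or a change in `nginx -V` wording that the hand-written sed pattern does not match), `version_compare('', '1.1.1', '>=')` is false and the vhost silently falls back to TLS 1.2 with no log entry, which makes that outcome hard to diagnose from the debug log. I would add an else branch to the version check: `} else {` / `$app->log('TLS 1.3 not enabled for: '.$domain.' (nginx >= 1.13.0 with OpenSSL >= 1.1.1 not detected)', LOGLEVEL_DEBUG);` / `}`. Both calls also pass a whole shell pipeline as the command string, so `exec_safe`'s argument escaping contributes nothing here; that is acceptable only because the string is constant, and a comment such as `// constant command, no user input reaches the shell` would make that explicit for the next maintainer. If `exec_safe` returns raw output rather than `exec()`'s trimmed last line, a trailing newline would reach `version_compare`; wrapping the captured values in `trim()` is cheap insurance either way. The enclosing method begins before this hunk and continues after `$tpl->setVar($vhost_data);`.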