From 9ffe21723f6ed3d7e0511d713cd35ddf700efadc Mon Sep 17 00:00:00 2001
From: Michael Seevogel <git@michaelseevogel.de>
Date: Wed, 7 Oct 2020 19:34:32 +0200
Subject: [PATCH] added extra checks for TLS 1.3 availability

---
 server/conf/nginx_vhost.conf.master           |  8 +++--
 server/lib/classes/system.inc.php             | 29 +++++++++++++++++--
 server/plugins-available/nginx_plugin.inc.php | 19 ++++++++++--
 3 files changed, 48 insertions(+), 8 deletions(-)

diff --git a/server/conf/nginx_vhost.conf.master b/server/conf/nginx_vhost.conf.master
index f6addcc44d..1752b83ab5 100644
--- a/server/conf/nginx_vhost.conf.master
+++ b/server/conf/nginx_vhost.conf.master
@@ -19,10 +19,12 @@ server {
 </tmpl_if>
 </tmpl_if>
 
-<tmpl_if name='openssl_version' op='>=' value='1.1.1' format='version'>
-<tmpl_var name="ssl_comment">ssl_protocols TLSv1.3 TLSv1.2;
+<tmpl_if name='tls13_available' op='>=' value='1.1.1' format='version'>
+<tmpl_var name="ssl_protocols">
+	ssl_protocols TLSv1.3 TLSv1.2;
 <tmpl_else>
-<tmpl_var name="ssl_comment">ssl_protocols TLSv1.2;
+<tmpl_var name="ssl_protocols">
+	ssl_protocols TLSv1.2;
 </tmpl_if>
 		# ssl_ciphers 'ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS';
 		# ssl_prefer_server_ciphers on;
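Review bot: The rewritten template drops the `<tmpl_var name="ssl_comment">` prefix that previously commented out `ssl_protocols` for a vhost without SSL, and the new `<tmpl_var name="ssl_protocols">` is not assigned anywhere in this commit (the plugin hunk only sets `tls13_available`), so unless it is set elsewhere the `ssl_protocols` directive is now emitted unconditionally on its own line. If the variable is meant to carry the comment prefix, the lines should read `<tmpl_var name="ssl_comment">ssl_protocols TLSv1.3 TLSv1.2;` and `<tmpl_var name="ssl_comment">ssl_protocols TLSv1.2;` with the `ssl_protocols` variable removed. Otherwise a comment in the plugin stating what `ssl_protocols` is expected to hold would help the next reader. The `server {` block continues outside the hunk.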
diff --git a/server/lib/classes/system.inc.php b/server/lib/classes/system.inc.php
index bcaef1f2c4..b592211dd5 100644
--- a/server/lib/classes/system.inc.php
+++ b/server/lib/classes/system.inc.php
@@ -2094,7 +2094,8 @@ class system{
 			$app->log("Could not check OpenSSL version, openssl not found.", LOGLEVEL_DEBUG);
                         return '1.0.1';
                 }
-                exec($cmd, $output, $return_var);
+
+		exec($cmd, $output, $return_var);
                 if($return_var != 0 || !$output[0]) {
 			$app->log("Could not check OpenSSL version, openssl did not return any data.", LOGLEVEL_WARN);
                         return '1.0.1';
@@ -2106,7 +2107,31 @@ class system{
 			return '1.0.1';
                 }
 
-        }
+	}
+
+	function getnginxversion($get_minor = false) {
+		global $app;
+
+		if($this->is_installed('nginx')) $cmd = 'nginx -v 2>&1';
+		else {
+                        $app->log("Could not check Nginx version, nginx not found.", LOGLEVEL_DEBUG);
+                        return false;
+                }
+
+		exec($cmd, $output, $return_var);
+
+		if($return_var != 0 || !$output[0]) {
+                        $app->log("Could not check Nginx version, nginx did not return any data.", LOGLEVEL_WARN);
+                        return false;
+		}
+
+		if(preg_match('/nginx version: nginx\/\s*(\d+)(\.(\d+)(\.(\d+))*)?(\D|$)/i', $output[0], $matches)) {
+			return $matches[1] . (isset($matches[3]) ? '.' . $matches[3] : '') . (isset($matches[5]) && $get_minor == true ? '.' . $matches[5] : '');
+                } else {
+                        $app->log("Could not check Nginx version, did not find version string in nginx output.", LOGLEVEL_WARN);
+                        return false;
+                }
+	}
 
 	function getapacheversion($get_minor = false) {
 		global $app;
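Review bot: `!$output[0]` in `getnginxversion` raises an undefined-index notice when `exec` fills no lines at all (only `$return_var` is checked before it); the guard should be `if($return_var != 0 || empty($output) || !$output[0]) {`, and the same guard in `getopensslversion` in the hunk above has the same gap. The new method returns `false` on every failure path while `getopensslversion` falls back to `'1.0.1'`, so a caller that feeds the result straight into `version_compare` gets a bool coerced to `''`; either document this in a docblock (`@return string|false version as major.minor[.patch], false when nginx is missing or its output is unparsable`) or use a sentinel consistent with the sibling. `$get_minor == true` should be `$get_minor === true`, and the body mixes tab and space indentation. The hunk opens inside `getopensslversion` and ends in the signature of `getapacheversion`, both of which continue outside it.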
diff --git a/server/plugins-available/nginx_plugin.inc.php b/server/plugins-available/nginx_plugin.inc.php
index bdc2c0e276..5439efeb2f 100644
--- a/server/plugins-available/nginx_plugin.inc.php
+++ b/server/plugins-available/nginx_plugin.inc.php
@@ -1621,10 +1621,23 @@ class nginx_plugin {
 		// set logging variable
 		$vhost_data['logging'] = $web_config['logging'];
 
-		$app->log("Found OpenSSL version: " . $app->system->getopensslversion($get_minor = true), LOGLEVEL_DEBUG);
+                // check if OpenSSL and Nginx supports TLS 1.3
+		//$app->log("Found OpenSSL version: " . $app->system->getopensslversion($get_minor = true), LOGLEVEL_DEBUG);
+		$nginx_version = $app->system->getnginxversion(true);
+		$openssl_version = $app->system->getopensslversion(true);
 
-		$vhost_data['openssl_version'] = $app->system->getopensslversion($get_minor = true);
-		
+		$app->system->exec_safe('nginx -V 2>&1', $output, $return_var);
+
+		if(preg_match('/built with OpenSSL\s*(\d+)(\.(\d+)(\.(\d+))*)?(\D|$)/i', $output[0], $matches)) {
+                        $nginx_openssl_ver = $matches[1] . (isset($matches[3]) ? '.' . $matches[3] : '') . (isset($matches[5]) ? '.' . $matches[5] : '');
+                } 
+
+		if(version_compare($app->system->getopensslversion(true), $nginx_openssl_ver, '>=')) {
+			if((version_compare($app->system->getnginxversion(true), '1.13.0', '>=') && version_compare($app->system->getopensslversion(true), '1.1.1', '>='))) {
+				$app->log('Enable TLS 1.3 for: '.$domain, LOGLEVEL_DEBUG);
+				$vhost_data['tls13_available'] = $app->system->getopensslversion(true);
+			}
+		}
 		$tpl->setVar($vhost_data);
 
 		$server_alias = array();
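Review bot: The `built with OpenSSL` regex is applied to `$output[0]` only, but the first line of `nginx -V` is the `nginx version:` line, so the match never succeeds, `$nginx_openssl_ver` stays undefined and `version_compare(..., null, '>=')` evaluates true, leaving the outer guard vacuous. The guard also compares the wrong pair: what decides TLS 1.3 support is that the OpenSSL nginx is built/running with is >= 1.1.1, not that the system OpenSSL is >= nginx's build-time one, so a statically linked older OpenSSL would still get TLS 1.3 enabled. `getopensslversion`/`getnginxversion` are each spawned several more times although `$nginx_version`/`$openssl_version` already hold the results, `$return_var` from `nginx -V` is never checked, and the commented-out log line should be deleted rather than kept. Whether `exec_safe` fills `$output` by reference is not visible here, so the rewrite below uses plain `exec` on the fixed command string as `getnginxversion` does in the same commit. The enclosing method continues outside the hunk.
```php
// check if OpenSSL and Nginx support TLS 1.3
$nginx_version = $app->system->getnginxversion(true);
$openssl_version = $app->system->getopensslversion(true);

// "built with OpenSSL" is not on the first line of `nginx -V`, so scan the whole output
exec('nginx -V 2>&1', $output, $return_var);

$nginx_openssl_ver = '';
if($return_var == 0 && preg_match('/built with OpenSSL\s*(\d+)(\.(\d+)(\.(\d+))*)?(\D|$)/i', implode("\n", $output), $matches)) {
	$nginx_openssl_ver = $matches[1] . (isset($matches[3]) ? '.' . $matches[3] : '') . (isset($matches[5]) ? '.' . $matches[5] : '');
}

// TLS 1.3 needs nginx >= 1.13.0 linked against an OpenSSL >= 1.1.1
if($nginx_version !== false && $nginx_openssl_ver !== ''
	&& version_compare($nginx_version, '1.13.0', '>=')
	&& version_compare($nginx_openssl_ver, '1.1.1', '>=')) {
	$app->log('Enable TLS 1.3 for: '.$domain, LOGLEVEL_DEBUG);
	$vhost_data['tls13_available'] = $nginx_openssl_ver;
}
// … unchanged: $tpl->setVar($vhost_data); …
```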
-- 
GitLab