From 54987a9ce57f4186940c2e00422cf10b3b0ff8c7 Mon Sep 17 00:00:00 2001 From: Michael Seevogel Date: Wed, 7 Oct 2020 15:35:05 +0200 Subject: [PATCH 1/7] try to detect the correct OpenSSL version and activate TLS 1.3 if available for Nginx systems --- server/conf/nginx_vhost.conf.master | 7 +- .../100-monitor_needs_restarting.inc.php | 243 ++++++++++++++++++ server/lib/classes/system.inc.php | 21 ++ server/plugins-available/nginx_plugin.inc.php | 4 + 4 files changed, 274 insertions(+), 1 deletion(-) create mode 100644 server/lib/classes/cron.d/100-monitor_needs_restarting.inc.php diff --git a/server/conf/nginx_vhost.conf.master b/server/conf/nginx_vhost.conf.master index bfa94f8fb3..f6addcc44d 100644 --- a/server/conf/nginx_vhost.conf.master +++ b/server/conf/nginx_vhost.conf.master @@ -18,7 +18,12 @@ server { listen : ssl proxy_protocol; - ssl_protocols TLSv1.2; + + +ssl_protocols TLSv1.3 TLSv1.2; + +ssl_protocols TLSv1.2; + # ssl_ciphers 'ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS'; # ssl_prefer_server_ciphers on; diff --git a/server/lib/classes/cron.d/100-monitor_needs_restarting.inc.php b/server/lib/classes/cron.d/100-monitor_needs_restarting.inc.php new file mode 100644 index 0000000000..cab5f68edb --- /dev/null +++ b/server/lib/classes/cron.d/100-monitor_needs_restarting.inc.php @@ -0,0 +1,243 @@ +uses('getconf'); + $server_config = $app->getconf->get_server_config($conf['server_id'], 'server'); + if($server_config['monitor_system_updates'] == 'n') return; + + /* used for all monitor cronjobs */ + $app->load('monitor_tools'); + $this->_tools = new monitor_tools(); + /* end global section for monitor cronjobs */ + + /* the id of the server as int */ + $server_id = intval($conf['server_id']); + + /** The type of the data */ + + + $type = 'system_update'; + + /* This monitoring is only available on Debian or Ubuntu */ + if (file_exists('/etc/debian_version')) { + + /* + * first update the "apt database" + */ + shell_exec('while fuser /var/lib/apt/lists/lock >/dev/null 2>&1 ; do sleep 2; done; apt-get update'); + + /* + * Then test the upgrade. + * if there is any output, then there is a needed update + */ + $aptData = shell_exec('while fuser /var/lib/dpkg/lock >/dev/null 2>&1 || fuser /var/lib/apt/lists/lock >/dev/null 2>&1 ; do sleep 2; done; apt-get -s -qq dist-upgrade'); + if ($aptData == '') { + /* There is nothing to update! */ + $state = 'ok'; + } else { + /* + * There is something to update! this is in most cases not critical, so we can + * do a system-update once a month or so... + */ + $state = 'info'; + } + + /* + * Fetch the output + */ + $data['output'] = $aptData; + } elseif (file_exists('/etc/gentoo-release')) { + + /* + * first update the portage tree + */ + + // In keeping with gentoo's rsync policy, don't update to frequently (every four hours - taken from http://www.gentoo.org/doc/en/source_mirrors.xml) + $do_update = true; + if (file_exists('/usr/portage/metadata/timestamp.chk')) { + $datetime = file_get_contents('/usr/portage/metadata/timestamp.chk'); + $datetime = trim($datetime); + + $dstamp = strtotime($datetime); + if ($dstamp) { + $checkat = $dstamp + 14400; // + 4hours + if (mktime() < $checkat) { + $do_update = false; + } + } + } + + if ($do_update) { + shell_exec('emerge --sync --quiet'); + } + + /* + * Then test the upgrade. + * if there is any output, then there is a needed update + */ + $emergeData = shell_exec('glsa-check -t affected'); + if ($emergeData == '') { + /* There is nothing to update! */ + $state = 'ok'; + $data['output'] = 'No unapplied GLSA\'s found on the system.'; + } else { + /* There is something to update! */ + $state = 'info'; + $data['output'] = shell_exec('glsa-check -pv --nocolor affected 2>/dev/null'); + } + } elseif (file_exists('/etc/SuSE-release')) { + + /* + * update and find the upgrade. + * if there is any output, then there is a needed update + */ + $aptData = shell_exec('zypper -q lu'); + if ($aptData == '') { + /* There is nothing to update! */ + $state = 'ok'; + } else { + /* + * There is something to update! this is in most cases not critical, so we can + * do a system-update once a month or so... + */ + $state = 'info'; + } + + /* + * Fetch the output + */ + $data['output'] = shell_exec('zypper lu'); + + } elseif(file_exists('/etc/redhat-release')) { + /* + * update and find the upgrade. + * if there is any output, then there is a needed update + */ + + /* try to figure out the default package manager first */ + if(file_exists('/usr/bin/dnf') && (is_link('/usr/bin/yum'))) { + $rhPkgMgr = 'dnf'; + } elseif(file_exists('/usr/bin/dnf') && (!file_exists('/usr/bin/yum'))) { + $rhPkgMgr = 'dnf'; + } else { + $rhPkgMgr = 'yum'; + } + + $aptData = shell_exec($rhPkgMgr. ' -q list updates'); + + if ($aptData == '') { + /* There is nothing to update! */ + $state = 'ok'; + } else { + /* + * There is something to update! this is in most cases not critical, so we can + * do a system-update once a month or so... + */ + $state = 'info'; + } + + /* + * Fetch the output + */ + + $data['output'] = shell_exec($rhPkgMgr. ' -q list updates'); + + } else { + /* + * It is not Debian/Ubuntu, so there is no data and no state + * + * no_state, NOT unknown, because "unknown" is shown as state + * inside the GUI. no_state is hidden. + * + * We have to write NO DATA inside the DB, because the GUI + * could not know, if there is any dat, or not... + */ + $state = 'no_state'; + $data['output'] = ''; + } + + $res = array(); + $res['server_id'] = $server_id; + $res['type'] = $type; + $res['data'] = $data; + $res['state'] = $state; + + //* Ensure that output is encoded so that it does not break the serialize + //$res['data']['output'] = htmlentities($res['data']['output']); + $res['data']['output'] = htmlentities($res['data']['output'], ENT_QUOTES, 'UTF-8'); + + /* + * Insert the data into the database + */ + $sql = 'REPLACE INTO monitor_data (server_id, type, created, data, state) ' . + 'VALUES (?, ?, UNIX_TIMESTAMP(), ?, ?)'; + $app->dbmaster->query($sql, $res['server_id'], $res['type'], serialize($res['data']), $res['state']); + + /* The new data is written, now we can delete the old one */ + $this->_tools->delOldRecords($res['type'], $res['server_id']); + + parent::onRunJob(); + } + + /* this function is optional if it contains no custom code */ + public function onAfterRun() { + global $app; + + parent::onAfterRun(); + } + +} + +?> diff --git a/server/lib/classes/system.inc.php b/server/lib/classes/system.inc.php index 32afb9943c..bcaef1f2c4 100644 --- a/server/lib/classes/system.inc.php +++ b/server/lib/classes/system.inc.php @@ -2087,6 +2087,27 @@ class system{ } } + function getopensslversion($get_minor = false) { + global $app; + if($this->is_installed('openssl')) $cmd = 'openssl version'; + else { + $app->log("Could not check OpenSSL version, openssl not found.", LOGLEVEL_DEBUG); + return '1.0.1'; + } + exec($cmd, $output, $return_var); + if($return_var != 0 || !$output[0]) { + $app->log("Could not check OpenSSL version, openssl did not return any data.", LOGLEVEL_WARN); + return '1.0.1'; + } + if(preg_match('/OpenSSL\s*(\d+)(\.(\d+)(\.(\d+))*)?(\D|$)/i', $output[0], $matches)) { + return $matches[1] . (isset($matches[3]) ? '.' . $matches[3] : '') . (isset($matches[5]) && $get_minor == true ? '.' . $matches[5] : ''); + } else { + $app->log("Could not check OpenSSL version, did not find version string in openssl output.", LOGLEVEL_WARN); + return '1.0.1'; + } + + } + function getapacheversion($get_minor = false) { global $app; diff --git a/server/plugins-available/nginx_plugin.inc.php b/server/plugins-available/nginx_plugin.inc.php index c361d3f62f..bdc2c0e276 100644 --- a/server/plugins-available/nginx_plugin.inc.php +++ b/server/plugins-available/nginx_plugin.inc.php @@ -1621,6 +1621,10 @@ class nginx_plugin { // set logging variable $vhost_data['logging'] = $web_config['logging']; + $app->log("Found OpenSSL version: " . $app->system->getopensslversion($get_minor = true), LOGLEVEL_DEBUG); + + $vhost_data['openssl_version'] = $app->system->getopensslversion($get_minor = true); + $tpl->setVar($vhost_data); $server_alias = array(); -- GitLab From 541b7f0f47a2f597c57be8189d0f633837a39d26 Mon Sep 17 00:00:00 2001 From: Michael Seevogel Date: Wed, 7 Oct 2020 15:36:07 +0200 Subject: [PATCH 2/7] removed leftovers --- .../100-monitor_needs_restarting.inc.php | 243 ------------------ 1 file changed, 243 deletions(-) delete mode 100644 server/lib/classes/cron.d/100-monitor_needs_restarting.inc.php diff --git a/server/lib/classes/cron.d/100-monitor_needs_restarting.inc.php b/server/lib/classes/cron.d/100-monitor_needs_restarting.inc.php deleted file mode 100644 index cab5f68edb..0000000000 --- a/server/lib/classes/cron.d/100-monitor_needs_restarting.inc.php +++ /dev/null @@ -1,243 +0,0 @@ -uses('getconf'); - $server_config = $app->getconf->get_server_config($conf['server_id'], 'server'); - if($server_config['monitor_system_updates'] == 'n') return; - - /* used for all monitor cronjobs */ - $app->load('monitor_tools'); - $this->_tools = new monitor_tools(); - /* end global section for monitor cronjobs */ - - /* the id of the server as int */ - $server_id = intval($conf['server_id']); - - /** The type of the data */ - - - $type = 'system_update'; - - /* This monitoring is only available on Debian or Ubuntu */ - if (file_exists('/etc/debian_version')) { - - /* - * first update the "apt database" - */ - shell_exec('while fuser /var/lib/apt/lists/lock >/dev/null 2>&1 ; do sleep 2; done; apt-get update'); - - /* - * Then test the upgrade. - * if there is any output, then there is a needed update - */ - $aptData = shell_exec('while fuser /var/lib/dpkg/lock >/dev/null 2>&1 || fuser /var/lib/apt/lists/lock >/dev/null 2>&1 ; do sleep 2; done; apt-get -s -qq dist-upgrade'); - if ($aptData == '') { - /* There is nothing to update! */ - $state = 'ok'; - } else { - /* - * There is something to update! this is in most cases not critical, so we can - * do a system-update once a month or so... - */ - $state = 'info'; - } - - /* - * Fetch the output - */ - $data['output'] = $aptData; - } elseif (file_exists('/etc/gentoo-release')) { - - /* - * first update the portage tree - */ - - // In keeping with gentoo's rsync policy, don't update to frequently (every four hours - taken from http://www.gentoo.org/doc/en/source_mirrors.xml) - $do_update = true; - if (file_exists('/usr/portage/metadata/timestamp.chk')) { - $datetime = file_get_contents('/usr/portage/metadata/timestamp.chk'); - $datetime = trim($datetime); - - $dstamp = strtotime($datetime); - if ($dstamp) { - $checkat = $dstamp + 14400; // + 4hours - if (mktime() < $checkat) { - $do_update = false; - } - } - } - - if ($do_update) { - shell_exec('emerge --sync --quiet'); - } - - /* - * Then test the upgrade. - * if there is any output, then there is a needed update - */ - $emergeData = shell_exec('glsa-check -t affected'); - if ($emergeData == '') { - /* There is nothing to update! */ - $state = 'ok'; - $data['output'] = 'No unapplied GLSA\'s found on the system.'; - } else { - /* There is something to update! */ - $state = 'info'; - $data['output'] = shell_exec('glsa-check -pv --nocolor affected 2>/dev/null'); - } - } elseif (file_exists('/etc/SuSE-release')) { - - /* - * update and find the upgrade. - * if there is any output, then there is a needed update - */ - $aptData = shell_exec('zypper -q lu'); - if ($aptData == '') { - /* There is nothing to update! */ - $state = 'ok'; - } else { - /* - * There is something to update! this is in most cases not critical, so we can - * do a system-update once a month or so... - */ - $state = 'info'; - } - - /* - * Fetch the output - */ - $data['output'] = shell_exec('zypper lu'); - - } elseif(file_exists('/etc/redhat-release')) { - /* - * update and find the upgrade. - * if there is any output, then there is a needed update - */ - - /* try to figure out the default package manager first */ - if(file_exists('/usr/bin/dnf') && (is_link('/usr/bin/yum'))) { - $rhPkgMgr = 'dnf'; - } elseif(file_exists('/usr/bin/dnf') && (!file_exists('/usr/bin/yum'))) { - $rhPkgMgr = 'dnf'; - } else { - $rhPkgMgr = 'yum'; - } - - $aptData = shell_exec($rhPkgMgr. ' -q list updates'); - - if ($aptData == '') { - /* There is nothing to update! */ - $state = 'ok'; - } else { - /* - * There is something to update! this is in most cases not critical, so we can - * do a system-update once a month or so... - */ - $state = 'info'; - } - - /* - * Fetch the output - */ - - $data['output'] = shell_exec($rhPkgMgr. ' -q list updates'); - - } else { - /* - * It is not Debian/Ubuntu, so there is no data and no state - * - * no_state, NOT unknown, because "unknown" is shown as state - * inside the GUI. no_state is hidden. - * - * We have to write NO DATA inside the DB, because the GUI - * could not know, if there is any dat, or not... - */ - $state = 'no_state'; - $data['output'] = ''; - } - - $res = array(); - $res['server_id'] = $server_id; - $res['type'] = $type; - $res['data'] = $data; - $res['state'] = $state; - - //* Ensure that output is encoded so that it does not break the serialize - //$res['data']['output'] = htmlentities($res['data']['output']); - $res['data']['output'] = htmlentities($res['data']['output'], ENT_QUOTES, 'UTF-8'); - - /* - * Insert the data into the database - */ - $sql = 'REPLACE INTO monitor_data (server_id, type, created, data, state) ' . - 'VALUES (?, ?, UNIX_TIMESTAMP(), ?, ?)'; - $app->dbmaster->query($sql, $res['server_id'], $res['type'], serialize($res['data']), $res['state']); - - /* The new data is written, now we can delete the old one */ - $this->_tools->delOldRecords($res['type'], $res['server_id']); - - parent::onRunJob(); - } - - /* this function is optional if it contains no custom code */ - public function onAfterRun() { - global $app; - - parent::onAfterRun(); - } - -} - -?> -- GitLab From 9ffe21723f6ed3d7e0511d713cd35ddf700efadc Mon Sep 17 00:00:00 2001 From: Michael Seevogel Date: Wed, 7 Oct 2020 19:34:32 +0200 Subject: [PATCH 3/7] added extra checks for TLS 1.3 availability --- server/conf/nginx_vhost.conf.master | 8 +++-- server/lib/classes/system.inc.php | 29 +++++++++++++++++-- server/plugins-available/nginx_plugin.inc.php | 19 ++++++++++-- 3 files changed, 48 insertions(+), 8 deletions(-) diff --git a/server/conf/nginx_vhost.conf.master b/server/conf/nginx_vhost.conf.master index f6addcc44d..1752b83ab5 100644 --- a/server/conf/nginx_vhost.conf.master +++ b/server/conf/nginx_vhost.conf.master @@ -19,10 +19,12 @@ server { - -ssl_protocols TLSv1.3 TLSv1.2; + + + ssl_protocols TLSv1.3 TLSv1.2; -ssl_protocols TLSv1.2; + + ssl_protocols TLSv1.2; # ssl_ciphers 'ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS'; # ssl_prefer_server_ciphers on; diff --git a/server/lib/classes/system.inc.php b/server/lib/classes/system.inc.php index bcaef1f2c4..b592211dd5 100644 --- a/server/lib/classes/system.inc.php +++ b/server/lib/classes/system.inc.php @@ -2094,7 +2094,8 @@ class system{ $app->log("Could not check OpenSSL version, openssl not found.", LOGLEVEL_DEBUG); return '1.0.1'; } - exec($cmd, $output, $return_var); + + exec($cmd, $output, $return_var); if($return_var != 0 || !$output[0]) { $app->log("Could not check OpenSSL version, openssl did not return any data.", LOGLEVEL_WARN); return '1.0.1'; @@ -2106,7 +2107,31 @@ class system{ return '1.0.1'; } - } + } + + function getnginxversion($get_minor = false) { + global $app; + + if($this->is_installed('nginx')) $cmd = 'nginx -v 2>&1'; + else { + $app->log("Could not check Nginx version, nginx not found.", LOGLEVEL_DEBUG); + return false; + } + + exec($cmd, $output, $return_var); + + if($return_var != 0 || !$output[0]) { + $app->log("Could not check Nginx version, nginx did not return any data.", LOGLEVEL_WARN); + return false; + } + + if(preg_match('/nginx version: nginx\/\s*(\d+)(\.(\d+)(\.(\d+))*)?(\D|$)/i', $output[0], $matches)) { + return $matches[1] . (isset($matches[3]) ? '.' . $matches[3] : '') . (isset($matches[5]) && $get_minor == true ? '.' . $matches[5] : ''); + } else { + $app->log("Could not check Nginx version, did not find version string in nginx output.", LOGLEVEL_WARN); + return false; + } + } function getapacheversion($get_minor = false) { global $app; diff --git a/server/plugins-available/nginx_plugin.inc.php b/server/plugins-available/nginx_plugin.inc.php index bdc2c0e276..5439efeb2f 100644 --- a/server/plugins-available/nginx_plugin.inc.php +++ b/server/plugins-available/nginx_plugin.inc.php @@ -1621,10 +1621,23 @@ class nginx_plugin { // set logging variable $vhost_data['logging'] = $web_config['logging']; - $app->log("Found OpenSSL version: " . $app->system->getopensslversion($get_minor = true), LOGLEVEL_DEBUG); + // check if OpenSSL and Nginx supports TLS 1.3 + //$app->log("Found OpenSSL version: " . $app->system->getopensslversion($get_minor = true), LOGLEVEL_DEBUG); + $nginx_version = $app->system->getnginxversion(true); + $openssl_version = $app->system->getopensslversion(true); - $vhost_data['openssl_version'] = $app->system->getopensslversion($get_minor = true); - + $app->system->exec_safe('nginx -V 2>&1', $output, $return_var); + + if(preg_match('/built with OpenSSL\s*(\d+)(\.(\d+)(\.(\d+))*)?(\D|$)/i', $output[0], $matches)) { + $nginx_openssl_ver = $matches[1] . (isset($matches[3]) ? '.' . $matches[3] : '') . (isset($matches[5]) ? '.' . $matches[5] : ''); + } + + if(version_compare($app->system->getopensslversion(true), $nginx_openssl_ver, '>=')) { + if((version_compare($app->system->getnginxversion(true), '1.13.0', '>=') && version_compare($app->system->getopensslversion(true), '1.1.1', '>='))) { + $app->log('Enable TLS 1.3 for: '.$domain, LOGLEVEL_DEBUG); + $vhost_data['tls13_available'] = $app->system->getopensslversion(true); + } + } $tpl->setVar($vhost_data); $server_alias = array(); -- GitLab From 0fa67c4154268cdf2ed16db2204989aa4968d751 Mon Sep 17 00:00:00 2001 From: Michael Seevogel Date: Tue, 13 Oct 2020 14:16:15 +0200 Subject: [PATCH 4/7] updated Nginx OpenSSL version detection --- server/plugins-available/nginx_plugin.inc.php | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/server/plugins-available/nginx_plugin.inc.php b/server/plugins-available/nginx_plugin.inc.php index 5439efeb2f..d76ef1849a 100644 --- a/server/plugins-available/nginx_plugin.inc.php +++ b/server/plugins-available/nginx_plugin.inc.php @@ -1622,15 +1622,14 @@ class nginx_plugin { $vhost_data['logging'] = $web_config['logging']; // check if OpenSSL and Nginx supports TLS 1.3 - //$app->log("Found OpenSSL version: " . $app->system->getopensslversion($get_minor = true), LOGLEVEL_DEBUG); $nginx_version = $app->system->getnginxversion(true); $openssl_version = $app->system->getopensslversion(true); - $app->system->exec_safe('nginx -V 2>&1', $output, $return_var); + $output = $app->system->exec_safe('nginx -V 2>&1'); if(preg_match('/built with OpenSSL\s*(\d+)(\.(\d+)(\.(\d+))*)?(\D|$)/i', $output[0], $matches)) { $nginx_openssl_ver = $matches[1] . (isset($matches[3]) ? '.' . $matches[3] : '') . (isset($matches[5]) ? '.' . $matches[5] : ''); - } + } if(version_compare($app->system->getopensslversion(true), $nginx_openssl_ver, '>=')) { if((version_compare($app->system->getnginxversion(true), '1.13.0', '>=') && version_compare($app->system->getopensslversion(true), '1.1.1', '>='))) { @@ -1638,6 +1637,7 @@ class nginx_plugin { $vhost_data['tls13_available'] = $app->system->getopensslversion(true); } } + $tpl->setVar($vhost_data); $server_alias = array(); -- GitLab From 14297267b4f6f57ab38240c7645ed49828ebb6db Mon Sep 17 00:00:00 2001 From: Michael Seevogel Date: Tue, 20 Oct 2020 17:12:21 +0200 Subject: [PATCH 5/7] trimmed the code since it seems to be enough to provide TLS 1.3 when Nginx was linked against OpenSSL 1.1.1 at build time --- server/plugins-available/nginx_plugin.inc.php | 11 +++-------- 1 file changed, 3 insertions(+), 8 deletions(-) diff --git a/server/plugins-available/nginx_plugin.inc.php b/server/plugins-available/nginx_plugin.inc.php index d76ef1849a..6182c676a6 100644 --- a/server/plugins-available/nginx_plugin.inc.php +++ b/server/plugins-available/nginx_plugin.inc.php @@ -1622,20 +1622,15 @@ class nginx_plugin { $vhost_data['logging'] = $web_config['logging']; // check if OpenSSL and Nginx supports TLS 1.3 - $nginx_version = $app->system->getnginxversion(true); - $openssl_version = $app->system->getopensslversion(true); - $output = $app->system->exec_safe('nginx -V 2>&1'); if(preg_match('/built with OpenSSL\s*(\d+)(\.(\d+)(\.(\d+))*)?(\D|$)/i', $output[0], $matches)) { $nginx_openssl_ver = $matches[1] . (isset($matches[3]) ? '.' . $matches[3] : '') . (isset($matches[5]) ? '.' . $matches[5] : ''); } - if(version_compare($app->system->getopensslversion(true), $nginx_openssl_ver, '>=')) { - if((version_compare($app->system->getnginxversion(true), '1.13.0', '>=') && version_compare($app->system->getopensslversion(true), '1.1.1', '>='))) { - $app->log('Enable TLS 1.3 for: '.$domain, LOGLEVEL_DEBUG); - $vhost_data['tls13_available'] = $app->system->getopensslversion(true); - } + if((version_compare($app->system->getnginxversion(true), '1.13.0', '>=') && version_compare($nginx_openssl_ver, '1.1.1', '>='))) { + $app->log('Enable TLS 1.3 for: '.$domain, LOGLEVEL_DEBUG); + $vhost_data['tls13_available'] = $nginx_openssl_ver; } $tpl->setVar($vhost_data); -- GitLab From d07b2ad07e622059e399a29f03da9dae8c8a030c Mon Sep 17 00:00:00 2001 From: Michael Seevogel Date: Tue, 20 Oct 2020 17:21:04 +0200 Subject: [PATCH 6/7] modified comment --- server/plugins-available/nginx_plugin.inc.php | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/server/plugins-available/nginx_plugin.inc.php b/server/plugins-available/nginx_plugin.inc.php index 6182c676a6..8ecee93321 100644 --- a/server/plugins-available/nginx_plugin.inc.php +++ b/server/plugins-available/nginx_plugin.inc.php @@ -1621,7 +1621,7 @@ class nginx_plugin { // set logging variable $vhost_data['logging'] = $web_config['logging']; - // check if OpenSSL and Nginx supports TLS 1.3 + // Provide TLS 1.3 support if Nginx is >= 1.13.0 and when it was linked against OpenSSL(>=1.1.1) at build time. $output = $app->system->exec_safe('nginx -V 2>&1'); if(preg_match('/built with OpenSSL\s*(\d+)(\.(\d+)(\.(\d+))*)?(\D|$)/i', $output[0], $matches)) { -- GitLab From 3b3762f52cef782889c0443282bb8621d5d18ad3 Mon Sep 17 00:00:00 2001 From: Michael Seevogel Date: Tue, 20 Oct 2020 17:50:56 +0200 Subject: [PATCH 7/7] adjusted Nginx TLS 1.3 naming and switched to true if TLS 1.3 is supported --- server/conf/nginx_vhost.conf.master | 2 +- server/plugins-available/nginx_plugin.inc.php | 4 ++-- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/server/conf/nginx_vhost.conf.master b/server/conf/nginx_vhost.conf.master index 3bf65bd341..57dffe1369 100644 --- a/server/conf/nginx_vhost.conf.master +++ b/server/conf/nginx_vhost.conf.master @@ -19,7 +19,7 @@ server { - + ssl_protocols TLSv1.3 TLSv1.2; diff --git a/server/plugins-available/nginx_plugin.inc.php b/server/plugins-available/nginx_plugin.inc.php index 8ecee93321..fc2088fefb 100644 --- a/server/plugins-available/nginx_plugin.inc.php +++ b/server/plugins-available/nginx_plugin.inc.php @@ -1621,7 +1621,7 @@ class nginx_plugin { // set logging variable $vhost_data['logging'] = $web_config['logging']; - // Provide TLS 1.3 support if Nginx is >= 1.13.0 and when it was linked against OpenSSL(>=1.1.1) at build time. + // Provide TLS 1.3 support if Nginx version is >= 1.13.0 and when it was linked against OpenSSL(>=1.1.1) at build time. $output = $app->system->exec_safe('nginx -V 2>&1'); if(preg_match('/built with OpenSSL\s*(\d+)(\.(\d+)(\.(\d+))*)?(\D|$)/i', $output[0], $matches)) { @@ -1630,7 +1630,7 @@ class nginx_plugin { if((version_compare($app->system->getnginxversion(true), '1.13.0', '>=') && version_compare($nginx_openssl_ver, '1.1.1', '>='))) { $app->log('Enable TLS 1.3 for: '.$domain, LOGLEVEL_DEBUG); - $vhost_data['tls13_available'] = $nginx_openssl_ver; + $vhost_data['tls1.3_supported'] = 'y'; } $tpl->setVar($vhost_data); -- GitLab