From 8be19f199c450df69a127c17995b98f71cf759e7 Mon Sep 17 00:00:00 2001 From: Sroka Date: Fri, 18 Dec 2020 19:48:11 +0100 Subject: [PATCH 1/4] fix tls1.3 in nginx --- server/conf/nginx_vhost.conf.master | 4 +--- server/plugins-available/nginx_plugin.inc.php | 12 +++--------- 2 files changed, 4 insertions(+), 12 deletions(-) diff --git a/server/conf/nginx_vhost.conf.master b/server/conf/nginx_vhost.conf.master index 5bd90fd822..f2b3e0f833 100644 --- a/server/conf/nginx_vhost.conf.master +++ b/server/conf/nginx_vhost.conf.master @@ -19,11 +19,9 @@ server { - - + ssl_protocols TLSv1.3 TLSv1.2; - ssl_protocols TLSv1.2; # ssl_ciphers 'ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS'; diff --git a/server/plugins-available/nginx_plugin.inc.php b/server/plugins-available/nginx_plugin.inc.php index 9eb2e1ef04..ddaba273e5 100644 --- a/server/plugins-available/nginx_plugin.inc.php +++ b/server/plugins-available/nginx_plugin.inc.php 
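Review bot: The template-tag lines of this hunk carry no text in this rendering (the `- - +` markers stand alone), so it cannot be checked here that the `tmpl_if` around `ssl_protocols TLSv1.3 TLSv1.2;` now tests the `tls13_supported` key that the PHP side of this same patch sets (renamed from `tls1.3_supported`); the two names must match byte for byte, otherwise the TLS 1.3 branch is never rendered and every vhost silently stays on `ssl_protocols TLSv1.2;`. If instead the conditional was dropped and `ssl_protocols TLSv1.3 TLSv1.2;` is now unconditional, an nginx older than 1.13.0 presumably rejects the unknown `TLSv1.3` value at config test, which is exactly what the version probe in nginx_plugin.inc.php exists to avoid. A template comment naming the source of the flag, e.g. `# tls13_supported is set by nginx_plugin.inc.php after probing nginx -V`, would make that coupling visible to the next editor. The `server { ... }` block continues outside the hunk.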
@@ -1631,16 +1631,10 @@ class nginx_plugin {
 // set logging variable
 $vhost_data['logging'] = $web_config['logging'];
- // Provide TLS 1.3 support if Nginx version is >= 1.13.0 and when it was linked against OpenSSL(>=1.1.1) at build time.
- $output = $app->system->exec_safe('nginx -V 2>&1');
-
- if(preg_match('/built with OpenSSL\s*(\d+)(\.(\d+)(\.(\d+))*)?(\D|$)/i', $output[0], $matches)) {
- $nginx_openssl_ver = $matches[1] . (isset($matches[3]) ? '.' . $matches[3] : '') . (isset($matches[5]) ? '.' . $matches[5] : '');
- }
-
- if((version_compare($app->system->getnginxversion(true), '1.13.0', '>=') && version_compare($nginx_openssl_ver, '1.1.1', '>='))) {
+ // Provide TLS 1.3 support if Nginx version is >= 1.13.0 and when it was linked against OpenSSL(>=1.1.1) at build time.
+ if((version_compare($app->system->getnginxversion(true), '1.13.0', '>=') && version_compare($app->system->getopensslversion(true), '1.1.1', '>='))) {
 $app->log('Enable TLS 1.3 for: '.$domain, LOGLEVEL_DEBUG);
- $vhost_data['tls1.3_supported'] = 'y';
+ $vhost_data['tls13_supported'] = "y";
 }
 $tpl->setVar($vhost_data);
--
GitLab
From e0453b974d712e3b38de4ee5b0ee2e4feb0fcc0b Mon Sep 17 00:00:00 2001
From: Sroka
Date: Sun, 20 Dec 2020 15:37:14 +0100
Subject: [PATCH 2/4] fix tls1.3 in nginx
---
 server/plugins-available/nginx_plugin.inc.php | 7 +++++--
 1 file changed, 5 insertions(+), 2 deletions(-)
diff --git a/server/plugins-available/nginx_plugin.inc.php b/server/plugins-available/nginx_plugin.inc.php
index ddaba273e5..5213063a84 100644
--- a/server/plugins-available/nginx_plugin.inc.php
+++ b/server/plugins-available/nginx_plugin.inc.php
@@ -1631,8 +1631,11 @@ class nginx_plugin {
 // set logging variable
 $vhost_data['logging'] = $web_config['logging'];
- // Provide TLS 1.3 support if Nginx version is >= 1.13.0 and when it was linked against OpenSSL(>=1.1.1) at build time.
- if((version_compare($app->system->getnginxversion(true), '1.13.0', '>=') && version_compare($app->system->getopensslversion(true), '1.1.1', '>='))) {
+ // Provide TLS 1.3 support if Nginx version is >= 1.13.0 and when it was linked against OpenSSL(>=1.1.1) at build time and when it was linked against OpenSSL(>=1.1.1) at runtime.
+ $nginx_openssl_ver = $app->system->exec_safe('nginx -V 2>&1 | grep OpenSSL | sed \'s/.*built\([a-zA-Z ]*\)OpenSSL \([0-9.]*\).*/\2/\'');
+ if(version_compare($app->system->getnginxversion(true), '1.13.0', '>=')
+ && version_compare($nginx_openssl_ver, '1.1.1', '>=')
+ && version_compare($app->system->getopensslversion(true), '1.1.1', '>=')) {
 $app->log('Enable TLS 1.3 for: '.$domain, LOGLEVEL_DEBUG);
 $vhost_data['tls13_supported'] = "y";
 }
--
GitLab
From f77cf03c6be318f93517fb2f7abc6bd1579d54a6 Mon Sep 17 00:00:00 2001
From: Sroka
Date: Sun, 20 Dec 2020 16:29:29 +0100
Subject: [PATCH 3/4] fix tls1.3 in nginx
---
 server/plugins-available/nginx_plugin.inc.php | 7 ++++---
 1 file changed, 4 insertions(+), 3 deletions(-)
diff --git a/server/plugins-available/nginx_plugin.inc.php b/server/plugins-available/nginx_plugin.inc.php
index 5213063a84..7d95671b70 100644
--- a/server/plugins-available/nginx_plugin.inc.php
+++ b/server/plugins-available/nginx_plugin.inc.php
@@ -1632,10 +1632,11 @@ class nginx_plugin {
 $vhost_data['logging'] = $web_config['logging'];
 // Provide TLS 1.3 support if Nginx version is >= 1.13.0 and when it was linked against OpenSSL(>=1.1.1) at build time and when it was linked against OpenSSL(>=1.1.1) at runtime.
- $nginx_openssl_ver = $app->system->exec_safe('nginx -V 2>&1 | grep OpenSSL | sed \'s/.*built\([a-zA-Z ]*\)OpenSSL \([0-9.]*\).*/\2/\'');
+ $nginx_openssl_build_ver = $app->system->exec_safe('nginx -V 2>&1 | grep OpenSSL | sed \'s/.*built\([a-zA-Z ]*\)OpenSSL \([0-9.]*\).*/\2/\'');
+ $nginx_openssl_running_ver = $app->system->exec_safe('nginx -V 2>&1 | grep \'running with\' | sed \'s/.*running\([a-zA-Z ]*\)OpenSSL \([0-9.]*\).*/\2/\'');
 if(version_compare($app->system->getnginxversion(true), '1.13.0', '>=')
- && version_compare($nginx_openssl_ver, '1.1.1', '>=')
- && version_compare($app->system->getopensslversion(true), '1.1.1', '>=')) {
+ && version_compare($nginx_openssl_build_ver, '1.1.1', '>=')
+ && (empty($nginx_openssl_running_ver) || version_compare($nginx_openssl_running_ver, '1.1.1', '>='))) {
 $app->log('Enable TLS 1.3 for: '.$domain, LOGLEVEL_DEBUG);
 $vhost_data['tls13_supported'] = "y";
 }
--
GitLab
From 1e01e0dd39a8b7b72b80d4c6543ed09523b86828 Mon Sep 17 00:00:00 2001
From: Sroka
Date: Mon, 21 Dec 2020 11:10:36 +0100
Subject: [PATCH 4/4] fix tls1.3 in nginx - more precise selector
---
 server/plugins-available/nginx_plugin.inc.php | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/server/plugins-available/nginx_plugin.inc.php b/server/plugins-available/nginx_plugin.inc.php
index 7d95671b70..ada8e71c3c 100644
--- a/server/plugins-available/nginx_plugin.inc.php
+++ b/server/plugins-available/nginx_plugin.inc.php
@@ -1632,8 +1632,8 @@ class nginx_plugin {
 $vhost_data['logging'] = $web_config['logging'];
 // Provide TLS 1.3 support if Nginx version is >= 1.13.0 and when it was linked against OpenSSL(>=1.1.1) at build time and when it was linked against OpenSSL(>=1.1.1) at runtime.
- $nginx_openssl_build_ver = $app->system->exec_safe('nginx -V 2>&1 | grep OpenSSL | sed \'s/.*built\([a-zA-Z ]*\)OpenSSL \([0-9.]*\).*/\2/\'');
- $nginx_openssl_running_ver = $app->system->exec_safe('nginx -V 2>&1 | grep \'running with\' | sed \'s/.*running\([a-zA-Z ]*\)OpenSSL \([0-9.]*\).*/\2/\'');
+ $nginx_openssl_build_ver = $app->system->exec_safe('nginx -V 2>&1 | grep \'built with OpenSSL\' | sed \'s/.*built\([a-zA-Z ]*\)OpenSSL \([0-9.]*\).*/\2/\'');
+ $nginx_openssl_running_ver = $app->system->exec_safe('nginx -V 2>&1 | grep \'running with OpenSSL\' | sed \'s/.*running\([a-zA-Z ]*\)OpenSSL \([0-9.]*\).*/\2/\'');
 if(version_compare($app->system->getnginxversion(true), '1.13.0', '>=')
 && version_compare($nginx_openssl_build_ver, '1.1.1', '>=')
 && (empty($nginx_openssl_running_ver) || version_compare($nginx_openssl_running_ver, '1.1.1', '>='))) {
--
GitLab
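Review bot: The two new `grep` selectors read as if "built with" and "running with" were separate lines, but nginx prints both on one line (`built with OpenSSL 1.1.1f ... (running with OpenSSL 1.1.1k ...)`) when the runtime library differs from the build-time one, so both pipelines select the same line and only the `built`/`running` anchors in the two `sed` expressions tell the versions apart; that works, but deserves a comment such as `// nginx -V reports "built with OpenSSL X (running with OpenSSL Y)" on a single line; the sed anchors, not grep, separate the two versions`. The fail-closed direction is the property worth documenting here: if `nginx` is not on PATH, or it is linked against LibreSSL/BoringSSL so that `OpenSSL` never matches, both variables are empty, `version_compare('', '1.1.1', '>=')` is false and the vhost stays on TLSv1.2 only, which is safe but silently withholds TLS 1.3 on LibreSSL builds that do support it. The `[0-9.]*` capture drops patch letters (`1.1.1k` becomes `1.1.1`), which is fine for the `>= 1.1.1` threshold but means nothing finer than that can ever be compared. The enclosing method starts before and continues after the hunk.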