diff --git a/src/etc/inc/system.inc b/src/etc/inc/system.inc index 41189e0b1..22482ffc0 100644 --- a/src/etc/inc/system.inc +++ b/src/etc/inc/system.inc @@ -1276,8 +1276,11 @@ EOD; // Harden SSL a bit for PCI conformance testing $lighty_config .= "ssl.use-sslv2 = \"disable\"\n"; - - $lighty_config .= 'ssl.cipher-list = "ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA"' . PHP_EOL; + if (empty($config['system']['webgui']['ssl-ciphers'])) { + $lighty_config .= 'ssl.cipher-list = "ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA"' . PHP_EOL; + } else { + $lighty_config .= 'ssl.cipher-list = "'.$config['system']['webgui']['ssl-ciphers'].'"' . PHP_EOL; + } if(!(empty($ca) || (strlen(trim($ca)) == 0))) { $lighty_config .= "ssl.ca-file = \"/var/etc/{$ca_location}\"\n\n"; diff --git a/src/opnsense/scripts/system/rfc5246_cipher_suites.csv b/src/opnsense/scripts/system/rfc5246_cipher_suites.csv new file mode 100644 index 000000000..d6bd45f1e --- /dev/null +++ b/src/opnsense/scripts/system/rfc5246_cipher_suites.csv @@ -0,0 +1,349 @@ +Value,Description,DTLS-OK,Reference +"0x00,0x00",TLS_NULL_WITH_NULL_NULL,Y,[RFC5246] +"0x00,0x01",TLS_RSA_WITH_NULL_MD5,Y,[RFC5246] +"0x00,0x02",TLS_RSA_WITH_NULL_SHA,Y,[RFC5246] +"0x00,0x03",TLS_RSA_EXPORT_WITH_RC4_40_MD5,N,[RFC4346][RFC6347] +"0x00,0x04",TLS_RSA_WITH_RC4_128_MD5,N,[RFC5246][RFC6347] +"0x00,0x05",TLS_RSA_WITH_RC4_128_SHA,N,[RFC5246][RFC6347] +"0x00,0x06",TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5,Y,[RFC4346] +"0x00,0x07",TLS_RSA_WITH_IDEA_CBC_SHA,Y,[RFC5469] +"0x00,0x08",TLS_RSA_EXPORT_WITH_DES40_CBC_SHA,Y,[RFC4346] +"0x00,0x09",TLS_RSA_WITH_DES_CBC_SHA,Y,[RFC5469] +"0x00,0x0A",TLS_RSA_WITH_3DES_EDE_CBC_SHA,Y,[RFC5246] +"0x00,0x0B",TLS_DH_DSS_EXPORT_WITH_DES40_CBC_SHA,Y,[RFC4346] +"0x00,0x0C",TLS_DH_DSS_WITH_DES_CBC_SHA,Y,[RFC5469] +"0x00,0x0D",TLS_DH_DSS_WITH_3DES_EDE_CBC_SHA,Y,[RFC5246] +"0x00,0x0E",TLS_DH_RSA_EXPORT_WITH_DES40_CBC_SHA,Y,[RFC4346] +"0x00,0x0F",TLS_DH_RSA_WITH_DES_CBC_SHA,Y,[RFC5469] +"0x00,0x10",TLS_DH_RSA_WITH_3DES_EDE_CBC_SHA,Y,[RFC5246] +"0x00,0x11",TLS_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA,Y,[RFC4346] +"0x00,0x12",TLS_DHE_DSS_WITH_DES_CBC_SHA,Y,[RFC5469] +"0x00,0x13",TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA,Y,[RFC5246] +"0x00,0x14",TLS_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA,Y,[RFC4346] +"0x00,0x15",TLS_DHE_RSA_WITH_DES_CBC_SHA,Y,[RFC5469] +"0x00,0x16",TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA,Y,[RFC5246] +"0x00,0x17",TLS_DH_anon_EXPORT_WITH_RC4_40_MD5,N,[RFC4346][RFC6347] +"0x00,0x18",TLS_DH_anon_WITH_RC4_128_MD5,N,[RFC5246][RFC6347] +"0x00,0x19",TLS_DH_anon_EXPORT_WITH_DES40_CBC_SHA,Y,[RFC4346] +"0x00,0x1A",TLS_DH_anon_WITH_DES_CBC_SHA,Y,[RFC5469] +"0x00,0x1B",TLS_DH_anon_WITH_3DES_EDE_CBC_SHA,Y,[RFC5246] +"0x00,0x1C-1D",Reserved to avoid conflicts with SSLv3,,[RFC5246] +"0x00,0x1E",TLS_KRB5_WITH_DES_CBC_SHA,Y,[RFC2712] +"0x00,0x1F",TLS_KRB5_WITH_3DES_EDE_CBC_SHA,Y,[RFC2712] +"0x00,0x20",TLS_KRB5_WITH_RC4_128_SHA,N,[RFC2712][RFC6347] +"0x00,0x21",TLS_KRB5_WITH_IDEA_CBC_SHA,Y,[RFC2712] +"0x00,0x22",TLS_KRB5_WITH_DES_CBC_MD5,Y,[RFC2712] +"0x00,0x23",TLS_KRB5_WITH_3DES_EDE_CBC_MD5,Y,[RFC2712] +"0x00,0x24",TLS_KRB5_WITH_RC4_128_MD5,N,[RFC2712][RFC6347] +"0x00,0x25",TLS_KRB5_WITH_IDEA_CBC_MD5,Y,[RFC2712] +"0x00,0x26",TLS_KRB5_EXPORT_WITH_DES_CBC_40_SHA,Y,[RFC2712] +"0x00,0x27",TLS_KRB5_EXPORT_WITH_RC2_CBC_40_SHA,Y,[RFC2712] +"0x00,0x28",TLS_KRB5_EXPORT_WITH_RC4_40_SHA,N,[RFC2712][RFC6347] +"0x00,0x29",TLS_KRB5_EXPORT_WITH_DES_CBC_40_MD5,Y,[RFC2712] +"0x00,0x2A",TLS_KRB5_EXPORT_WITH_RC2_CBC_40_MD5,Y,[RFC2712] +"0x00,0x2B",TLS_KRB5_EXPORT_WITH_RC4_40_MD5,N,[RFC2712][RFC6347] +"0x00,0x2C",TLS_PSK_WITH_NULL_SHA,Y,[RFC4785] +"0x00,0x2D",TLS_DHE_PSK_WITH_NULL_SHA,Y,[RFC4785] +"0x00,0x2E",TLS_RSA_PSK_WITH_NULL_SHA,Y,[RFC4785] +"0x00,0x2F",TLS_RSA_WITH_AES_128_CBC_SHA,Y,[RFC5246] +"0x00,0x30",TLS_DH_DSS_WITH_AES_128_CBC_SHA,Y,[RFC5246] +"0x00,0x31",TLS_DH_RSA_WITH_AES_128_CBC_SHA,Y,[RFC5246] +"0x00,0x32",TLS_DHE_DSS_WITH_AES_128_CBC_SHA,Y,[RFC5246] +"0x00,0x33",TLS_DHE_RSA_WITH_AES_128_CBC_SHA,Y,[RFC5246] +"0x00,0x34",TLS_DH_anon_WITH_AES_128_CBC_SHA,Y,[RFC5246] +"0x00,0x35",TLS_RSA_WITH_AES_256_CBC_SHA,Y,[RFC5246] +"0x00,0x36",TLS_DH_DSS_WITH_AES_256_CBC_SHA,Y,[RFC5246] +"0x00,0x37",TLS_DH_RSA_WITH_AES_256_CBC_SHA,Y,[RFC5246] +"0x00,0x38",TLS_DHE_DSS_WITH_AES_256_CBC_SHA,Y,[RFC5246] +"0x00,0x39",TLS_DHE_RSA_WITH_AES_256_CBC_SHA,Y,[RFC5246] +"0x00,0x3A",TLS_DH_anon_WITH_AES_256_CBC_SHA,Y,[RFC5246] +"0x00,0x3B",TLS_RSA_WITH_NULL_SHA256,Y,[RFC5246] +"0x00,0x3C",TLS_RSA_WITH_AES_128_CBC_SHA256,Y,[RFC5246] +"0x00,0x3D",TLS_RSA_WITH_AES_256_CBC_SHA256,Y,[RFC5246] +"0x00,0x3E",TLS_DH_DSS_WITH_AES_128_CBC_SHA256,Y,[RFC5246] +"0x00,0x3F",TLS_DH_RSA_WITH_AES_128_CBC_SHA256,Y,[RFC5246] +"0x00,0x40",TLS_DHE_DSS_WITH_AES_128_CBC_SHA256,Y,[RFC5246] +"0x00,0x41",TLS_RSA_WITH_CAMELLIA_128_CBC_SHA,Y,[RFC5932] +"0x00,0x42",TLS_DH_DSS_WITH_CAMELLIA_128_CBC_SHA,Y,[RFC5932] +"0x00,0x43",TLS_DH_RSA_WITH_CAMELLIA_128_CBC_SHA,Y,[RFC5932] +"0x00,0x44",TLS_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA,Y,[RFC5932] +"0x00,0x45",TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA,Y,[RFC5932] +"0x00,0x46",TLS_DH_anon_WITH_CAMELLIA_128_CBC_SHA,Y,[RFC5932] +"0x00,0x47-4F","Reserved to avoid conflicts with +deployed implementations",,[Pasi_Eronen] +"0x00,0x50-58",Reserved to avoid conflicts,,"[Pasi Eronen, , 2008-04-04. 2008-04-04]" +"0x00,0x59-5C","Reserved to avoid conflicts with +deployed implementations",,[Pasi_Eronen] +"0x00,0x5D-5F",Unassigned,, +"0x00,0x60-66","Reserved to avoid conflicts with +widely deployed implementations",,[Pasi_Eronen] +"0x00,0x67",TLS_DHE_RSA_WITH_AES_128_CBC_SHA256,Y,[RFC5246] +"0x00,0x68",TLS_DH_DSS_WITH_AES_256_CBC_SHA256,Y,[RFC5246] +"0x00,0x69",TLS_DH_RSA_WITH_AES_256_CBC_SHA256,Y,[RFC5246] +"0x00,0x6A",TLS_DHE_DSS_WITH_AES_256_CBC_SHA256,Y,[RFC5246] +"0x00,0x6B",TLS_DHE_RSA_WITH_AES_256_CBC_SHA256,Y,[RFC5246] +"0x00,0x6C",TLS_DH_anon_WITH_AES_128_CBC_SHA256,Y,[RFC5246] +"0x00,0x6D",TLS_DH_anon_WITH_AES_256_CBC_SHA256,Y,[RFC5246] +"0x00,0x6E-83",Unassigned,, +"0x00,0x84",TLS_RSA_WITH_CAMELLIA_256_CBC_SHA,Y,[RFC5932] +"0x00,0x85",TLS_DH_DSS_WITH_CAMELLIA_256_CBC_SHA,Y,[RFC5932] +"0x00,0x86",TLS_DH_RSA_WITH_CAMELLIA_256_CBC_SHA,Y,[RFC5932] +"0x00,0x87",TLS_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA,Y,[RFC5932] +"0x00,0x88",TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA,Y,[RFC5932] +"0x00,0x89",TLS_DH_anon_WITH_CAMELLIA_256_CBC_SHA,Y,[RFC5932] +"0x00,0x8A",TLS_PSK_WITH_RC4_128_SHA,N,[RFC4279][RFC6347] +"0x00,0x8B",TLS_PSK_WITH_3DES_EDE_CBC_SHA,Y,[RFC4279] +"0x00,0x8C",TLS_PSK_WITH_AES_128_CBC_SHA,Y,[RFC4279] +"0x00,0x8D",TLS_PSK_WITH_AES_256_CBC_SHA,Y,[RFC4279] +"0x00,0x8E",TLS_DHE_PSK_WITH_RC4_128_SHA,N,[RFC4279][RFC6347] +"0x00,0x8F",TLS_DHE_PSK_WITH_3DES_EDE_CBC_SHA,Y,[RFC4279] +"0x00,0x90",TLS_DHE_PSK_WITH_AES_128_CBC_SHA,Y,[RFC4279] +"0x00,0x91",TLS_DHE_PSK_WITH_AES_256_CBC_SHA,Y,[RFC4279] +"0x00,0x92",TLS_RSA_PSK_WITH_RC4_128_SHA,N,[RFC4279][RFC6347] +"0x00,0x93",TLS_RSA_PSK_WITH_3DES_EDE_CBC_SHA,Y,[RFC4279] +"0x00,0x94",TLS_RSA_PSK_WITH_AES_128_CBC_SHA,Y,[RFC4279] +"0x00,0x95",TLS_RSA_PSK_WITH_AES_256_CBC_SHA,Y,[RFC4279] +"0x00,0x96",TLS_RSA_WITH_SEED_CBC_SHA,Y,[RFC4162] +"0x00,0x97",TLS_DH_DSS_WITH_SEED_CBC_SHA,Y,[RFC4162] +"0x00,0x98",TLS_DH_RSA_WITH_SEED_CBC_SHA,Y,[RFC4162] +"0x00,0x99",TLS_DHE_DSS_WITH_SEED_CBC_SHA,Y,[RFC4162] +"0x00,0x9A",TLS_DHE_RSA_WITH_SEED_CBC_SHA,Y,[RFC4162] +"0x00,0x9B",TLS_DH_anon_WITH_SEED_CBC_SHA,Y,[RFC4162] +"0x00,0x9C",TLS_RSA_WITH_AES_128_GCM_SHA256,Y,[RFC5288] +"0x00,0x9D",TLS_RSA_WITH_AES_256_GCM_SHA384,Y,[RFC5288] +"0x00,0x9E",TLS_DHE_RSA_WITH_AES_128_GCM_SHA256,Y,[RFC5288] +"0x00,0x9F",TLS_DHE_RSA_WITH_AES_256_GCM_SHA384,Y,[RFC5288] +"0x00,0xA0",TLS_DH_RSA_WITH_AES_128_GCM_SHA256,Y,[RFC5288] +"0x00,0xA1",TLS_DH_RSA_WITH_AES_256_GCM_SHA384,Y,[RFC5288] +"0x00,0xA2",TLS_DHE_DSS_WITH_AES_128_GCM_SHA256,Y,[RFC5288] +"0x00,0xA3",TLS_DHE_DSS_WITH_AES_256_GCM_SHA384,Y,[RFC5288] +"0x00,0xA4",TLS_DH_DSS_WITH_AES_128_GCM_SHA256,Y,[RFC5288] +"0x00,0xA5",TLS_DH_DSS_WITH_AES_256_GCM_SHA384,Y,[RFC5288] +"0x00,0xA6",TLS_DH_anon_WITH_AES_128_GCM_SHA256,Y,[RFC5288] +"0x00,0xA7",TLS_DH_anon_WITH_AES_256_GCM_SHA384,Y,[RFC5288] +"0x00,0xA8",TLS_PSK_WITH_AES_128_GCM_SHA256,Y,[RFC5487] +"0x00,0xA9",TLS_PSK_WITH_AES_256_GCM_SHA384,Y,[RFC5487] +"0x00,0xAA",TLS_DHE_PSK_WITH_AES_128_GCM_SHA256,Y,[RFC5487] +"0x00,0xAB",TLS_DHE_PSK_WITH_AES_256_GCM_SHA384,Y,[RFC5487] +"0x00,0xAC",TLS_RSA_PSK_WITH_AES_128_GCM_SHA256,Y,[RFC5487] +"0x00,0xAD",TLS_RSA_PSK_WITH_AES_256_GCM_SHA384,Y,[RFC5487] +"0x00,0xAE",TLS_PSK_WITH_AES_128_CBC_SHA256,Y,[RFC5487] +"0x00,0xAF",TLS_PSK_WITH_AES_256_CBC_SHA384,Y,[RFC5487] +"0x00,0xB0",TLS_PSK_WITH_NULL_SHA256,Y,[RFC5487] +"0x00,0xB1",TLS_PSK_WITH_NULL_SHA384,Y,[RFC5487] +"0x00,0xB2",TLS_DHE_PSK_WITH_AES_128_CBC_SHA256,Y,[RFC5487] +"0x00,0xB3",TLS_DHE_PSK_WITH_AES_256_CBC_SHA384,Y,[RFC5487] +"0x00,0xB4",TLS_DHE_PSK_WITH_NULL_SHA256,Y,[RFC5487] +"0x00,0xB5",TLS_DHE_PSK_WITH_NULL_SHA384,Y,[RFC5487] +"0x00,0xB6",TLS_RSA_PSK_WITH_AES_128_CBC_SHA256,Y,[RFC5487] +"0x00,0xB7",TLS_RSA_PSK_WITH_AES_256_CBC_SHA384,Y,[RFC5487] +"0x00,0xB8",TLS_RSA_PSK_WITH_NULL_SHA256,Y,[RFC5487] +"0x00,0xB9",TLS_RSA_PSK_WITH_NULL_SHA384,Y,[RFC5487] +"0x00,0xBA",TLS_RSA_WITH_CAMELLIA_128_CBC_SHA256,Y,[RFC5932] +"0x00,0xBB",TLS_DH_DSS_WITH_CAMELLIA_128_CBC_SHA256,Y,[RFC5932] +"0x00,0xBC",TLS_DH_RSA_WITH_CAMELLIA_128_CBC_SHA256,Y,[RFC5932] +"0x00,0xBD",TLS_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA256,Y,[RFC5932] +"0x00,0xBE",TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA256,Y,[RFC5932] +"0x00,0xBF",TLS_DH_anon_WITH_CAMELLIA_128_CBC_SHA256,Y,[RFC5932] +"0x00,0xC0",TLS_RSA_WITH_CAMELLIA_256_CBC_SHA256,Y,[RFC5932] +"0x00,0xC1",TLS_DH_DSS_WITH_CAMELLIA_256_CBC_SHA256,Y,[RFC5932] +"0x00,0xC2",TLS_DH_RSA_WITH_CAMELLIA_256_CBC_SHA256,Y,[RFC5932] +"0x00,0xC3",TLS_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA256,Y,[RFC5932] +"0x00,0xC4",TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA256,Y,[RFC5932] +"0x00,0xC5",TLS_DH_anon_WITH_CAMELLIA_256_CBC_SHA256,Y,[RFC5932] +"0x00,0xC6-FE",Unassigned,, +"0x00,0xFF",TLS_EMPTY_RENEGOTIATION_INFO_SCSV,Y,[RFC5746] +"0x01-55,*",Unassigned,, +"0x56,0x00",TLS_FALLBACK_SCSV,Y,[RFC7507] +"0x56,0x01-0xC0,0x00",Unassigned,, +"0xC0,0x01",TLS_ECDH_ECDSA_WITH_NULL_SHA,Y,[RFC4492] +"0xC0,0x02",TLS_ECDH_ECDSA_WITH_RC4_128_SHA,N,[RFC4492][RFC6347] +"0xC0,0x03",TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA,Y,[RFC4492] +"0xC0,0x04",TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA,Y,[RFC4492] +"0xC0,0x05",TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA,Y,[RFC4492] +"0xC0,0x06",TLS_ECDHE_ECDSA_WITH_NULL_SHA,Y,[RFC4492] +"0xC0,0x07",TLS_ECDHE_ECDSA_WITH_RC4_128_SHA,N,[RFC4492][RFC6347] +"0xC0,0x08",TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA,Y,[RFC4492] +"0xC0,0x09",TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,Y,[RFC4492] +"0xC0,0x0A",TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,Y,[RFC4492] +"0xC0,0x0B",TLS_ECDH_RSA_WITH_NULL_SHA,Y,[RFC4492] +"0xC0,0x0C",TLS_ECDH_RSA_WITH_RC4_128_SHA,N,[RFC4492][RFC6347] +"0xC0,0x0D",TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA,Y,[RFC4492] +"0xC0,0x0E",TLS_ECDH_RSA_WITH_AES_128_CBC_SHA,Y,[RFC4492] +"0xC0,0x0F",TLS_ECDH_RSA_WITH_AES_256_CBC_SHA,Y,[RFC4492] +"0xC0,0x10",TLS_ECDHE_RSA_WITH_NULL_SHA,Y,[RFC4492] +"0xC0,0x11",TLS_ECDHE_RSA_WITH_RC4_128_SHA,N,[RFC4492][RFC6347] +"0xC0,0x12",TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA,Y,[RFC4492] +"0xC0,0x13",TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,Y,[RFC4492] +"0xC0,0x14",TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,Y,[RFC4492] +"0xC0,0x15",TLS_ECDH_anon_WITH_NULL_SHA,Y,[RFC4492] +"0xC0,0x16",TLS_ECDH_anon_WITH_RC4_128_SHA,N,[RFC4492][RFC6347] +"0xC0,0x17",TLS_ECDH_anon_WITH_3DES_EDE_CBC_SHA,Y,[RFC4492] +"0xC0,0x18",TLS_ECDH_anon_WITH_AES_128_CBC_SHA,Y,[RFC4492] +"0xC0,0x19",TLS_ECDH_anon_WITH_AES_256_CBC_SHA,Y,[RFC4492] +"0xC0,0x1A",TLS_SRP_SHA_WITH_3DES_EDE_CBC_SHA,Y,[RFC5054] +"0xC0,0x1B",TLS_SRP_SHA_RSA_WITH_3DES_EDE_CBC_SHA,Y,[RFC5054] +"0xC0,0x1C",TLS_SRP_SHA_DSS_WITH_3DES_EDE_CBC_SHA,Y,[RFC5054] +"0xC0,0x1D",TLS_SRP_SHA_WITH_AES_128_CBC_SHA,Y,[RFC5054] +"0xC0,0x1E",TLS_SRP_SHA_RSA_WITH_AES_128_CBC_SHA,Y,[RFC5054] +"0xC0,0x1F",TLS_SRP_SHA_DSS_WITH_AES_128_CBC_SHA,Y,[RFC5054] +"0xC0,0x20",TLS_SRP_SHA_WITH_AES_256_CBC_SHA,Y,[RFC5054] +"0xC0,0x21",TLS_SRP_SHA_RSA_WITH_AES_256_CBC_SHA,Y,[RFC5054] +"0xC0,0x22",TLS_SRP_SHA_DSS_WITH_AES_256_CBC_SHA,Y,[RFC5054] +"0xC0,0x23",TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,Y,[RFC5289] +"0xC0,0x24",TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384,Y,[RFC5289] +"0xC0,0x25",TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256,Y,[RFC5289] +"0xC0,0x26",TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384,Y,[RFC5289] +"0xC0,0x27",TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,Y,[RFC5289] +"0xC0,0x28",TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,Y,[RFC5289] +"0xC0,0x29",TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256,Y,[RFC5289] +"0xC0,0x2A",TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384,Y,[RFC5289] +"0xC0,0x2B",TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,Y,[RFC5289] +"0xC0,0x2C",TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,Y,[RFC5289] +"0xC0,0x2D",TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256,Y,[RFC5289] +"0xC0,0x2E",TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384,Y,[RFC5289] +"0xC0,0x2F",TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,Y,[RFC5289] +"0xC0,0x30",TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,Y,[RFC5289] +"0xC0,0x31",TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256,Y,[RFC5289] +"0xC0,0x32",TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384,Y,[RFC5289] +"0xC0,0x33",TLS_ECDHE_PSK_WITH_RC4_128_SHA,N,[RFC5489][RFC6347] +"0xC0,0x34",TLS_ECDHE_PSK_WITH_3DES_EDE_CBC_SHA,Y,[RFC5489] +"0xC0,0x35",TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA,Y,[RFC5489] +"0xC0,0x36",TLS_ECDHE_PSK_WITH_AES_256_CBC_SHA,Y,[RFC5489] +"0xC0,0x37",TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA256,Y,[RFC5489] +"0xC0,0x38",TLS_ECDHE_PSK_WITH_AES_256_CBC_SHA384,Y,[RFC5489] +"0xC0,0x39",TLS_ECDHE_PSK_WITH_NULL_SHA,Y,[RFC5489] +"0xC0,0x3A",TLS_ECDHE_PSK_WITH_NULL_SHA256,Y,[RFC5489] +"0xC0,0x3B",TLS_ECDHE_PSK_WITH_NULL_SHA384,Y,[RFC5489] +"0xC0,0x3C",TLS_RSA_WITH_ARIA_128_CBC_SHA256,Y,[RFC6209] +"0xC0,0x3D",TLS_RSA_WITH_ARIA_256_CBC_SHA384,Y,[RFC6209] +"0xC0,0x3E",TLS_DH_DSS_WITH_ARIA_128_CBC_SHA256,Y,[RFC6209] +"0xC0,0x3F",TLS_DH_DSS_WITH_ARIA_256_CBC_SHA384,Y,[RFC6209] +"0xC0,0x40",TLS_DH_RSA_WITH_ARIA_128_CBC_SHA256,Y,[RFC6209] +"0xC0,0x41",TLS_DH_RSA_WITH_ARIA_256_CBC_SHA384,Y,[RFC6209] +"0xC0,0x42",TLS_DHE_DSS_WITH_ARIA_128_CBC_SHA256,Y,[RFC6209] +"0xC0,0x43",TLS_DHE_DSS_WITH_ARIA_256_CBC_SHA384,Y,[RFC6209] +"0xC0,0x44",TLS_DHE_RSA_WITH_ARIA_128_CBC_SHA256,Y,[RFC6209] +"0xC0,0x45",TLS_DHE_RSA_WITH_ARIA_256_CBC_SHA384,Y,[RFC6209] +"0xC0,0x46",TLS_DH_anon_WITH_ARIA_128_CBC_SHA256,Y,[RFC6209] +"0xC0,0x47",TLS_DH_anon_WITH_ARIA_256_CBC_SHA384,Y,[RFC6209] +"0xC0,0x48",TLS_ECDHE_ECDSA_WITH_ARIA_128_CBC_SHA256,Y,[RFC6209] +"0xC0,0x49",TLS_ECDHE_ECDSA_WITH_ARIA_256_CBC_SHA384,Y,[RFC6209] +"0xC0,0x4A",TLS_ECDH_ECDSA_WITH_ARIA_128_CBC_SHA256,Y,[RFC6209] +"0xC0,0x4B",TLS_ECDH_ECDSA_WITH_ARIA_256_CBC_SHA384,Y,[RFC6209] +"0xC0,0x4C",TLS_ECDHE_RSA_WITH_ARIA_128_CBC_SHA256,Y,[RFC6209] +"0xC0,0x4D",TLS_ECDHE_RSA_WITH_ARIA_256_CBC_SHA384,Y,[RFC6209] +"0xC0,0x4E",TLS_ECDH_RSA_WITH_ARIA_128_CBC_SHA256,Y,[RFC6209] +"0xC0,0x4F",TLS_ECDH_RSA_WITH_ARIA_256_CBC_SHA384,Y,[RFC6209] +"0xC0,0x50",TLS_RSA_WITH_ARIA_128_GCM_SHA256,Y,[RFC6209] +"0xC0,0x51",TLS_RSA_WITH_ARIA_256_GCM_SHA384,Y,[RFC6209] +"0xC0,0x52",TLS_DHE_RSA_WITH_ARIA_128_GCM_SHA256,Y,[RFC6209] +"0xC0,0x53",TLS_DHE_RSA_WITH_ARIA_256_GCM_SHA384,Y,[RFC6209] +"0xC0,0x54",TLS_DH_RSA_WITH_ARIA_128_GCM_SHA256,Y,[RFC6209] +"0xC0,0x55",TLS_DH_RSA_WITH_ARIA_256_GCM_SHA384,Y,[RFC6209] +"0xC0,0x56",TLS_DHE_DSS_WITH_ARIA_128_GCM_SHA256,Y,[RFC6209] +"0xC0,0x57",TLS_DHE_DSS_WITH_ARIA_256_GCM_SHA384,Y,[RFC6209] +"0xC0,0x58",TLS_DH_DSS_WITH_ARIA_128_GCM_SHA256,Y,[RFC6209] +"0xC0,0x59",TLS_DH_DSS_WITH_ARIA_256_GCM_SHA384,Y,[RFC6209] +"0xC0,0x5A",TLS_DH_anon_WITH_ARIA_128_GCM_SHA256,Y,[RFC6209] +"0xC0,0x5B",TLS_DH_anon_WITH_ARIA_256_GCM_SHA384,Y,[RFC6209] +"0xC0,0x5C",TLS_ECDHE_ECDSA_WITH_ARIA_128_GCM_SHA256,Y,[RFC6209] +"0xC0,0x5D",TLS_ECDHE_ECDSA_WITH_ARIA_256_GCM_SHA384,Y,[RFC6209] +"0xC0,0x5E",TLS_ECDH_ECDSA_WITH_ARIA_128_GCM_SHA256,Y,[RFC6209] +"0xC0,0x5F",TLS_ECDH_ECDSA_WITH_ARIA_256_GCM_SHA384,Y,[RFC6209] +"0xC0,0x60",TLS_ECDHE_RSA_WITH_ARIA_128_GCM_SHA256,Y,[RFC6209] +"0xC0,0x61",TLS_ECDHE_RSA_WITH_ARIA_256_GCM_SHA384,Y,[RFC6209] +"0xC0,0x62",TLS_ECDH_RSA_WITH_ARIA_128_GCM_SHA256,Y,[RFC6209] +"0xC0,0x63",TLS_ECDH_RSA_WITH_ARIA_256_GCM_SHA384,Y,[RFC6209] +"0xC0,0x64",TLS_PSK_WITH_ARIA_128_CBC_SHA256,Y,[RFC6209] +"0xC0,0x65",TLS_PSK_WITH_ARIA_256_CBC_SHA384,Y,[RFC6209] +"0xC0,0x66",TLS_DHE_PSK_WITH_ARIA_128_CBC_SHA256,Y,[RFC6209] +"0xC0,0x67",TLS_DHE_PSK_WITH_ARIA_256_CBC_SHA384,Y,[RFC6209] +"0xC0,0x68",TLS_RSA_PSK_WITH_ARIA_128_CBC_SHA256,Y,[RFC6209] +"0xC0,0x69",TLS_RSA_PSK_WITH_ARIA_256_CBC_SHA384,Y,[RFC6209] +"0xC0,0x6A",TLS_PSK_WITH_ARIA_128_GCM_SHA256,Y,[RFC6209] +"0xC0,0x6B",TLS_PSK_WITH_ARIA_256_GCM_SHA384,Y,[RFC6209] +"0xC0,0x6C",TLS_DHE_PSK_WITH_ARIA_128_GCM_SHA256,Y,[RFC6209] +"0xC0,0x6D",TLS_DHE_PSK_WITH_ARIA_256_GCM_SHA384,Y,[RFC6209] +"0xC0,0x6E",TLS_RSA_PSK_WITH_ARIA_128_GCM_SHA256,Y,[RFC6209] +"0xC0,0x6F",TLS_RSA_PSK_WITH_ARIA_256_GCM_SHA384,Y,[RFC6209] +"0xC0,0x70",TLS_ECDHE_PSK_WITH_ARIA_128_CBC_SHA256,Y,[RFC6209] +"0xC0,0x71",TLS_ECDHE_PSK_WITH_ARIA_256_CBC_SHA384,Y,[RFC6209] +"0xC0,0x72",TLS_ECDHE_ECDSA_WITH_CAMELLIA_128_CBC_SHA256,Y,[RFC6367] +"0xC0,0x73",TLS_ECDHE_ECDSA_WITH_CAMELLIA_256_CBC_SHA384,Y,[RFC6367] +"0xC0,0x74",TLS_ECDH_ECDSA_WITH_CAMELLIA_128_CBC_SHA256,Y,[RFC6367] +"0xC0,0x75",TLS_ECDH_ECDSA_WITH_CAMELLIA_256_CBC_SHA384,Y,[RFC6367] +"0xC0,0x76",TLS_ECDHE_RSA_WITH_CAMELLIA_128_CBC_SHA256,Y,[RFC6367] +"0xC0,0x77",TLS_ECDHE_RSA_WITH_CAMELLIA_256_CBC_SHA384,Y,[RFC6367] +"0xC0,0x78",TLS_ECDH_RSA_WITH_CAMELLIA_128_CBC_SHA256,Y,[RFC6367] +"0xC0,0x79",TLS_ECDH_RSA_WITH_CAMELLIA_256_CBC_SHA384,Y,[RFC6367] +"0xC0,0x7A",TLS_RSA_WITH_CAMELLIA_128_GCM_SHA256,Y,[RFC6367] +"0xC0,0x7B",TLS_RSA_WITH_CAMELLIA_256_GCM_SHA384,Y,[RFC6367] +"0xC0,0x7C",TLS_DHE_RSA_WITH_CAMELLIA_128_GCM_SHA256,Y,[RFC6367] +"0xC0,0x7D",TLS_DHE_RSA_WITH_CAMELLIA_256_GCM_SHA384,Y,[RFC6367] +"0xC0,0x7E",TLS_DH_RSA_WITH_CAMELLIA_128_GCM_SHA256,Y,[RFC6367] +"0xC0,0x7F",TLS_DH_RSA_WITH_CAMELLIA_256_GCM_SHA384,Y,[RFC6367] +"0xC0,0x80",TLS_DHE_DSS_WITH_CAMELLIA_128_GCM_SHA256,Y,[RFC6367] +"0xC0,0x81",TLS_DHE_DSS_WITH_CAMELLIA_256_GCM_SHA384,Y,[RFC6367] +"0xC0,0x82",TLS_DH_DSS_WITH_CAMELLIA_128_GCM_SHA256,Y,[RFC6367] +"0xC0,0x83",TLS_DH_DSS_WITH_CAMELLIA_256_GCM_SHA384,Y,[RFC6367] +"0xC0,0x84",TLS_DH_anon_WITH_CAMELLIA_128_GCM_SHA256,Y,[RFC6367] +"0xC0,0x85",TLS_DH_anon_WITH_CAMELLIA_256_GCM_SHA384,Y,[RFC6367] +"0xC0,0x86",TLS_ECDHE_ECDSA_WITH_CAMELLIA_128_GCM_SHA256,Y,[RFC6367] +"0xC0,0x87",TLS_ECDHE_ECDSA_WITH_CAMELLIA_256_GCM_SHA384,Y,[RFC6367] +"0xC0,0x88",TLS_ECDH_ECDSA_WITH_CAMELLIA_128_GCM_SHA256,Y,[RFC6367] +"0xC0,0x89",TLS_ECDH_ECDSA_WITH_CAMELLIA_256_GCM_SHA384,Y,[RFC6367] +"0xC0,0x8A",TLS_ECDHE_RSA_WITH_CAMELLIA_128_GCM_SHA256,Y,[RFC6367] +"0xC0,0x8B",TLS_ECDHE_RSA_WITH_CAMELLIA_256_GCM_SHA384,Y,[RFC6367] +"0xC0,0x8C",TLS_ECDH_RSA_WITH_CAMELLIA_128_GCM_SHA256,Y,[RFC6367] +"0xC0,0x8D",TLS_ECDH_RSA_WITH_CAMELLIA_256_GCM_SHA384,Y,[RFC6367] +"0xC0,0x8E",TLS_PSK_WITH_CAMELLIA_128_GCM_SHA256,Y,[RFC6367] +"0xC0,0x8F",TLS_PSK_WITH_CAMELLIA_256_GCM_SHA384,Y,[RFC6367] +"0xC0,0x90",TLS_DHE_PSK_WITH_CAMELLIA_128_GCM_SHA256,Y,[RFC6367] +"0xC0,0x91",TLS_DHE_PSK_WITH_CAMELLIA_256_GCM_SHA384,Y,[RFC6367] +"0xC0,0x92",TLS_RSA_PSK_WITH_CAMELLIA_128_GCM_SHA256,Y,[RFC6367] +"0xC0,0x93",TLS_RSA_PSK_WITH_CAMELLIA_256_GCM_SHA384,Y,[RFC6367] +"0xC0,0x94",TLS_PSK_WITH_CAMELLIA_128_CBC_SHA256,Y,[RFC6367] +"0xC0,0x95",TLS_PSK_WITH_CAMELLIA_256_CBC_SHA384,Y,[RFC6367] +"0xC0,0x96",TLS_DHE_PSK_WITH_CAMELLIA_128_CBC_SHA256,Y,[RFC6367] +"0xC0,0x97",TLS_DHE_PSK_WITH_CAMELLIA_256_CBC_SHA384,Y,[RFC6367] +"0xC0,0x98",TLS_RSA_PSK_WITH_CAMELLIA_128_CBC_SHA256,Y,[RFC6367] +"0xC0,0x99",TLS_RSA_PSK_WITH_CAMELLIA_256_CBC_SHA384,Y,[RFC6367] +"0xC0,0x9A",TLS_ECDHE_PSK_WITH_CAMELLIA_128_CBC_SHA256,Y,[RFC6367] +"0xC0,0x9B",TLS_ECDHE_PSK_WITH_CAMELLIA_256_CBC_SHA384,Y,[RFC6367] +"0xC0,0x9C",TLS_RSA_WITH_AES_128_CCM,Y,[RFC6655] +"0xC0,0x9D",TLS_RSA_WITH_AES_256_CCM,Y,[RFC6655] +"0xC0,0x9E",TLS_DHE_RSA_WITH_AES_128_CCM,Y,[RFC6655] +"0xC0,0x9F",TLS_DHE_RSA_WITH_AES_256_CCM,Y,[RFC6655] +"0xC0,0xA0",TLS_RSA_WITH_AES_128_CCM_8,Y,[RFC6655] +"0xC0,0xA1",TLS_RSA_WITH_AES_256_CCM_8,Y,[RFC6655] +"0xC0,0xA2",TLS_DHE_RSA_WITH_AES_128_CCM_8,Y,[RFC6655] +"0xC0,0xA3",TLS_DHE_RSA_WITH_AES_256_CCM_8,Y,[RFC6655] +"0xC0,0xA4",TLS_PSK_WITH_AES_128_CCM,Y,[RFC6655] +"0xC0,0xA5",TLS_PSK_WITH_AES_256_CCM,Y,[RFC6655] +"0xC0,0xA6",TLS_DHE_PSK_WITH_AES_128_CCM,Y,[RFC6655] +"0xC0,0xA7",TLS_DHE_PSK_WITH_AES_256_CCM,Y,[RFC6655] +"0xC0,0xA8",TLS_PSK_WITH_AES_128_CCM_8,Y,[RFC6655] +"0xC0,0xA9",TLS_PSK_WITH_AES_256_CCM_8,Y,[RFC6655] +"0xC0,0xAA",TLS_PSK_DHE_WITH_AES_128_CCM_8,Y,[RFC6655] +"0xC0,0xAB",TLS_PSK_DHE_WITH_AES_256_CCM_8,Y,[RFC6655] +"0xC0,0xAC",TLS_ECDHE_ECDSA_WITH_AES_128_CCM,Y,[RFC7251] +"0xC0,0xAD",TLS_ECDHE_ECDSA_WITH_AES_256_CCM,Y,[RFC7251] +"0xC0,0xAE",TLS_ECDHE_ECDSA_WITH_AES_128_CCM_8,Y,[RFC7251] +"0xC0,0xAF",TLS_ECDHE_ECDSA_WITH_AES_256_CCM_8,Y,[RFC7251] +"0xC0,0xB0-FF",Unassigned,, +"0xC1-CB,*",Unassigned,, +"0xCC,0x00-A7",Unassigned,, +"0xCC,0xA8",TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256,Y,[RFC7905] +"0xCC,0xA9",TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256,Y,[RFC7905] +"0xCC,0xAA",TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256,Y,[RFC7905] +"0xCC,0xAB",TLS_PSK_WITH_CHACHA20_POLY1305_SHA256,Y,[RFC7905] +"0xCC,0xAC",TLS_ECDHE_PSK_WITH_CHACHA20_POLY1305_SHA256,Y,[RFC7905] +"0xCC,0xAD",TLS_DHE_PSK_WITH_CHACHA20_POLY1305_SHA256,Y,[RFC7905] +"0xCC,0xAE",TLS_RSA_PSK_WITH_CHACHA20_POLY1305_SHA256,Y,[RFC7905] +"0xCC,0xAF-FF",Unassigned,, +"0xCD-FD,*",Unassigned,, +"0xFE,0x00-FD",Unassigned,, +"0xFE,0xFE-FF","Reserved to avoid conflicts with +widely deployed implementations",,[Pasi_Eronen] +"0xFF,0x00-FF",Reserved for Private Use,,[RFC5246] diff --git a/src/opnsense/scripts/system/ssl_ciphers.py b/src/opnsense/scripts/system/ssl_ciphers.py new file mode 100755 index 000000000..b715580eb --- /dev/null +++ b/src/opnsense/scripts/system/ssl_ciphers.py @@ -0,0 +1,62 @@ +#!/usr/local/bin/python2.7 + +""" + Copyright (c) 2016 Ad Schellevis + All rights reserved. + + Redistribution and use in source and binary forms, with or without + modification, are permitted provided that the following conditions are met: + + 1. Redistributions of source code must retain the above copyright notice, + this list of conditions and the following disclaimer. + + 2. Redistributions in binary form must reproduce the above copyright + notice, this list of conditions and the following disclaimer in the + documentation and/or other materials provided with the distribution. + + THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, + INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY + AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE + AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, + OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF + SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS + INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN + CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) + ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE + POSSIBILITY OF SUCH DAMAGE. + + -------------------------------------------------------------------------------------- + return all available ciphers +""" +import tempfile +import subprocess +import os +import sys +import ujson +import csv + +if __name__ == '__main__': + # source http://www.iana.org/assignments/tls-parameters/tls-parameters-4.csv + rfc5246_file = '%s/rfc5246_cipher_suites.csv' % os.path.dirname(os.path.realpath(__file__)) + rfc5246 = dict() + if os.path.isfile(rfc5246_file): + with open(rfc5246_file, 'rb') as csvfile: + for row in csv.reader(csvfile, delimiter=',', quotechar='"'): + rfc5246[row[0]] = {'description': row[1]} + + result = {} + with tempfile.NamedTemporaryFile() as output_stream: + subprocess.call(['/usr/bin/openssl', 'ciphers', '-V'], stdout=output_stream, stderr=open(os.devnull, 'wb')) + output_stream.seek(0) + for line in output_stream.read().strip().split('\n'): + parts = line.strip().split() + if len(parts) > 1: + cipher_id = parts[0] + cipher_key = parts[2] + item = {'version': parts[3], 'id': cipher_id, 'description': ''} + for part in parts[4:]: + item[part.split('=')[0]] = part.split('=')[-1] + if cipher_id in rfc5246: + item['description'] = rfc5246[cipher_id]['description'] + result[cipher_key] = item + print ujson.dumps(result) diff --git a/src/opnsense/service/conf/actions.d/actions_system.conf b/src/opnsense/service/conf/actions.d/actions_system.conf index e8813849a..d2a8bab51 100644 --- a/src/opnsense/service/conf/actions.d/actions_system.conf +++ b/src/opnsense/service/conf/actions.d/actions_system.conf @@ -3,3 +3,9 @@ command:/usr/local/opnsense/scripts/systemhealth/activity.py parameters:%s type:script_output message:show system activity + +[ssl.ciphers] +command:/usr/local/opnsense/scripts/system/ssl_ciphers.py +parameters: +type:script_output +message:list ssl ciphers diff --git a/src/www/system_advanced_admin.php b/src/www/system_advanced_admin.php index 77229df9f..d0d793c4b 100644 --- a/src/www/system_advanced_admin.php +++ b/src/www/system_advanced_admin.php @@ -39,6 +39,11 @@ if ($_SERVER['REQUEST_METHOD'] === 'GET') { $pconfig['webguiproto'] = $config['system']['webgui']['protocol']; $pconfig['webguiport'] = $config['system']['webgui']['port']; $pconfig['ssl-certref'] = $config['system']['webgui']['ssl-certref']; + if (!empty($config['system']['webgui']['ssl-ciphers'])) { + $pconfig['ssl-ciphers'] = explode(':', $config['system']['webgui']['ssl-ciphers']); + } else { + $pconfig['ssl-ciphers'] = array(); + } $pconfig['disablehttpredirect'] = isset($config['system']['webgui']['disablehttpredirect']); $pconfig['disableconsolemenu'] = isset($config['system']['disableconsolemenu']); $pconfig['disableintegratedauth'] = !empty($config['system']['disableintegratedauth']); @@ -84,9 +89,15 @@ if ($_SERVER['REQUEST_METHOD'] === 'GET') { if (count($input_errors) ==0) { // flag web ui for restart + if (!empty($pconfig['ssl-ciphers'])) { + $newciphers = implode(':', $pconfig['ssl-ciphers']); + } else { + $newciphers = ''; + } if ($config['system']['webgui']['protocol'] != $pconfig['webguiproto'] || $config['system']['webgui']['port'] != $pconfig['webguiport'] || $config['system']['webgui']['ssl-certref'] != $pconfig['ssl-certref'] || + $config['system']['webgui']['ssl-ciphers'] != $newciphers || ($pconfig['disablehttpredirect'] == "yes") != !empty($config['system']['webgui']['disablehttpredirect']) ) { $restart_webgui = true; @@ -97,6 +108,7 @@ if ($_SERVER['REQUEST_METHOD'] === 'GET') { $config['system']['webgui']['protocol'] = $pconfig['webguiproto']; $config['system']['webgui']['port'] = $pconfig['webguiport']; $config['system']['webgui']['ssl-certref'] = $pconfig['ssl-certref']; + $config['system']['webgui']['ssl-ciphers'] = $newciphers; if ($pconfig['disablehttpredirect'] == "yes") { $config['system']['webgui']['disablehttpredirect'] = true; @@ -359,6 +371,24 @@ include("head.inc"); + + + + + + +