crypto: address a few potential loopholes for #logjam
o Regenerate all dhparam files. (Looksie, we don't have under 1024!) o Make beast mitigation the default, been around since 2011. o Tweak the cipher settings via recommendations below. Open points are the zapping of 1024 bit dhparam and how we should handle dhparam shipping in the future. Please write in to discuss. :) Taken from: https://weakdh.org/sysadmin.html
This commit is contained in:
parent
ee4486d8df
commit
ca18801b96
@ -1,5 +1,5 @@
|
||||
-----BEGIN DH PARAMETERS-----
|
||||
MIGHAoGBAINPWm4z+KHppuzSZFjreaLrKdI/wkP0ojutrSlkiszXsGkbU6++GB1C
|
||||
7ZH2ZVpSIo4z31XyQnlraIkyY2pAItxqN8ozWaz84QLSHcwVcWKDEU7ZP0ISyTep
|
||||
alnFPGG8nJBSzxch+7H3HOfM68y6kfMtFDWuZtYj/9Zw4W42fVDLAgEC
|
||||
MIGHAoGBANl0O/jYGYAnQRtxvQ97D2bt7nraWGbn877Fy7+/7DWhLVAR8tgAUaXo
|
||||
Z5usvCot++T2FCryeGwQjXirwy1sahSZFKUQ6kG5n09fVOY9oI8HQ1SsTjemEetG
|
||||
Aqa0VbcVvll2K0nY1p8OJPGlEWmeBi21OSv5ZYjnxigvc38brIw7AgEC
|
||||
-----END DH PARAMETERS-----
|
||||
|
||||
@ -1,8 +1,8 @@
|
||||
-----BEGIN DH PARAMETERS-----
|
||||
MIIBCAKCAQEAmWwXhRjeqPYl1TvXeKZt5W8MHe0keJK7wC+uPMxpGFVXlvPnWdN+
|
||||
W/GyimtD2rHYWF1gyr5IbhiEkXSAuTCnwokwz9XiNQ3hKY/iwTPDo0Go8beB5Ezr
|
||||
wz8DibSIv93Va5C+fHzwosuwTAqaOgpOzPqSmVS/UmUATssxOuCK6Crv7YyA5knW
|
||||
v0JsJK3VfloeXq/p4skn/KRgL2twO5puJvZWGycMd3cv9+afsWjES/ItwzEHNSEG
|
||||
sPen/kNDB4nH+WFKdXnP3fUAqPZCxiqaBC+UnuHngm7Se4smc7DeJkUsed7NLIeg
|
||||
zDZ0a3bKZ3UB0lcLGbqXIhh74TtFQ1egmwIBAg==
|
||||
MIIBCAKCAQEA7RQUrHIRzq0Xvaq+08JJ/oMwnWnKMDh7yKArgyBG71Bi5Gl/EeJl
|
||||
glIUtEsW5nHjrbQhaJf9oC2G/zTK7xrtuURTcQVxQjA1xXAYMrAeMFV+vYKgoHj6
|
||||
brkqW0ivb3tSNUAZOMzAToXDZtCo4dhee9ZU+ZrdOpTTTpxX0S4kGGgN4qdCiDJm
|
||||
IzUp8WUl8prnhdFzDlVmYfzep8gXdvFsCYOczpjV66godQWtSaO6+ntCEg2DK1o+
|
||||
W7EM8yN85yzy8MLbpc6oYzoaASSQGdYUuMtzVvaHKGueEv2bjUJ7CMSZXkd2z3c7
|
||||
d56EajFmu8xlsUnvmXi3831RwBJH20LcewIBAg==
|
||||
-----END DH PARAMETERS-----
|
||||
|
||||
@ -1,13 +1,13 @@
|
||||
-----BEGIN DH PARAMETERS-----
|
||||
MIICCAKCAgEA1G0VaCFVkFFPB0pL1Y6NtAlysfvZaAXXmmJ89Xy5wrNLEZfTdmqT
|
||||
NmABAhr0DD6+1rcI5d4LriRLhTFf77COjW/+FelEA5BZBsoQDL6QsxWt4VoLT6uK
|
||||
bKVkbtwKycz0uOU1areS5gWHF71KRmKgooOuY2yl7a75uLn4QYCS7hKLXsAIB8eC
|
||||
63nl81T5gXOAc3hMiKrk8hKLUA6zkMfqWIpG06wvicaPlg8GyQavwGxONDNl/Y2r
|
||||
XyRoh/4ja7Moz0tUCmZV+iKtGgq5wekJ1fCN3zhXPX6h6WujoYqzcCmPLFCuIuEa
|
||||
kxRy9XaDTe8V40p1RDc4yMYQrl2hxrO8YPRBewigILYxEfe+51qE5Sb//UZszwNL
|
||||
kIhW9ObfAkotXoH81xke4EN0RX+rVK1ZYbeBIDCn62ZqNsUVkMh5Otsh0TiK7SP9
|
||||
O14IflklQqpyYc+aHMNknhsN30MFV3aD/785QS8zcWUdSdQeZlbjjFgJ4Xpt+r3p
|
||||
X6Vv8cwEh8qDHn2CaOfZtyTx2V3B2LU1sJZQ9ynVzlxy2clQcVboXPM1xNgzHSsd
|
||||
bFgPMJUAq9VjLGrbN6a3NqWwXnQPMuczX1G3T690fKF55e/boIAXZD1hEZqKt1f0
|
||||
DuCwyf/D4CEGyHhHIdVm7f1kTaErWzSgqcc2wGsjFi3ABTG2byxTnSsCAQI=
|
||||
MIICCAKCAgEAuyZ+CFkBpcDArpt1oXlt8OgPLw/YMgnz5l5DHTVLOy25ndDhwU9Z
|
||||
IDmMAG6EDK/44duQ85G1e1j350Vj7dXQ55dDsr7+3hnEfv/sA/yak44fc6Sln8lZ
|
||||
wnsEl0ehLdunUDdWhBhXip6gg0TjtwSTLu9jz5VMahN9bI9ffI7Jhndx4abjtNVi
|
||||
Km+cb0ivuKxoy1odCvZCbEXQMYEx3iqER4XwfuryHdj6gz20WdpJdIYZSivArTL2
|
||||
ZsBrE1VO0HNboSX41FSkIT/H4gozvTczjefTec4787cKMoHPGNMcE6y4+I1G2m3Z
|
||||
XZvSLkx4+STxqdpAxvUsmgCTkpYn8geHJd2OAN25pEhvOGnsbIuWW01bKO0nGNdO
|
||||
HWlTDqYB2W86u9JAgr+3cMyTv2EMEOz7/YB3yzI91S5s+LeNDJJDVYRCBnLjB6G4
|
||||
zISLESIqORcYUNkW63XvNFKVSfeY+SYjVqrFw/N0CeleJIcrTfLKWqdNBxlZH1Ef
|
||||
7xYpfH+o3se2yZSOMNKB6+hAlhUss3bKTkM68OFR4eWWFkAb0Nd4nNgED7WZpObd
|
||||
ewYEY+7ZNCYhD7o+gZ/QDTaqun7UwQ1AvDpyoU3H9WdBzQ46MhIpb6R2T8vfY6TR
|
||||
mEO6DZRBo1DKlfCEvyN/ybBTBRHdckFIT+OzRfoQAH4XCG5iujeEDZMCAQI=
|
||||
-----END DH PARAMETERS-----
|
||||
|
||||
@ -1172,26 +1172,7 @@ EOD;
|
||||
// Harden SSL a bit for PCI conformance testing
|
||||
$lighty_config .= "ssl.use-sslv2 = \"disable\"\n";
|
||||
|
||||
/* Hifn accelerators do NOT work with the BEAST mitigation code. Do not allow it to be enabled if a Hifn card has been detected. */
|
||||
$fd = @fopen('/var/run/dmesg.boot', 'r');
|
||||
if ($fd) {
|
||||
while (!feof($fd)) {
|
||||
$dmesgl = fgets($fd);
|
||||
if (preg_match("/^hifn.: (.*?),/", $dmesgl, $matches) && isset($config['system']['webgui']['beast_protection'])) {
|
||||
unset($config['system']['webgui']['beast_protection']);
|
||||
log_error("BEAST Protection disabled because a conflicting cryptographic accelerator card has been detected (" . $matches[1] . ")");
|
||||
break;
|
||||
}
|
||||
}
|
||||
fclose($fd);
|
||||
}
|
||||
|
||||
if (isset($config['system']['webgui']['beast_protection'])) {
|
||||
$lighty_config .= "ssl.honor-cipher-order = \"enable\"\n";
|
||||
$lighty_config .= "ssl.cipher-list = \"ECDHE-RSA-AES256-SHA384:AES256-SHA256:RC4-SHA:RC4:HIGH:!MD5:!aNULL:!EDH:!AESGCM\"\n";
|
||||
} else {
|
||||
$lighty_config .= "ssl.cipher-list = \"DHE-RSA-CAMELLIA256-SHA:DHE-DSS-CAMELLIA256-SHA:CAMELLIA256-SHA:DHE-DSS-AES256-SHA:AES256-SHA:DHE-RSA-CAMELLIA128-SHA:DHE-DSS-CAMELLIA128-SHA:CAMELLIA128-SHA:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA:AES128-SHA:RC4-SHA:RC4-MD5:!aNULL:!eNULL:!3DES:@STRENGTH\"\n";
|
||||
}
|
||||
$lighty_config .= 'ssl.cipher-list = "ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA"' . PHP_EOL;
|
||||
|
||||
if(!(empty($ca) || (strlen(trim($ca)) == 0)))
|
||||
$lighty_config .= "ssl.ca-file = \"/var/etc/{$ca_location}\"\n\n";
|
||||
|
||||
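Review bot: The new unconditional `ssl.cipher-list` assignment (the single-quoted line ending in `PHP_EOL`) is not paired with `ssl.honor-cipher-order = "enable"`, which the removed BEAST branch did set and which the weakdh.org lighttpd guidance the commit cites includes; without it the client's preference decides, so the ECDHE/DHE-first ordering of the new list does not guarantee a forward-secret suite is negotiated. Unless it is set elsewhere outside this hunk, add `$lighty_config .= 'ssl.honor-cipher-order = "enable"' . PHP_EOL;` directly before the cipher list. The list keeps the `DHE-*` and `kEDH+AESGCM` suites, so their resistance to the precomputation attack this commit targets is bounded by whichever dhparam file is selected elsewhere; the regenerated 1024-bit file in this same commit (its DER prefix `MIGHAoGB` still encodes a 129-byte modulus) leaves those suites at the size weakdh.org advises against, which matches the open point in the description. Stylistically the new line mixes single quotes with `PHP_EOL` while the neighbouring `ssl.use-sslv2` and `ssl.ca-file` lines use double-quoted `\"...\"\n`; one form should be used for the block. The enclosing function starts and ends outside the hunk.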
@ -43,7 +43,6 @@ $pconfig['disableconsolemenu'] = isset($config['system']['disableconsolemenu']);
|
||||
$pconfig['noantilockout'] = isset($config['system']['webgui']['noantilockout']);
|
||||
$pconfig['nodnsrebindcheck'] = isset($config['system']['webgui']['nodnsrebindcheck']);
|
||||
$pconfig['nohttpreferercheck'] = isset($config['system']['webgui']['nohttpreferercheck']);
|
||||
$pconfig['beast_protection'] = isset($config['system']['webgui']['beast_protection']);
|
||||
$pconfig['enable_xdebug'] = isset($config['system']['webgui']['enable_xdebug']) ;
|
||||
$pconfig['loginautocomplete'] = isset($config['system']['webgui']['loginautocomplete']);
|
||||
$pconfig['althostnames'] = $config['system']['webgui']['althostnames'];
|
||||
@ -163,11 +162,6 @@ if ($_POST) {
|
||||
else
|
||||
unset($config['system']['webgui']['nohttpreferercheck']);
|
||||
|
||||
if ($_POST['beast_protection'] == "yes")
|
||||
$config['system']['webgui']['beast_protection'] = true;
|
||||
else
|
||||
unset($config['system']['webgui']['beast_protection']);
|
||||
|
||||
if ($_POST['enable_xdebug'] == "yes") {
|
||||
$config['system']['webgui']['enable_xdebug'] = true;
|
||||
} else {
|
||||
@ -255,21 +249,6 @@ if ($_POST) {
|
||||
}
|
||||
}
|
||||
|
||||
unset($hwcrypto);
|
||||
$fd = @fopen('/var/run/dmesg.boot', 'r');
|
||||
if ($fd) {
|
||||
while (!feof($fd)) {
|
||||
$dmesgl = fgets($fd);
|
||||
if (preg_match("/^hifn.: (.*?),/", $dmesgl, $matches)) {
|
||||
unset($pconfig['beast_protection']);
|
||||
$disable_beast_option = "disabled";
|
||||
$hwcrypto = $matches[1];
|
||||
break;
|
||||
}
|
||||
}
|
||||
fclose($fd);
|
||||
}
|
||||
|
||||
$pgtitle = array(gettext("System"),gettext("Settings"),gettext("Admin Access"));
|
||||
include("head.inc");
|
||||
|
||||
@ -469,22 +448,6 @@ include("head.inc");
|
||||
"webConfigurator access in certain corner cases such as using external scripts to interact with this system. More information on HTTP_REFERER is available from <a target='_blank' href='http://en.wikipedia.org/wiki/HTTP_referrer'>Wikipedia</a>."); ?>
|
||||
</td>
|
||||
</tr>
|
||||
<tr>
|
||||
<td width="22%" valign="top" class="vncell"><?=gettext("BEAST Attack Protection"); ?></td>
|
||||
<td width="78%" class="vtable">
|
||||
<input name="beast_protection" type="checkbox" id="beast_protection" value="yes" <?php if ($pconfig['beast_protection']) echo "checked=\"checked\""; ?> <?= $disable_beast_option ?>/>
|
||||
<strong><?=gettext("Mitigate the BEAST SSL Attack"); ?></strong>
|
||||
<br />
|
||||
<?php echo gettext("When this is checked, the webConfigurator can mitigate BEAST SSL attacks. ") ?>
|
||||
<br />
|
||||
<?php if ($disable_beast_option) {
|
||||
echo "<br />" . sprintf(gettext("This option has been automatically disabled because a conflicting cryptographic accelerator card has been detected (%s)."), $hwcrypto) . "<br /><br />";
|
||||
} ?>
|
||||
<?php echo gettext("This option is off by default because Hifn accelerators do NOT work with this option, and the GUI will not function. " .
|
||||
"It is possible that other accelerators have a similar problem that is not yet known/documented. " .
|
||||
"More information on BEAST is available from <a target='_blank' href='https://en.wikipedia.org/wiki/Transport_Layer_Security#BEAST_attack'>Wikipedia</a>."); ?>
|
||||
</td>
|
||||
</tr>
|
||||
<tr>
|
||||
<td width="22%" valign="top" class="vncell"><?=gettext("Enable XDebug"); ?></td>
|
||||
<td width="78%" class="vtable">
|
||||
|
||||