From ca18801b9635f283bae4a3a3057f4940cc48fa23 Mon Sep 17 00:00:00 2001 From: Franco Fichtner Date: Fri, 22 May 2015 14:16:19 +0200 Subject: [PATCH] crypto: address a few potential loopholes for #logjam o Regenerate all dhparam files. (Looksie, we don't have under 1024!) o Make beast mitigation the default, been around since 2011. o Tweak the cipher settings via recommendations below. Open points are the zapping of 1024 bit dhparam and how we should handle dhparam shipping in the future. Please write in to discuss. :) Taken from: https://weakdh.org/sysadmin.html --- src/etc/dh-parameters.1024 | 6 ++--- src/etc/dh-parameters.2048 | 12 +++++----- src/etc/dh-parameters.4096 | 22 +++++++++--------- src/etc/inc/system.inc | 21 +----------------- src/www/system_advanced_admin.php | 37 ------------------------------- 5 files changed, 21 insertions(+), 77 deletions(-) diff --git a/src/etc/dh-parameters.1024 b/src/etc/dh-parameters.1024 index 3148f4c5e..03ddceb58 100644 --- a/src/etc/dh-parameters.1024 +++ b/src/etc/dh-parameters.1024 @@ -1,5 +1,5 @@ -----BEGIN DH PARAMETERS----- -MIGHAoGBAINPWm4z+KHppuzSZFjreaLrKdI/wkP0ojutrSlkiszXsGkbU6++GB1C -7ZH2ZVpSIo4z31XyQnlraIkyY2pAItxqN8ozWaz84QLSHcwVcWKDEU7ZP0ISyTep -alnFPGG8nJBSzxch+7H3HOfM68y6kfMtFDWuZtYj/9Zw4W42fVDLAgEC +MIGHAoGBANl0O/jYGYAnQRtxvQ97D2bt7nraWGbn877Fy7+/7DWhLVAR8tgAUaXo +Z5usvCot++T2FCryeGwQjXirwy1sahSZFKUQ6kG5n09fVOY9oI8HQ1SsTjemEetG +Aqa0VbcVvll2K0nY1p8OJPGlEWmeBi21OSv5ZYjnxigvc38brIw7AgEC -----END DH PARAMETERS----- diff --git a/src/etc/dh-parameters.2048 b/src/etc/dh-parameters.2048 index f0e1a5d35..aa2311843 100644 --- a/src/etc/dh-parameters.2048 +++ b/src/etc/dh-parameters.2048 @@ -1,8 +1,8 @@ -----BEGIN DH PARAMETERS----- -MIIBCAKCAQEAmWwXhRjeqPYl1TvXeKZt5W8MHe0keJK7wC+uPMxpGFVXlvPnWdN+ -W/GyimtD2rHYWF1gyr5IbhiEkXSAuTCnwokwz9XiNQ3hKY/iwTPDo0Go8beB5Ezr -wz8DibSIv93Va5C+fHzwosuwTAqaOgpOzPqSmVS/UmUATssxOuCK6Crv7YyA5knW -v0JsJK3VfloeXq/p4skn/KRgL2twO5puJvZWGycMd3cv9+afsWjES/ItwzEHNSEG -sPen/kNDB4nH+WFKdXnP3fUAqPZCxiqaBC+UnuHngm7Se4smc7DeJkUsed7NLIeg -zDZ0a3bKZ3UB0lcLGbqXIhh74TtFQ1egmwIBAg== +MIIBCAKCAQEA7RQUrHIRzq0Xvaq+08JJ/oMwnWnKMDh7yKArgyBG71Bi5Gl/EeJl +glIUtEsW5nHjrbQhaJf9oC2G/zTK7xrtuURTcQVxQjA1xXAYMrAeMFV+vYKgoHj6 +brkqW0ivb3tSNUAZOMzAToXDZtCo4dhee9ZU+ZrdOpTTTpxX0S4kGGgN4qdCiDJm +IzUp8WUl8prnhdFzDlVmYfzep8gXdvFsCYOczpjV66godQWtSaO6+ntCEg2DK1o+ +W7EM8yN85yzy8MLbpc6oYzoaASSQGdYUuMtzVvaHKGueEv2bjUJ7CMSZXkd2z3c7 +d56EajFmu8xlsUnvmXi3831RwBJH20LcewIBAg== -----END DH PARAMETERS----- diff --git a/src/etc/dh-parameters.4096 b/src/etc/dh-parameters.4096 index 30058a136..e868369ee 100644 --- a/src/etc/dh-parameters.4096 +++ b/src/etc/dh-parameters.4096 @@ -1,13 +1,13 @@ -----BEGIN DH PARAMETERS----- -MIICCAKCAgEA1G0VaCFVkFFPB0pL1Y6NtAlysfvZaAXXmmJ89Xy5wrNLEZfTdmqT -NmABAhr0DD6+1rcI5d4LriRLhTFf77COjW/+FelEA5BZBsoQDL6QsxWt4VoLT6uK -bKVkbtwKycz0uOU1areS5gWHF71KRmKgooOuY2yl7a75uLn4QYCS7hKLXsAIB8eC -63nl81T5gXOAc3hMiKrk8hKLUA6zkMfqWIpG06wvicaPlg8GyQavwGxONDNl/Y2r -XyRoh/4ja7Moz0tUCmZV+iKtGgq5wekJ1fCN3zhXPX6h6WujoYqzcCmPLFCuIuEa -kxRy9XaDTe8V40p1RDc4yMYQrl2hxrO8YPRBewigILYxEfe+51qE5Sb//UZszwNL -kIhW9ObfAkotXoH81xke4EN0RX+rVK1ZYbeBIDCn62ZqNsUVkMh5Otsh0TiK7SP9 -O14IflklQqpyYc+aHMNknhsN30MFV3aD/785QS8zcWUdSdQeZlbjjFgJ4Xpt+r3p -X6Vv8cwEh8qDHn2CaOfZtyTx2V3B2LU1sJZQ9ynVzlxy2clQcVboXPM1xNgzHSsd -bFgPMJUAq9VjLGrbN6a3NqWwXnQPMuczX1G3T690fKF55e/boIAXZD1hEZqKt1f0 -DuCwyf/D4CEGyHhHIdVm7f1kTaErWzSgqcc2wGsjFi3ABTG2byxTnSsCAQI= +MIICCAKCAgEAuyZ+CFkBpcDArpt1oXlt8OgPLw/YMgnz5l5DHTVLOy25ndDhwU9Z +IDmMAG6EDK/44duQ85G1e1j350Vj7dXQ55dDsr7+3hnEfv/sA/yak44fc6Sln8lZ +wnsEl0ehLdunUDdWhBhXip6gg0TjtwSTLu9jz5VMahN9bI9ffI7Jhndx4abjtNVi +Km+cb0ivuKxoy1odCvZCbEXQMYEx3iqER4XwfuryHdj6gz20WdpJdIYZSivArTL2 +ZsBrE1VO0HNboSX41FSkIT/H4gozvTczjefTec4787cKMoHPGNMcE6y4+I1G2m3Z +XZvSLkx4+STxqdpAxvUsmgCTkpYn8geHJd2OAN25pEhvOGnsbIuWW01bKO0nGNdO +HWlTDqYB2W86u9JAgr+3cMyTv2EMEOz7/YB3yzI91S5s+LeNDJJDVYRCBnLjB6G4 +zISLESIqORcYUNkW63XvNFKVSfeY+SYjVqrFw/N0CeleJIcrTfLKWqdNBxlZH1Ef +7xYpfH+o3se2yZSOMNKB6+hAlhUss3bKTkM68OFR4eWWFkAb0Nd4nNgED7WZpObd +ewYEY+7ZNCYhD7o+gZ/QDTaqun7UwQ1AvDpyoU3H9WdBzQ46MhIpb6R2T8vfY6TR +mEO6DZRBo1DKlfCEvyN/ybBTBRHdckFIT+OzRfoQAH4XCG5iujeEDZMCAQI= -----END DH PARAMETERS----- diff --git a/src/etc/inc/system.inc b/src/etc/inc/system.inc index c296f008b..f57133b1e 100644 --- a/src/etc/inc/system.inc +++ b/src/etc/inc/system.inc @@ -1172,26 +1172,7 @@ EOD; // Harden SSL a bit for PCI conformance testing $lighty_config .= "ssl.use-sslv2 = \"disable\"\n"; - /* Hifn accelerators do NOT work with the BEAST mitigation code. Do not allow it to be enabled if a Hifn card has been detected. */ - $fd = @fopen('/var/run/dmesg.boot', 'r'); - if ($fd) { - while (!feof($fd)) { - $dmesgl = fgets($fd); - if (preg_match("/^hifn.: (.*?),/", $dmesgl, $matches) && isset($config['system']['webgui']['beast_protection'])) { - unset($config['system']['webgui']['beast_protection']); - log_error("BEAST Protection disabled because a conflicting cryptographic accelerator card has been detected (" . $matches[1] . ")"); - break; - } - } - fclose($fd); - } - - if (isset($config['system']['webgui']['beast_protection'])) { - $lighty_config .= "ssl.honor-cipher-order = \"enable\"\n"; - $lighty_config .= "ssl.cipher-list = \"ECDHE-RSA-AES256-SHA384:AES256-SHA256:RC4-SHA:RC4:HIGH:!MD5:!aNULL:!EDH:!AESGCM\"\n"; - } else { - $lighty_config .= "ssl.cipher-list = \"DHE-RSA-CAMELLIA256-SHA:DHE-DSS-CAMELLIA256-SHA:CAMELLIA256-SHA:DHE-DSS-AES256-SHA:AES256-SHA:DHE-RSA-CAMELLIA128-SHA:DHE-DSS-CAMELLIA128-SHA:CAMELLIA128-SHA:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA:AES128-SHA:RC4-SHA:RC4-MD5:!aNULL:!eNULL:!3DES:@STRENGTH\"\n"; - } + $lighty_config .= 'ssl.cipher-list = "ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA"' . PHP_EOL; if(!(empty($ca) || (strlen(trim($ca)) == 0))) $lighty_config .= "ssl.ca-file = \"/var/etc/{$ca_location}\"\n\n"; diff --git a/src/www/system_advanced_admin.php b/src/www/system_advanced_admin.php index 08c0ec800..063cab1b7 100644 --- a/src/www/system_advanced_admin.php +++ b/src/www/system_advanced_admin.php @@ -43,7 +43,6 @@ $pconfig['disableconsolemenu'] = isset($config['system']['disableconsolemenu']); $pconfig['noantilockout'] = isset($config['system']['webgui']['noantilockout']); $pconfig['nodnsrebindcheck'] = isset($config['system']['webgui']['nodnsrebindcheck']); $pconfig['nohttpreferercheck'] = isset($config['system']['webgui']['nohttpreferercheck']); -$pconfig['beast_protection'] = isset($config['system']['webgui']['beast_protection']); $pconfig['enable_xdebug'] = isset($config['system']['webgui']['enable_xdebug']) ; $pconfig['loginautocomplete'] = isset($config['system']['webgui']['loginautocomplete']); $pconfig['althostnames'] = $config['system']['webgui']['althostnames']; @@ -163,11 +162,6 @@ if ($_POST) { else unset($config['system']['webgui']['nohttpreferercheck']); - if ($_POST['beast_protection'] == "yes") - $config['system']['webgui']['beast_protection'] = true; - else - unset($config['system']['webgui']['beast_protection']); - if ($_POST['enable_xdebug'] == "yes") { $config['system']['webgui']['enable_xdebug'] = true; } else { @@ -255,21 +249,6 @@ if ($_POST) { } } -unset($hwcrypto); -$fd = @fopen('/var/run/dmesg.boot', 'r'); -if ($fd) { - while (!feof($fd)) { - $dmesgl = fgets($fd); - if (preg_match("/^hifn.: (.*?),/", $dmesgl, $matches)) { - unset($pconfig['beast_protection']); - $disable_beast_option = "disabled"; - $hwcrypto = $matches[1]; - break; - } - } - fclose($fd); -} - $pgtitle = array(gettext("System"),gettext("Settings"),gettext("Admin Access")); include("head.inc"); @@ -469,22 +448,6 @@ include("head.inc"); "webConfigurator access in certain corner cases such as using external scripts to interact with this system. More information on HTTP_REFERER is available from Wikipedia."); ?> - - - - /> - -
- -
- " . sprintf(gettext("This option has been automatically disabled because a conflicting cryptographic accelerator card has been detected (%s)."), $hwcrypto) . "

"; - } ?> - Wikipedia."); ?> - -