use setting security_ciphers_compatibility to define security configurations

2024-09-03 20:06:10 +02:00 · 2019-02-04 23:01:16 +01:00 · 2019-02-04 23:01:16 +01:00 · 8e1034771a
commit 8e1034771a
parent c849b4732a
4 changed files with 36 additions and 13 deletions
--- a/data/hooks/conf_regen/03-ssh
+++ b/data/hooks/conf_regen/03-ssh
@ -12,7 +12,7 @@ do_pre_regen() {
    [[ ! -f /etc/yunohost/from_script ]] || return 0

    cd /usr/share/yunohost/templates/ssh
-    
+
    # do not listen to IPv6 if unavailable
    [[ -f /proc/net/if_inet6 ]] && ipv6_enabled=true || ipv6_enabled=false

@ -23,8 +23,14 @@ do_pre_regen() {
        ssh_keys="$ssh_keys $(ls /etc/ssh/ssh_host_dsa_key 2>/dev/null || true)"
    fi

+    # Support different strategy for security configurations
+    if [[ -n "$(yunohost settings get 'security.ciphers.compatibility')" ]]; then
+        security_ciphers_compatibility="$(yunohost settings get 'security.ciphers.compatibility')"
+    fi
+
    export ssh_keys
    export ipv6_enabled
+    export security_ciphers_compatibility
    ynh_render_template "sshd_config" "${pending_dir}/etc/ssh/sshd_config"
 }

--- a/data/hooks/conf_regen/15-nginx
+++ b/data/hooks/conf_regen/15-nginx
@ -36,6 +36,11 @@ do_pre_regen() {
  main_domain=$(cat /etc/yunohost/current_host)
  domain_list=$(sudo yunohost domain list --output-as plain --quiet)

+  # Support different strategy for security configurations
+  if [[ -n "$(yunohost settings get 'security.ciphers.compatibility')" ]]; then
+      security_ciphers_compatibility="$(yunohost settings get 'security.ciphers.compatibility')"
+  fi
+
  # add domain conf files
  for domain in $domain_list; do
    domain_conf_dir="${nginx_conf_dir}/${domain}.d"
@ -44,6 +49,7 @@ do_pre_regen() {
    mkdir -p "$mail_autoconfig_dir"

    # NGINX server configuration
+    export security_ciphers_compatibility
    export domain
    export domain_cert_ca=$(yunohost domain cert-status $domain --json \
                            | jq ".certificates.\"$domain\".CA_type" \
--- a/data/templates/nginx/server.tpl.conf
+++ b/data/templates/nginx/server.tpl.conf
@ -29,6 +29,15 @@ server {
    ssl_session_timeout 5m;
    ssl_session_cache shared:SSL:50m;

+    {%- if security_ciphers_compatibility == "modern" -%}
+    # Ciphers with modern compatibility
+    # https://mozilla.github.io/server-side-tls/ssl-config-generator/?server=nginx-1.6.2&openssl=1.0.1t&hsts=yes&profile=modern
+    # Uncomment the following to use modern ciphers, but remove compatibility with some old clients (android < 5.0, Internet Explorer < 10, ...)
+    ssl_protocols TLSv1.2;
+    ssl_ciphers 'ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256';
+    ssl_prefer_server_ciphers on;
+
+    {%- else -%}
    # As suggested by Mozilla : https://wiki.mozilla.org/Security/Server_Side_TLS and https://en.wikipedia.org/wiki/Curve25519
    ssl_ecdh_curve secp521r1:secp384r1:prime256v1;
    ssl_prefer_server_ciphers on;
@ -38,20 +47,15 @@ server {
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_ciphers 'ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS';

-    # Ciphers with modern compatibility
-    # https://mozilla.github.io/server-side-tls/ssl-config-generator/?server=nginx-1.6.2&openssl=1.0.1t&hsts=yes&profile=modern
-    # Uncomment the following to use modern ciphers, but remove compatibility with some old clients (android < 5.0, Internet Explorer < 10, ...)
-    #ssl_protocols TLSv1.2;
-    #ssl_ciphers 'ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256';
-
    # Uncomment the following directive after DH generation
    # > openssl dhparam -out /etc/ssl/private/dh2048.pem -outform PEM -2 2048
    #ssl_dhparam /etc/ssl/private/dh2048.pem;
+    {%- endif -%}

    # Follows the Web Security Directives from the Mozilla Dev Lab and the Mozilla Obervatory + Partners
    # https://wiki.mozilla.org/Security/Guidelines/Web_Security
-    # https://observatory.mozilla.org/ 
-    more_set_headers "Strict-Transport-Security : max-age=63072000; includeSubDomains; preload"; 
+    # https://observatory.mozilla.org/
+    more_set_headers "Strict-Transport-Security : max-age=63072000; includeSubDomains; preload";
    more_set_headers "Content-Security-Policy : upgrade-insecure-requests";
    more_set_headers "Content-Security-Policy-Report-Only : default-src https: data: 'unsafe-inline' 'unsafe-eval'";
    more_set_headers "X-Content-Type-Options : nosniff";
--- a/data/templates/ssh/sshd_config
+++ b/data/templates/ssh/sshd_config
@ -15,10 +15,17 @@ HostKey {{ key }}{% endfor %}
 # https://infosec.mozilla.org/guidelines/openssh
 # ##############################################

-# Keys, ciphers and MACS
-KexAlgorithms curve25519-sha256@libssh.org,ecdh-sha2-nistp521,ecdh-sha2-nistp384,ecdh-sha2-nistp256,diffie-hellman-group-exchange-sha256
-Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr
-MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,umac-128@openssh.com
+{%- if security_ciphers_compatibility == "intermediate" -%}
+  KexAlgorithms diffie-hellman-group-exchange-sha256
+  Ciphers aes256-ctr,aes192-ctr,aes128-ctr
+  MACs hmac-sha2-512,hmac-sha2-256
+{%- else -%}
+  # By default use "modern" Mozilla configuration
+  # Keys, ciphers and MACS
+  KexAlgorithms curve25519-sha256@libssh.org,ecdh-sha2-nistp521,ecdh-sha2-nistp384,ecdh-sha2-nistp256,diffie-hellman-group-exchange-sha256
+  Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr
+  MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,umac-128@openssh.com
+{%- endif -%}

 # Use kernel sandbox mechanisms where possible in unprivileged processes
 UsePrivilegeSeparation sandbox