From 8e1034771af5ecc9acce6e9966ac077ec2ea36c7 Mon Sep 17 00:00:00 2001 From: Romuald du Song Date: Mon, 4 Feb 2019 23:01:16 +0100 Subject: [PATCH 01/24] use setting security_ciphers_compatibility to define security configurations --- data/hooks/conf_regen/03-ssh | 8 +++++++- data/hooks/conf_regen/15-nginx | 6 ++++++ data/templates/nginx/server.tpl.conf | 20 ++++++++++++-------- data/templates/ssh/sshd_config | 15 +++++++++++---- 4 files changed, 36 insertions(+), 13 deletions(-) diff --git a/data/hooks/conf_regen/03-ssh b/data/hooks/conf_regen/03-ssh index 9de527518..330166f08 100755 --- a/data/hooks/conf_regen/03-ssh +++ b/data/hooks/conf_regen/03-ssh @@ -12,7 +12,7 @@ do_pre_regen() { [[ ! -f /etc/yunohost/from_script ]] || return 0 cd /usr/share/yunohost/templates/ssh - + # do not listen to IPv6 if unavailable [[ -f /proc/net/if_inet6 ]] && ipv6_enabled=true || ipv6_enabled=false @@ -23,8 +23,14 @@ do_pre_regen() { ssh_keys="$ssh_keys $(ls /etc/ssh/ssh_host_dsa_key 2>/dev/null || true)" fi + # Support different strategy for security configurations + if [[ -n "$(yunohost settings get 'security.ciphers.compatibility')" ]]; then + security_ciphers_compatibility="$(yunohost settings get 'security.ciphers.compatibility')" + fi + export ssh_keys export ipv6_enabled + export security_ciphers_compatibility ynh_render_template "sshd_config" "${pending_dir}/etc/ssh/sshd_config" } diff --git a/data/hooks/conf_regen/15-nginx b/data/hooks/conf_regen/15-nginx index 461c10c0c..97543dcfa 100755 --- a/data/hooks/conf_regen/15-nginx +++ b/data/hooks/conf_regen/15-nginx 
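Review bot: In the new `if [[ -n "$(yunohost settings get 'security.ciphers.compatibility')" ]]` block the exit status of `yunohost settings get` is discarded and the command runs twice; when it fails or prints nothing (the key is only declared in PATCH 03 of this series), `security_ciphers_compatibility` stays unset yet is still exported, and the sshd template's else-branch quietly selects the "modern" profile, so a lookup failure changes the SSH policy instead of preserving the configured one. Read the value once and make the fallback explicit: `security_ciphers_compatibility="$(yunohost settings get 'security.ciphers.compatibility')" || security_ciphers_compatibility=""`, with a comment like `# empty value => the template's default branch`. The enclosing `do_pre_regen` starts before the hunk.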
@@ -36,6 +36,11 @@ do_pre_regen() { main_domain=$(cat /etc/yunohost/current_host) domain_list=$(sudo yunohost domain list --output-as plain --quiet) + # Support different strategy for security configurations + if [[ -n "$(yunohost settings get 'security.ciphers.compatibility')" ]]; then + security_ciphers_compatibility="$(yunohost settings get 'security.ciphers.compatibility')" + fi + # add domain conf files for domain in $domain_list; do domain_conf_dir="${nginx_conf_dir}/${domain}.d" @@ -44,6 +49,7 @@ do_pre_regen() { mkdir -p "$mail_autoconfig_dir" # NGINX server configuration + export security_ciphers_compatibility export domain export domain_cert_ca=$(yunohost domain cert-status $domain --json \ | jq ".certificates.\"$domain\".CA_type" \ diff --git a/data/templates/nginx/server.tpl.conf b/data/templates/nginx/server.tpl.conf index 0c221f188..50ee1b9b8 100644 --- a/data/templates/nginx/server.tpl.conf +++ b/data/templates/nginx/server.tpl.conf @@ -29,6 +29,15 @@ server { ssl_session_timeout 5m; ssl_session_cache shared:SSL:50m; + {%- if security_ciphers_compatibility == "modern" -%} + # Ciphers with modern compatibility + # https://mozilla.github.io/server-side-tls/ssl-config-generator/?server=nginx-1.6.2&openssl=1.0.1t&hsts=yes&profile=modern + # Uncomment the following to use modern ciphers, but remove compatibility with some old clients (android < 5.0, Internet Explorer < 10, ...) + ssl_protocols TLSv1.2; + ssl_ciphers 'ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256'; + ssl_prefer_server_ciphers on; + + {%- else -%} # As suggested by Mozilla : https://wiki.mozilla.org/Security/Server_Side_TLS and https://en.wikipedia.org/wiki/Curve25519 ssl_ecdh_curve secp521r1:secp384r1:prime256v1; ssl_prefer_server_ciphers on; 
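Review bot: `export security_ciphers_compatibility` sits inside the per-domain loop although the value is read once before it, and `plain/yunohost_admin.conf` — the vhost serving the admin API — is not rendered with that value, so selecting "modern" hardens the user domains but, if the plain file is still copied verbatim (its directory name suggests so — please confirm), leaves the admin endpoint on the TLSv1/TLSv1.1 profile until PATCH 08/09 of this series. Move the export next to the assignment and, as for 03-ssh, collapse the two `yunohost settings get` calls into one: `security_ciphers_compatibility="$(yunohost settings get 'security.ciphers.compatibility')" || security_ciphers_compatibility=""`. `do_pre_regen` starts before the hunk and its domain loop continues after it.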
@@ -38,20 +47,15 @@ server { ssl_protocols TLSv1 TLSv1.1 TLSv1.2; ssl_ciphers 'ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS'; - # Ciphers with modern compatibility - # https://mozilla.github.io/server-side-tls/ssl-config-generator/?server=nginx-1.6.2&openssl=1.0.1t&hsts=yes&profile=modern - # Uncomment the following to use modern ciphers, but remove compatibility with some old clients (android < 5.0, Internet Explorer < 10, ...) 
- #ssl_protocols TLSv1.2; - #ssl_ciphers 'ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256'; - # Uncomment the following directive after DH generation # > openssl dhparam -out /etc/ssl/private/dh2048.pem -outform PEM -2 2048 #ssl_dhparam /etc/ssl/private/dh2048.pem; + {%- endif -%} # Follows the Web Security Directives from the Mozilla Dev Lab and the Mozilla Obervatory + Partners # https://wiki.mozilla.org/Security/Guidelines/Web_Security - # https://observatory.mozilla.org/ - more_set_headers "Strict-Transport-Security : max-age=63072000; includeSubDomains; preload"; + # https://observatory.mozilla.org/ + more_set_headers "Strict-Transport-Security : max-age=63072000; includeSubDomains; preload"; more_set_headers "Content-Security-Policy : upgrade-insecure-requests"; more_set_headers "Content-Security-Policy-Report-Only : default-src https: data: 'unsafe-inline' 'unsafe-eval'"; more_set_headers "X-Content-Type-Options : nosniff"; diff --git a/data/templates/ssh/sshd_config b/data/templates/ssh/sshd_config index ed870e5dc..7194a309d 100644 --- a/data/templates/ssh/sshd_config +++ b/data/templates/ssh/sshd_config 
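Review bot: The intermediate branch kept on the new side still lists `DHE-RSA-*` suites in `ssl_ciphers` while `ssl_dhparam` stays commented out; depending on the nginx version (the template's comment targets nginx 1.6.2) that falls back to built-in 1024-bit DH parameters, offering Logjam-class DHE key exchange to any client that prefers it. Either generate the parameters from the hook and emit `ssl_dhparam /etc/ssl/private/dh2048.pem;` unconditionally in this branch, or drop the `DHE-RSA-*` entries from the intermediate list until that is done; the modern branch has no DHE suites and is unaffected. The `{%- endif -%}` strip marker also glues the `# Follows the Web Security Directives` comment onto the `#ssl_dhparam` line, harmless here only because both are comments. The `server {` block starts and ends outside the hunk.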
@@ -15,10 +15,17 @@ HostKey {{ key }}{% endfor %} # https://infosec.mozilla.org/guidelines/openssh # ############################################## -# Keys, ciphers and MACS -KexAlgorithms curve25519-sha256@libssh.org,ecdh-sha2-nistp521,ecdh-sha2-nistp384,ecdh-sha2-nistp256,diffie-hellman-group-exchange-sha256 -Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr -MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,umac-128@openssh.com +{%- if security_ciphers_compatibility == "intermediate" -%} + KexAlgorithms diffie-hellman-group-exchange-sha256 + Ciphers aes256-ctr,aes192-ctr,aes128-ctr + MACs hmac-sha2-512,hmac-sha2-256 +{%- else -%} + # By default use "modern" Mozilla configuration + # Keys, ciphers and MACS + KexAlgorithms curve25519-sha256@libssh.org,ecdh-sha2-nistp521,ecdh-sha2-nistp384,ecdh-sha2-nistp256,diffie-hellman-group-exchange-sha256 + Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr + MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,umac-128@openssh.com +{%- endif -%} # Use kernel sandbox mechanisms where possible in unprivileged processes UsePrivilegeSeparation sandbox From e0aaf6f8a160f7b2028635e9e1b7235eca6bc4c7 Mon Sep 17 00:00:00 2001 From: Romuald du Song Date: Sat, 9 Feb 2019 11:56:33 +0100 Subject: [PATCH 02/24] add trace for process check --- data/hooks/conf_regen/15-nginx | 1 + 1 file changed, 1 insertion(+) diff --git a/data/hooks/conf_regen/15-nginx b/data/hooks/conf_regen/15-nginx index 97543dcfa..f0ca11797 100755 --- a/data/hooks/conf_regen/15-nginx +++ b/data/hooks/conf_regen/15-nginx 
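Review bot: The `{%- if ... -%}` / `{%- else -%}` / `{%- endif -%}` strip markers remove the surrounding newlines, so with Jinja2 defaults the rendered file joins the first line of the selected branch onto the preceding `# ####…` comment line and appends `# Use kernel sandbox…` to the `MACs` line; in the intermediate branch the former silently turns `KexAlgorithms diffie-hellman-group-exchange-sha256` into a comment, and in both branches the latter leaves sshd with an unparsable MAC list (`…hmac-sha2-256# Use kernel…`), which `sshd -t` rejects. Use plain `{% if security_ciphers_compatibility == "intermediate" %}` / `{% else %}` / `{% endif %}` tags on their own lines and validate the rendered file with `sshd -t -f <pending file>` in the hook before it is installed. A comment in the intermediate branch stating that it is Mozilla's OpenSSH 5.3 profile and drops curve25519, chacha20-poly1305 and the encrypt-then-MAC MACs would also tell admins what they trade away.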
@@ -49,6 +49,7 @@ do_pre_regen() { mkdir -p "$mail_autoconfig_dir" # NGINX server configuration + echo "RDS Using security_ciphers_compatibility=$security_ciphers_compatibility" export security_ciphers_compatibility export domain export domain_cert_ca=$(yunohost domain cert-status $domain --json \ From f084de5a69e7edd353ab90b7bf999775bbd234e0 Mon Sep 17 00:00:00 2001 From: Romuald du Song Date: Sat, 9 Feb 2019 23:30:40 +0100 Subject: [PATCH 03/24] declare setting security.ciphers.compatibility --- locales/en.json | 1 + locales/fr.json | 1 + src/yunohost/settings.py | 1 + 3 files changed, 3 insertions(+) diff --git a/locales/en.json b/locales/en.json index 8528c2576..72a34fb57 100644 --- a/locales/en.json +++ b/locales/en.json @@ -202,6 +202,7 @@ "global_settings_setting_example_enum": "Example enum option", "global_settings_setting_example_int": "Example int option", "global_settings_setting_example_string": "Example string option", + "global_settings_setting_security_ciphers_compatibility": "Admin ciphers compatibility strategy", "global_settings_setting_security_password_admin_strength": "Admin password strength", "global_settings_setting_security_password_user_strength": "User password strength", "global_settings_unknown_setting_from_settings_file": "Unknown key in settings: '{setting_key:s}', discarding it and save it in /etc/yunohost/unkown_settings.json", diff --git a/locales/fr.json b/locales/fr.json index 7119039db..0c73cebcd 100644 --- a/locales/fr.json +++ b/locales/fr.json 
@@ -308,6 +308,7 @@ "global_settings_setting_example_int": "Exemple d’option de type entier", "global_settings_setting_example_string": "Exemple d’option de type chaîne", "global_settings_setting_example_enum": "Exemple d’option de type énumération", + "global_settings_setting_security_ciphers_compatibility": "Stratégie de compatibilité des ciphers", "global_settings_unknown_type": "Situation inattendue, la configuration {setting:s} semble avoir le type {unknown_type:s} mais ce n’est pas un type pris en charge par le système.", "global_settings_unknown_setting_from_settings_file": "Clef inconnue dans les configurations : {setting_key:s}, rejet de cette clef et sauvegarde de celle-ci dans /etc/yunohost/unkown_settings.json", "service_conf_new_managed_file": "Le fichier de configuration « {conf} » est désormais géré par le service {service}.", diff --git a/src/yunohost/settings.py b/src/yunohost/settings.py index bbfb3ca56..7826b620f 100644 --- a/src/yunohost/settings.py +++ b/src/yunohost/settings.py @@ -39,6 +39,7 @@ DEFAULTS = OrderedDict([ ("security.password.admin.strength", {"type": "int", "default": 1}), ("security.password.user.strength", {"type": "int", "default": 1}), ("service.ssh.allow_deprecated_dsa_hostkey", {"type": "bool", "default": False}), + ("security.ciphers.compatibility", {"type": "string", "default": "intermediate"}), ]) From e776c777e602f76f614659353d9e0f8d84acb387 Mon Sep 17 00:00:00 2001 From: Romuald du Song Date: Thu, 14 Feb 2019 21:17:13 +0100 Subject: [PATCH 04/24] remove strip whitespace syntax --- data/templates/nginx/server.tpl.conf | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/data/templates/nginx/server.tpl.conf b/data/templates/nginx/server.tpl.conf index 50ee1b9b8..2d161d79c 100644 --- a/data/templates/nginx/server.tpl.conf +++ b/data/templates/nginx/server.tpl.conf 
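Review bot: Declaring `security.ciphers.compatibility` with `"default": "intermediate"` silently weakens SSH on every install: at this point of the series the sshd template reads the same key and renders its intermediate branch for that value, replacing the previously hard-coded curve25519/chacha20/ETM set with DH-GEX, CTR ciphers and plain HMACs, and the commit does not mention the regression. The `"string"` type also accepts anything, so a typo such as `Modern` selects whichever branch is the template's else case (intermediate for nginx, modern for SSH) without an error. Use a constrained type, `("security.ciphers.compatibility", {"type": "enum", "default": "intermediate", "choices": ["intermediate", "modern"]}),`, and give SSH its own key with a `modern` default so the existing hardening is kept. The `DEFAULTS` OrderedDict starts before the hunk.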
@@ -29,7 +29,7 @@ server { ssl_session_timeout 5m; ssl_session_cache shared:SSL:50m; - {%- if security_ciphers_compatibility == "modern" -%} + {% if security_ciphers_compatibility == "modern" %} # Ciphers with modern compatibility # https://mozilla.github.io/server-side-tls/ssl-config-generator/?server=nginx-1.6.2&openssl=1.0.1t&hsts=yes&profile=modern # Uncomment the following to use modern ciphers, but remove compatibility with some old clients (android < 5.0, Internet Explorer < 10, ...) @@ -37,7 +37,7 @@ server { ssl_ciphers 'ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256'; ssl_prefer_server_ciphers on; - {%- else -%} + {% else %} # As suggested by Mozilla : https://wiki.mozilla.org/Security/Server_Side_TLS and https://en.wikipedia.org/wiki/Curve25519 ssl_ecdh_curve secp521r1:secp384r1:prime256v1; ssl_prefer_server_ciphers on; @@ -50,7 +50,7 @@ server { # Uncomment the following directive after DH generation # > openssl dhparam -out /etc/ssl/private/dh2048.pem -outform PEM -2 2048 #ssl_dhparam /etc/ssl/private/dh2048.pem; - {%- endif -%} + {% endif %} # Follows the Web Security Directives from the Mozilla Dev Lab and the Mozilla Obervatory + Partners # https://wiki.mozilla.org/Security/Guidelines/Web_Security From 3251189ab8529e34c455f38b2b88d60fe47b8208 Mon Sep 17 00:00:00 2001 From: Romuald du Song Date: Thu, 14 Feb 2019 21:26:25 +0100 Subject: [PATCH 05/24] what a cumbersome whitespace control --- data/templates/nginx/server.tpl.conf | 5 ++--- 1 file changed, 2 insertions(+), 3 deletions(-) diff --git a/data/templates/nginx/server.tpl.conf b/data/templates/nginx/server.tpl.conf index 2d161d79c..5f22c8df5 100644 --- a/data/templates/nginx/server.tpl.conf +++ b/data/templates/nginx/server.tpl.conf 
@@ -29,14 +29,13 @@ server { ssl_session_timeout 5m; ssl_session_cache shared:SSL:50m; - {% if security_ciphers_compatibility == "modern" %} + {% if security_ciphers_compatibility == "modern" -%} # Ciphers with modern compatibility # https://mozilla.github.io/server-side-tls/ssl-config-generator/?server=nginx-1.6.2&openssl=1.0.1t&hsts=yes&profile=modern # Uncomment the following to use modern ciphers, but remove compatibility with some old clients (android < 5.0, Internet Explorer < 10, ...) ssl_protocols TLSv1.2; ssl_ciphers 'ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256'; ssl_prefer_server_ciphers on; - {% else %} # As suggested by Mozilla : https://wiki.mozilla.org/Security/Server_Side_TLS and https://en.wikipedia.org/wiki/Curve25519 ssl_ecdh_curve secp521r1:secp384r1:prime256v1; @@ -64,7 +63,7 @@ server { more_set_headers "X-Permitted-Cross-Domain-Policies : none"; more_set_headers "X-Frame-Options : SAMEORIGIN"; - {% if domain_cert_ca == "Let's Encrypt" %} + {% if domain_cert_ca == "Let's Encrypt" -%} # OCSP settings ssl_stapling on; ssl_stapling_verify on; From a267e1bc74167f07bb521162f4e92b225336e89d Mon Sep 17 00:00:00 2001 From: Romuald du Song Date: Thu, 14 Feb 2019 21:28:56 +0100 Subject: [PATCH 06/24] what a cumbersome whitespace control --- data/templates/nginx/server.tpl.conf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/data/templates/nginx/server.tpl.conf b/data/templates/nginx/server.tpl.conf index 5f22c8df5..9d662b904 100644 --- a/data/templates/nginx/server.tpl.conf +++ b/data/templates/nginx/server.tpl.conf 
@@ -70,7 +70,7 @@ server { ssl_trusted_certificate /etc/yunohost/certs/{{ domain }}/crt.pem; resolver 127.0.0.1 127.0.1.1 valid=300s; resolver_timeout 5s; - {% endif %} + {%- endif %} access_by_lua_file /usr/share/ssowat/access.lua; From 7b01ccfefbc534c34b31dcb3367ebf629b01353c Mon Sep 17 00:00:00 2001 From: Romuald du Song Date: Thu, 14 Feb 2019 21:33:36 +0100 Subject: [PATCH 07/24] remove whitespace control attempt --- data/templates/nginx/server.tpl.conf | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/data/templates/nginx/server.tpl.conf b/data/templates/nginx/server.tpl.conf index 9d662b904..e19bab970 100644 --- a/data/templates/nginx/server.tpl.conf +++ b/data/templates/nginx/server.tpl.conf @@ -29,7 +29,7 @@ server { ssl_session_timeout 5m; ssl_session_cache shared:SSL:50m; - {% if security_ciphers_compatibility == "modern" -%} + {% if security_ciphers_compatibility == "modern" %} # Ciphers with modern compatibility # https://mozilla.github.io/server-side-tls/ssl-config-generator/?server=nginx-1.6.2&openssl=1.0.1t&hsts=yes&profile=modern # Uncomment the following to use modern ciphers, but remove compatibility with some old clients (android < 5.0, Internet Explorer < 10, ...) @@ -63,14 +63,14 @@ server { more_set_headers "X-Permitted-Cross-Domain-Policies : none"; more_set_headers "X-Frame-Options : SAMEORIGIN"; - {% if domain_cert_ca == "Let's Encrypt" -%} + {% if domain_cert_ca == "Let's Encrypt" %} # OCSP settings ssl_stapling on; ssl_stapling_verify on; ssl_trusted_certificate /etc/yunohost/certs/{{ domain }}/crt.pem; resolver 127.0.0.1 127.0.1.1 valid=300s; resolver_timeout 5s; - {%- endif %} + {% endif %} access_by_lua_file /usr/share/ssowat/access.lua; From e9274ee44376cbdcb617f7aa9622d93f6672145a Mon Sep 17 00:00:00 2001 
From: Romuald du Song Date: Thu, 14 Feb 2019 22:27:49 +0100 Subject: [PATCH 08/24] Handle yunohost admin nginx config --- .../templates/nginx/plain/yunohost_admin.conf | 21 +++++++++++-------- 1 file changed, 12 insertions(+), 9 deletions(-) diff --git a/data/templates/nginx/plain/yunohost_admin.conf b/data/templates/nginx/plain/yunohost_admin.conf index b6fabf8e3..7992b2de9 100644 --- a/data/templates/nginx/plain/yunohost_admin.conf +++ b/data/templates/nginx/plain/yunohost_admin.conf @@ -20,6 +20,14 @@ server { ssl_session_timeout 5m; ssl_session_cache shared:SSL:50m; + {% if security_ciphers_compatibility == "modern" %} + # Ciphers with modern compatibility + # https://mozilla.github.io/server-side-tls/ssl-config-generator/?server=nginx-1.6.2&openssl=1.0.1t&hsts=yes&profile=modern + # Uncomment the following to use modern ciphers, but remove compatibility with some old clients (android < 5.0, Internet Explorer < 10, ...) + ssl_protocols TLSv1.2; + ssl_ciphers 'ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256'; + ssl_prefer_server_ciphers on; + {% else %} # As suggested by Mozilla : https://wiki.mozilla.org/Security/Server_Side_TLS and https://en.wikipedia.org/wiki/Curve25519 ssl_ecdh_curve secp521r1:secp384r1:prime256v1; ssl_prefer_server_ciphers on; 
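Review bot: This turns `plain/yunohost_admin.conf` into a Jinja template, but no hook in this commit renders it; if the regen mechanism still copies `plain/` files as-is (which the directory name suggests — please confirm), nginx receives the literal `{% if security_ciphers_compatibility == "modern" %}` lines and fails to load its configuration until PATCH 09 of this series adds the `ynh_render_template` call. The protocol/cipher block is also now duplicated byte-for-byte between this file and `server.tpl.conf`, which is how the admin vhost and the user domains will drift apart; rendering the block once into a snippet that both vhosts `include` would keep them on the same policy. The `server {` block starts and ends outside the hunk.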
@@ -29,20 +37,15 @@ server { ssl_protocols TLSv1 TLSv1.1 TLSv1.2; ssl_ciphers 'ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS'; - # Ciphers with modern compatibility - # https://mozilla.github.io/server-side-tls/ssl-config-generator/?server=nginx-1.6.2&openssl=1.0.1t&hsts=yes&profile=modern - # Uncomment the following to use modern ciphers, but remove compatibility with some old clients (android < 5.0, Internet Explorer < 10, ...) 
- #ssl_protocols TLSv1.2; - #ssl_ciphers 'ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256'; - # Uncomment the following directive after DH generation # > openssl dhparam -out /etc/ssl/private/dh2048.pem -outform PEM -2 2048 #ssl_dhparam /etc/ssl/private/dh2048.pem; - + {% endif %} + # Follows the Web Security Directives from the Mozilla Dev Lab and the Mozilla Obervatory + Partners # https://wiki.mozilla.org/Security/Guidelines/Web_Security - # https://observatory.mozilla.org/ - more_set_headers "Strict-Transport-Security : max-age=63072000; includeSubDomains; preload"; + # https://observatory.mozilla.org/ + more_set_headers "Strict-Transport-Security : max-age=63072000; includeSubDomains; preload"; more_set_headers "Referrer-Policy : 'same-origin'"; more_set_headers "Content-Security-Policy : upgrade-insecure-requests; object-src 'none'; script-src https: 'unsafe-eval'"; more_set_headers "X-Content-Type-Options : nosniff"; From 12d0e0e1de00463fb13c468ef1403e6761a3cda7 Mon Sep 17 00:00:00 2001 From: Romuald du Song Date: Thu, 14 Feb 2019 22:34:35 +0100 Subject: [PATCH 09/24] add instruction to rebuild yunohost-admin conf --- data/hooks/conf_regen/15-nginx | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/data/hooks/conf_regen/15-nginx b/data/hooks/conf_regen/15-nginx index f0ca11797..4c5bac331 100755 --- a/data/hooks/conf_regen/15-nginx +++ b/data/hooks/conf_regen/15-nginx @@ -41,6 +41,8 @@ do_pre_regen() { security_ciphers_compatibility="$(yunohost settings get 'security.ciphers.compatibility')" fi + export security_ciphers_compatibility + # add domain conf files for domain in $domain_list; do domain_conf_dir="${nginx_conf_dir}/${domain}.d" 
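Review bot: The `more_set_headers "Referrer-Policy : 'same-origin'";` line kept on the new side sends the literal value `'same-origin'` including the quotes, which is not a valid policy token, so browsers ignore the header and apply their own default rather than the intended policy for the admin interface; it should read `more_set_headers "Referrer-Policy : same-origin";`. This is not introduced by the commit, but it sits in the header block being reindented here and is cheap to fix in the same change. The `server {` block starts and ends outside the hunk.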
@@ -49,8 +51,6 @@ do_pre_regen() { mkdir -p "$mail_autoconfig_dir" # NGINX server configuration - echo "RDS Using security_ciphers_compatibility=$security_ciphers_compatibility" - export security_ciphers_compatibility export domain export domain_cert_ca=$(yunohost domain cert-status $domain --json \ | jq ".certificates.\"$domain\".CA_type" \ @@ -64,6 +64,7 @@ do_pre_regen() { || cp yunohost_local.conf "${domain_conf_dir}/yunohost_local.conf" done + ynh_render_template "plain/yunohost_admin.conf" "${nginx_conf_dir}/yunohost-admin.conf" # remove old domain conf files conf_files=$(ls -1 /etc/nginx/conf.d \ From ec52ded7776cc481c7563edce790a1c20d5ee09e Mon Sep 17 00:00:00 2001 From: Romuald du Song Date: Thu, 14 Feb 2019 22:38:28 +0100 Subject: [PATCH 10/24] don't conflict translation tool --- locales/fr.json | 1 - 1 file changed, 1 deletion(-) diff --git a/locales/fr.json b/locales/fr.json index 0c73cebcd..7119039db 100644 --- a/locales/fr.json +++ b/locales/fr.json @@ -308,7 +308,6 @@ "global_settings_setting_example_int": "Exemple d’option de type entier", "global_settings_setting_example_string": "Exemple d’option de type chaîne", "global_settings_setting_example_enum": "Exemple d’option de type énumération", - "global_settings_setting_security_ciphers_compatibility": "Stratégie de compatibilité des ciphers", "global_settings_unknown_type": "Situation inattendue, la configuration {setting:s} semble avoir le type {unknown_type:s} mais ce n’est pas un type pris en charge par le système.", "global_settings_unknown_setting_from_settings_file": "Clef inconnue dans les configurations : {setting_key:s}, rejet de cette clef et sauvegarde de celle-ci dans /etc/yunohost/unkown_settings.json", "service_conf_new_managed_file": "Le fichier de configuration « {conf} » est désormais géré par le service {service}.", From e8eff8729792d9ef27cf8b829687206c941cd987 Mon Sep 17 00:00:00 2001 
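Review bot: `ynh_render_template "plain/yunohost_admin.conf" "${nginx_conf_dir}/yunohost-admin.conf"` writes the rendered vhost under a name (`yunohost-admin.conf`, hyphen) that differs from the source's `yunohost_admin.conf`; if the generic regen still installs the plain copy under the original name, nginx ends up with two admin `server` blocks, one of them containing unrendered Jinja. Keep the target identical to the source, `"${nginx_conf_dir}/yunohost_admin.conf"`, and add a short comment that this file must be rendered rather than copied because it now carries `{% if %}` blocks. `do_pre_regen` starts before the hunk and continues after it.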
From: Romuald du Song Date: Thu, 14 Feb 2019 22:49:13 +0100 Subject: [PATCH 11/24] switch to enum type to store cipher policy setting --- src/yunohost/settings.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/yunohost/settings.py b/src/yunohost/settings.py index 7826b620f..9b12647a6 100644 --- a/src/yunohost/settings.py +++ b/src/yunohost/settings.py @@ -39,7 +39,7 @@ DEFAULTS = OrderedDict([ ("security.password.admin.strength", {"type": "int", "default": 1}), ("security.password.user.strength", {"type": "int", "default": 1}), ("service.ssh.allow_deprecated_dsa_hostkey", {"type": "bool", "default": False}), - ("security.ciphers.compatibility", {"type": "string", "default": "intermediate"}), + ("security.ciphers.compatibility", {"type": "enum", "choices": "intermediate", "modern"}), ]) From a899102efc8a13fcf4c16bf31bb7769f4d820b23 Mon Sep 17 00:00:00 2001 From: Romuald du Song Date: Thu, 14 Feb 2019 22:57:24 +0100 Subject: [PATCH 12/24] don't share setting for nginx and ssh --- data/hooks/conf_regen/03-ssh | 6 +++--- data/templates/ssh/sshd_config | 6 +++--- locales/en.json | 3 ++- src/yunohost/settings.py | 1 + 4 files changed, 9 insertions(+), 7 deletions(-) diff --git a/data/hooks/conf_regen/03-ssh b/data/hooks/conf_regen/03-ssh index 330166f08..3a79de456 100755 --- a/data/hooks/conf_regen/03-ssh +++ b/data/hooks/conf_regen/03-ssh 
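Review bot: `{"type": "enum", "choices": "intermediate", "modern"}` is not valid Python — a dict display cannot contain the bare element `"modern"` — so `settings.py` fails to import and every `yunohost settings` command breaks; the line also drops the `default` key, leaving a fresh install with no value for the templates to compare. It should read `("security.ciphers.compatibility", {"type": "enum", "default": "intermediate", "choices": ["intermediate", "modern"]}),`. `DEFAULTS` starts before the hunk.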
@@ -24,13 +24,13 @@ do_pre_regen() { fi # Support different strategy for security configurations - if [[ -n "$(yunohost settings get 'security.ciphers.compatibility')" ]]; then - security_ciphers_compatibility="$(yunohost settings get 'security.ciphers.compatibility')" + if [[ -n "$(yunohost settings get 'service.ssh.ciphers.compatibility')" ]]; then + ssh_ciphers_compatibility="$(yunohost settings get 'service.ssh.ciphers.compatibility')" fi export ssh_keys export ipv6_enabled - export security_ciphers_compatibility + export ssh_ciphers_compatibility ynh_render_template "sshd_config" "${pending_dir}/etc/ssh/sshd_config" } diff --git a/data/templates/ssh/sshd_config b/data/templates/ssh/sshd_config index 7194a309d..f27ca3ebe 100644 --- a/data/templates/ssh/sshd_config +++ b/data/templates/ssh/sshd_config @@ -15,17 +15,17 @@ HostKey {{ key }}{% endfor %} # https://infosec.mozilla.org/guidelines/openssh # ############################################## -{%- if security_ciphers_compatibility == "intermediate" -%} +{% if ssh_ciphers_compatibility == "intermediate" %} KexAlgorithms diffie-hellman-group-exchange-sha256 Ciphers aes256-ctr,aes192-ctr,aes128-ctr MACs hmac-sha2-512,hmac-sha2-256 -{%- else -%} +{% else %} # By default use "modern" Mozilla configuration # Keys, ciphers and MACS KexAlgorithms curve25519-sha256@libssh.org,ecdh-sha2-nistp521,ecdh-sha2-nistp384,ecdh-sha2-nistp256,diffie-hellman-group-exchange-sha256 Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,umac-128@openssh.com -{%- endif -%} +{% endif %} # Use kernel sandbox mechanisms where possible in unprivileged processes UsePrivilegeSeparation sandbox diff --git a/locales/en.json b/locales/en.json index 72a34fb57..3f01cb08e 100644 --- a/locales/en.json +++ b/locales/en.json 
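Review bot: The intermediate branch of the sshd template has no comment explaining what an admin gives up by selecting it, and since `{% else %}` also catches an unset or unexpected `ssh_ciphers_compatibility`, a reader of the rendered file cannot tell which profile is active or why. Add above `KexAlgorithms diffie-hellman-group-exchange-sha256` a note such as `# "intermediate": Mozilla's OpenSSH 5.3 profile for old clients - no curve25519, no chacha20/AES-GCM, no encrypt-then-MAC`, and reword `# By default use "modern" Mozilla configuration` to say that any value other than "intermediate", including none, lands here. The directives inside both branches are indented by two spaces while the rest of the file is flush-left; sshd skips leading whitespace, so this is cosmetic, but dropping the indent keeps the file uniform.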
@@ -202,11 +202,12 @@ "global_settings_setting_example_enum": "Example enum option", "global_settings_setting_example_int": "Example int option", "global_settings_setting_example_string": "Example string option", - "global_settings_setting_security_ciphers_compatibility": "Admin ciphers compatibility strategy", + "global_settings_setting_security_ciphers_compatibility": "Admin ciphers compatibility strategy for the web", "global_settings_setting_security_password_admin_strength": "Admin password strength", "global_settings_setting_security_password_user_strength": "User password strength", "global_settings_unknown_setting_from_settings_file": "Unknown key in settings: '{setting_key:s}', discarding it and save it in /etc/yunohost/unkown_settings.json", "global_settings_setting_service_ssh_allow_deprecated_dsa_hostkey": "Allow the use of (deprecated) DSA hostkey for the SSH daemon configuration", + "global_settings_setting_service_ssh_ciphers_compatibility": "Admin ciphers compatibility strategy for SSH", "global_settings_unknown_type": "Unexpected situation, the setting {setting:s} appears to have the type {unknown_type:s} but it's not a type supported by the system.", "good_practices_about_admin_password": "You are now about to define a new administration password. The password should be at least 8 characters - though it is good practice to use longer password (i.e. a passphrase) and/or to use various kind of characters (uppercase, lowercase, digits and special characters).", "good_practices_about_user_password": "You are now about to define a new user password. The password should be at least 8 characters - though it is good practice to use longer password (i.e. a passphrase) and/or to use various kind of characters (uppercase, lowercase, digits and special characters).", diff --git a/src/yunohost/settings.py b/src/yunohost/settings.py index 9b12647a6..c3d4591b0 100644 --- a/src/yunohost/settings.py +++ b/src/yunohost/settings.py 
@@ -39,6 +39,7 @@ DEFAULTS = OrderedDict([ ("security.password.admin.strength", {"type": "int", "default": 1}), ("security.password.user.strength", {"type": "int", "default": 1}), ("service.ssh.allow_deprecated_dsa_hostkey", {"type": "bool", "default": False}), + ("service.ssh.ciphers.compatibility", {"type": "enum", "choices": "intermediate", "modern"}), ("security.ciphers.compatibility", {"type": "enum", "choices": "intermediate", "modern"}), ]) From 375b7d53b1fca626abdba882799692aa247ab1e8 Mon Sep 17 00:00:00 2001 From: Romuald du Song Date: Thu, 14 Feb 2019 23:00:52 +0100 Subject: [PATCH 13/24] fix enum syntax --- src/yunohost/settings.py | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/src/yunohost/settings.py b/src/yunohost/settings.py index c3d4591b0..1d60c3a6a 100644 --- a/src/yunohost/settings.py +++ b/src/yunohost/settings.py @@ -39,8 +39,10 @@ DEFAULTS = OrderedDict([ ("security.password.admin.strength", {"type": "int", "default": 1}), ("security.password.user.strength", {"type": "int", "default": 1}), ("service.ssh.allow_deprecated_dsa_hostkey", {"type": "bool", "default": False}), - ("service.ssh.ciphers.compatibility", {"type": "enum", "choices": "intermediate", "modern"}), - ("security.ciphers.compatibility", {"type": "enum", "choices": "intermediate", "modern"}), + ("service.ssh.ciphers.compatibility", {"type": "enum", "default": "modern", + "choices": ["intermediate", "modern"]}), + ("security.ciphers.compatibility", {"type": "enum", "default": "intermediate", + "choices": ["intermediate", "modern"]}), ]) From aaf6dba8d7c28ca43dedc88b0eec907b22ed2629 Mon Sep 17 00:00:00 2001 From: Romuald du Song Date: Thu, 14 Feb 2019 23:03:27 +0100 Subject: [PATCH 14/24] fix yunhost admin config filename --- data/hooks/conf_regen/15-nginx | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/data/hooks/conf_regen/15-nginx b/data/hooks/conf_regen/15-nginx index 4c5bac331..c33f16cba 100755 --- a/data/hooks/conf_regen/15-nginx 
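Review bot: With these two entries a change of either setting is applied nowhere: nothing in the series so far re-renders `sshd_config` or the nginx vhosts when the value changes, so switching to `modern` (presumably via `yunohost settings set`) stores the value but has no effect until the admin happens to run `yunohost service regen-conf`, with no indication that this step is needed. Either wire a post-change hook that regenerates the affected service, or say so in the locale strings (`global_settings_setting_security_ciphers_compatibility`, `global_settings_setting_service_ssh_ciphers_compatibility`) so the UI makes the extra step explicit. A one-line comment beside each entry naming its consumer, e.g. `# read by data/hooks/conf_regen/03-ssh -> templates/ssh/sshd_config`, would also help the next maintainer. `DEFAULTS` starts before the hunk.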
+++ b/data/hooks/conf_regen/15-nginx @@ -64,7 +64,7 @@ do_pre_regen() { || cp yunohost_local.conf "${domain_conf_dir}/yunohost_local.conf" done - ynh_render_template "plain/yunohost_admin.conf" "${nginx_conf_dir}/yunohost-admin.conf" + ynh_render_template "plain/yunohost_admin.conf" "${nginx_conf_dir}/yunohost_admin.conf" # remove old domain conf files conf_files=$(ls -1 /etc/nginx/conf.d \ From 5d48640f3c993d5a3d7c80a411531d4efc07892b Mon Sep 17 00:00:00 2001 From: Romuald du Song Date: Thu, 14 Feb 2019 23:12:59 +0100 Subject: [PATCH 15/24] Adapt comment to new context --- data/templates/nginx/server.tpl.conf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/data/templates/nginx/server.tpl.conf b/data/templates/nginx/server.tpl.conf index e19bab970..84c884055 100644 --- a/data/templates/nginx/server.tpl.conf +++ b/data/templates/nginx/server.tpl.conf @@ -32,7 +32,7 @@ server { {% if security_ciphers_compatibility == "modern" %} # Ciphers with modern compatibility # https://mozilla.github.io/server-side-tls/ssl-config-generator/?server=nginx-1.6.2&openssl=1.0.1t&hsts=yes&profile=modern - # Uncomment the following to use modern ciphers, but remove compatibility with some old clients (android < 5.0, Internet Explorer < 10, ...) + # The following configuration use modern ciphers, but remove compatibility with some old clients (android < 5.0, Internet Explorer < 10, ...) ssl_protocols TLSv1.2; ssl_ciphers 'ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256'; ssl_prefer_server_ciphers on; From 9aa6cb6ac5c23f1a5385d0bda513629a445bf8ee Mon Sep 17 00:00:00 2001 
From: Romuald du Song Date: Thu, 21 Feb 2019 20:46:18 +0100 Subject: [PATCH 16/24] add hook to reconfigure nginx or ssh on settings change --- src/yunohost/settings.py | 11 +++++++++++ 1 file changed, 11 insertions(+) diff --git a/src/yunohost/settings.py b/src/yunohost/settings.py index 1d60c3a6a..96c73a79d 100644 --- a/src/yunohost/settings.py +++ b/src/yunohost/settings.py @@ -239,3 +239,14 @@ def _save_settings(settings, location=SETTINGS_PATH): settings_fd.write(result) except Exception as e: raise YunohostError('global_settings_cant_write_settings', reason=e) + +@post_change_hook("security.ciphers.compatibility") +def reconfigure_nginx(setting_name, old_value, new_value): + if old_value != new_value: + service_regen_conf("nginx") + +@post_change_hook("service.ssh.ciphers.compatibility") +def reconfigure_ssh(setting_name, old_value, new_value): + if old_value != new_value: + service_regen_conf("ssh") + From ac250e2549974adc2a610756f9bea2f8404b27d5 Mon Sep 17 00:00:00 2001 From: Romuald du Song Date: Thu, 21 Feb 2019 21:15:25 +0100 Subject: [PATCH 17/24] fix service_regen_conf syntax --- src/yunohost/settings.py | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/src/yunohost/settings.py b/src/yunohost/settings.py index 96c73a79d..d19b0cba3 100644 --- a/src/yunohost/settings.py +++ b/src/yunohost/settings.py @@ -7,6 +7,7 @@ from collections import OrderedDict from moulinette import m18n from yunohost.utils.error import YunohostError from moulinette.utils.log import getActionLogger +from yunohost.service import service_regen_conf logger = getActionLogger('yunohost.settings') 
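Review bot: `service_regen_conf("nginx")` in `reconfigure_nginx` (and its ssh twin) references a name this module never imports, so the hook raises `NameError` the first time the setting changes — presumably after the new value has already been persisted by the caller, leaving the stored policy and the deployed configuration out of sync; the positional call also does not match the `names=[...]` keyword form the function is given later in the series. Import it (`from yunohost.service import service_regen_conf`, checking that `yunohost.service` does not import `settings` back) and call `service_regen_conf(names=['nginx'])`; a docstring stating that the hook only re-renders YunoHost-managed files would set expectations. Whether the hook runs before or after the value is saved is decided by `trigger_post_change_hook`, which is outside the hunk.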
@@ -243,10 +244,10 @@ def _save_settings(settings, location=SETTINGS_PATH):
 @post_change_hook("security.ciphers.compatibility")
 def reconfigure_nginx(setting_name, old_value, new_value):
 if old_value != new_value:
- service_regen_conf("nginx")
+ service_regen_conf(names=['nginx'], force=True)
 @post_change_hook("service.ssh.ciphers.compatibility")
 def reconfigure_ssh(setting_name, old_value, new_value):
 if old_value != new_value:
- service_regen_conf("ssh")
+ service_regen_conf(names=['ssh'], force=True)
From e7d322b68ccf6bb13e103ace8b1ed81543984f91 Mon Sep 17 00:00:00 2001
From: Romuald du Song
Date: Mon, 25 Feb 2019 18:29:46 +0100
Subject: [PATCH 18/24] don't enforce services reconfiguration generation unless you don't want to keep user meodifications
---
 src/yunohost/settings.py | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/src/yunohost/settings.py b/src/yunohost/settings.py
index cb87f67ac..916e8b8c3 100644
--- a/src/yunohost/settings.py
+++ b/src/yunohost/settings.py
@@ -286,9 +286,9 @@ def trigger_post_change_hook(setting_name, old_value, new_value):
 @post_change_hook("security.ciphers.compatibility")
 def reconfigure_nginx(setting_name, old_value, new_value):
 if old_value != new_value:
- service_regen_conf(names=['nginx'], force=True)
+ service_regen_conf(names=['nginx'])
 @post_change_hook("service.ssh.ciphers.compatibility")
 def reconfigure_ssh(setting_name, old_value, new_value):
 if old_value != new_value:
- service_regen_conf(names=['ssh'], force=True)
+ service_regen_conf(names=['ssh'])
From fee79820e097ebefb342bd53a16098661359b196 Mon Sep 17 00:00:00 2001
From: Alexandre Aubin
Date: Fri, 22 Mar 2019 16:15:11 +0100
Subject: [PATCH 19/24] Rename nginx and ssh compatibility setting for consistency
---
 data/hooks/conf_regen/03-ssh | 4 ++--
 data/hooks/conf_regen/15-nginx | 4 ++--
 src/yunohost/settings.py | 8 ++++----
 3 files changed, 8 insertions(+), 8 deletions(-)
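Review bot: In the PATCH 18 hunk, dropping force=True from both service_regen_conf calls means a change to the compatibility setting can silently leave the live TLS or SSH configuration untouched: the commit message says the non-forced regen keeps user modifications, so on a host where the admin has hand-edited the nginx vhost or sshd_config the setting will read "modern" while the server still offers the previous cipher list. The precise behaviour of service_regen_conf on a manually modified file is not visible here, but the hook should surface that case rather than return quietly — for example log a warning naming the skipped file, or document on the setting that it only takes effect on unmodified conf files. Without that, an operator tightening the setting has no signal that nothing changed.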
diff --git a/data/hooks/conf_regen/03-ssh b/data/hooks/conf_regen/03-ssh
index dbf9d69e3..0b58a461c 100755
--- a/data/hooks/conf_regen/03-ssh
+++ b/data/hooks/conf_regen/03-ssh
@@ -24,8 +24,8 @@ do_pre_regen() {
 fi
 # Support different strategy for security configurations
- if [[ -n "$(yunohost settings get 'service.ssh.ciphers.compatibility')" ]]; then
- ssh_ciphers_compatibility="$(yunohost settings get 'service.ssh.ciphers.compatibility')"
+ if [[ -n "$(yunohost settings get 'service.ssh.compatibility')" ]]; then
+ ssh_ciphers_compatibility="$(yunohost settings get 'service.ssh.compatibility')"
 fi
 export ssh_keys
diff --git a/data/hooks/conf_regen/15-nginx b/data/hooks/conf_regen/15-nginx
index 9a7579eeb..57446c081 100755
--- a/data/hooks/conf_regen/15-nginx
+++ b/data/hooks/conf_regen/15-nginx
@@ -37,8 +37,8 @@ do_pre_regen() {
 domain_list=$(sudo yunohost domain list --output-as plain --quiet)
 # Support different strategy for security configurations
- if [[ -n "$(yunohost settings get 'security.ciphers.compatibility')" ]]; then
- security_ciphers_compatibility="$(yunohost settings get 'security.ciphers.compatibility')"
+ if [[ -n "$(yunohost settings get 'security.nginx.compatibility')" ]]; then
+ security_ciphers_compatibility="$(yunohost settings get 'security.nginx.compatibility')"
 fi
 export security_ciphers_compatibility
diff --git a/src/yunohost/settings.py b/src/yunohost/settings.py
index 916e8b8c3..6277c8283 100644
--- a/src/yunohost/settings.py
+++ b/src/yunohost/settings.py
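Review bot: The 03-ssh hunk queries `yunohost settings get 'service.ssh.compatibility'`, but the settings.py hunk of the same commit registers the SSH setting as "security.ssh.compatibility" (the hook decorator uses that name as well), so this lookup targets a key DEFAULTS does not define. Because the result sits behind `[[ -n ... ]]`, a failed or empty lookup is swallowed, ssh_ciphers_compatibility stays unset, and the sshd_config template silently renders whatever its non-"intermediate" branch contains instead of the configured value. The 15-nginx hunk is consistent with settings.py ("security.nginx.compatibility"); only the SSH side is off, and both lines of this hunk should read `'security.ssh.compatibility'` (PATCH 22 in this series corrects it). do_pre_regen continues outside the hunk.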
@@ -40,9 +40,9 @@ DEFAULTS = OrderedDict([
 ("security.password.admin.strength", {"type": "int", "default": 1}),
 ("security.password.user.strength", {"type": "int", "default": 1}),
 ("service.ssh.allow_deprecated_dsa_hostkey", {"type": "bool", "default": False}),
- ("service.ssh.ciphers.compatibility", {"type": "enum", "default": "modern",
+ ("security.ssh.compatibility", {"type": "enum", "default": "modern",
 "choices": ["intermediate", "modern"]}),
- ("security.ciphers.compatibility", {"type": "enum", "default": "intermediate",
+ ("security.nginx.compatibility", {"type": "enum", "default": "intermediate",
 "choices": ["intermediate", "modern"]}),
 ])
@@ -283,12 +283,12 @@ def trigger_post_change_hook(setting_name, old_value, new_value):
 #
 # ===========================================
-@post_change_hook("security.ciphers.compatibility")
+@post_change_hook("security.nginx.compatibility")
 def reconfigure_nginx(setting_name, old_value, new_value):
 if old_value != new_value:
 service_regen_conf(names=['nginx'])
-@post_change_hook("service.ssh.ciphers.compatibility")
+@post_change_hook("security.ssh.compatibility")
 def reconfigure_ssh(setting_name, old_value, new_value):
 if old_value != new_value:
 service_regen_conf(names=['ssh'])
From dcff10f6f84d03c5f15cfa29cd4698cdcb365bd3 Mon Sep 17 00:00:00 2001
From: Alexandre Aubin
Date: Fri, 22 Mar 2019 16:31:45 +0100
Subject: [PATCH 20/24] Simplify setting usage in regenconf hooks
---
 data/hooks/conf_regen/03-ssh | 5 +----
 data/hooks/conf_regen/15-nginx | 6 +-----
 data/templates/nginx/plain/yunohost_admin.conf | 2 +-
 data/templates/nginx/server.tpl.conf | 2 +-
 data/templates/ssh/sshd_config | 2 +-
 5 files changed, 5 insertions(+), 12 deletions(-)
diff --git a/data/hooks/conf_regen/03-ssh b/data/hooks/conf_regen/03-ssh
index 0b58a461c..265c2f746 100755
--- a/data/hooks/conf_regen/03-ssh
+++ b/data/hooks/conf_regen/03-ssh
@@ -24,13 +24,10 @@ do_pre_regen() {
 fi
 # Support different strategy for security configurations
- if [[ -n "$(yunohost settings get 'service.ssh.compatibility')" ]]; then
- ssh_ciphers_compatibility="$(yunohost settings get 'service.ssh.compatibility')"
- fi
+ export compatibility="$(yunohost settings get 'service.ssh.compatibility')"
 export ssh_keys
 export ipv6_enabled
- export ssh_ciphers_compatibility
 ynh_render_template "sshd_config" "${pending_dir}/etc/ssh/sshd_config"
 }
diff --git a/data/hooks/conf_regen/15-nginx b/data/hooks/conf_regen/15-nginx
index 57446c081..60e719743 100755
--- a/data/hooks/conf_regen/15-nginx
+++ b/data/hooks/conf_regen/15-nginx
@@ -37,11 +37,7 @@ do_pre_regen() {
 domain_list=$(sudo yunohost domain list --output-as plain --quiet)
 # Support different strategy for security configurations
- if [[ -n "$(yunohost settings get 'security.nginx.compatibility')" ]]; then
- security_ciphers_compatibility="$(yunohost settings get 'security.nginx.compatibility')"
- fi
-
- export security_ciphers_compatibility
+ export compatibility="$(yunohost settings get 'security.nginx.compatibility')"
 # add domain conf files
 for domain in $domain_list; do
diff --git a/data/templates/nginx/plain/yunohost_admin.conf b/data/templates/nginx/plain/yunohost_admin.conf
index 71ad22545..c785a63c4 100644
--- a/data/templates/nginx/plain/yunohost_admin.conf
+++ b/data/templates/nginx/plain/yunohost_admin.conf
@@ -20,7 +20,7 @@ server {
 ssl_session_timeout 5m;
 ssl_session_cache shared:SSL:50m;
- {% if security_ciphers_compatibility == "modern" %}
+ {% if compatibility == "modern" %}
 # Ciphers with modern compatibility
 # https://mozilla.github.io/server-side-tls/ssl-config-generator/?server=nginx-1.6.2&openssl=1.0.1t&hsts=yes&profile=modern
 # Uncomment the following to use modern ciphers, but remove compatibility with some old clients (android < 5.0, Internet Explorer < 10, ...)
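Review bot: `export compatibility="$(yunohost settings get ...)"` in the 03-ssh hunk, and identically in the 15-nginx hunk, discards the exit status of the settings lookup because `export` returns 0 whatever the command substitution did, and the former `[[ -n ... ]]` guard is gone too, so a failing or empty lookup now reaches the template as an empty value with no signal. For nginx that is the dangerous direction: the templates test `compatibility == "modern"` and otherwise fall through to the other branch, so a broken lookup quietly selects the pre-existing, more permissive profile, while sshd_config tests `== "intermediate"` and falls the other way, which is at least inconsistent. Split the assignment from the export and check the value — `compatibility=$(yunohost settings get 'security.nginx.compatibility') || return 1`, `[[ -n "$compatibility" ]] || return 1`, then `export compatibility` — assuming the regen-conf framework honours a non-zero return from do_pre_regen; confirm that. do_pre_regen begins outside both hunks.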
diff --git a/data/templates/nginx/server.tpl.conf b/data/templates/nginx/server.tpl.conf
index b25e38faa..26bc78b39 100644
--- a/data/templates/nginx/server.tpl.conf
+++ b/data/templates/nginx/server.tpl.conf
@@ -29,7 +29,7 @@ server {
 ssl_session_timeout 5m;
 ssl_session_cache shared:SSL:50m;
- {% if security_ciphers_compatibility == "modern" %}
+ {% if compatibility == "modern" %}
 # Ciphers with modern compatibility
 # https://mozilla.github.io/server-side-tls/ssl-config-generator/?server=nginx-1.6.2&openssl=1.0.1t&hsts=yes&profile=modern
 # The following configuration use modern ciphers, but remove compatibility with some old clients (android < 5.0, Internet Explorer < 10, ...)
diff --git a/data/templates/ssh/sshd_config b/data/templates/ssh/sshd_config
index f27ca3ebe..8dc0e8dfc 100644
--- a/data/templates/ssh/sshd_config
+++ b/data/templates/ssh/sshd_config
@@ -15,7 +15,7 @@ HostKey {{ key }}{% endfor %}
 # https://infosec.mozilla.org/guidelines/openssh
 #
 ##############################################
-{% if ssh_ciphers_compatibility == "intermediate" %}
+{% if compatibility == "intermediate" %}
 KexAlgorithms diffie-hellman-group-exchange-sha256
 Ciphers aes256-ctr,aes192-ctr,aes128-ctr
 MACs hmac-sha2-512,hmac-sha2-256
From 219dd2590c7ae876ec194fb4522e86d48a618b0a Mon Sep 17 00:00:00 2001
From: Alexandre Aubin
Date: Fri, 22 Mar 2019 17:12:38 +0100
Subject: [PATCH 21/24] Update settings descriptions
---
 locales/en.json | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/locales/en.json b/locales/en.json
index e56b8e304..af3360b8a 100644
--- a/locales/en.json
+++ b/locales/en.json
@@ -210,12 +210,12 @@
 "global_settings_setting_example_enum": "Example enum option",
 "global_settings_setting_example_int": "Example int option",
 "global_settings_setting_example_string": "Example string option",
- "global_settings_setting_security_ciphers_compatibility": "Admin ciphers compatibility strategy for the web",
+ "global_settings_setting_security_nginx_compatibility": "Compatibility vs. security tradeoff for the web server nginx. Affects the ciphers (and other security-related aspects)",
 "global_settings_setting_security_password_admin_strength": "Admin password strength",
 "global_settings_setting_security_password_user_strength": "User password strength",
+ "global_settings_setting_security_ssh_compatibility": "Compatibility vs. security tradeoff for the SSH server. Affects the ciphers (and other security-related aspects)",
 "global_settings_unknown_setting_from_settings_file": "Unknown key in settings: '{setting_key:s}', discarding it and save it in /etc/yunohost/unkown_settings.json",
 "global_settings_setting_service_ssh_allow_deprecated_dsa_hostkey": "Allow the use of (deprecated) DSA hostkey for the SSH daemon configuration",
- "global_settings_setting_service_ssh_ciphers_compatibility": "Admin ciphers compatibility strategy for SSH",
 "global_settings_unknown_type": "Unexpected situation, the setting {setting:s} appears to have the type {unknown_type:s} but it's not a type supported by the system.",
 "good_practices_about_admin_password": "You are now about to define a new administration password. The password should be at least 8 characters - though it is good practice to use longer password (i.e. a passphrase) and/or to use various kind of characters (uppercase, lowercase, digits and special characters).",
 "good_practices_about_user_password": "You are now about to define a new user password. The password should be at least 8 characters - though it is good practice to use longer password (i.e.
a passphrase) and/or to use various kind of characters (uppercase, lowercase, digits and special characters).",
From fefa44e0621fa6ee28515079df0755dc9e7d7e09 Mon Sep 17 00:00:00 2001
From: Alexandre Aubin
Date: Fri, 22 Mar 2019 17:14:48 +0100
Subject: [PATCH 22/24] Typo in previous commits
---
 data/hooks/conf_regen/03-ssh | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/data/hooks/conf_regen/03-ssh b/data/hooks/conf_regen/03-ssh
index 265c2f746..54b7c55b7 100755
--- a/data/hooks/conf_regen/03-ssh
+++ b/data/hooks/conf_regen/03-ssh
@@ -24,7 +24,7 @@ do_pre_regen() {
 fi
 # Support different strategy for security configurations
- export compatibility="$(yunohost settings get 'service.ssh.compatibility')"
+ export compatibility="$(yunohost settings get 'security.ssh.compatibility')"
 export ssh_keys
 export ipv6_enabled
From a86c379233e4305cda886d89b9aa254876a44c25 Mon Sep 17 00:00:00 2001
From: Romuald du Song
Date: Sat, 23 Mar 2019 16:46:40 +0100
Subject: [PATCH 23/24] fix syntax in nodejs helper
---
 data/helpers.d/nodejs | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/data/helpers.d/nodejs b/data/helpers.d/nodejs
index 61a1414ef..1730990e7 100644
--- a/data/helpers.d/nodejs
+++ b/data/helpers.d/nodejs
@@ -99,7 +99,7 @@ ynh_install_nodejs () {
 # Install the requested version of nodejs
 uname=$(uname -m)
- if [[ $uname =~ aarch64 || $uname =~ arm64]]
+ if [[ $uname =~ aarch64 || $uname =~ arm64 ]]
 then
 n $nodejs_version --arch=arm64
 else
From cd9fcd265d99e52d4da02f5546483d802c074c98 Mon Sep 17 00:00:00 2001
From: Romuald du Song
Date: Sat, 23 Mar 2019 16:54:47 +0100
Subject: [PATCH 24/24] fix conflict
---
 data/helpers.d/nodejs | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/data/helpers.d/nodejs b/data/helpers.d/nodejs
index 1730990e7..098ed4410 100644
--- a/data/helpers.d/nodejs
+++ b/data/helpers.d/nodejs
@@ -99,7 +99,7 @@ ynh_install_nodejs () {
 # Install the requested version of nodejs
 uname=$(uname -m)
- if [[ $uname =~ aarch64 || $uname =~ arm64 ]]
+ if [[ $uname =~ aarch64 || $uname =~ arm64 ]]
 then
 n $nodejs_version --arch=arm64
 else