
Commit 99b4daf

authored
Merge pull request #464 from continuouspipe/feature/tls-cipher-improvements
TLS cipher improvements
2 parents 887204d + 3523a9d commit 99b4daf


5 files changed

+45
-5
lines changed


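--- a/nginx/README.md
+++ b/nginx/README.md
@@ -73,7 +73,9 @@ WEB_HTTPS_OFFLOADED | Whether the HTTPS traffic has been forwarded without SSL t
 WEB_HTTPS_ONLY | Whether to redirect all HTTP traffic to HTTPS | true/false | $WEB_HTTPS (deprecated: if $WEB_HTTPS=true then false)
 WEB_RESOLVER | DNS resolver for proxy_pass and ssl_stapling_verify | ip address |
 WEB_REVERSE_PROXIED | Whether to interpret X-Forwarded-Proto as the $custom_scheme and $custom_https emulation. | true/false | true
-WEB_SSL_CIPHERS | The enabled SSL/TLS server ciphers | the format understood by the OpenSSL library | ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:!aNULL:!MD5:!DSS
+WEB_SSL_CIPHERS | The enabled SSL/TLS server ciphers | the format understood by the OpenSSL library | ECDH+ECDSA+AESGCM:ECDH+aRSA+AESGCM:DH+AESGCM:ECDH+ECDSA+AES256:ECDH+aRSA+AES256:DH+AES256:ECDH+ECDSA+AES128:ECDH+aRSA+AES128:DH+AES:${SSL_CIPHERS_3DES_DH}:${SSL_CIPHERS_RSA}:!aNULL:!MD5:!DSS
+WEB_SSL_CIPHERS_SWEET32_FIX | Whether to disable 3DES ciphers found weak due to SWEET32 security flaw | true/false | false
+WEB_SSL_CIPHERS_RSA_FIX | Whether to disable RSA encryption ciphers found weak due to potential future Bleichenbacher Oracle Threat variations | true/false | false
 WEB_SSL_FULLCHAIN | The location of the SSL certificate and intermediate chain file | absolute filename | /etc/ssl/certs/fullchain.pem
 WEB_SSL_OCSP_STAPLING | Whether to enable TLS OCSP stapling | true/false | false
 WEB_SSL_PRIVKEY | The location of the SSL private key file | absolute filename | /etc/ssl/private/privkey.pem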

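--- a/nginx/usr/local/share/env/40-stack
+++ b/nginx/usr/local/share/env/40-stack
@@ -24,7 +24,24 @@ WEB_HTTPS_OFFLOADED="$(convert_to_boolean_string "${WEB_HTTPS_OFFLOADED:-false}"
 export WEB_HTTPS_OFFLOADED
 WEB_REVERSE_PROXIED="$(convert_to_boolean_string "${WEB_REVERSE_PROXIED:-true}")"
 export WEB_REVERSE_PROXIED
-export WEB_SSL_CIPHERS=${WEB_SSL_CIPHERS:-ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:!aNULL:!MD5:!DSS}
+
+if is_true "${WEB_SSL_CIPHERS_SWEET32_FIX:-}"; then
+SSL_CIPHERS_SWEET32_DH=""
+SSL_CIPHERS_SWEET32_RSA=""
+else
+SSL_CIPHERS_SWEET32_DH="ECDH+3DES:DH+3DES"
+SSL_CIPHERS_SWEET32_RSA="RSA+3DES"
+fi
+
+if is_true "${WEB_SSL_CIPHERS_RSA_FIX:-}"; then
+SSL_CIPHERS_RSA=""
+else
+SSL_CIPHERS_RSA="RSA+AESGCM:RSA+AES:${SSL_CIPHERS_SWEET32_RSA}"
+fi
+
+DEFAULT_SSL_CIPHERS="ECDH+ECDSA+AESGCM:ECDH+aRSA+AESGCM:DH+AESGCM:ECDH+ECDSA+AES256:ECDH+aRSA+AES256:DH+AES256:ECDH+ECDSA+AES128:ECDH+aRSA+AES128:DH+AES:${SSL_CIPHERS_SWEET32_DH}:${SSL_CIPHERS_RSA}:!aNULL:!MD5:!DSS"
+
+export WEB_SSL_CIPHERS=${WEB_SSL_CIPHERS:-$DEFAULT_SSL_CIPHERS}
 export WEB_SSL_FULLCHAIN=${WEB_SSL_FULLCHAIN:-/etc/ssl/certs/fullchain.pem}
 export WEB_SSL_PRIVKEY=${WEB_SSL_PRIVKEY:-/etc/ssl/certs/privkey.pem}
 export WEB_SSL_PROTOCOLS=${WEB_SSL_PROTOCOLS:-TLSv1 TLSv1.1 TLSv1.2}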
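Review bot: Both new hardening switches are off by default — `${WEB_SSL_CIPHERS_SWEET32_FIX:-}` and `${WEB_SSL_CIPHERS_RSA_FIX:-}` expand to empty, take the else branches, and so a fresh deployment still advertises the 3DES and static-RSA key-exchange suites the commit sets out to make avoidable; if opt-in is intended the README rows should say the default is deliberately the weaker setting, otherwise default both to true (`if is_true "${WEB_SSL_CIPHERS_SWEET32_FIX:-true}"; then`). When a fix is enabled the emptied variables leave blank items in DEFAULT_SSL_CIPHERS (`DH+AES::!aNULL`, or `RSA+AES:` with a trailing colon), which OpenSSL's cipher-list parser skips in my experience but which is fragile for anything else that splits the string on `:`; appending each optional group only when it is enabled, as sketched below, keeps the same order without the gaps. Separately, the README rows in this commit show the default as containing `${SSL_CIPHERS_3DES_DH}`, a name that does not exist here (the script uses SSL_CIPHERS_SWEET32_DH), and a literal variable name is not a useful default for readers either way. The identical hunk in php/shared/usr/local/share/env/40-stack has the same three points. `is_true` is defined outside this hunk, so I am assuming it treats an empty string as false.

```shell
# Build the default list by appending only the groups that are enabled,
# so no empty items are left in the string when a fix is switched on.
DEFAULT_SSL_CIPHERS="ECDH+ECDSA+AESGCM:ECDH+aRSA+AESGCM:DH+AESGCM:ECDH+ECDSA+AES256:ECDH+aRSA+AES256:DH+AES256:ECDH+ECDSA+AES128:ECDH+aRSA+AES128:DH+AES"
if ! is_true "${WEB_SSL_CIPHERS_SWEET32_FIX:-}"; then
  DEFAULT_SSL_CIPHERS="${DEFAULT_SSL_CIPHERS}:ECDH+3DES:DH+3DES"
fi
if ! is_true "${WEB_SSL_CIPHERS_RSA_FIX:-}"; then
  DEFAULT_SSL_CIPHERS="${DEFAULT_SSL_CIPHERS}:RSA+AESGCM:RSA+AES"
  if ! is_true "${WEB_SSL_CIPHERS_SWEET32_FIX:-}"; then
    DEFAULT_SSL_CIPHERS="${DEFAULT_SSL_CIPHERS}:RSA+3DES"
  fi
fi
DEFAULT_SSL_CIPHERS="${DEFAULT_SSL_CIPHERS}:!aNULL:!MD5:!DSS"
# … unchanged: export WEB_SSL_CIPHERS=${WEB_SSL_CIPHERS:-$DEFAULT_SSL_CIPHERS} …
```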

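--- a/php/apache/README.md
+++ b/php/apache/README.md
@@ -127,7 +127,9 @@ WEB_HTTPS_OFFLOADED | Whether the HTTPS traffic has been forwarded without SSL t
 WEB_HTTPS_ONLY | Whether to redirect all HTTP traffic to HTTPS | true/false | $WEB_HTTPS (deprecated: if $WEB_HTTPS=true then false)
 WEB_INCLUDES | A space separated list of files in /etc/apache2/sites-enabled/ to include. ".conf" will be appended automatically. Globs are accepted. | space separated list of partial file names | 000-default-*
 WEB_REVERSE_PROXIED | Whether to interpret X-Forwarded-Proto as the $custom_scheme and $custom_https emulation. | true/false | true
-WEB_SSL_CIPHERS | The enabled SSL/TLS server ciphers | the format understood by the OpenSSL library | ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:!aNULL:!MD5:!DSS
+WEB_SSL_CIPHERS | The enabled SSL/TLS server ciphers | the format understood by the OpenSSL library | ECDH+ECDSA+AESGCM:ECDH+aRSA+AESGCM:DH+AESGCM:ECDH+ECDSA+AES256:ECDH+aRSA+AES256:DH+AES256:ECDH+ECDSA+AES128:ECDH+aRSA+AES128:DH+AES:${SSL_CIPHERS_3DES_DH}:${SSL_CIPHERS_RSA}:!aNULL:!MD5:!DSS
+WEB_SSL_CIPHERS_SWEET32_FIX | Whether to disable 3DES ciphers found weak due to SWEET32 security flaw | true/false | false
+WEB_SSL_CIPHERS_RSA_FIX | Whether to disable RSA encryption ciphers found weak due to potential future Bleichenbacher Oracle Threat variations | true/false | false
 WEB_SSL_FULLCHAIN | The location of the SSL certificate and intermediate chain file | absolute filename | /etc/ssl/certs/fullchain.pem
 WEB_SSL_OCSP_STAPLING | Whether to enable TLS OCSP stapling | true/false | false
 WEB_SSL_OCSP_STAPLING_CACHE | If OCSP staping enabled then is a mandatory setting to set where OSCP responses are cached | see Apache HTTPD SSLStaplingCache documentation |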

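--- a/php/nginx/README.md
+++ b/php/nginx/README.md
@@ -134,7 +134,9 @@ WEB_HTTPS_ONLY | Whether to redirect all HTTP traffic to HTTPS | true/false
 WEB_HTTP2_TLS | Whether to enable HTTP2 over TLS on HTTPS port. If WEB_HTTPS_OFFLOADED enabled then this is ignored as TLS is not used | true/false | true
 WEB_HTTP2_PLAINTEXT_NONBC | Whether to enable HTTP2 over plaintext on HTTP port (or HTTPS if WEB_HTTPS_OFFLOADED enabled). Nginx doesn't support h2c for plain HTTP protocol so will not support HTTP 1.1/1.0 if enabled | true/false | false
 WEB_REVERSE_PROXIED | Whether to interpret X-Forwarded-Proto as the $custom_scheme and $custom_https emulation. | true/false | true
-WEB_SSL_CIPHERS | The enabled SSL/TLS server ciphers | the format understood by the OpenSSL library | ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:!aNULL:!MD5:!DSS
+WEB_SSL_CIPHERS | The enabled SSL/TLS server ciphers | the format understood by the OpenSSL library | ECDH+ECDSA+AESGCM:ECDH+aRSA+AESGCM:DH+AESGCM:ECDH+ECDSA+AES256:ECDH+aRSA+AES256:DH+AES256:ECDH+ECDSA+AES128:ECDH+aRSA+AES128:DH+AES:${SSL_CIPHERS_3DES_DH}:${SSL_CIPHERS_RSA}:!aNULL:!MD5:!DSS
+WEB_SSL_CIPHERS_SWEET32_FIX | Whether to disable 3DES ciphers found weak due to SWEET32 security flaw | true/false | false
+WEB_SSL_CIPHERS_RSA_FIX | Whether to disable RSA encryption ciphers found weak due to potential future Bleichenbacher Oracle Threat variations | true/false | false
 WEB_SSL_FULLCHAIN | The location of the SSL certificate and intermediate chain file | absolute filename | /etc/ssl/certs/fullchain.pem
 WEB_SSL_OCSP_STAPLING | Whether to enable TLS OCSP stapling | true/false | false
 WEB_SSL_PRIVKEY | The location of the SSL private key file | absolute filename | /etc/ssl/private/privkey.pem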

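--- a/php/shared/usr/local/share/env/40-stack
+++ b/php/shared/usr/local/share/env/40-stack
@@ -56,7 +56,24 @@ WEB_HTTPS_OFFLOADED="$(convert_to_boolean_string "${WEB_HTTPS_OFFLOADED:-false}"
 export WEB_HTTPS_OFFLOADED
 WEB_REVERSE_PROXIED="$(convert_to_boolean_string "${WEB_REVERSE_PROXIED:-true}")"
 export WEB_REVERSE_PROXIED
-export WEB_SSL_CIPHERS=${WEB_SSL_CIPHERS:-ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:!aNULL:!MD5:!DSS}
+
+if is_true "${WEB_SSL_CIPHERS_SWEET32_FIX:-}"; then
+SSL_CIPHERS_SWEET32_DH=""
+SSL_CIPHERS_SWEET32_RSA=""
+else
+SSL_CIPHERS_SWEET32_DH="ECDH+3DES:DH+3DES"
+SSL_CIPHERS_SWEET32_RSA="RSA+3DES"
+fi
+
+if is_true "${WEB_SSL_CIPHERS_RSA_FIX:-}"; then
+SSL_CIPHERS_RSA=""
+else
+SSL_CIPHERS_RSA="RSA+AESGCM:RSA+AES:${SSL_CIPHERS_SWEET32_RSA}"
+fi
+
+DEFAULT_SSL_CIPHERS="ECDH+ECDSA+AESGCM:ECDH+aRSA+AESGCM:DH+AESGCM:ECDH+ECDSA+AES256:ECDH+aRSA+AES256:DH+AES256:ECDH+ECDSA+AES128:ECDH+aRSA+AES128:DH+AES:${SSL_CIPHERS_SWEET32_DH}:${SSL_CIPHERS_RSA}:!aNULL:!MD5:!DSS"
+
+export WEB_SSL_CIPHERS=${WEB_SSL_CIPHERS:-$DEFAULT_SSL_CIPHERS}
 export WEB_SSL_FULLCHAIN=${WEB_SSL_FULLCHAIN:-/etc/ssl/certs/fullchain.pem}
 export WEB_SSL_PRIVKEY=${WEB_SSL_PRIVKEY:-/etc/ssl/certs/privkey.pem}
 export WEB_SSL_SESSION_CACHE=${WEB_SSL_SESSION_CACHE:-none}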
