Merge branch 'nginx_TLSv1.3_detection' into 'develop'

Adds TLSv1.3 detection & support to Nginx

See merge request ispconfig/ispconfig3!1251

Author: Marius Burkard

server/conf/nginx_vhost.conf.master

@@ -18,7 +18,14 @@ server {
         listen <tmpl_var name='ip_address'>:<tmpl_var name='proxy_protocol_https'> ssl proxy_protocol;
 </tmpl_if>
 </tmpl_if>
-		ssl_protocols TLSv1.2;
+
+<tmpl_if name='tls1.3_supported' op='==' value='y'>
+<tmpl_var name="ssl_protocols">
+	ssl_protocols TLSv1.3 TLSv1.2;
+<tmpl_else>
+<tmpl_var name="ssl_protocols">
+	ssl_protocols TLSv1.2;
+</tmpl_if>
 		# ssl_ciphers 'ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS';
 		# ssl_prefer_server_ciphers on;
 <tmpl_if name='ipv6_enabled'>

server/lib/classes/system.inc.php

@@ -2142,6 +2142,52 @@ function getinitcommand($servicename, $action, $init_script_directory = '', $che
 		}
 	}
 
+        function getopensslversion($get_minor = false) {
+                global $app;
+                if($this->is_installed('openssl')) $cmd = 'openssl version';
+                else {
+			$app->log("Could not check OpenSSL version, openssl not found.", LOGLEVEL_DEBUG);
+                        return '1.0.1';
+                }
+
+		exec($cmd, $output, $return_var);
+                if($return_var != 0 || !$output[0]) {
+			$app->log("Could not check OpenSSL version, openssl did not return any data.", LOGLEVEL_WARN);
+                        return '1.0.1';
+                }
+                if(preg_match('/OpenSSL\s*(\d+)(\.(\d+)(\.(\d+))*)?(\D|$)/i', $output[0], $matches)) {
+			return $matches[1] . (isset($matches[3]) ? '.' . $matches[3] : '') . (isset($matches[5]) && $get_minor == true ? '.' . $matches[5] : '');
+                } else {
+			$app->log("Could not check OpenSSL version, did not find version string in openssl output.", LOGLEVEL_WARN);
+			return '1.0.1';
+                }
+
+	}
+
+	function getnginxversion($get_minor = false) {
+		global $app;
+
+		if($this->is_installed('nginx')) $cmd = 'nginx -v 2>&1';
+		else {
+                        $app->log("Could not check Nginx version, nginx not found.", LOGLEVEL_DEBUG);
+                        return false;
+                }
+
+		exec($cmd, $output, $return_var);
+
+		if($return_var != 0 || !$output[0]) {
+                        $app->log("Could not check Nginx version, nginx did not return any data.", LOGLEVEL_WARN);
+                        return false;
+		}
+
+		if(preg_match('/nginx version: nginx\/\s*(\d+)(\.(\d+)(\.(\d+))*)?(\D|$)/i', $output[0], $matches)) {
+			return $matches[1] . (isset($matches[3]) ? '.' . $matches[3] : '') . (isset($matches[5]) && $get_minor == true ? '.' . $matches[5] : '');
+                } else {
+                        $app->log("Could not check Nginx version, did not find version string in nginx output.", LOGLEVEL_WARN);
+                        return false;
+                }
+	}
+
 	function getapacheversion($get_minor = false) {
 		global $app;
 

server/plugins-available/nginx_plugin.inc.php

@@ -1621,6 +1621,18 @@ function update($event_name, $data) {
 		// set logging variable
 		$vhost_data['logging'] = $web_config['logging'];
 
+                // Provide TLS 1.3 support if Nginx version is >= 1.13.0 and when it was linked against OpenSSL(>=1.1.1) at build time.
+		$output = $app->system->exec_safe('nginx -V 2>&1');
+
+		if(preg_match('/built with OpenSSL\s*(\d+)(\.(\d+)(\.(\d+))*)?(\D|$)/i', $output[0], $matches)) {
+                        $nginx_openssl_ver = $matches[1] . (isset($matches[3]) ? '.' . $matches[3] : '') . (isset($matches[5]) ? '.' . $matches[5] : '');
+		}
+
+		if((version_compare($app->system->getnginxversion(true), '1.13.0', '>=') && version_compare($nginx_openssl_ver, '1.1.1', '>='))) {
+			$app->log('Enable TLS 1.3 for: '.$domain, LOGLEVEL_DEBUG);
+			$vhost_data['tls1.3_supported'] = 'y';
+		}
+
 		$tpl->setVar($vhost_data);
 
 		$server_alias = array();