fix tls1.3 in nginx

JSroka7 · JSroka7 · commit 8be19f199c45 · 2020-12-18T19:48:11.000+01:00
diff --git a/server/conf/nginx_vhost.conf.master b/server/conf/nginx_vhost.conf.master
@@ -19,11 +19,9 @@ server {
 </tmpl_if>
 </tmpl_if>
 
-<tmpl_if name='tls1.3_supported' op='==' value='y'>
-<tmpl_var name="ssl_protocols">
+<tmpl_if name='tls13_supported' op='==' value='y'>
 	ssl_protocols TLSv1.3 TLSv1.2;
 <tmpl_else>
-<tmpl_var name="ssl_protocols">
 	ssl_protocols TLSv1.2;
 </tmpl_if>
 		# ssl_ciphers 'ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS';
diff --git a/server/plugins-available/nginx_plugin.inc.php b/server/plugins-available/nginx_plugin.inc.php
@@ -1631,16 +1631,10 @@ function update($event_name, $data) {
 		// set logging variable
 		$vhost_data['logging'] = $web_config['logging'];
 
-                // Provide TLS 1.3 support if Nginx version is >= 1.13.0 and when it was linked against OpenSSL(>=1.1.1) at build time.
-		$output = $app->system->exec_safe('nginx -V 2>&1');
-
-		if(preg_match('/built with OpenSSL\s*(\d+)(\.(\d+)(\.(\d+))*)?(\D|$)/i', $output[0], $matches)) {
-                        $nginx_openssl_ver = $matches[1] . (isset($matches[3]) ? '.' . $matches[3] : '') . (isset($matches[5]) ? '.' . $matches[5] : '');
-		}
-
-		if((version_compare($app->system->getnginxversion(true), '1.13.0', '>=') && version_compare($nginx_openssl_ver, '1.1.1', '>='))) {
+         // Provide TLS 1.3 support if Nginx version is >= 1.13.0 and when it was linked against OpenSSL(>=1.1.1) at build time.
+		if((version_compare($app->system->getnginxversion(true), '1.13.0', '>=') && version_compare($app->system->getopensslversion(true), '1.1.1', '>='))) {
 			$app->log('Enable TLS 1.3 for: '.$domain, LOGLEVEL_DEBUG);
-			$vhost_data['tls1.3_supported'] = 'y';
+			$vhost_data['tls13_supported'] = "y";
 		}
 
 		$tpl->setVar($vhost_data);
