
Commit 9ffe217

committed
added extra checks for TLS 1.3 availability
1 parent 541b7f0 commit 9ffe217


3 files changed

+48
-8
lines changed


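--- a/server/conf/nginx_vhost.conf.master
+++ b/server/conf/nginx_vhost.conf.master
@@ -19,10 +19,12 @@ server {
 </tmpl_if>
 </tmpl_if>
 
-<tmpl_if name='openssl_version' op='>=' value='1.1.1' format='version'>
-<tmpl_var name="ssl_comment">ssl_protocols TLSv1.3 TLSv1.2;
+<tmpl_if name='tls13_available' op='>=' value='1.1.1' format='version'>
+<tmpl_var name="ssl_protocols">
+ssl_protocols TLSv1.3 TLSv1.2;
 <tmpl_else>
-<tmpl_var name="ssl_comment">ssl_protocols TLSv1.2;
+<tmpl_var name="ssl_protocols">
+ssl_protocols TLSv1.2;
 </tmpl_if>
 # ssl_ciphers 'ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS';
 # ssl_prefer_server_ciphers on;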
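Review bot: On new lines 23 and 26 `<tmpl_var name="ssl_protocols">` is emitted on a line of its own, whereas the removed lines placed `<tmpl_var name="ssl_comment">` directly in front of the directive; as rendered here, whatever prefix the variable is meant to inject no longer touches `ssl_protocols TLSv1.3 TLSv1.2;`, and both branches now emit their directive unconditionally. If the variable is still intended as a comment toggle, keep it on the same line: `<tmpl_var name="ssl_protocols">ssl_protocols TLSv1.3 TLSv1.2;` and `<tmpl_var name="ssl_protocols">ssl_protocols TLSv1.2;`. The nginx_plugin hunk in this commit sets `tls13_available` but no `ssl_protocols` template variable, so the new var presumably renders empty unless it is assigned elsewhere. The enclosing `server { … }` block starts before this hunk.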

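--- a/server/lib/classes/system.inc.php
+++ b/server/lib/classes/system.inc.php
@@ -2094,7 +2094,8 @@ function getopensslversion($get_minor = false) {
 $app->log("Could not check OpenSSL version, openssl not found.", LOGLEVEL_DEBUG);
 return '1.0.1';
 }
-exec($cmd, $output, $return_var);
+
+exec($cmd, $output, $return_var);
 if($return_var != 0 || !$output[0]) {
 $app->log("Could not check OpenSSL version, openssl did not return any data.", LOGLEVEL_WARN);
 return '1.0.1';
@@ -2106,7 +2107,31 @@ function getopensslversion($get_minor = false) {
 return '1.0.1';
 }
 
-}
+}
+
+function getnginxversion($get_minor = false) {
+global $app;
+
+if($this->is_installed('nginx')) $cmd = 'nginx -v 2>&1';
+else {
+$app->log("Could not check Nginx version, nginx not found.", LOGLEVEL_DEBUG);
+return false;
+}
+
+exec($cmd, $output, $return_var);
+
+if($return_var != 0 || !$output[0]) {
+$app->log("Could not check Nginx version, nginx did not return any data.", LOGLEVEL_WARN);
+return false;
+}
+
+if(preg_match('/nginx version: nginx\/\s*(\d+)(\.(\d+)(\.(\d+))*)?(\D|$)/i', $output[0], $matches)) {
+return $matches[1] . (isset($matches[3]) ? '.' . $matches[3] : '') . (isset($matches[5]) && $get_minor == true ? '.' . $matches[5] : '');
+} else {
+$app->log("Could not check Nginx version, did not find version string in nginx output.", LOGLEVEL_WARN);
+return false;
+}
+}
 
 function getapacheversion($get_minor = false) {
 global $app;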
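Review bot: `getnginxversion()` returns `false` on every failure path (new lines 2118, 2125, 2132) while the sibling `getopensslversion()` visible at the top of the hunk falls back to `'1.0.1'`, and the one caller added in this commit (nginx_plugin.inc.php) passes the result straight into `version_compare()`, where `false` is silently coerced to an empty string instead of being rejected. Either return a conservative fallback the way the sibling does, or document the contract with `/** @return string|false  version string, or false when nginx is missing or its output cannot be parsed */` and have the caller test for `false` before comparing. `!$output[0]` on new line 2123 also raises an undefined-index notice when `exec()` fills no lines; `if($return_var != 0 || empty($output[0])) {` covers both cases. The first hunk only re-indents the existing `exec()` call.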

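--- a/server/plugins-available/nginx_plugin.inc.php
+++ b/server/plugins-available/nginx_plugin.inc.php
@@ -1621,10 +1621,23 @@ function update($event_name, $data) {
 // set logging variable
 $vhost_data['logging'] = $web_config['logging'];
 
-$app->log("Found OpenSSL version: " . $app->system->getopensslversion($get_minor = true), LOGLEVEL_DEBUG);
+// check if OpenSSL and Nginx supports TLS 1.3
+//$app->log("Found OpenSSL version: " . $app->system->getopensslversion($get_minor = true), LOGLEVEL_DEBUG);
+$nginx_version = $app->system->getnginxversion(true);
+$openssl_version = $app->system->getopensslversion(true);
 
-$vhost_data['openssl_version'] = $app->system->getopensslversion($get_minor = true);
-
+$app->system->exec_safe('nginx -V 2>&1', $output, $return_var);
+
+if(preg_match('/built with OpenSSL\s*(\d+)(\.(\d+)(\.(\d+))*)?(\D|$)/i', $output[0], $matches)) {
+$nginx_openssl_ver = $matches[1] . (isset($matches[3]) ? '.' . $matches[3] : '') . (isset($matches[5]) ? '.' . $matches[5] : '');
+}
+
+if(version_compare($app->system->getopensslversion(true), $nginx_openssl_ver, '>=')) {
+if((version_compare($app->system->getnginxversion(true), '1.13.0', '>=') && version_compare($app->system->getopensslversion(true), '1.1.1', '>='))) {
+$app->log('Enable TLS 1.3 for: '.$domain, LOGLEVEL_DEBUG);
+$vhost_data['tls13_available'] = $app->system->getopensslversion(true);
+}
+}
 $tpl->setVar($vhost_data);
 
 $server_alias = array();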
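Review bot: `$nginx_openssl_ver` is assigned only inside the `preg_match` branch (new lines 1631–1633) but read unconditionally on line 1635, so when the "built with OpenSSL" string is not found — or `$output[0]` is unset because `exec_safe()` produced nothing — `version_compare()` compares against an undefined value that coerces to an empty string, the `'>='` guard passes, and `tls13_available` is set purely from the CLI versions; that is the opposite of the fail-closed behaviour this check is for. The regex is also applied to `$output[0]` only, and on the `nginx -V` builds I have seen the "built with OpenSSL" line is not the first line of output, so the match may never succeed in practice (please confirm against a real box). Initialise the variable, scan the whole output, and skip the TLS 1.3 enablement when the build version is unknown. `$nginx_version` and `$openssl_version` on lines 1626–1627 are never used while the same helpers are re-invoked three more times below, each spawning a subprocess; reusing the two locals would avoid that. The enclosing `update()` continues outside this hunk.
```php
$app->system->exec_safe('nginx -V 2>&1', $output, $return_var);

// the "built with OpenSSL" line is not necessarily the first line, so scan all output
$nginx_openssl_ver = false;
if(preg_match('/built with OpenSSL\s*(\d+)(\.(\d+)(\.(\d+))*)?(\D|$)/i', implode("\n", $output), $matches)) {
	$nginx_openssl_ver = $matches[1] . (isset($matches[3]) ? '.' . $matches[3] : '') . (isset($matches[5]) ? '.' . $matches[5] : '');
}

// fail closed: only consider TLS 1.3 when the OpenSSL version nginx was built against is known
if($nginx_openssl_ver !== false && $nginx_version !== false && version_compare($openssl_version, $nginx_openssl_ver, '>=')) {
	if(version_compare($nginx_version, '1.13.0', '>=') && version_compare($openssl_version, '1.1.1', '>=')) {
		$app->log('Enable TLS 1.3 for: '.$domain, LOGLEVEL_DEBUG);
		$vhost_data['tls13_available'] = $openssl_version;
	}
}
// … unchanged: $tpl->setVar($vhost_data); …
```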
