Commit 99dac4ab authored by Ad Schellevis's avatar Ad Schellevis

(webconfigurator) optionally limit ciphers. closes https://github.com/opnsense/core/issues/1301

parent 5f7fa590
...@@ -1276,8 +1276,11 @@ EOD; ...@@ -1276,8 +1276,11 @@ EOD;
// Harden SSL a bit for PCI conformance testing // Harden SSL a bit for PCI conformance testing
$lighty_config .= "ssl.use-sslv2 = \"disable\"\n"; $lighty_config .= "ssl.use-sslv2 = \"disable\"\n";
if (empty($config['system']['webgui']['ssl-ciphers'])) {
$lighty_config .= 'ssl.cipher-list = "ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA"' . PHP_EOL; $lighty_config .= 'ssl.cipher-list = "ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA"' . PHP_EOL;
} else {
$lighty_config .= 'ssl.cipher-list = "'.$config['system']['webgui']['ssl-ciphers'].'"' . PHP_EOL;
}
if(!(empty($ca) || (strlen(trim($ca)) == 0))) { if(!(empty($ca) || (strlen(trim($ca)) == 0))) {
$lighty_config .= "ssl.ca-file = \"/var/etc/{$ca_location}\"\n\n"; $lighty_config .= "ssl.ca-file = \"/var/etc/{$ca_location}\"\n\n";
......
Value,Description,DTLS-OK,Reference
"0x00,0x00",TLS_NULL_WITH_NULL_NULL,Y,[RFC5246]
"0x00,0x01",TLS_RSA_WITH_NULL_MD5,Y,[RFC5246]
"0x00,0x02",TLS_RSA_WITH_NULL_SHA,Y,[RFC5246]
"0x00,0x03",TLS_RSA_EXPORT_WITH_RC4_40_MD5,N,[RFC4346][RFC6347]
"0x00,0x04",TLS_RSA_WITH_RC4_128_MD5,N,[RFC5246][RFC6347]
"0x00,0x05",TLS_RSA_WITH_RC4_128_SHA,N,[RFC5246][RFC6347]
"0x00,0x06",TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5,Y,[RFC4346]
"0x00,0x07",TLS_RSA_WITH_IDEA_CBC_SHA,Y,[RFC5469]
"0x00,0x08",TLS_RSA_EXPORT_WITH_DES40_CBC_SHA,Y,[RFC4346]
"0x00,0x09",TLS_RSA_WITH_DES_CBC_SHA,Y,[RFC5469]
"0x00,0x0A",TLS_RSA_WITH_3DES_EDE_CBC_SHA,Y,[RFC5246]
"0x00,0x0B",TLS_DH_DSS_EXPORT_WITH_DES40_CBC_SHA,Y,[RFC4346]
"0x00,0x0C",TLS_DH_DSS_WITH_DES_CBC_SHA,Y,[RFC5469]
"0x00,0x0D",TLS_DH_DSS_WITH_3DES_EDE_CBC_SHA,Y,[RFC5246]
"0x00,0x0E",TLS_DH_RSA_EXPORT_WITH_DES40_CBC_SHA,Y,[RFC4346]
"0x00,0x0F",TLS_DH_RSA_WITH_DES_CBC_SHA,Y,[RFC5469]
"0x00,0x10",TLS_DH_RSA_WITH_3DES_EDE_CBC_SHA,Y,[RFC5246]
"0x00,0x11",TLS_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA,Y,[RFC4346]
"0x00,0x12",TLS_DHE_DSS_WITH_DES_CBC_SHA,Y,[RFC5469]
"0x00,0x13",TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA,Y,[RFC5246]
"0x00,0x14",TLS_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA,Y,[RFC4346]
"0x00,0x15",TLS_DHE_RSA_WITH_DES_CBC_SHA,Y,[RFC5469]
"0x00,0x16",TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA,Y,[RFC5246]
"0x00,0x17",TLS_DH_anon_EXPORT_WITH_RC4_40_MD5,N,[RFC4346][RFC6347]
"0x00,0x18",TLS_DH_anon_WITH_RC4_128_MD5,N,[RFC5246][RFC6347]
"0x00,0x19",TLS_DH_anon_EXPORT_WITH_DES40_CBC_SHA,Y,[RFC4346]
"0x00,0x1A",TLS_DH_anon_WITH_DES_CBC_SHA,Y,[RFC5469]
"0x00,0x1B",TLS_DH_anon_WITH_3DES_EDE_CBC_SHA,Y,[RFC5246]
"0x00,0x1C-1D",Reserved to avoid conflicts with SSLv3,,[RFC5246]
"0x00,0x1E",TLS_KRB5_WITH_DES_CBC_SHA,Y,[RFC2712]
"0x00,0x1F",TLS_KRB5_WITH_3DES_EDE_CBC_SHA,Y,[RFC2712]
"0x00,0x20",TLS_KRB5_WITH_RC4_128_SHA,N,[RFC2712][RFC6347]
"0x00,0x21",TLS_KRB5_WITH_IDEA_CBC_SHA,Y,[RFC2712]
"0x00,0x22",TLS_KRB5_WITH_DES_CBC_MD5,Y,[RFC2712]
"0x00,0x23",TLS_KRB5_WITH_3DES_EDE_CBC_MD5,Y,[RFC2712]
"0x00,0x24",TLS_KRB5_WITH_RC4_128_MD5,N,[RFC2712][RFC6347]
"0x00,0x25",TLS_KRB5_WITH_IDEA_CBC_MD5,Y,[RFC2712]
"0x00,0x26",TLS_KRB5_EXPORT_WITH_DES_CBC_40_SHA,Y,[RFC2712]
"0x00,0x27",TLS_KRB5_EXPORT_WITH_RC2_CBC_40_SHA,Y,[RFC2712]
"0x00,0x28",TLS_KRB5_EXPORT_WITH_RC4_40_SHA,N,[RFC2712][RFC6347]
"0x00,0x29",TLS_KRB5_EXPORT_WITH_DES_CBC_40_MD5,Y,[RFC2712]
"0x00,0x2A",TLS_KRB5_EXPORT_WITH_RC2_CBC_40_MD5,Y,[RFC2712]
"0x00,0x2B",TLS_KRB5_EXPORT_WITH_RC4_40_MD5,N,[RFC2712][RFC6347]
"0x00,0x2C",TLS_PSK_WITH_NULL_SHA,Y,[RFC4785]
"0x00,0x2D",TLS_DHE_PSK_WITH_NULL_SHA,Y,[RFC4785]
"0x00,0x2E",TLS_RSA_PSK_WITH_NULL_SHA,Y,[RFC4785]
"0x00,0x2F",TLS_RSA_WITH_AES_128_CBC_SHA,Y,[RFC5246]
"0x00,0x30",TLS_DH_DSS_WITH_AES_128_CBC_SHA,Y,[RFC5246]
"0x00,0x31",TLS_DH_RSA_WITH_AES_128_CBC_SHA,Y,[RFC5246]
"0x00,0x32",TLS_DHE_DSS_WITH_AES_128_CBC_SHA,Y,[RFC5246]
"0x00,0x33",TLS_DHE_RSA_WITH_AES_128_CBC_SHA,Y,[RFC5246]
"0x00,0x34",TLS_DH_anon_WITH_AES_128_CBC_SHA,Y,[RFC5246]
"0x00,0x35",TLS_RSA_WITH_AES_256_CBC_SHA,Y,[RFC5246]
"0x00,0x36",TLS_DH_DSS_WITH_AES_256_CBC_SHA,Y,[RFC5246]
"0x00,0x37",TLS_DH_RSA_WITH_AES_256_CBC_SHA,Y,[RFC5246]
"0x00,0x38",TLS_DHE_DSS_WITH_AES_256_CBC_SHA,Y,[RFC5246]
"0x00,0x39",TLS_DHE_RSA_WITH_AES_256_CBC_SHA,Y,[RFC5246]
"0x00,0x3A",TLS_DH_anon_WITH_AES_256_CBC_SHA,Y,[RFC5246]
"0x00,0x3B",TLS_RSA_WITH_NULL_SHA256,Y,[RFC5246]
"0x00,0x3C",TLS_RSA_WITH_AES_128_CBC_SHA256,Y,[RFC5246]
"0x00,0x3D",TLS_RSA_WITH_AES_256_CBC_SHA256,Y,[RFC5246]
"0x00,0x3E",TLS_DH_DSS_WITH_AES_128_CBC_SHA256,Y,[RFC5246]
"0x00,0x3F",TLS_DH_RSA_WITH_AES_128_CBC_SHA256,Y,[RFC5246]
"0x00,0x40",TLS_DHE_DSS_WITH_AES_128_CBC_SHA256,Y,[RFC5246]
"0x00,0x41",TLS_RSA_WITH_CAMELLIA_128_CBC_SHA,Y,[RFC5932]
"0x00,0x42",TLS_DH_DSS_WITH_CAMELLIA_128_CBC_SHA,Y,[RFC5932]
"0x00,0x43",TLS_DH_RSA_WITH_CAMELLIA_128_CBC_SHA,Y,[RFC5932]
"0x00,0x44",TLS_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA,Y,[RFC5932]
"0x00,0x45",TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA,Y,[RFC5932]
"0x00,0x46",TLS_DH_anon_WITH_CAMELLIA_128_CBC_SHA,Y,[RFC5932]
"0x00,0x47-4F","Reserved to avoid conflicts with
deployed implementations",,[Pasi_Eronen]
"0x00,0x50-58",Reserved to avoid conflicts,,"[Pasi Eronen, <pasi.eronen&nokia.com>, 2008-04-04. 2008-04-04]"
"0x00,0x59-5C","Reserved to avoid conflicts with
deployed implementations",,[Pasi_Eronen]
"0x00,0x5D-5F",Unassigned,,
"0x00,0x60-66","Reserved to avoid conflicts with
widely deployed implementations",,[Pasi_Eronen]
"0x00,0x67",TLS_DHE_RSA_WITH_AES_128_CBC_SHA256,Y,[RFC5246]
"0x00,0x68",TLS_DH_DSS_WITH_AES_256_CBC_SHA256,Y,[RFC5246]
"0x00,0x69",TLS_DH_RSA_WITH_AES_256_CBC_SHA256,Y,[RFC5246]
"0x00,0x6A",TLS_DHE_DSS_WITH_AES_256_CBC_SHA256,Y,[RFC5246]
"0x00,0x6B",TLS_DHE_RSA_WITH_AES_256_CBC_SHA256,Y,[RFC5246]
"0x00,0x6C",TLS_DH_anon_WITH_AES_128_CBC_SHA256,Y,[RFC5246]
"0x00,0x6D",TLS_DH_anon_WITH_AES_256_CBC_SHA256,Y,[RFC5246]
"0x00,0x6E-83",Unassigned,,
"0x00,0x84",TLS_RSA_WITH_CAMELLIA_256_CBC_SHA,Y,[RFC5932]
"0x00,0x85",TLS_DH_DSS_WITH_CAMELLIA_256_CBC_SHA,Y,[RFC5932]
"0x00,0x86",TLS_DH_RSA_WITH_CAMELLIA_256_CBC_SHA,Y,[RFC5932]
"0x00,0x87",TLS_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA,Y,[RFC5932]
"0x00,0x88",TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA,Y,[RFC5932]
"0x00,0x89",TLS_DH_anon_WITH_CAMELLIA_256_CBC_SHA,Y,[RFC5932]
"0x00,0x8A",TLS_PSK_WITH_RC4_128_SHA,N,[RFC4279][RFC6347]
"0x00,0x8B",TLS_PSK_WITH_3DES_EDE_CBC_SHA,Y,[RFC4279]
"0x00,0x8C",TLS_PSK_WITH_AES_128_CBC_SHA,Y,[RFC4279]
"0x00,0x8D",TLS_PSK_WITH_AES_256_CBC_SHA,Y,[RFC4279]
"0x00,0x8E",TLS_DHE_PSK_WITH_RC4_128_SHA,N,[RFC4279][RFC6347]
"0x00,0x8F",TLS_DHE_PSK_WITH_3DES_EDE_CBC_SHA,Y,[RFC4279]
"0x00,0x90",TLS_DHE_PSK_WITH_AES_128_CBC_SHA,Y,[RFC4279]
"0x00,0x91",TLS_DHE_PSK_WITH_AES_256_CBC_SHA,Y,[RFC4279]
"0x00,0x92",TLS_RSA_PSK_WITH_RC4_128_SHA,N,[RFC4279][RFC6347]
"0x00,0x93",TLS_RSA_PSK_WITH_3DES_EDE_CBC_SHA,Y,[RFC4279]
"0x00,0x94",TLS_RSA_PSK_WITH_AES_128_CBC_SHA,Y,[RFC4279]
"0x00,0x95",TLS_RSA_PSK_WITH_AES_256_CBC_SHA,Y,[RFC4279]
"0x00,0x96",TLS_RSA_WITH_SEED_CBC_SHA,Y,[RFC4162]
"0x00,0x97",TLS_DH_DSS_WITH_SEED_CBC_SHA,Y,[RFC4162]
"0x00,0x98",TLS_DH_RSA_WITH_SEED_CBC_SHA,Y,[RFC4162]
"0x00,0x99",TLS_DHE_DSS_WITH_SEED_CBC_SHA,Y,[RFC4162]
"0x00,0x9A",TLS_DHE_RSA_WITH_SEED_CBC_SHA,Y,[RFC4162]
"0x00,0x9B",TLS_DH_anon_WITH_SEED_CBC_SHA,Y,[RFC4162]
"0x00,0x9C",TLS_RSA_WITH_AES_128_GCM_SHA256,Y,[RFC5288]
"0x00,0x9D",TLS_RSA_WITH_AES_256_GCM_SHA384,Y,[RFC5288]
"0x00,0x9E",TLS_DHE_RSA_WITH_AES_128_GCM_SHA256,Y,[RFC5288]
"0x00,0x9F",TLS_DHE_RSA_WITH_AES_256_GCM_SHA384,Y,[RFC5288]
"0x00,0xA0",TLS_DH_RSA_WITH_AES_128_GCM_SHA256,Y,[RFC5288]
"0x00,0xA1",TLS_DH_RSA_WITH_AES_256_GCM_SHA384,Y,[RFC5288]
"0x00,0xA2",TLS_DHE_DSS_WITH_AES_128_GCM_SHA256,Y,[RFC5288]
"0x00,0xA3",TLS_DHE_DSS_WITH_AES_256_GCM_SHA384,Y,[RFC5288]
"0x00,0xA4",TLS_DH_DSS_WITH_AES_128_GCM_SHA256,Y,[RFC5288]
"0x00,0xA5",TLS_DH_DSS_WITH_AES_256_GCM_SHA384,Y,[RFC5288]
"0x00,0xA6",TLS_DH_anon_WITH_AES_128_GCM_SHA256,Y,[RFC5288]
"0x00,0xA7",TLS_DH_anon_WITH_AES_256_GCM_SHA384,Y,[RFC5288]
"0x00,0xA8",TLS_PSK_WITH_AES_128_GCM_SHA256,Y,[RFC5487]
"0x00,0xA9",TLS_PSK_WITH_AES_256_GCM_SHA384,Y,[RFC5487]
"0x00,0xAA",TLS_DHE_PSK_WITH_AES_128_GCM_SHA256,Y,[RFC5487]
"0x00,0xAB",TLS_DHE_PSK_WITH_AES_256_GCM_SHA384,Y,[RFC5487]
"0x00,0xAC",TLS_RSA_PSK_WITH_AES_128_GCM_SHA256,Y,[RFC5487]
"0x00,0xAD",TLS_RSA_PSK_WITH_AES_256_GCM_SHA384,Y,[RFC5487]
"0x00,0xAE",TLS_PSK_WITH_AES_128_CBC_SHA256,Y,[RFC5487]
"0x00,0xAF",TLS_PSK_WITH_AES_256_CBC_SHA384,Y,[RFC5487]
"0x00,0xB0",TLS_PSK_WITH_NULL_SHA256,Y,[RFC5487]
"0x00,0xB1",TLS_PSK_WITH_NULL_SHA384,Y,[RFC5487]
"0x00,0xB2",TLS_DHE_PSK_WITH_AES_128_CBC_SHA256,Y,[RFC5487]
"0x00,0xB3",TLS_DHE_PSK_WITH_AES_256_CBC_SHA384,Y,[RFC5487]
"0x00,0xB4",TLS_DHE_PSK_WITH_NULL_SHA256,Y,[RFC5487]
"0x00,0xB5",TLS_DHE_PSK_WITH_NULL_SHA384,Y,[RFC5487]
"0x00,0xB6",TLS_RSA_PSK_WITH_AES_128_CBC_SHA256,Y,[RFC5487]
"0x00,0xB7",TLS_RSA_PSK_WITH_AES_256_CBC_SHA384,Y,[RFC5487]
"0x00,0xB8",TLS_RSA_PSK_WITH_NULL_SHA256,Y,[RFC5487]
"0x00,0xB9",TLS_RSA_PSK_WITH_NULL_SHA384,Y,[RFC5487]
"0x00,0xBA",TLS_RSA_WITH_CAMELLIA_128_CBC_SHA256,Y,[RFC5932]
"0x00,0xBB",TLS_DH_DSS_WITH_CAMELLIA_128_CBC_SHA256,Y,[RFC5932]
"0x00,0xBC",TLS_DH_RSA_WITH_CAMELLIA_128_CBC_SHA256,Y,[RFC5932]
"0x00,0xBD",TLS_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA256,Y,[RFC5932]
"0x00,0xBE",TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA256,Y,[RFC5932]
"0x00,0xBF",TLS_DH_anon_WITH_CAMELLIA_128_CBC_SHA256,Y,[RFC5932]
"0x00,0xC0",TLS_RSA_WITH_CAMELLIA_256_CBC_SHA256,Y,[RFC5932]
"0x00,0xC1",TLS_DH_DSS_WITH_CAMELLIA_256_CBC_SHA256,Y,[RFC5932]
"0x00,0xC2",TLS_DH_RSA_WITH_CAMELLIA_256_CBC_SHA256,Y,[RFC5932]
"0x00,0xC3",TLS_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA256,Y,[RFC5932]
"0x00,0xC4",TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA256,Y,[RFC5932]
"0x00,0xC5",TLS_DH_anon_WITH_CAMELLIA_256_CBC_SHA256,Y,[RFC5932]
"0x00,0xC6-FE",Unassigned,,
"0x00,0xFF",TLS_EMPTY_RENEGOTIATION_INFO_SCSV,Y,[RFC5746]
"0x01-55,*",Unassigned,,
"0x56,0x00",TLS_FALLBACK_SCSV,Y,[RFC7507]
"0x56,0x01-0xC0,0x00",Unassigned,,
"0xC0,0x01",TLS_ECDH_ECDSA_WITH_NULL_SHA,Y,[RFC4492]
"0xC0,0x02",TLS_ECDH_ECDSA_WITH_RC4_128_SHA,N,[RFC4492][RFC6347]
"0xC0,0x03",TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA,Y,[RFC4492]
"0xC0,0x04",TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA,Y,[RFC4492]
"0xC0,0x05",TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA,Y,[RFC4492]
"0xC0,0x06",TLS_ECDHE_ECDSA_WITH_NULL_SHA,Y,[RFC4492]
"0xC0,0x07",TLS_ECDHE_ECDSA_WITH_RC4_128_SHA,N,[RFC4492][RFC6347]
"0xC0,0x08",TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA,Y,[RFC4492]
"0xC0,0x09",TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,Y,[RFC4492]
"0xC0,0x0A",TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,Y,[RFC4492]
"0xC0,0x0B",TLS_ECDH_RSA_WITH_NULL_SHA,Y,[RFC4492]
"0xC0,0x0C",TLS_ECDH_RSA_WITH_RC4_128_SHA,N,[RFC4492][RFC6347]
"0xC0,0x0D",TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA,Y,[RFC4492]
"0xC0,0x0E",TLS_ECDH_RSA_WITH_AES_128_CBC_SHA,Y,[RFC4492]
"0xC0,0x0F",TLS_ECDH_RSA_WITH_AES_256_CBC_SHA,Y,[RFC4492]
"0xC0,0x10",TLS_ECDHE_RSA_WITH_NULL_SHA,Y,[RFC4492]
"0xC0,0x11",TLS_ECDHE_RSA_WITH_RC4_128_SHA,N,[RFC4492][RFC6347]
"0xC0,0x12",TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA,Y,[RFC4492]
"0xC0,0x13",TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,Y,[RFC4492]
"0xC0,0x14",TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,Y,[RFC4492]
"0xC0,0x15",TLS_ECDH_anon_WITH_NULL_SHA,Y,[RFC4492]
"0xC0,0x16",TLS_ECDH_anon_WITH_RC4_128_SHA,N,[RFC4492][RFC6347]
"0xC0,0x17",TLS_ECDH_anon_WITH_3DES_EDE_CBC_SHA,Y,[RFC4492]
"0xC0,0x18",TLS_ECDH_anon_WITH_AES_128_CBC_SHA,Y,[RFC4492]
"0xC0,0x19",TLS_ECDH_anon_WITH_AES_256_CBC_SHA,Y,[RFC4492]
"0xC0,0x1A",TLS_SRP_SHA_WITH_3DES_EDE_CBC_SHA,Y,[RFC5054]
"0xC0,0x1B",TLS_SRP_SHA_RSA_WITH_3DES_EDE_CBC_SHA,Y,[RFC5054]
"0xC0,0x1C",TLS_SRP_SHA_DSS_WITH_3DES_EDE_CBC_SHA,Y,[RFC5054]
"0xC0,0x1D",TLS_SRP_SHA_WITH_AES_128_CBC_SHA,Y,[RFC5054]
"0xC0,0x1E",TLS_SRP_SHA_RSA_WITH_AES_128_CBC_SHA,Y,[RFC5054]
"0xC0,0x1F",TLS_SRP_SHA_DSS_WITH_AES_128_CBC_SHA,Y,[RFC5054]
"0xC0,0x20",TLS_SRP_SHA_WITH_AES_256_CBC_SHA,Y,[RFC5054]
"0xC0,0x21",TLS_SRP_SHA_RSA_WITH_AES_256_CBC_SHA,Y,[RFC5054]
"0xC0,0x22",TLS_SRP_SHA_DSS_WITH_AES_256_CBC_SHA,Y,[RFC5054]
"0xC0,0x23",TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,Y,[RFC5289]
"0xC0,0x24",TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384,Y,[RFC5289]
"0xC0,0x25",TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256,Y,[RFC5289]
"0xC0,0x26",TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384,Y,[RFC5289]
"0xC0,0x27",TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,Y,[RFC5289]
"0xC0,0x28",TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,Y,[RFC5289]
"0xC0,0x29",TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256,Y,[RFC5289]
"0xC0,0x2A",TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384,Y,[RFC5289]
"0xC0,0x2B",TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,Y,[RFC5289]
"0xC0,0x2C",TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,Y,[RFC5289]
"0xC0,0x2D",TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256,Y,[RFC5289]
"0xC0,0x2E",TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384,Y,[RFC5289]
"0xC0,0x2F",TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,Y,[RFC5289]
"0xC0,0x30",TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,Y,[RFC5289]
"0xC0,0x31",TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256,Y,[RFC5289]
"0xC0,0x32",TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384,Y,[RFC5289]
"0xC0,0x33",TLS_ECDHE_PSK_WITH_RC4_128_SHA,N,[RFC5489][RFC6347]
"0xC0,0x34",TLS_ECDHE_PSK_WITH_3DES_EDE_CBC_SHA,Y,[RFC5489]
"0xC0,0x35",TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA,Y,[RFC5489]
"0xC0,0x36",TLS_ECDHE_PSK_WITH_AES_256_CBC_SHA,Y,[RFC5489]
"0xC0,0x37",TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA256,Y,[RFC5489]
"0xC0,0x38",TLS_ECDHE_PSK_WITH_AES_256_CBC_SHA384,Y,[RFC5489]
"0xC0,0x39",TLS_ECDHE_PSK_WITH_NULL_SHA,Y,[RFC5489]
"0xC0,0x3A",TLS_ECDHE_PSK_WITH_NULL_SHA256,Y,[RFC5489]
"0xC0,0x3B",TLS_ECDHE_PSK_WITH_NULL_SHA384,Y,[RFC5489]
"0xC0,0x3C",TLS_RSA_WITH_ARIA_128_CBC_SHA256,Y,[RFC6209]
"0xC0,0x3D",TLS_RSA_WITH_ARIA_256_CBC_SHA384,Y,[RFC6209]
"0xC0,0x3E",TLS_DH_DSS_WITH_ARIA_128_CBC_SHA256,Y,[RFC6209]
"0xC0,0x3F",TLS_DH_DSS_WITH_ARIA_256_CBC_SHA384,Y,[RFC6209]
"0xC0,0x40",TLS_DH_RSA_WITH_ARIA_128_CBC_SHA256,Y,[RFC6209]
"0xC0,0x41",TLS_DH_RSA_WITH_ARIA_256_CBC_SHA384,Y,[RFC6209]
"0xC0,0x42",TLS_DHE_DSS_WITH_ARIA_128_CBC_SHA256,Y,[RFC6209]
"0xC0,0x43",TLS_DHE_DSS_WITH_ARIA_256_CBC_SHA384,Y,[RFC6209]
"0xC0,0x44",TLS_DHE_RSA_WITH_ARIA_128_CBC_SHA256,Y,[RFC6209]
"0xC0,0x45",TLS_DHE_RSA_WITH_ARIA_256_CBC_SHA384,Y,[RFC6209]
"0xC0,0x46",TLS_DH_anon_WITH_ARIA_128_CBC_SHA256,Y,[RFC6209]
"0xC0,0x47",TLS_DH_anon_WITH_ARIA_256_CBC_SHA384,Y,[RFC6209]
"0xC0,0x48",TLS_ECDHE_ECDSA_WITH_ARIA_128_CBC_SHA256,Y,[RFC6209]
"0xC0,0x49",TLS_ECDHE_ECDSA_WITH_ARIA_256_CBC_SHA384,Y,[RFC6209]
"0xC0,0x4A",TLS_ECDH_ECDSA_WITH_ARIA_128_CBC_SHA256,Y,[RFC6209]
"0xC0,0x4B",TLS_ECDH_ECDSA_WITH_ARIA_256_CBC_SHA384,Y,[RFC6209]
"0xC0,0x4C",TLS_ECDHE_RSA_WITH_ARIA_128_CBC_SHA256,Y,[RFC6209]
"0xC0,0x4D",TLS_ECDHE_RSA_WITH_ARIA_256_CBC_SHA384,Y,[RFC6209]
"0xC0,0x4E",TLS_ECDH_RSA_WITH_ARIA_128_CBC_SHA256,Y,[RFC6209]
"0xC0,0x4F",TLS_ECDH_RSA_WITH_ARIA_256_CBC_SHA384,Y,[RFC6209]
"0xC0,0x50",TLS_RSA_WITH_ARIA_128_GCM_SHA256,Y,[RFC6209]
"0xC0,0x51",TLS_RSA_WITH_ARIA_256_GCM_SHA384,Y,[RFC6209]
"0xC0,0x52",TLS_DHE_RSA_WITH_ARIA_128_GCM_SHA256,Y,[RFC6209]
"0xC0,0x53",TLS_DHE_RSA_WITH_ARIA_256_GCM_SHA384,Y,[RFC6209]
"0xC0,0x54",TLS_DH_RSA_WITH_ARIA_128_GCM_SHA256,Y,[RFC6209]
"0xC0,0x55",TLS_DH_RSA_WITH_ARIA_256_GCM_SHA384,Y,[RFC6209]
"0xC0,0x56",TLS_DHE_DSS_WITH_ARIA_128_GCM_SHA256,Y,[RFC6209]
"0xC0,0x57",TLS_DHE_DSS_WITH_ARIA_256_GCM_SHA384,Y,[RFC6209]
"0xC0,0x58",TLS_DH_DSS_WITH_ARIA_128_GCM_SHA256,Y,[RFC6209]
"0xC0,0x59",TLS_DH_DSS_WITH_ARIA_256_GCM_SHA384,Y,[RFC6209]
"0xC0,0x5A",TLS_DH_anon_WITH_ARIA_128_GCM_SHA256,Y,[RFC6209]
"0xC0,0x5B",TLS_DH_anon_WITH_ARIA_256_GCM_SHA384,Y,[RFC6209]
"0xC0,0x5C",TLS_ECDHE_ECDSA_WITH_ARIA_128_GCM_SHA256,Y,[RFC6209]
"0xC0,0x5D",TLS_ECDHE_ECDSA_WITH_ARIA_256_GCM_SHA384,Y,[RFC6209]
"0xC0,0x5E",TLS_ECDH_ECDSA_WITH_ARIA_128_GCM_SHA256,Y,[RFC6209]
"0xC0,0x5F",TLS_ECDH_ECDSA_WITH_ARIA_256_GCM_SHA384,Y,[RFC6209]
"0xC0,0x60",TLS_ECDHE_RSA_WITH_ARIA_128_GCM_SHA256,Y,[RFC6209]
"0xC0,0x61",TLS_ECDHE_RSA_WITH_ARIA_256_GCM_SHA384,Y,[RFC6209]
"0xC0,0x62",TLS_ECDH_RSA_WITH_ARIA_128_GCM_SHA256,Y,[RFC6209]
"0xC0,0x63",TLS_ECDH_RSA_WITH_ARIA_256_GCM_SHA384,Y,[RFC6209]
"0xC0,0x64",TLS_PSK_WITH_ARIA_128_CBC_SHA256,Y,[RFC6209]
"0xC0,0x65",TLS_PSK_WITH_ARIA_256_CBC_SHA384,Y,[RFC6209]
"0xC0,0x66",TLS_DHE_PSK_WITH_ARIA_128_CBC_SHA256,Y,[RFC6209]
"0xC0,0x67",TLS_DHE_PSK_WITH_ARIA_256_CBC_SHA384,Y,[RFC6209]
"0xC0,0x68",TLS_RSA_PSK_WITH_ARIA_128_CBC_SHA256,Y,[RFC6209]
"0xC0,0x69",TLS_RSA_PSK_WITH_ARIA_256_CBC_SHA384,Y,[RFC6209]
"0xC0,0x6A",TLS_PSK_WITH_ARIA_128_GCM_SHA256,Y,[RFC6209]
"0xC0,0x6B",TLS_PSK_WITH_ARIA_256_GCM_SHA384,Y,[RFC6209]
"0xC0,0x6C",TLS_DHE_PSK_WITH_ARIA_128_GCM_SHA256,Y,[RFC6209]
"0xC0,0x6D",TLS_DHE_PSK_WITH_ARIA_256_GCM_SHA384,Y,[RFC6209]
"0xC0,0x6E",TLS_RSA_PSK_WITH_ARIA_128_GCM_SHA256,Y,[RFC6209]
"0xC0,0x6F",TLS_RSA_PSK_WITH_ARIA_256_GCM_SHA384,Y,[RFC6209]
"0xC0,0x70",TLS_ECDHE_PSK_WITH_ARIA_128_CBC_SHA256,Y,[RFC6209]
"0xC0,0x71",TLS_ECDHE_PSK_WITH_ARIA_256_CBC_SHA384,Y,[RFC6209]
"0xC0,0x72",TLS_ECDHE_ECDSA_WITH_CAMELLIA_128_CBC_SHA256,Y,[RFC6367]
"0xC0,0x73",TLS_ECDHE_ECDSA_WITH_CAMELLIA_256_CBC_SHA384,Y,[RFC6367]
"0xC0,0x74",TLS_ECDH_ECDSA_WITH_CAMELLIA_128_CBC_SHA256,Y,[RFC6367]
"0xC0,0x75",TLS_ECDH_ECDSA_WITH_CAMELLIA_256_CBC_SHA384,Y,[RFC6367]
"0xC0,0x76",TLS_ECDHE_RSA_WITH_CAMELLIA_128_CBC_SHA256,Y,[RFC6367]
"0xC0,0x77",TLS_ECDHE_RSA_WITH_CAMELLIA_256_CBC_SHA384,Y,[RFC6367]
"0xC0,0x78",TLS_ECDH_RSA_WITH_CAMELLIA_128_CBC_SHA256,Y,[RFC6367]
"0xC0,0x79",TLS_ECDH_RSA_WITH_CAMELLIA_256_CBC_SHA384,Y,[RFC6367]
"0xC0,0x7A",TLS_RSA_WITH_CAMELLIA_128_GCM_SHA256,Y,[RFC6367]
"0xC0,0x7B",TLS_RSA_WITH_CAMELLIA_256_GCM_SHA384,Y,[RFC6367]
"0xC0,0x7C",TLS_DHE_RSA_WITH_CAMELLIA_128_GCM_SHA256,Y,[RFC6367]
"0xC0,0x7D",TLS_DHE_RSA_WITH_CAMELLIA_256_GCM_SHA384,Y,[RFC6367]
"0xC0,0x7E",TLS_DH_RSA_WITH_CAMELLIA_128_GCM_SHA256,Y,[RFC6367]
"0xC0,0x7F",TLS_DH_RSA_WITH_CAMELLIA_256_GCM_SHA384,Y,[RFC6367]
"0xC0,0x80",TLS_DHE_DSS_WITH_CAMELLIA_128_GCM_SHA256,Y,[RFC6367]
"0xC0,0x81",TLS_DHE_DSS_WITH_CAMELLIA_256_GCM_SHA384,Y,[RFC6367]
"0xC0,0x82",TLS_DH_DSS_WITH_CAMELLIA_128_GCM_SHA256,Y,[RFC6367]
"0xC0,0x83",TLS_DH_DSS_WITH_CAMELLIA_256_GCM_SHA384,Y,[RFC6367]
"0xC0,0x84",TLS_DH_anon_WITH_CAMELLIA_128_GCM_SHA256,Y,[RFC6367]
"0xC0,0x85",TLS_DH_anon_WITH_CAMELLIA_256_GCM_SHA384,Y,[RFC6367]
"0xC0,0x86",TLS_ECDHE_ECDSA_WITH_CAMELLIA_128_GCM_SHA256,Y,[RFC6367]
"0xC0,0x87",TLS_ECDHE_ECDSA_WITH_CAMELLIA_256_GCM_SHA384,Y,[RFC6367]
"0xC0,0x88",TLS_ECDH_ECDSA_WITH_CAMELLIA_128_GCM_SHA256,Y,[RFC6367]
"0xC0,0x89",TLS_ECDH_ECDSA_WITH_CAMELLIA_256_GCM_SHA384,Y,[RFC6367]
"0xC0,0x8A",TLS_ECDHE_RSA_WITH_CAMELLIA_128_GCM_SHA256,Y,[RFC6367]
"0xC0,0x8B",TLS_ECDHE_RSA_WITH_CAMELLIA_256_GCM_SHA384,Y,[RFC6367]
"0xC0,0x8C",TLS_ECDH_RSA_WITH_CAMELLIA_128_GCM_SHA256,Y,[RFC6367]
"0xC0,0x8D",TLS_ECDH_RSA_WITH_CAMELLIA_256_GCM_SHA384,Y,[RFC6367]
"0xC0,0x8E",TLS_PSK_WITH_CAMELLIA_128_GCM_SHA256,Y,[RFC6367]
"0xC0,0x8F",TLS_PSK_WITH_CAMELLIA_256_GCM_SHA384,Y,[RFC6367]
"0xC0,0x90",TLS_DHE_PSK_WITH_CAMELLIA_128_GCM_SHA256,Y,[RFC6367]
"0xC0,0x91",TLS_DHE_PSK_WITH_CAMELLIA_256_GCM_SHA384,Y,[RFC6367]
"0xC0,0x92",TLS_RSA_PSK_WITH_CAMELLIA_128_GCM_SHA256,Y,[RFC6367]
"0xC0,0x93",TLS_RSA_PSK_WITH_CAMELLIA_256_GCM_SHA384,Y,[RFC6367]
"0xC0,0x94",TLS_PSK_WITH_CAMELLIA_128_CBC_SHA256,Y,[RFC6367]
"0xC0,0x95",TLS_PSK_WITH_CAMELLIA_256_CBC_SHA384,Y,[RFC6367]
"0xC0,0x96",TLS_DHE_PSK_WITH_CAMELLIA_128_CBC_SHA256,Y,[RFC6367]
"0xC0,0x97",TLS_DHE_PSK_WITH_CAMELLIA_256_CBC_SHA384,Y,[RFC6367]
"0xC0,0x98",TLS_RSA_PSK_WITH_CAMELLIA_128_CBC_SHA256,Y,[RFC6367]
"0xC0,0x99",TLS_RSA_PSK_WITH_CAMELLIA_256_CBC_SHA384,Y,[RFC6367]
"0xC0,0x9A",TLS_ECDHE_PSK_WITH_CAMELLIA_128_CBC_SHA256,Y,[RFC6367]
"0xC0,0x9B",TLS_ECDHE_PSK_WITH_CAMELLIA_256_CBC_SHA384,Y,[RFC6367]
"0xC0,0x9C",TLS_RSA_WITH_AES_128_CCM,Y,[RFC6655]
"0xC0,0x9D",TLS_RSA_WITH_AES_256_CCM,Y,[RFC6655]
"0xC0,0x9E",TLS_DHE_RSA_WITH_AES_128_CCM,Y,[RFC6655]
"0xC0,0x9F",TLS_DHE_RSA_WITH_AES_256_CCM,Y,[RFC6655]
"0xC0,0xA0",TLS_RSA_WITH_AES_128_CCM_8,Y,[RFC6655]
"0xC0,0xA1",TLS_RSA_WITH_AES_256_CCM_8,Y,[RFC6655]
"0xC0,0xA2",TLS_DHE_RSA_WITH_AES_128_CCM_8,Y,[RFC6655]
"0xC0,0xA3",TLS_DHE_RSA_WITH_AES_256_CCM_8,Y,[RFC6655]
"0xC0,0xA4",TLS_PSK_WITH_AES_128_CCM,Y,[RFC6655]
"0xC0,0xA5",TLS_PSK_WITH_AES_256_CCM,Y,[RFC6655]
"0xC0,0xA6",TLS_DHE_PSK_WITH_AES_128_CCM,Y,[RFC6655]
"0xC0,0xA7",TLS_DHE_PSK_WITH_AES_256_CCM,Y,[RFC6655]
"0xC0,0xA8",TLS_PSK_WITH_AES_128_CCM_8,Y,[RFC6655]
"0xC0,0xA9",TLS_PSK_WITH_AES_256_CCM_8,Y,[RFC6655]
"0xC0,0xAA",TLS_PSK_DHE_WITH_AES_128_CCM_8,Y,[RFC6655]
"0xC0,0xAB",TLS_PSK_DHE_WITH_AES_256_CCM_8,Y,[RFC6655]
"0xC0,0xAC",TLS_ECDHE_ECDSA_WITH_AES_128_CCM,Y,[RFC7251]
"0xC0,0xAD",TLS_ECDHE_ECDSA_WITH_AES_256_CCM,Y,[RFC7251]
"0xC0,0xAE",TLS_ECDHE_ECDSA_WITH_AES_128_CCM_8,Y,[RFC7251]
"0xC0,0xAF",TLS_ECDHE_ECDSA_WITH_AES_256_CCM_8,Y,[RFC7251]
"0xC0,0xB0-FF",Unassigned,,
"0xC1-CB,*",Unassigned,,
"0xCC,0x00-A7",Unassigned,,
"0xCC,0xA8",TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256,Y,[RFC7905]
"0xCC,0xA9",TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256,Y,[RFC7905]
"0xCC,0xAA",TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256,Y,[RFC7905]
"0xCC,0xAB",TLS_PSK_WITH_CHACHA20_POLY1305_SHA256,Y,[RFC7905]
"0xCC,0xAC",TLS_ECDHE_PSK_WITH_CHACHA20_POLY1305_SHA256,Y,[RFC7905]
"0xCC,0xAD",TLS_DHE_PSK_WITH_CHACHA20_POLY1305_SHA256,Y,[RFC7905]
"0xCC,0xAE",TLS_RSA_PSK_WITH_CHACHA20_POLY1305_SHA256,Y,[RFC7905]
"0xCC,0xAF-FF",Unassigned,,
"0xCD-FD,*",Unassigned,,
"0xFE,0x00-FD",Unassigned,,
"0xFE,0xFE-FF","Reserved to avoid conflicts with
widely deployed implementations",,[Pasi_Eronen]
"0xFF,0x00-FF",Reserved for Private Use,,[RFC5246]
#!/usr/local/bin/python2.7
"""
Copyright (c) 2016 Ad Schellevis
All rights reserved.
Redistribution and use in source and binary forms, with or without
modification, are permitted provided that the following conditions are met:
1. Redistributions of source code must retain the above copyright notice,
this list of conditions and the following disclaimer.
2. Redistributions in binary form must reproduce the above copyright
notice, this list of conditions and the following disclaimer in the
documentation and/or other materials provided with the distribution.
THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
POSSIBILITY OF SUCH DAMAGE.
--------------------------------------------------------------------------------------
return all available ciphers
"""
import tempfile
import subprocess
import os
import sys
import ujson
import csv
if __name__ == '__main__':
# source http://www.iana.org/assignments/tls-parameters/tls-parameters-4.csv
rfc5246_file = '%s/rfc5246_cipher_suites.csv' % os.path.dirname(os.path.realpath(__file__))
rfc5246 = dict()
if os.path.isfile(rfc5246_file):
with open(rfc5246_file, 'rb') as csvfile:
for row in csv.reader(csvfile, delimiter=',', quotechar='"'):
rfc5246[row[0]] = {'description': row[1]}
result = {}
with tempfile.NamedTemporaryFile() as output_stream:
subprocess.call(['/usr/bin/openssl', 'ciphers', '-V'], stdout=output_stream, stderr=open(os.devnull, 'wb'))
output_stream.seek(0)
for line in output_stream.read().strip().split('\n'):
parts = line.strip().split()
if len(parts) > 1:
cipher_id = parts[0]
cipher_key = parts[2]
item = {'version': parts[3], 'id': cipher_id, 'description': ''}
for part in parts[4:]:
item[part.split('=')[0]] = part.split('=')[-1]
if cipher_id in rfc5246:
item['description'] = rfc5246[cipher_id]['description']
result[cipher_key] = item
print ujson.dumps(result)
...@@ -3,3 +3,9 @@ command:/usr/local/opnsense/scripts/systemhealth/activity.py ...@@ -3,3 +3,9 @@ command:/usr/local/opnsense/scripts/systemhealth/activity.py
parameters:%s parameters:%s
type:script_output type:script_output
message:show system activity message:show system activity
[ssl.ciphers]
command:/usr/local/opnsense/scripts/system/ssl_ciphers.py
parameters:
type:script_output
message:list ssl ciphers
...@@ -39,6 +39,11 @@ if ($_SERVER['REQUEST_METHOD'] === 'GET') { ...@@ -39,6 +39,11 @@ if ($_SERVER['REQUEST_METHOD'] === 'GET') {
$pconfig['webguiproto'] = $config['system']['webgui']['protocol']; $pconfig['webguiproto'] = $config['system']['webgui']['protocol'];
$pconfig['webguiport'] = $config['system']['webgui']['port']; $pconfig['webguiport'] = $config['system']['webgui']['port'];
$pconfig['ssl-certref'] = $config['system']['webgui']['ssl-certref']; $pconfig['ssl-certref'] = $config['system']['webgui']['ssl-certref'];
if (!empty($config['system']['webgui']['ssl-ciphers'])) {
$pconfig['ssl-ciphers'] = explode(':', $config['system']['webgui']['ssl-ciphers']);
} else {
$pconfig['ssl-ciphers'] = array();
}
$pconfig['disablehttpredirect'] = isset($config['system']['webgui']['disablehttpredirect']); $pconfig['disablehttpredirect'] = isset($config['system']['webgui']['disablehttpredirect']);
$pconfig['disableconsolemenu'] = isset($config['system']['disableconsolemenu']); $pconfig['disableconsolemenu'] = isset($config['system']['disableconsolemenu']);
$pconfig['disableintegratedauth'] = !empty($config['system']['disableintegratedauth']); $pconfig['disableintegratedauth'] = !empty($config['system']['disableintegratedauth']);
...@@ -84,9 +89,15 @@ if ($_SERVER['REQUEST_METHOD'] === 'GET') { ...@@ -84,9 +89,15 @@ if ($_SERVER['REQUEST_METHOD'] === 'GET') {
if (count($input_errors) ==0) { if (count($input_errors) ==0) {
// flag web ui for restart // flag web ui for restart
if (!empty($pconfig['ssl-ciphers'])) {
$newciphers = implode(':', $pconfig['ssl-ciphers']);
} else {
$newciphers = '';
}
if ($config['system']['webgui']['protocol'] != $pconfig['webguiproto'] || if ($config['system']['webgui']['protocol'] != $pconfig['webguiproto'] ||
$config['system']['webgui']['port'] != $pconfig['webguiport'] || $config['system']['webgui']['port'] != $pconfig['webguiport'] ||
$config['system']['webgui']['ssl-certref'] != $pconfig['ssl-certref'] || $config['system']['webgui']['ssl-certref'] != $pconfig['ssl-certref'] ||
$config['system']['webgui']['ssl-ciphers'] != $newciphers ||
($pconfig['disablehttpredirect'] == "yes") != !empty($config['system']['webgui']['disablehttpredirect']) ($pconfig['disablehttpredirect'] == "yes") != !empty($config['system']['webgui']['disablehttpredirect'])
) { ) {
$restart_webgui = true; $restart_webgui = true;
...@@ -97,6 +108,7 @@ if ($_SERVER['REQUEST_METHOD'] === 'GET') { ...@@ -97,6 +108,7 @@ if ($_SERVER['REQUEST_METHOD'] === 'GET') {
$config['system']['webgui']['protocol'] = $pconfig['webguiproto']; $config['system']['webgui']['protocol'] = $pconfig['webguiproto'];
$config['system']['webgui']['port'] = $pconfig['webguiport']; $config['system']['webgui']['port'] = $pconfig['webguiport'];
$config['system']['webgui']['ssl-certref'] = $pconfig['ssl-certref']; $config['system']['webgui']['ssl-certref'] = $pconfig['ssl-certref'];
$config['system']['webgui']['ssl-ciphers'] = $newciphers;
if ($pconfig['disablehttpredirect'] == "yes") { if ($pconfig['disablehttpredirect'] == "yes") {
$config['system']['webgui']['disablehttpredirect'] = true; $config['system']['webgui']['disablehttpredirect'] = true;
...@@ -359,6 +371,24 @@ include("head.inc"); ...@@ -359,6 +371,24 @@ include("head.inc");
</div> </div>
</td> </td>
</tr> </tr>
<tr class="ssl_opts">
<td><a id="help_for_sslciphers" href="#" class="showhelp"><i class="fa fa-info-circle"></i></a> <?=gettext("limit SSL Ciphers (advanced)"); ?></td>
<td>
<select name="ssl-ciphers[]" class="selectpicker" multiple="multiple" data-live-search="true" title="<?=gettext("leave default");?>">
<?php
$ciphers = json_decode(configd_run("system ssl ciphers"), true);
foreach ($ciphers as $cipher => $cipher_data):?>
<option value="<?=$cipher;?>" <?=in_array($cipher, $pconfig['ssl-ciphers']) ? 'selected="selected"' : '';?>>
<?=!empty($cipher_data['description']) ? $cipher_data['description'] : $cipher;?>
</option>
<?php
endforeach;?>
</select>
<div class="hidden" for="help_for_sslciphers">
<?=gettext("Limit SSL ciphers to selected ones, be **very** careful changing this option, invalid options could lead to an inaccessible user interface.");?>
</div>
</td>
</tr>
<tr> <tr>
<td><a id="help_for_webguiport" href="#" class="showhelp"><i class="fa fa-info-circle"></i></a> <?=gettext("TCP port"); ?></td> <td><a id="help_for_webguiport" href="#" class="showhelp"><i class="fa fa-info-circle"></i></a> <?=gettext("TCP port"); ?></td>
<td> <td>
......
Markdown is supported
0% or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment