Skip to content
Projects
Groups
Snippets
Help
Loading...
Help
Submit feedback
Contribute to GitLab
Sign in
Toggle navigation
O
OpnSense
Project
Project
Details
Activity
Releases
Cycle Analytics
Repository
Repository
Files
Commits
Branches
Tags
Contributors
Graph
Compare
Charts
Issues
0
Issues
0
List
Boards
Labels
Milestones
Merge Requests
0
Merge Requests
0
CI / CD
CI / CD
Pipelines
Jobs
Schedules
Charts
Wiki
Wiki
Snippets
Snippets
Members
Members
Collapse sidebar
Close sidebar
Activity
Graph
Charts
Create a new issue
Jobs
Commits
Issue Boards
Open sidebar
Kulya
OpnSense
Commits
99dac4ab
Commit
99dac4ab
authored
Dec 27, 2016
by
Ad Schellevis
Browse files
Options
Browse Files
Download
Email Patches
Plain Diff
(webconfigurator) optionally limit ciphers. closes
https://github.com/opnsense/core/issues/1301
parent
5f7fa590
Changes
5
Expand all
Hide whitespace changes
Inline
Side-by-side
Showing
5 changed files
with
452 additions
and
2 deletions
+452
-2
system.inc
src/etc/inc/system.inc
+5
-2
rfc5246_cipher_suites.csv
src/opnsense/scripts/system/rfc5246_cipher_suites.csv
+349
-0
ssl_ciphers.py
src/opnsense/scripts/system/ssl_ciphers.py
+62
-0
actions_system.conf
src/opnsense/service/conf/actions.d/actions_system.conf
+6
-0
system_advanced_admin.php
src/www/system_advanced_admin.php
+30
-0
No files found.
src/etc/inc/system.inc
View file @
99dac4ab
...
...
@@ -1276,8 +1276,11 @@ EOD;
// Harden SSL a bit for PCI conformance testing
$lighty_config
.=
"ssl.use-sslv2 =
\"
disable
\"\n
"
;
$lighty_config
.=
'ssl.cipher-list = "ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA"'
.
PHP_EOL
;
if
(
empty
(
$config
[
'system'
][
'webgui'
][
'ssl-ciphers'
]))
{
$lighty_config
.=
'ssl.cipher-list = "ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA"'
.
PHP_EOL
;
}
else
{
$lighty_config
.=
'ssl.cipher-list = "'
.
$config
[
'system'
][
'webgui'
][
'ssl-ciphers'
]
.
'"'
.
PHP_EOL
;
}
if
(
!
(
empty
(
$ca
)
||
(
strlen
(
trim
(
$ca
))
==
0
)))
{
$lighty_config
.=
"ssl.ca-file =
\"
/var/etc/
{
$ca_location
}
\"\n\n
"
;
...
...
src/opnsense/scripts/system/rfc5246_cipher_suites.csv
0 → 100644
View file @
99dac4ab
This diff is collapsed.
Click to expand it.
src/opnsense/scripts/system/ssl_ciphers.py
0 → 100755
View file @
99dac4ab
#!/usr/local/bin/python2.7
"""
Copyright (c) 2016 Ad Schellevis
All rights reserved.
Redistribution and use in source and binary forms, with or without
modification, are permitted provided that the following conditions are met:
1. Redistributions of source code must retain the above copyright notice,
this list of conditions and the following disclaimer.
2. Redistributions in binary form must reproduce the above copyright
notice, this list of conditions and the following disclaimer in the
documentation and/or other materials provided with the distribution.
THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
POSSIBILITY OF SUCH DAMAGE.
--------------------------------------------------------------------------------------
return all available ciphers
"""
import
tempfile
import
subprocess
import
os
import
sys
import
ujson
import
csv
if
__name__
==
'__main__'
:
# source http://www.iana.org/assignments/tls-parameters/tls-parameters-4.csv
rfc5246_file
=
'
%
s/rfc5246_cipher_suites.csv'
%
os
.
path
.
dirname
(
os
.
path
.
realpath
(
__file__
))
rfc5246
=
dict
()
if
os
.
path
.
isfile
(
rfc5246_file
):
with
open
(
rfc5246_file
,
'rb'
)
as
csvfile
:
for
row
in
csv
.
reader
(
csvfile
,
delimiter
=
','
,
quotechar
=
'"'
):
rfc5246
[
row
[
0
]]
=
{
'description'
:
row
[
1
]}
result
=
{}
with
tempfile
.
NamedTemporaryFile
()
as
output_stream
:
subprocess
.
call
([
'/usr/bin/openssl'
,
'ciphers'
,
'-V'
],
stdout
=
output_stream
,
stderr
=
open
(
os
.
devnull
,
'wb'
))
output_stream
.
seek
(
0
)
for
line
in
output_stream
.
read
()
.
strip
()
.
split
(
'
\n
'
):
parts
=
line
.
strip
()
.
split
()
if
len
(
parts
)
>
1
:
cipher_id
=
parts
[
0
]
cipher_key
=
parts
[
2
]
item
=
{
'version'
:
parts
[
3
],
'id'
:
cipher_id
,
'description'
:
''
}
for
part
in
parts
[
4
:]:
item
[
part
.
split
(
'='
)[
0
]]
=
part
.
split
(
'='
)[
-
1
]
if
cipher_id
in
rfc5246
:
item
[
'description'
]
=
rfc5246
[
cipher_id
][
'description'
]
result
[
cipher_key
]
=
item
print
ujson
.
dumps
(
result
)
src/opnsense/service/conf/actions.d/actions_system.conf
View file @
99dac4ab
...
...
@@ -3,3 +3,9 @@ command:/usr/local/opnsense/scripts/systemhealth/activity.py
parameters
:%
s
type
:
script_output
message
:
show
system
activity
[
ssl
.
ciphers
]
command
:/
usr
/
local
/
opnsense
/
scripts
/
system
/
ssl_ciphers
.
py
parameters
:
type
:
script_output
message
:
list
ssl
ciphers
src/www/system_advanced_admin.php
View file @
99dac4ab
...
...
@@ -39,6 +39,11 @@ if ($_SERVER['REQUEST_METHOD'] === 'GET') {
$pconfig
[
'webguiproto'
]
=
$config
[
'system'
][
'webgui'
][
'protocol'
];
$pconfig
[
'webguiport'
]
=
$config
[
'system'
][
'webgui'
][
'port'
];
$pconfig
[
'ssl-certref'
]
=
$config
[
'system'
][
'webgui'
][
'ssl-certref'
];
if
(
!
empty
(
$config
[
'system'
][
'webgui'
][
'ssl-ciphers'
]))
{
$pconfig
[
'ssl-ciphers'
]
=
explode
(
':'
,
$config
[
'system'
][
'webgui'
][
'ssl-ciphers'
]);
}
else
{
$pconfig
[
'ssl-ciphers'
]
=
array
();
}
$pconfig
[
'disablehttpredirect'
]
=
isset
(
$config
[
'system'
][
'webgui'
][
'disablehttpredirect'
]);
$pconfig
[
'disableconsolemenu'
]
=
isset
(
$config
[
'system'
][
'disableconsolemenu'
]);
$pconfig
[
'disableintegratedauth'
]
=
!
empty
(
$config
[
'system'
][
'disableintegratedauth'
]);
...
...
@@ -84,9 +89,15 @@ if ($_SERVER['REQUEST_METHOD'] === 'GET') {
if
(
count
(
$input_errors
)
==
0
)
{
// flag web ui for restart
if
(
!
empty
(
$pconfig
[
'ssl-ciphers'
]))
{
$newciphers
=
implode
(
':'
,
$pconfig
[
'ssl-ciphers'
]);
}
else
{
$newciphers
=
''
;
}
if
(
$config
[
'system'
][
'webgui'
][
'protocol'
]
!=
$pconfig
[
'webguiproto'
]
||
$config
[
'system'
][
'webgui'
][
'port'
]
!=
$pconfig
[
'webguiport'
]
||
$config
[
'system'
][
'webgui'
][
'ssl-certref'
]
!=
$pconfig
[
'ssl-certref'
]
||
$config
[
'system'
][
'webgui'
][
'ssl-ciphers'
]
!=
$newciphers
||
(
$pconfig
[
'disablehttpredirect'
]
==
"yes"
)
!=
!
empty
(
$config
[
'system'
][
'webgui'
][
'disablehttpredirect'
])
)
{
$restart_webgui
=
true
;
...
...
@@ -97,6 +108,7 @@ if ($_SERVER['REQUEST_METHOD'] === 'GET') {
$config
[
'system'
][
'webgui'
][
'protocol'
]
=
$pconfig
[
'webguiproto'
];
$config
[
'system'
][
'webgui'
][
'port'
]
=
$pconfig
[
'webguiport'
];
$config
[
'system'
][
'webgui'
][
'ssl-certref'
]
=
$pconfig
[
'ssl-certref'
];
$config
[
'system'
][
'webgui'
][
'ssl-ciphers'
]
=
$newciphers
;
if
(
$pconfig
[
'disablehttpredirect'
]
==
"yes"
)
{
$config
[
'system'
][
'webgui'
][
'disablehttpredirect'
]
=
true
;
...
...
@@ -359,6 +371,24 @@ include("head.inc");
</div>
</td>
</tr>
<tr
class=
"ssl_opts"
>
<td><a
id=
"help_for_sslciphers"
href=
"#"
class=
"showhelp"
><i
class=
"fa fa-info-circle"
></i></a>
<?=
gettext
(
"limit SSL Ciphers (advanced)"
);
?>
</td>
<td>
<select
name=
"ssl-ciphers[]"
class=
"selectpicker"
multiple=
"multiple"
data-live-search=
"true"
title=
"
<?=
gettext
(
"leave default"
);
?>
"
>
<?php
$ciphers
=
json_decode
(
configd_run
(
"system ssl ciphers"
),
true
);
foreach
(
$ciphers
as
$cipher
=>
$cipher_data
)
:?>
<
option
value
=
"<?=
$cipher
;?>"
<?=
in_array
(
$cipher
,
$pconfig
[
'ssl-ciphers'
])
?
'selected="selected"'
:
''
;
?>
>
<?=
!
empty
(
$cipher_data
[
'description'
])
?
$cipher_data
[
'description'
]
:
$cipher
;
?>
</option>
<?php
endforeach
;
?>
</select>
<div
class=
"hidden"
for=
"help_for_sslciphers"
>
<?=
gettext
(
"Limit SSL ciphers to selected ones, be **very** careful changing this option, invalid options could lead to an inaccessible user interface."
);
?>
</div>
</td>
</tr>
<tr>
<td><a
id=
"help_for_webguiport"
href=
"#"
class=
"showhelp"
><i
class=
"fa fa-info-circle"
></i></a>
<?=
gettext
(
"TCP port"
);
?>
</td>
<td>
...
...
Write
Preview
Markdown
is supported
0%
Try again
or
attach a new file
Attach a file
Cancel
You are about to add
0
people
to the discussion. Proceed with caution.
Finish editing this message first!
Cancel
Please
register
or
sign in
to comment