Commit ca18801b authored by Franco Fichtner's avatar Franco Fichtner

crypto: address a few potential loopholes for #logjam

o Regenerate all dhparam files.  (Looksie, we don't have under 1024!)

o Make beast mitigation the default, been around since 2011.

o Tweak the cipher settings via recommendations below.

Open points are the zapping of 1024 bit dhparam and how we should
handle dhparam shipping in the future.  Please write in to discuss.  :)

Taken from: https://weakdh.org/sysadmin.html
parent ee4486d8
-----BEGIN DH PARAMETERS----- -----BEGIN DH PARAMETERS-----
MIGHAoGBAINPWm4z+KHppuzSZFjreaLrKdI/wkP0ojutrSlkiszXsGkbU6++GB1C MIGHAoGBANl0O/jYGYAnQRtxvQ97D2bt7nraWGbn877Fy7+/7DWhLVAR8tgAUaXo
7ZH2ZVpSIo4z31XyQnlraIkyY2pAItxqN8ozWaz84QLSHcwVcWKDEU7ZP0ISyTep Z5usvCot++T2FCryeGwQjXirwy1sahSZFKUQ6kG5n09fVOY9oI8HQ1SsTjemEetG
alnFPGG8nJBSzxch+7H3HOfM68y6kfMtFDWuZtYj/9Zw4W42fVDLAgEC Aqa0VbcVvll2K0nY1p8OJPGlEWmeBi21OSv5ZYjnxigvc38brIw7AgEC
-----END DH PARAMETERS----- -----END DH PARAMETERS-----
-----BEGIN DH PARAMETERS----- -----BEGIN DH PARAMETERS-----
MIIBCAKCAQEAmWwXhRjeqPYl1TvXeKZt5W8MHe0keJK7wC+uPMxpGFVXlvPnWdN+ MIIBCAKCAQEA7RQUrHIRzq0Xvaq+08JJ/oMwnWnKMDh7yKArgyBG71Bi5Gl/EeJl
W/GyimtD2rHYWF1gyr5IbhiEkXSAuTCnwokwz9XiNQ3hKY/iwTPDo0Go8beB5Ezr glIUtEsW5nHjrbQhaJf9oC2G/zTK7xrtuURTcQVxQjA1xXAYMrAeMFV+vYKgoHj6
wz8DibSIv93Va5C+fHzwosuwTAqaOgpOzPqSmVS/UmUATssxOuCK6Crv7YyA5knW brkqW0ivb3tSNUAZOMzAToXDZtCo4dhee9ZU+ZrdOpTTTpxX0S4kGGgN4qdCiDJm
v0JsJK3VfloeXq/p4skn/KRgL2twO5puJvZWGycMd3cv9+afsWjES/ItwzEHNSEG IzUp8WUl8prnhdFzDlVmYfzep8gXdvFsCYOczpjV66godQWtSaO6+ntCEg2DK1o+
sPen/kNDB4nH+WFKdXnP3fUAqPZCxiqaBC+UnuHngm7Se4smc7DeJkUsed7NLIeg W7EM8yN85yzy8MLbpc6oYzoaASSQGdYUuMtzVvaHKGueEv2bjUJ7CMSZXkd2z3c7
zDZ0a3bKZ3UB0lcLGbqXIhh74TtFQ1egmwIBAg== d56EajFmu8xlsUnvmXi3831RwBJH20LcewIBAg==
-----END DH PARAMETERS----- -----END DH PARAMETERS-----
-----BEGIN DH PARAMETERS----- -----BEGIN DH PARAMETERS-----
MIICCAKCAgEA1G0VaCFVkFFPB0pL1Y6NtAlysfvZaAXXmmJ89Xy5wrNLEZfTdmqT MIICCAKCAgEAuyZ+CFkBpcDArpt1oXlt8OgPLw/YMgnz5l5DHTVLOy25ndDhwU9Z
NmABAhr0DD6+1rcI5d4LriRLhTFf77COjW/+FelEA5BZBsoQDL6QsxWt4VoLT6uK IDmMAG6EDK/44duQ85G1e1j350Vj7dXQ55dDsr7+3hnEfv/sA/yak44fc6Sln8lZ
bKVkbtwKycz0uOU1areS5gWHF71KRmKgooOuY2yl7a75uLn4QYCS7hKLXsAIB8eC wnsEl0ehLdunUDdWhBhXip6gg0TjtwSTLu9jz5VMahN9bI9ffI7Jhndx4abjtNVi
63nl81T5gXOAc3hMiKrk8hKLUA6zkMfqWIpG06wvicaPlg8GyQavwGxONDNl/Y2r Km+cb0ivuKxoy1odCvZCbEXQMYEx3iqER4XwfuryHdj6gz20WdpJdIYZSivArTL2
XyRoh/4ja7Moz0tUCmZV+iKtGgq5wekJ1fCN3zhXPX6h6WujoYqzcCmPLFCuIuEa ZsBrE1VO0HNboSX41FSkIT/H4gozvTczjefTec4787cKMoHPGNMcE6y4+I1G2m3Z
kxRy9XaDTe8V40p1RDc4yMYQrl2hxrO8YPRBewigILYxEfe+51qE5Sb//UZszwNL XZvSLkx4+STxqdpAxvUsmgCTkpYn8geHJd2OAN25pEhvOGnsbIuWW01bKO0nGNdO
kIhW9ObfAkotXoH81xke4EN0RX+rVK1ZYbeBIDCn62ZqNsUVkMh5Otsh0TiK7SP9 HWlTDqYB2W86u9JAgr+3cMyTv2EMEOz7/YB3yzI91S5s+LeNDJJDVYRCBnLjB6G4
O14IflklQqpyYc+aHMNknhsN30MFV3aD/785QS8zcWUdSdQeZlbjjFgJ4Xpt+r3p zISLESIqORcYUNkW63XvNFKVSfeY+SYjVqrFw/N0CeleJIcrTfLKWqdNBxlZH1Ef
X6Vv8cwEh8qDHn2CaOfZtyTx2V3B2LU1sJZQ9ynVzlxy2clQcVboXPM1xNgzHSsd 7xYpfH+o3se2yZSOMNKB6+hAlhUss3bKTkM68OFR4eWWFkAb0Nd4nNgED7WZpObd
bFgPMJUAq9VjLGrbN6a3NqWwXnQPMuczX1G3T690fKF55e/boIAXZD1hEZqKt1f0 ewYEY+7ZNCYhD7o+gZ/QDTaqun7UwQ1AvDpyoU3H9WdBzQ46MhIpb6R2T8vfY6TR
DuCwyf/D4CEGyHhHIdVm7f1kTaErWzSgqcc2wGsjFi3ABTG2byxTnSsCAQI= mEO6DZRBo1DKlfCEvyN/ybBTBRHdckFIT+OzRfoQAH4XCG5iujeEDZMCAQI=
-----END DH PARAMETERS----- -----END DH PARAMETERS-----
...@@ -1172,26 +1172,7 @@ EOD; ...@@ -1172,26 +1172,7 @@ EOD;
// Harden SSL a bit for PCI conformance testing // Harden SSL a bit for PCI conformance testing
$lighty_config .= "ssl.use-sslv2 = \"disable\"\n"; $lighty_config .= "ssl.use-sslv2 = \"disable\"\n";
/* Hifn accelerators do NOT work with the BEAST mitigation code. Do not allow it to be enabled if a Hifn card has been detected. */ $lighty_config .= 'ssl.cipher-list = "ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA"' . PHP_EOL;
$fd = @fopen('/var/run/dmesg.boot', 'r');
if ($fd) {
while (!feof($fd)) {
$dmesgl = fgets($fd);
if (preg_match("/^hifn.: (.*?),/", $dmesgl, $matches) && isset($config['system']['webgui']['beast_protection'])) {
unset($config['system']['webgui']['beast_protection']);
log_error("BEAST Protection disabled because a conflicting cryptographic accelerator card has been detected (" . $matches[1] . ")");
break;
}
}
fclose($fd);
}
if (isset($config['system']['webgui']['beast_protection'])) {
$lighty_config .= "ssl.honor-cipher-order = \"enable\"\n";
$lighty_config .= "ssl.cipher-list = \"ECDHE-RSA-AES256-SHA384:AES256-SHA256:RC4-SHA:RC4:HIGH:!MD5:!aNULL:!EDH:!AESGCM\"\n";
} else {
$lighty_config .= "ssl.cipher-list = \"DHE-RSA-CAMELLIA256-SHA:DHE-DSS-CAMELLIA256-SHA:CAMELLIA256-SHA:DHE-DSS-AES256-SHA:AES256-SHA:DHE-RSA-CAMELLIA128-SHA:DHE-DSS-CAMELLIA128-SHA:CAMELLIA128-SHA:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA:AES128-SHA:RC4-SHA:RC4-MD5:!aNULL:!eNULL:!3DES:@STRENGTH\"\n";
}
if(!(empty($ca) || (strlen(trim($ca)) == 0))) if(!(empty($ca) || (strlen(trim($ca)) == 0)))
$lighty_config .= "ssl.ca-file = \"/var/etc/{$ca_location}\"\n\n"; $lighty_config .= "ssl.ca-file = \"/var/etc/{$ca_location}\"\n\n";
......
...@@ -43,7 +43,6 @@ $pconfig['disableconsolemenu'] = isset($config['system']['disableconsolemenu']); ...@@ -43,7 +43,6 @@ $pconfig['disableconsolemenu'] = isset($config['system']['disableconsolemenu']);
$pconfig['noantilockout'] = isset($config['system']['webgui']['noantilockout']); $pconfig['noantilockout'] = isset($config['system']['webgui']['noantilockout']);
$pconfig['nodnsrebindcheck'] = isset($config['system']['webgui']['nodnsrebindcheck']); $pconfig['nodnsrebindcheck'] = isset($config['system']['webgui']['nodnsrebindcheck']);
$pconfig['nohttpreferercheck'] = isset($config['system']['webgui']['nohttpreferercheck']); $pconfig['nohttpreferercheck'] = isset($config['system']['webgui']['nohttpreferercheck']);
$pconfig['beast_protection'] = isset($config['system']['webgui']['beast_protection']);
$pconfig['enable_xdebug'] = isset($config['system']['webgui']['enable_xdebug']) ; $pconfig['enable_xdebug'] = isset($config['system']['webgui']['enable_xdebug']) ;
$pconfig['loginautocomplete'] = isset($config['system']['webgui']['loginautocomplete']); $pconfig['loginautocomplete'] = isset($config['system']['webgui']['loginautocomplete']);
$pconfig['althostnames'] = $config['system']['webgui']['althostnames']; $pconfig['althostnames'] = $config['system']['webgui']['althostnames'];
...@@ -163,11 +162,6 @@ if ($_POST) { ...@@ -163,11 +162,6 @@ if ($_POST) {
else else
unset($config['system']['webgui']['nohttpreferercheck']); unset($config['system']['webgui']['nohttpreferercheck']);
if ($_POST['beast_protection'] == "yes")
$config['system']['webgui']['beast_protection'] = true;
else
unset($config['system']['webgui']['beast_protection']);
if ($_POST['enable_xdebug'] == "yes") { if ($_POST['enable_xdebug'] == "yes") {
$config['system']['webgui']['enable_xdebug'] = true; $config['system']['webgui']['enable_xdebug'] = true;
} else { } else {
...@@ -255,21 +249,6 @@ if ($_POST) { ...@@ -255,21 +249,6 @@ if ($_POST) {
} }
} }
unset($hwcrypto);
$fd = @fopen('/var/run/dmesg.boot', 'r');
if ($fd) {
while (!feof($fd)) {
$dmesgl = fgets($fd);
if (preg_match("/^hifn.: (.*?),/", $dmesgl, $matches)) {
unset($pconfig['beast_protection']);
$disable_beast_option = "disabled";
$hwcrypto = $matches[1];
break;
}
}
fclose($fd);
}
$pgtitle = array(gettext("System"),gettext("Settings"),gettext("Admin Access")); $pgtitle = array(gettext("System"),gettext("Settings"),gettext("Admin Access"));
include("head.inc"); include("head.inc");
...@@ -469,22 +448,6 @@ include("head.inc"); ...@@ -469,22 +448,6 @@ include("head.inc");
"webConfigurator access in certain corner cases such as using external scripts to interact with this system. More information on HTTP_REFERER is available from <a target='_blank' href='http://en.wikipedia.org/wiki/HTTP_referrer'>Wikipedia</a>."); ?> "webConfigurator access in certain corner cases such as using external scripts to interact with this system. More information on HTTP_REFERER is available from <a target='_blank' href='http://en.wikipedia.org/wiki/HTTP_referrer'>Wikipedia</a>."); ?>
</td> </td>
</tr> </tr>
<tr>
<td width="22%" valign="top" class="vncell"><?=gettext("BEAST Attack Protection"); ?></td>
<td width="78%" class="vtable">
<input name="beast_protection" type="checkbox" id="beast_protection" value="yes" <?php if ($pconfig['beast_protection']) echo "checked=\"checked\""; ?> <?= $disable_beast_option ?>/>
<strong><?=gettext("Mitigate the BEAST SSL Attack"); ?></strong>
<br />
<?php echo gettext("When this is checked, the webConfigurator can mitigate BEAST SSL attacks. ") ?>
<br />
<?php if ($disable_beast_option) {
echo "<br />" . sprintf(gettext("This option has been automatically disabled because a conflicting cryptographic accelerator card has been detected (%s)."), $hwcrypto) . "<br /><br />";
} ?>
<?php echo gettext("This option is off by default because Hifn accelerators do NOT work with this option, and the GUI will not function. " .
"It is possible that other accelerators have a similar problem that is not yet known/documented. " .
"More information on BEAST is available from <a target='_blank' href='https://en.wikipedia.org/wiki/Transport_Layer_Security#BEAST_attack'>Wikipedia</a>."); ?>
</td>
</tr>
<tr> <tr>
<td width="22%" valign="top" class="vncell"><?=gettext("Enable XDebug"); ?></td> <td width="22%" valign="top" class="vncell"><?=gettext("Enable XDebug"); ?></td>
<td width="78%" class="vtable"> <td width="78%" class="vtable">
......
Markdown is supported
0% or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment