crypto: address a few potential loopholes for #logjam

o Regenerate all dhparam files. (Looksie, we don't have under 1024!) o Make beast mitigation the default, been around since 2011. o Tweak the cipher settings via recommendations below. Open points are the zapping of 1024 bit dhparam and how we should handle dhparam shipping in the future. Please write in to discuss. :) Taken from: https://weakdh.org/sysadmin.html

crypto: address a few potential loopholes for #logjam
o Regenerate all dhparam files. (Looksie, we don't have under 1024!) o Make beast mitigation the default, been around since 2011. o Tweak the cipher settings via recommendations below. Open points are the zapping of 1024 bit dhparam and how we should handle dhparam shipping in the future. Please write in to discuss. :) Taken from: https://weakdh.org/sysadmin.html
ca18801b · Franco Fichtner · ee4486d8 · ca18801b · ca18801b · ca18801b
Commit ca18801b authored May 22, 2015 by Franco Fichtner
5 changed files
--- a/src/etc/dh-parameters.1024
+++ b/src/etc/dh-parameters.1024
 -----BEGIN DH PARAMETERS-----
-MIGHAoGBAINPWm4z+KHppuzSZFjreaLrKdI/wkP0ojutrSlkiszXsGkbU6++GB1C
-7ZH2ZVpSIo4z31XyQnlraIkyY2pAItxqN8ozWaz84QLSHcwVcWKDEU7ZP0ISyTep
-alnFPGG8nJBSzxch+7H3HOfM68y6kfMtFDWuZtYj/9Zw4W42fVDLAgEC
+MIGHAoGBANl0O/jYGYAnQRtxvQ97D2bt7nraWGbn877Fy7+/7DWhLVAR8tgAUaXo
+Z5usvCot++T2FCryeGwQjXirwy1sahSZFKUQ6kG5n09fVOY9oI8HQ1SsTjemEetG
+Aqa0VbcVvll2K0nY1p8OJPGlEWmeBi21OSv5ZYjnxigvc38brIw7AgEC
 -----END DH PARAMETERS-----
--- a/src/etc/dh-parameters.2048
+++ b/src/etc/dh-parameters.2048
 -----BEGIN DH PARAMETERS-----
-MIIBCAKCAQEAmWwXhRjeqPYl1TvXeKZt5W8MHe0keJK7wC+uPMxpGFVXlvPnWdN+
-W/GyimtD2rHYWF1gyr5IbhiEkXSAuTCnwokwz9XiNQ3hKY/iwTPDo0Go8beB5Ezr
-wz8DibSIv93Va5C+fHzwosuwTAqaOgpOzPqSmVS/UmUATssxOuCK6Crv7YyA5knW
-v0JsJK3VfloeXq/p4skn/KRgL2twO5puJvZWGycMd3cv9+afsWjES/ItwzEHNSEG
-sPen/kNDB4nH+WFKdXnP3fUAqPZCxiqaBC+UnuHngm7Se4smc7DeJkUsed7NLIeg
-zDZ0a3bKZ3UB0lcLGbqXIhh74TtFQ1egmwIBAg==
+MIIBCAKCAQEA7RQUrHIRzq0Xvaq+08JJ/oMwnWnKMDh7yKArgyBG71Bi5Gl/EeJl
+glIUtEsW5nHjrbQhaJf9oC2G/zTK7xrtuURTcQVxQjA1xXAYMrAeMFV+vYKgoHj6
+brkqW0ivb3tSNUAZOMzAToXDZtCo4dhee9ZU+ZrdOpTTTpxX0S4kGGgN4qdCiDJm
+IzUp8WUl8prnhdFzDlVmYfzep8gXdvFsCYOczpjV66godQWtSaO6+ntCEg2DK1o+
+W7EM8yN85yzy8MLbpc6oYzoaASSQGdYUuMtzVvaHKGueEv2bjUJ7CMSZXkd2z3c7
+d56EajFmu8xlsUnvmXi3831RwBJH20LcewIBAg==
 -----END DH PARAMETERS-----
--- a/src/etc/dh-parameters.4096
+++ b/src/etc/dh-parameters.4096
 -----BEGIN DH PARAMETERS-----
-MIICCAKCAgEA1G0VaCFVkFFPB0pL1Y6NtAlysfvZaAXXmmJ89Xy5wrNLEZfTdmqT
-NmABAhr0DD6+1rcI5d4LriRLhTFf77COjW/+FelEA5BZBsoQDL6QsxWt4VoLT6uK
-bKVkbtwKycz0uOU1areS5gWHF71KRmKgooOuY2yl7a75uLn4QYCS7hKLXsAIB8eC
-63nl81T5gXOAc3hMiKrk8hKLUA6zkMfqWIpG06wvicaPlg8GyQavwGxONDNl/Y2r
-XyRoh/4ja7Moz0tUCmZV+iKtGgq5wekJ1fCN3zhXPX6h6WujoYqzcCmPLFCuIuEa
-kxRy9XaDTe8V40p1RDc4yMYQrl2hxrO8YPRBewigILYxEfe+51qE5Sb//UZszwNL
-kIhW9ObfAkotXoH81xke4EN0RX+rVK1ZYbeBIDCn62ZqNsUVkMh5Otsh0TiK7SP9
-O14IflklQqpyYc+aHMNknhsN30MFV3aD/785QS8zcWUdSdQeZlbjjFgJ4Xpt+r3p
-X6Vv8cwEh8qDHn2CaOfZtyTx2V3B2LU1sJZQ9ynVzlxy2clQcVboXPM1xNgzHSsd
-bFgPMJUAq9VjLGrbN6a3NqWwXnQPMuczX1G3T690fKF55e/boIAXZD1hEZqKt1f0
-DuCwyf/D4CEGyHhHIdVm7f1kTaErWzSgqcc2wGsjFi3ABTG2byxTnSsCAQI=
+MIICCAKCAgEAuyZ+CFkBpcDArpt1oXlt8OgPLw/YMgnz5l5DHTVLOy25ndDhwU9Z
+IDmMAG6EDK/44duQ85G1e1j350Vj7dXQ55dDsr7+3hnEfv/sA/yak44fc6Sln8lZ
+wnsEl0ehLdunUDdWhBhXip6gg0TjtwSTLu9jz5VMahN9bI9ffI7Jhndx4abjtNVi
+Km+cb0ivuKxoy1odCvZCbEXQMYEx3iqER4XwfuryHdj6gz20WdpJdIYZSivArTL2
+ZsBrE1VO0HNboSX41FSkIT/H4gozvTczjefTec4787cKMoHPGNMcE6y4+I1G2m3Z
+XZvSLkx4+STxqdpAxvUsmgCTkpYn8geHJd2OAN25pEhvOGnsbIuWW01bKO0nGNdO
+HWlTDqYB2W86u9JAgr+3cMyTv2EMEOz7/YB3yzI91S5s+LeNDJJDVYRCBnLjB6G4
+zISLESIqORcYUNkW63XvNFKVSfeY+SYjVqrFw/N0CeleJIcrTfLKWqdNBxlZH1Ef
+7xYpfH+o3se2yZSOMNKB6+hAlhUss3bKTkM68OFR4eWWFkAb0Nd4nNgED7WZpObd
+ewYEY+7ZNCYhD7o+gZ/QDTaqun7UwQ1AvDpyoU3H9WdBzQ46MhIpb6R2T8vfY6TR
+mEO6DZRBo1DKlfCEvyN/ybBTBRHdckFIT+OzRfoQAH4XCG5iujeEDZMCAQI=
 -----END DH PARAMETERS-----
--- a/src/etc/inc/system.inc
+++ b/src/etc/inc/system.inc
@@ -1172,26 +1172,7 @@ EOD;
 		// Harden SSL a bit for PCI conformance testing
 		$lighty_config .= "ssl.use-sslv2 = \"disable\"\n";

-		/* Hifn accelerators do NOT work with the BEAST mitigation code. Do not allow it to be enabled if a Hifn card has been detected. */
-		$fd = @fopen('/var/run/dmesg.boot', 'r');
-		if ($fd) {
-			while (!feof($fd)) {
-				$dmesgl = fgets($fd);
-				if (preg_match("/^hifn.: (.*?),/", $dmesgl, $matches) && isset($config['system']['webgui']['beast_protection'])) {
-						unset($config['system']['webgui']['beast_protection']);
-						log_error("BEAST Protection disabled because a conflicting cryptographic accelerator card has been detected (" . $matches[1] . ")");
-					break;
-				}
-			}
-			fclose($fd);
-		}
-
-		if (isset($config['system']['webgui']['beast_protection'])) {
-			$lighty_config .= "ssl.honor-cipher-order = \"enable\"\n";
-			$lighty_config .= "ssl.cipher-list = \"ECDHE-RSA-AES256-SHA384:AES256-SHA256:RC4-SHA:RC4:HIGH:!MD5:!aNULL:!EDH:!AESGCM\"\n";
-		} else {
-			$lighty_config .= "ssl.cipher-list = \"DHE-RSA-CAMELLIA256-SHA:DHE-DSS-CAMELLIA256-SHA:CAMELLIA256-SHA:DHE-DSS-AES256-SHA:AES256-SHA:DHE-RSA-CAMELLIA128-SHA:DHE-DSS-CAMELLIA128-SHA:CAMELLIA128-SHA:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA:AES128-SHA:RC4-SHA:RC4-MD5:!aNULL:!eNULL:!3DES:@STRENGTH\"\n";
-		}
+		$lighty_config .= 'ssl.cipher-list = "ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA"' . PHP_EOL;

 		if(!(empty($ca) || (strlen(trim($ca)) == 0)))
 			$lighty_config .= "ssl.ca-file = \"/var/etc/{$ca_location}\"\n\n";

--- a/src/www/system_advanced_admin.php
+++ b/src/www/system_advanced_admin.php
@@ -43,7 +43,6 @@ $pconfig['disableconsolemenu'] = isset($config['system']['disableconsolemenu']);
 $pconfig['noantilockout'] = isset($config['system']['webgui']['noantilockout']);
 $pconfig['nodnsrebindcheck'] = isset($config['system']['webgui']['nodnsrebindcheck']);
 $pconfig['nohttpreferercheck'] = isset($config['system']['webgui']['nohttpreferercheck']);
-$pconfig['beast_protection'] = isset($config['system']['webgui']['beast_protection']);
 $pconfig['enable_xdebug'] = isset($config['system']['webgui']['enable_xdebug']) ;
 $pconfig['loginautocomplete'] = isset($config['system']['webgui']['loginautocomplete']);
 $pconfig['althostnames'] = $config['system']['webgui']['althostnames'];
@@ -163,11 +162,6 @@ if ($_POST) {
 		else
 			unset($config['system']['webgui']['nohttpreferercheck']);

-		if ($_POST['beast_protection'] == "yes")
-			$config['system']['webgui']['beast_protection'] = true;
-		else
-			unset($config['system']['webgui']['beast_protection']);
-
 		if ($_POST['enable_xdebug'] == "yes") {
 			$config['system']['webgui']['enable_xdebug'] = true;
 		} else {
@@ -255,21 +249,6 @@ if ($_POST) {
 	}
 }

-unset($hwcrypto);
-$fd = @fopen('/var/run/dmesg.boot', 'r');
-if ($fd) {
-	while (!feof($fd)) {
-		$dmesgl = fgets($fd);
-		if (preg_match("/^hifn.: (.*?),/", $dmesgl, $matches)) {
-				unset($pconfig['beast_protection']);
-				$disable_beast_option = "disabled";
-				$hwcrypto = $matches[1];
-			break;
-		}
-	}
-	fclose($fd);
-}
-
 $pgtitle = array(gettext("System"),gettext("Settings"),gettext("Admin Access"));
 include("head.inc");

@@ -469,22 +448,6 @@ include("head.inc");
 										"webConfigurator access in certain corner cases such as using external scripts to interact with this system. More information on HTTP_REFERER is available from <a target='_blank' href='http://en.wikipedia.org/wiki/HTTP_referrer'>Wikipedia</a>."); ?>
 									</td>
 								</tr>
-								<tr>
-									<td width="22%" valign="top" class="vncell"><?=gettext("BEAST Attack Protection"); ?></td>
-									<td width="78%" class="vtable">
-										<input name="beast_protection" type="checkbox" id="beast_protection" value="yes" <?php if ($pconfig['beast_protection']) echo "checked=\"checked\""; ?> <?= $disable_beast_option ?>/>
-										<strong><?=gettext("Mitigate the BEAST SSL Attack"); ?></strong>
-										<br />
-										<?php echo gettext("When this is checked, the webConfigurator can mitigate BEAST SSL attacks. ") ?>
-										<br />
-										<?php	if ($disable_beast_option) {
-												echo "<br />" . sprintf(gettext("This option has been automatically disabled because a conflicting cryptographic accelerator card has been detected (%s)."), $hwcrypto) . "<br /><br />";
-											} ?>
-										<?php echo gettext("This option is off by default because Hifn accelerators do NOT work with this option, and the GUI will not function. " .
-										"It is possible that other accelerators have a similar problem that is not yet known/documented. " .
-										"More information on BEAST is available from <a target='_blank' href='https://en.wikipedia.org/wiki/Transport_Layer_Security#BEAST_attack'>Wikipedia</a>."); ?>
-									</td>
-								</tr>
 								<tr>
 									<td width="22%" valign="top" class="vncell"><?=gettext("Enable XDebug"); ?></td>
 									<td width="78%" class="vtable">