From 57202723f1cbe10f462988204a5154bf537f851c Mon Sep 17 00:00:00 2001
From: Jean-Philippe Pialasse
Date: Sat, 18 Jan 2025 15:29:38 -0500
Subject: [PATCH] * Sat Jan 18 2025 Jean-Philippe Pialasse 11.0.0-13.sme - use esmith::ssl to set ciphers and protocol [SME: 12821] improve cipher order to get strongers first drop SSLv2
---
 .../db/configuration/defaults/httpd-e-smith/SSLv2 | 1 -
 root/etc/e-smith/db/configuration/migrate/apache | 5 +++++
 .../etc/httpd/conf/httpd.conf/35SSL10SSLCipherSuite | 9 +++++----
 .../etc/httpd/conf/httpd.conf/35SSL30SSLProtocol | 8 ++------
 smeserver-apache.spec | 7 ++++++-
 5 files changed, 18 insertions(+), 12 deletions(-)
 delete mode 100644 root/etc/e-smith/db/configuration/defaults/httpd-e-smith/SSLv2
 create mode 100644 root/etc/e-smith/db/configuration/migrate/apache
diff --git a/root/etc/e-smith/db/configuration/defaults/httpd-e-smith/SSLv2 b/root/etc/e-smith/db/configuration/defaults/httpd-e-smith/SSLv2
deleted file mode 100644
index 7a68b11..0000000
--- a/root/etc/e-smith/db/configuration/defaults/httpd-e-smith/SSLv2
+++ /dev/null
@@ -1 +0,0 @@
-disabled
diff --git a/root/etc/e-smith/db/configuration/migrate/apache b/root/etc/e-smith/db/configuration/migrate/apache
new file mode 100644
index 0000000..fc7adf9
--- /dev/null
+++ b/root/etc/e-smith/db/configuration/migrate/apache
@@ -0,0 +1,5 @@
+{
+ # delete old httpd-e-smith apache properties
+ $DB->get('httpd-e-smith')->delete_prop($_) for ( qw(SSLv2 ) );
+
+}
diff --git a/root/etc/e-smith/templates/etc/httpd/conf/httpd.conf/35SSL10SSLCipherSuite b/root/etc/e-smith/templates/etc/httpd/conf/httpd.conf/35SSL10SSLCipherSuite
index 1d49155..4f4e5dc 100644
--- a/root/etc/e-smith/templates/etc/httpd/conf/httpd.conf/35SSL10SSLCipherSuite
+++ b/root/etc/e-smith/templates/etc/httpd/conf/httpd.conf/35SSL10SSLCipherSuite
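Review bot: `$DB->get('httpd-e-smith')->delete_prop($_) for ( qw(SSLv2 ) );` in the new migrate fragment dereferences the result of `get` without checking it, so on a host where the `httpd-e-smith` record is absent the migration dies instead of being a no-op; `my $rec = $DB->get('httpd-e-smith') or return; $rec->delete_prop($_) for qw(SSLv2);` keeps it harmless (assuming the fragment runs where `return` is legal, as other migrate fragments in this tree presumably do). Only `SSLv2` is dropped, yet the rewritten 35SSL30SSLProtocol template in this same patch stops reading the `SSLv3`, `TLSv1`, `TLSv1.1` and `TLSv1.2` properties of the same record; unless esmith::ssl consults them (not visible here), those keys become dead configuration that still looks authoritative to an administrator, so either delete them here as well or extend the comment to say that protocol selection has moved to esmith::ssl. The stray space in `qw(SSLv2 )` is harmless but reads as a leftover from a longer list.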
@@ -1,5 +1,6 @@
-{
- # When updating CipherSuite both e-smith-apache and smeserver-qpsmtpd templates should be updated.
- $OUT = "SSLCipherSuite ";
- $OUT .= $modSSL{CipherSuite} || 'ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-GCM-SHA256:HIGH@STRENGTH:!SSLv2:!ADH:!aNULL:!MD5:!RC4';
+{
+ use esmith::ssl;
+ # When updating CipherSuite both e-smith-apache and smeserver-qpsmtpd templates should be updated.
+ $OUT = "SSLCipherSuite ";
+ $OUT .= $modSSL{CipherSuite} || $smeCiphers;
 }
diff --git a/root/etc/e-smith/templates/etc/httpd/conf/httpd.conf/35SSL30SSLProtocol b/root/etc/e-smith/templates/etc/httpd/conf/httpd.conf/35SSL30SSLProtocol
index 1da6099..f73b00e 100644
--- a/root/etc/e-smith/templates/etc/httpd/conf/httpd.conf/35SSL30SSLProtocol
+++ b/root/etc/e-smith/templates/etc/httpd/conf/httpd.conf/35SSL30SSLProtocol
@@ -1,9 +1,5 @@
 {
+ use esmith::ssl;
 # Specify which SSL Protocols to accept for this context
- $OUT .= "SSLProtocol all";
- $OUT .= " -SSLv2" unless (${'httpd-e-smith'}{'SSLv2'} || 'disabled') eq 'enabled';
- $OUT .= " -SSLv3" unless (${'httpd-e-smith'}{'SSLv3'} || 'disabled') eq 'enabled';
- $OUT .= " -TLSv1" unless (${'httpd-e-smith'}{'TLSv1'} || 'disabled') eq 'enabled';
- $OUT .= " -TLSv1.1" unless (${'httpd-e-smith'}{'TLSv1.1'} || 'disabled') eq 'enabled';
- $OUT .= " -TLSv1.2" unless (${'httpd-e-smith'}{'TLSv1.2'} || 'enabled') eq 'enabled';
+ $OUT .= "SSLProtocol ". SSLprotoApache() ;
 }
diff --git a/smeserver-apache.spec b/smeserver-apache.spec
index 87f1415..ad89768 100644
--- a/smeserver-apache.spec
+++ b/smeserver-apache.spec
@@ -4,7 +4,7 @@ Summary: smeserver server and gateway - apache module
 %define name smeserver-apache
 Name: %{name}
 %define version 11.0.0
-%define release 12
+%define release 13
 Version: %{version}
 Release: %{release}%{?dist}
 License: GPL
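Review bot: The comment kept on the third added line of 35SSL10SSLCipherSuite, `# When updating CipherSuite both e-smith-apache and smeserver-qpsmtpd templates should be updated.`, is now stale: the default list no longer lives in this template but in `$smeCiphers`, which the added `use esmith::ssl;` presumably brings into scope, so the maintenance instruction points the next editor at the wrong file. Replace it with `# Default cipher list is $smeCiphers from esmith::ssl; change it there, not in this template.` The override `$modSSL{CipherSuite} || $smeCiphers` still wins unconditionally, so a per-host CipherSuite value set before this release keeps the old, weaker-ordered list rather than picking up the improved default; that is worth one more sentence in the same comment. Whether `$smeCiphers` is actually exported by esmith::ssl, and whether the package providing that module is a Requires of this package, cannot be seen in this patch, since the spec hunk only bumps the release.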
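Review bot: `$OUT .= "SSLProtocol ". SSLprotoApache() ;` on the last added line of 35SSL30SSLProtocol has uneven spacing around `.` and before `;`; `$OUT .= "SSLProtocol " . SSLprotoApache();` matches the rest of the template. The removed lines defaulted to `all` minus SSLv2, SSLv3, TLSv1 and TLSv1.1 with TLSv1.2 kept, and the new line delegates that whole decision to `SSLprotoApache()`, whose output is not visible here, so the template no longer documents what the server will actually accept. A comment such as `# Protocol list is computed by SSLprotoApache() from esmith::ssl; the per-protocol httpd-e-smith keys are no longer consulted here.` placed above the assignment would record where the behaviour moved and why the old keys stopped having effect.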
@@ -74,6 +74,11 @@ if [ $1 -gt 1 ] ; then
 fi
 %changelog
+* Sat Jan 18 2025 Jean-Philippe Pialasse 11.0.0-13.sme
+- use esmith::ssl to set ciphers and protocol [SME: 12821]
+ improve cipher order to get strongers first
+ drop SSLv2
+
 * Thu Jan 02 2025 Jean-Philippe Pialasse 11.0.0-12.sme
 - fix OCSP Stapling support [SME: 12819]
 - fix .well-known/security.txt [SME: 12818]