smeserver/smeserver-apache
6
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

* Sat Jan 18 2025 Jean-Philippe Pialasse <jpp@koozali.org> 11.0.0-13.sme

Browse Source 
- use esmith::ssl to set ciphers and protocol [SME: 12821]
  improve cipher order to get strongers first
  drop SSLv2
This commit is contained in:
Jean-Philippe Pialasse 2025-01-18 15:29:38 -05:00
parent 1bfad8c651
commit 57202723f1
5 changed files with 18 additions and 12 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

1
root/etc/e-smith/db/configuration/defaults/httpd-e-smith/SSLv2
View File

@ -1 +0,0 @@
disabled

5
root/etc/e-smith/db/configuration/migrate/apache Normal file
View File

@ -0,0 +1,5 @@
{
# delete old httpd-e-smith apache properties
$DB->get('httpd-e-smith')->delete_prop($_) for ( qw(SSLv2 ) );
}

9
root/etc/e-smith/templates/etc/httpd/conf/httpd.conf/35SSL10SSLCipherSuite
View File

@ -1,5 +1,6 @@
{ {
# When updating CipherSuite both e-smith-apache and smeserver-qpsmtpd templates should be updated. use esmith::ssl;
$OUT = "SSLCipherSuite "; # When updating CipherSuite both e-smith-apache and smeserver-qpsmtpd templates should be updated.
$OUT .= $modSSL{CipherSuite} || 'ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-GCM-SHA256:HIGH@STRENGTH:!SSLv2:!ADH:!aNULL:!MD5:!RC4'; $OUT = "SSLCipherSuite ";
$OUT .= $modSSL{CipherSuite} || $smeCiphers;
} }

8
root/etc/e-smith/templates/etc/httpd/conf/httpd.conf/35SSL30SSLProtocol
View File

@ -1,9 +1,5 @@
{ {
use esmith::ssl;
# Specify which SSL Protocols to accept for this context # Specify which SSL Protocols to accept for this context
$OUT .= "SSLProtocol all"; $OUT .= "SSLProtocol ". SSLprotoApache() ;
$OUT .= " -SSLv2" unless (${'httpd-e-smith'}{'SSLv2'} || 'disabled') eq 'enabled';
$OUT .= " -SSLv3" unless (${'httpd-e-smith'}{'SSLv3'} || 'disabled') eq 'enabled';
$OUT .= " -TLSv1" unless (${'httpd-e-smith'}{'TLSv1'} || 'disabled') eq 'enabled';
$OUT .= " -TLSv1.1" unless (${'httpd-e-smith'}{'TLSv1.1'} || 'disabled') eq 'enabled';
$OUT .= " -TLSv1.2" unless (${'httpd-e-smith'}{'TLSv1.2'} || 'enabled') eq 'enabled';
} }

7
smeserver-apache.spec
View File

@ -4,7 +4,7 @@ Summary: smeserver server and gateway - apache module
%define name smeserver-apache %define name smeserver-apache
Name: %{name} Name: %{name}
%define version 11.0.0 %define version 11.0.0
%define release 12 %define release 13
Version: %{version} Version: %{version}
Release: %{release}%{?dist} Release: %{release}%{?dist}
License: GPL License: GPL
@ -74,6 +74,11 @@ if [ $1 -gt 1 ] ; then
fi fi
%changelog %changelog
* Sat Jan 18 2025 Jean-Philippe Pialasse <jpp@koozali.org> 11.0.0-13.sme
- use esmith::ssl to set ciphers and protocol [SME: 12821]
improve cipher order to get strongers first
drop SSLv2
* Thu Jan 02 2025 Jean-Philippe Pialasse <jpp@koozali.org> 11.0.0-12.sme * Thu Jan 02 2025 Jean-Philippe Pialasse <jpp@koozali.org> 11.0.0-12.sme
- fix OCSP Stapling support [SME: 12819] - fix OCSP Stapling support [SME: 12819]
- fix .well-known/security.txt [SME: 12818] - fix .well-known/security.txt [SME: 12818]