* Sat Jan 18 2025 Jean-Philippe Pialasse <jpp@koozali.org> 11.0.0-13.sme

- use esmith::ssl to set ciphers and protocol [SME: 12821] improve cipher order to get strongers first drop SSLv2
2025-01-18 15:29:38 -05:00
parent 1bfad8c651
commit 57202723f1
5 changed files with 18 additions and 12 deletions
--- a/root/etc/e-smith/db/configuration/defaults/httpd-e-smith/SSLv2
+++ b/root/etc/e-smith/db/configuration/defaults/httpd-e-smith/SSLv2
@@ -1 +0,0 @@
-disabled
--- a/root/etc/e-smith/db/configuration/migrate/apache
+++ b/root/etc/e-smith/db/configuration/migrate/apache
@@ -0,0 +1,5 @@
+{
+ # delete old httpd-e-smith apache properties
+ $DB->get('httpd-e-smith')->delete_prop($_) for ( qw(SSLv2 ) ); 
+
+}
--- a/root/etc/e-smith/templates/etc/httpd/conf/httpd.conf/35SSL10SSLCipherSuite
+++ b/root/etc/e-smith/templates/etc/httpd/conf/httpd.conf/35SSL10SSLCipherSuite
@@ -1,5 +1,6 @@
 {
+    use esmith::ssl;
    # When updating CipherSuite both e-smith-apache and smeserver-qpsmtpd templates should be updated.
    $OUT  = "SSLCipherSuite ";
-    $OUT .= $modSSL{CipherSuite} || 'ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-GCM-SHA256:HIGH@STRENGTH:!SSLv2:!ADH:!aNULL:!MD5:!RC4';
+    $OUT .= $modSSL{CipherSuite} || $smeCiphers;
 }
--- a/root/etc/e-smith/templates/etc/httpd/conf/httpd.conf/35SSL30SSLProtocol
+++ b/root/etc/e-smith/templates/etc/httpd/conf/httpd.conf/35SSL30SSLProtocol
@@ -1,9 +1,5 @@
 {
+    use esmith::ssl;
    # Specify which SSL Protocols to accept for this context
-    $OUT .= "SSLProtocol all";
-    $OUT .= " -SSLv2" unless (${'httpd-e-smith'}{'SSLv2'} || 'disabled') eq 'enabled';
-    $OUT .= " -SSLv3" unless (${'httpd-e-smith'}{'SSLv3'} || 'disabled') eq 'enabled';
-    $OUT .= " -TLSv1" unless (${'httpd-e-smith'}{'TLSv1'} || 'disabled') eq 'enabled';
-    $OUT .= " -TLSv1.1" unless (${'httpd-e-smith'}{'TLSv1.1'} || 'disabled') eq 'enabled';
-    $OUT .= " -TLSv1.2" unless (${'httpd-e-smith'}{'TLSv1.2'} || 'enabled') eq 'enabled';
+    $OUT .= "SSLProtocol ". SSLprotoApache() ;
 }
--- a/smeserver-apache.spec
+++ b/smeserver-apache.spec
@@ -4,7 +4,7 @@ Summary: smeserver server and gateway - apache module
 %define name smeserver-apache
 Name: %{name}
 %define version 11.0.0
-%define release 12
+%define release 13
 Version: %{version}
 Release: %{release}%{?dist}
 License: GPL
@@ -74,6 +74,11 @@ if [ $1 -gt 1 ] ; then
 fi

 %changelog
+* Sat Jan 18 2025 Jean-Philippe Pialasse <jpp@koozali.org> 11.0.0-13.sme
+- use esmith::ssl to set ciphers and protocol [SME: 12821]
+  improve cipher order to get strongers first
+  drop SSLv2
+
 * Thu Jan 02 2025 Jean-Philippe Pialasse <jpp@koozali.org> 11.0.0-12.sme
 - fix OCSP Stapling support [SME: 12819]
 - fix .well-known/security.txt [SME: 12818]