Commits on Oct 20, 2018
  1. update inc/nginx_patch.inc for 123.09beta01

    centminmod committed Oct 20, 2018
    - patch nginx 1.15.5/1.15.6 for max TLS protocol fix https://trac.nginx.org/nginx/ticket/1654. When configured with ssl_protocols TLSv1 TLSv1.1 TLSv1.2; nginx should not support TLSv1.3 but it still does if using OpenSSL 1.1.1 with TLS 1.3 support. This patch fixes this bug.
  2. update inc/openssl_install.inc OpenSSL 1.1.1 optional patch

    centminmod committed Oct 20, 2018
    - experimental OpenSSL 1.1.1 patch to backport TLS 1.3 draft 23, 26, 27 and 28 support when persistent config file /etc/centminmod/custom_config.inc set to OPENSSL_TLSONETHREE_BACKPORTDRAFTS='y' prior to nginx recompiles via centmin.sh menu option 4
Commits on Oct 19, 2018
  1. update inc/wpsetup.inc

    centminmod committed Oct 19, 2018
    - update the log file name to include the domain name
    - default answer for installing cyberchimps responsive wp theme = n
    - raise number of characters generated for pure-ftpd virtual ftp password
  2. add OpenSSL 1.1.1 patches in 123.09beta01

    centminmod committed Oct 19, 2018
    - fix ocsp app memory leak
    - safer memory cleanup
Commits on Oct 5, 2018
Commits on Oct 4, 2018
  1. Add -ffat-lto-objects optional support for Nginx compiles in 123.09beta01

    centminmod committed Oct 4, 2018
    - Add -ffat-lto-objects optional support for Nginx. Disabled by default. Can optionally be enabled via NGINXOPENSSL_FATLTO_OBJECTS='y' set in persistent config file /etc/centminmod/custom_config.inc prior to centmin.sh menu option 4 Nginx recompiles. Added for experimental testing only as it can slow down Nginx compile/install times by a factor of up to 6x and use heaps of memory.
Commits on Oct 2, 2018
Commits on Oct 1, 2018
  1. reorder chacha20 ssl_ciphers in 123.09beta01

    centminmod committed Oct 1, 2018
    Reorder chacha20 ssl ciphers in ssl_ciphers list to work with bassie's OpenSSL 1.1.1 Prioritize ChaCha20 patch https://community.centminmod.com/threads/new-patch-prioritize-chacha-feature-openssl-1-1-1.15708/#post-67228. New Nginx vhosts created will have this update automatically applied, while existing Centmin Mod Nginx HTTPS based domain.com.ssl.conf ssl_ciphers listings will need to be manually changed to the below:
    
    [CODEB]
    ssl_ciphers TLS13-AES-128-GCM-SHA256:TLS13-AES-256-GCM-SHA384:TLS13-CHACHA20-POLY1305-SHA256:TLS13-AES-128-CCM-8-SHA256:TLS13-AES-128-CCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS;
    [/CODEB]
  2. add OpenSSL 1.1.1 ChaCha20 Prioritization patch in 123.09beta01

    centminmod committed Oct 1, 2018
    - add bassie's OpenSSL 1.1.1 Prioritize ChaCha20 Cipher Patch which is disabled by default with PRIORITIZE_CHACHA_OPENSSL='n'. You can enable it when you set in persistent config file /etc/centminmod/custom_config.inc the variable PRIORITIZE_CHACHA_OPENSSL='y' prior to centmin.sh menu option 4 Nginx recompiles
Commits on Sep 30, 2018
Commits on Sep 26, 2018
  1. typo fix

    centminmod committed Sep 26, 2018
  2. nginx 1.15.4 openssl 1.1.1 renegotiation security bug fix

    centminmod committed Sep 26, 2018
    For Centmin Mod 123.09beta01+ and newer, testssl tests fail the Secure Client-Initiated Renegotiation test, so this patch for Nginx is a security bug fix for OpenSSL 1.1.1 built Nginx 1.15.4+
  3. fix NGINX_DYNAMICTLS='y' routine for Nginx 1.15.4 in 123.09beta01

    centminmod committed Sep 26, 2018
    Nginx 1.15.4 breaks nginx dynamic TLS patch support when persistent config file /etc/centminmod/custom_config.inc is set with NGINX_DYNAMICTLS='y'. This option is disabled by default with NGINX_DYNAMICTLS='n'. This commit locks current nginx dynamic TLS patch to Nginx versions 1.11.4 to 1.15.3 and future update will add nginx 1.15.4 dynamic TLS patch compatibility.
  4. OpenSSL 1.1.1 default in 123.09beta01

    centminmod committed Sep 26, 2018
    OpenSSL 1.1.1 default with TLS 1.3 RFC final version support for Nginx 1.15.4+ https://community.centminmod.com/threads/openssl-1-1-1-released-with-tls-1-3-support.15592/
  5. nginx 1.15.4 default in 123.09beta01

    centminmod committed Sep 26, 2018
    nginx 1.15.4 adds TLS 1.3 0-RTT Early Data session resumption support when Nginx built with OpenSSL 1.1.1 https://community.centminmod.com/threads/nginx-announce-nginx-1-15-4.15672/
  6. add NGINX_PRIORITIZECHACHA patch routine support

    centminmod committed Sep 26, 2018
    - Add NGINX_PRIORITIZECHACHA='n' variable support disabled by default unless set in persistent config file /etc/centminmod/custom_config.inc as NGINX_PRIORITIZECHACHA='y' and OpenSSL 1.1.1+ and Nginx 1.15.4+ are detected. Current patch doesn't work but the routine is put in place so that when a working patch is available https://community.centminmod.com/threads/nginx-announce-nginx-1-15-4.15672/#post-67042
Commits on Sep 22, 2018
  1. update inc/openssl_install.inc tls1.3 fix max psk length

    centminmod committed Sep 22, 2018
    for openssl 1.1.1 tls1.3 fix max psk length
Commits on Sep 21, 2018
  1. update inc/openssl_install.inc OpenSSL 1.1.1 patches

    centminmod committed Sep 21, 2018
    - patches OpenSSL 1.1.1 for SNI fix breaking handshakes and reset TLS 1.3 ciphers in SSL_CTX_set_ssl_version fixes
Commits on Sep 20, 2018
  1. update inc/csftweaks.inc in 123.09beta01

    centminmod committed Sep 20, 2018
    Whitelist some IPs for sites/downloads which centmin mod LEMP stack install relies on i.e. CSF Firewall updates, nginx downloads and centminmod.com downloads
Commits on Sep 18, 2018
  1. update 123.09beta01 nginx + boringssl compatibility for centos 6

    centminmod committed Sep 18, 2018
    CentOS 6 gcc 4.4.7 compiler version too low for BoringSSL compilation so enable devtoolset-7 gcc 7.3.1+ compiler when BORINGSSL_SWITCH='y' is set in persistent config file /etc/centminmod/custom_config.inc for Nginx + BoringSSL compiles.
Commits on Sep 14, 2018
  1. update inc/csftweaks.inc

    centminmod committed Sep 14, 2018
    block additional known shodan.io scanner/crawler IPs by default
Commits on Sep 13, 2018
Commits on Sep 11, 2018
  1. fix curl typo

    centminmod committed Sep 11, 2018
Commits on Sep 6, 2018
  1. update nginx pagespeed module github master & branch download links

    centminmod committed Sep 6, 2018
    Unfortunately using NGINX_PAGESPEEDGITMASTER='y' to build ngx_pagespeed from github master is broken https://community.centminmod.com/threads/i-cant-upgrade-nginx_ngx_pagespeed.15583/#post-66676, so stick with default release versions which do not set NGINX_PAGESPEEDGITMASTER='y' (which is 123.09beta01 default)
Commits on Sep 4, 2018
  1. update addons/ffmpeg.sh add FFMPEG_DEBUG variable in 123.09beta01

    centminmod committed Sep 4, 2018
    - allow new variable to control whether ffmpeg binary is compiled with/without debug flag
  2. update addons/ffmpeg.sh opencv & facebook transform360

    centminmod committed Sep 4, 2018
    - Add optional ffmpeg opencv support via ENABLE_OPENCV='n' - disabled by default. https://opencv.org/
    - Prep for Facebook transform360, not 100% working yet so disabled by default. https://github.com/facebook/transform360