Update entrypoints; added TLS 1/1.1 option; fixes #104

Signed-off-by: Matt Bentley <mbentley@mbentley.net>
mbentley · Jun 18, 2021 · d5e6d81 · d5e6d81
1 parent 2bacd93
commit d5e6d81
Show file tree

Hide file tree

Showing 12 changed files with 18 additions and 9 deletions.
diff --git a/Dockerfile.v3.2.x b/Dockerfile.v3.2.x
@@ -35,7 +35,7 @@ RUN \
   mkdir /opt/tplink/EAPController/logs /opt/tplink/EAPController/work &&\
   chown -R omada:omada /opt/tplink/EAPController/data /opt/tplink/EAPController/logs /opt/tplink/EAPController/work
 
-COPY entrypoint.sh /entrypoint.sh
+COPY entrypoint-3.2.sh /entrypoint.sh
 
 WORKDIR /opt/tplink/EAPController
 EXPOSE 8088 8043 27001/udp 27002 29810/udp 29811 29812 29813

diff --git a/Dockerfile.v3.2.x-arm64 b/Dockerfile.v3.2.x-arm64
@@ -42,7 +42,7 @@ RUN \
   echo "*** Fixing properties ***" &&\
   sed -i -e 's/ --nohttpinterface//g' /opt/tplink/EAPController/properties/mongodb.properties
 
-COPY entrypoint.sh /entrypoint.sh
+COPY entrypoint-3.2.sh /entrypoint.sh
 
 WORKDIR /opt/tplink/EAPController
 EXPOSE 8088 8043 27001/udp 27002 29810/udp 29811 29812 29813

diff --git a/Dockerfile.v3.2.x-armv7l b/Dockerfile.v3.2.x-armv7l
@@ -42,7 +42,7 @@ RUN \
   echo "*** Fixing properties ***" &&\
   sed -i -e 's/ --nohttpinterface//g' /opt/tplink/EAPController/properties/mongodb.properties
 
-COPY entrypoint.sh /entrypoint.sh
+COPY entrypoint-3.2.sh /entrypoint.sh
 
 WORKDIR /opt/tplink/EAPController
 EXPOSE 8088 8043 27001/udp 27002 29810/udp 29811 29812 29813

diff --git a/Dockerfile.v4.1.x b/Dockerfile.v4.1.x
@@ -34,7 +34,7 @@ RUN \
   mkdir /opt/tplink/EAPController/logs /opt/tplink/EAPController/work &&\
   chown -R omada:omada /opt/tplink/EAPController/data /opt/tplink/EAPController/logs /opt/tplink/EAPController/work
 
-COPY entrypoint-4.1.x.sh /entrypoint.sh
+COPY entrypoint-4.x.sh /entrypoint.sh
 COPY healthcheck.sh /healthcheck.sh
 
 WORKDIR /opt/tplink/EAPController/lib

diff --git a/Dockerfile.v4.1.x-armv7l b/Dockerfile.v4.1.x-armv7l
@@ -34,7 +34,7 @@ RUN \
   mkdir /opt/tplink/EAPController/logs /opt/tplink/EAPController/work &&\
   chown -R omada:omada /opt/tplink/EAPController/data /opt/tplink/EAPController/logs /opt/tplink/EAPController/work
 
-COPY entrypoint-4.1.x.sh /entrypoint.sh
+COPY entrypoint-4.x.sh /entrypoint.sh
 COPY healthcheck.sh /healthcheck.sh
 
 WORKDIR /opt/tplink/EAPController/lib

diff --git a/Dockerfile.v4.2.x b/Dockerfile.v4.2.x
@@ -9,12 +9,13 @@ ARG OMADA_URL="https://static.tp-link.com/2021/202102/20210209/${OMADA_TAR}"
 # valid values: amd64 (default) | arm64 | armv7l
 ARG ARCH=amd64
 
-COPY entrypoint-4.2.x.sh /entrypoint.sh
 COPY install.sh healthcheck.sh /
 
 # install omada controller (instructions taken from install.sh); then create a user & group and set the appropriate file system permissions
 RUN /install.sh && rm /install.sh
 
+COPY entrypoint-4.x.sh /entrypoint.sh
+
 WORKDIR /opt/tplink/EAPController/lib
 EXPOSE 8088 8043 8843 27001/udp 27002 29810/udp 29811 29812 29813
 HEALTHCHECK --start-period=5m CMD /healthcheck.sh

diff --git a/Dockerfile.v4.3.x b/Dockerfile.v4.3.x
@@ -9,12 +9,13 @@ ARG OMADA_URL="https://static.tp-link.com/2021/202105/20210507/${OMADA_TAR}"
 # valid values: amd64 (default) | arm64 | armv7l
 ARG ARCH=amd64
 
-COPY entrypoint-4.3.x.sh /entrypoint.sh
 COPY install.sh healthcheck.sh /
 
 # install omada controller (instructions taken from install.sh); then create a user & group and set the appropriate file system permissions
 RUN /install.sh && rm /install.sh
 
+COPY entrypoint-4.x.sh /entrypoint.sh
+
 WORKDIR /opt/tplink/EAPController/lib
 EXPOSE 8088 8043 8843 27001/udp 27002 29810/udp 29811 29812 29813
 HEALTHCHECK --start-period=5m CMD /healthcheck.sh

diff --git a/README.md b/README.md
@@ -275,6 +275,7 @@ docker run -d \
 | `SMALL_FILES` | `false` | `[true\|false]` | See [Small Files](#small-files) for more detail; deprecated in 4.1.x |
 | `SSL_CERT_NAME` | `tls.crt` | _any_ | Name of the public cert chain mounted to `/cert`; see [Custom Certificates](#custom-certificates) |
 | `SSL_KEY_NAME` | `tls.key` | _any_ | Name of the private cert mounted to `/cert`; see [Custom Certificates](#custom-certificates) |
+| `TLS_1_11_ENABLED` | `false` | `[true\|false]` | Re-enables TLS 1.0 & 1.1 if set to `true` for 4.1.x and above |
 | `TZ` | `Etc/UTC` | _\<many\>_ | See [Time Zones](#time-zones) for more detail |
 
 

diff --git a/entrypoint.sh → entrypoint-3.2.sh b/entrypoint.sh → entrypoint-3.2.sh
diff --git a/entrypoint-4.2.x.sh b/entrypoint-4.2.x.sh
diff --git a/entrypoint-4.3.x.sh b/entrypoint-4.3.x.sh
diff --git a/entrypoint-4.1.x.sh → entrypoint-4.x.sh b/entrypoint-4.1.x.sh → entrypoint-4.x.sh
@@ -14,6 +14,7 @@ SHOW_SERVER_LOGS="${SHOW_SERVER_LOGS:-true}"
 SHOW_MONGODB_LOGS="${SHOW_MONGODB_LOGS:-false}"
 SSL_CERT_NAME="${SSL_CERT_NAME:-tls.crt}"
 SSL_KEY_NAME="${SSL_KEY_NAME:-tls.key}"
+TLS_1_11_ENABLED="${TLS_1_11_ENABLED:-false}"
 
 # set default time zone and notify user of time zone
 echo "INFO: Time zone set to '${TZ}'"
@@ -114,6 +115,13 @@ then
     -srcstorepass tplink
 fi
 
+# re-enable disabled TLS versions 1.0 & 1.1
+if [ "${TLS_1_11_ENABLED}" = "true" ]
+then
+  echo "INFO: Re-enabling TLS 1.0 & 1.1"
+  sed -i 's#^jdk.tls.disabledAlgorithms=SSLv3, TLSv1, TLSv1.1,#jdk.tls.disabledAlgorithms=SSLv3,#' /etc/java-8-openjdk/security/java.security
+fi
+
 # see if any of these files exist; if so, do not start as they are from older versions
 if [ -f /opt/tplink/EAPController/data/db/tpeap.0 ] || [ -f /opt/tplink/EAPController/data/db/tpeap.1 ] || [ -f /opt/tplink/EAPController/data/db/tpeap.ns ]
 then