lamp: disable old TLS versions

Signed-off-by: nachoparker <nacho@ownyourbits.com>
nextcloud · Mar 23, 2020 · 0a97f77 · 0a97f77
1 parent 84e6b4e
commit 0a97f77
Show file tree

Hide file tree

Showing 3 changed files with 35 additions and 5 deletions.
diff --git a/changelog.md b/changelog.md
@@ -1,7 +1,9 @@
 
-[v1.23.1](https://github.com/nextcloud/nextcloudpi/commit/317c2aa) (2020-03-15) ncp-web: check for possibly missing index
+[v1.23.2](https://github.com/nextcloud/nextcloudpi/commit/0d9680d) (2020-03-22) lamp: disable old TLS versions
 
-[v1.23.0](https://github.com/nextcloud/nextcloudpi/commit/d108fad) (2020-03-13) upgrade to NC18.0.2
+[v1.23.1](https://github.com/nextcloud/nextcloudpi/commit/84e6b4e) (2020-03-15) ncp-web: check for possibly missing index
+
+[v1.23.0 ](https://github.com/nextcloud/nextcloudpi/commit/d108fad) (2020-03-13) upgrade to NC18.0.2
 
 [v1.22.3 ](https://github.com/nextcloud/nextcloudpi/commit/c09dfd9) (2020-03-02) nc-snapshot-auto: read datadir location during execution
 
@@ -11,7 +13,7 @@
 
 [v1.22.0 ](https://github.com/nextcloud/nextcloudpi/commit/9304c86) (2020-03-03) Add nc-trusted-proxies (#1094)
 
-[v1.21.0](https://github.com/nextcloud/nextcloudpi/commit/4a51c1f) (2020-02-28) upgrade to NC18.0.1
+[v1.21.0 ](https://github.com/nextcloud/nextcloudpi/commit/4a51c1f) (2020-02-28) upgrade to NC18.0.1
 
 [v1.20.11](https://github.com/nextcloud/nextcloudpi/commit/f066b03) (2020-02-27) redis: make sure we have the right permissions for conf file
 

diff --git a/lamp.sh b/lamp.sh
@@ -50,7 +50,7 @@ install()
     # CONFIGURE APACHE
     ##########################################
 
-  cat >/etc/apache2/conf-available/http2.conf <<EOF
+  cat > /etc/apache2/conf-available/http2.conf <<EOF
 Protocols h2 h2c http/1.1
 
 # HTTP2 configuration
@@ -62,7 +62,7 @@ H2PushPriority  image/png               after   32
 H2PushPriority  application/javascript  interleaved
 
 # SSL/TLS Configuration
-SSLProtocol all -SSLv2 -SSLv3
+SSLProtocol -all +TLSv1.2
 SSLHonorCipherOrder on
 SSLCipherSuite ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS
 SSLCompression          off

diff --git a/updates/1.24.0.sh b/updates/1.24.0.sh
@@ -0,0 +1,28 @@
+#!/bin/bash
+
+set -e
+
+## BACKWARD FIXES ( for older images )
+
+source /usr/local/etc/library.sh # sets NCVER PHPVER RELEASE
+
+# all images
+
+# disable old TLS versions
+file=/etc/apache2/conf-available/http2.conf
+grep -q '^SSLProtocol all -SSLv2 -SSLv3' "${file}" && {
+  sed -i 's|^SSLProtocol .*|SSLProtocol -all +TLSv1.2|' "${file}"
+  bash -c "sleep 10 && service apache2 reload" &>/dev/null &
+}
+
+# docker images only
+[[ -f /.docker-image ]] && {
+  :
+}
+
+# for non docker images
+[[ ! -f /.docker-image ]] && {
+  :
+}
+
+exit 0