Merge pull request #241 from doktornotor/patch-1

pfsense · Dec 27, 2016 · 0175b82 · 0175b82
2 parents b73b6d6 + 2cb8bcf
commit 0175b82
Show file tree

Hide file tree

Showing 7 changed files with 116 additions and 122 deletions.
diff --git a/www/pfSense-pkg-squid/Makefile b/www/pfSense-pkg-squid/Makefile
@@ -1,7 +1,7 @@
 # $FreeBSD$
 
 PORTNAME=	pfSense-pkg-squid
-PORTVERSION=	0.4.28
+PORTVERSION=	0.4.29
 CATEGORIES=	www
 MASTER_SITES=	# empty
 DISTFILES=	# empty

diff --git a/www/pfSense-pkg-squid/files/usr/local/pkg/squid.inc b/www/pfSense-pkg-squid/files/usr/local/pkg/squid.inc
@@ -503,6 +503,9 @@ function squid_install_command() {
 	install_cron_job("/usr/local/pkg/swapstate_check.php clean;", false);
 	install_cron_job("/bin/rm /var/squid/cache/swap.state;", false);
 
+	/* NT Domain authentication has been removed */
+	unlink_if_exists(SQUID_CONFBASE . '/msntauth.conf');
+
 }
 
 function squid_deinstall_command() {
@@ -636,6 +639,14 @@ function squid_upgrade_config() {
 		$settingsauth['no_auth_hosts'] = base64_encode(implode("\n", explode(",", $settingsauth['no_auth_hosts'])));
 		$config['installedpackages']['squidauth']['config'][0]['no_auth_hosts'] = $settingsauth['no_auth_hosts'];
 	}
+	/* NT Domain authentication has been removed - Bug #7017 */
+	if (!empty($settingsauth['auth_method'])) {
+		if (preg_match("/msnt/i", $settingsauth['auth_method'])) {
+			$msnt_msg = "NT Domain authentication has been removed - see Bug #7017! Use LDAP for AD authentication.";
+			file_notice("squid", $msnt_msg, "Packages", "");
+			log_error("[squid] {$msnt_msg}");
+		}
+	}
 
 	/* migrate cache settings */
 	if (!empty($settingscache['donotcache']) && strstr($settingscache['donotcache'], ",")) {
@@ -1101,13 +1112,6 @@ function squid_validate_auth($post, &$input_errors) {
 					$input_errors[] = "'RADIUS secret' is required.";
 				}
 				break;
-			case 'msnt':
-				foreach (explode(",", trim($post['msnt_secondary'])) as $server) {
-					if (!empty($server) && !is_ipaddr($server) && !is_domain($server)) {
-						$input_errors[] = "The host '$server' is not a valid IP address or domain name";
-					}
-				}
-				break;
 		}
 
 		$no_auth = explode("\n", $post['no_auth_hosts']);
@@ -1148,19 +1152,41 @@ function squid_resync_general() {
 				}
 				// force squid user permission on /var/squid/lib/ssl_db/
 				squid_chown_recursive(SQUID_SSL_DB, SQUID_UID, SQUID_GID);
-				// cert, key, version, cipher, options, clientca, cafile, capath, crlfile, dhparams, sslflags, sslcontext
+				// cert, key, version, cipher, options, clientca, cafile, capath, crlfile, tls-dh, sslflags, sslcontext
 				$crt_pk = SQUID_CONFBASE . "/serverkey.pem";
 				$crt_capath = SQUID_LOCALBASE . "/share/certs/";
-				/* XXX: Bug #4453
-				 * http://wiki.squid-cache.org/ConfigExamples/Intercept/SslBumpExplicit#Modern_DH.2Fciphers_usage
+				$sslproxy_options = "NO_SSLv2,NO_SSLv3";
+				/* XXX: Bug #4453, Bug #6592, Feature #6593
+				 * http://wiki.squid-cache.org/ConfigExamples/Intercept/SslBumpExplicit#Modern_DH.2FEDH_ciphers_usage
 				 */
-				//$sslproxy_cipher = "EECDH+ECDSA+AESGCM:EECDH+aRSA+AESGCM:EECDH+ECDSA+SHA384:EECDH+ECDSA+SHA256:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH+aRSA+RC4:EECDH:EDH+aRSA:!RC4:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS";
-				$sslproxy_cipher = "EECDH+ECDSA+AESGCM:EECDH+aRSA+AESGCM:EECDH+ECDSA+SHA384:EECDH+ECDSA+SHA256:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH+aRSA+RC4:EECDH:EDH+aRSA:HIGH:!RC4:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS";
-				$sslproxy_dhparams = "/etc/dh-parameters.2048";
-				$sslproxy_options = "NO_SSLv2,NO_SSLv3,SINGLE_DH_USE";
+				if (!empty($settings['sslproxy_compatibility_mode']) && ($settings['sslproxy_compatibility_mode'] == 'modern')) {
+					// Modern cipher suites
+					$sslproxy_cipher = "EECDH+ECDSA+AESGCM:EECDH+aRSA+AESGCM:EECDH+ECDSA+SHA384:EECDH+ECDSA+SHA256:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH+aRSA+RC4:EECDH:EDH+aRSA:!RC4:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS";
+					$sslproxy_options .= ",NO_TLSv1";
+				} else {
+					// Use intermediate cipher suites by default to match port versions <0.4.29 behavior on upgrade
+					$sslproxy_cipher = "EECDH+ECDSA+AESGCM:EECDH+aRSA+AESGCM:EECDH+ECDSA+SHA384:EECDH+ECDSA+SHA256:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH+aRSA+RC4:EECDH:EDH+aRSA:HIGH:!RC4:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS";
+				}
+				if (!empty($settings["dhparams_size"])) {
+					if ($settings['dhparams_size'] == '4096') {
+						$sslproxy_dhparams = "tls-dh=prime256v1:/etc/dh-parameters.4096";
+					} elseif ($settings['dhparams_size'] == '2048') {
+						$sslproxy_dhparams = "tls-dh=prime256v1:/etc/dh-parameters.2048";
+					} elseif ($settings['dhparams_size'] == '1024') {
+						$sslproxy_dhparams = "tls-dh=prime256v1:/etc/dh-parameters.1024";
+					}
+					$sslproxy_options .= ",SINGLE_DH_USE,SINGLE_ECDH_USE";
+				} elseif (file_exists("/etc/dh-parameters.2048")) {
+					// Fallback options for defaults on install
+					$sslproxy_dhparams = "tls-dh=prime256v1:/etc/dh-parameters.2048";
+					$sslproxy_options .= ",SINGLE_DH_USE,SINGLE_ECDH_USE";
+				} else {
+					// Should never get here
+					$sslproxy_dhparams = "";
+				}
 				file_put_contents($crt_pk, base64_decode($srv_cert['prv']) . base64_decode($srv_cert['crt']));
 				$sslcrtd_children = ($settings['sslcrtd_children'] ? $settings['sslcrtd_children'] : 5);
-				$ssl_interception .= "ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=" . ($sslcrtd_children*2) . "MB cert={$crt_pk} capath={$crt_capath} cipher={$sslproxy_cipher} dhparams={$sslproxy_dhparams} options={$sslproxy_options}\n";
+				$ssl_interception .= "ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=" . ($sslcrtd_children*2) . "MB cert={$crt_pk} capath={$crt_capath} cipher={$sslproxy_cipher} {$sslproxy_dhparams} options={$sslproxy_options}\n";
 				$interception_checks = "sslcrtd_program " . SQUID_LOCALBASE . "/libexec/squid/ssl_crtd -s " . SQUID_SSL_DB . " -M 4MB -b 2048\n";
 				$interception_checks .= "sslcrtd_children {$sslcrtd_children}\n";
 				$interception_checks .= "sslproxy_capath {$crt_capath}\n";
@@ -1858,10 +1884,6 @@ function squid_resync_auth() {
 				$conf .= "external_acl_type check_cp {$helpers_num} ttl={$auth_ttl} %SRC " . SQUID_BASE . "/bin/check_ip.php\n";
 				$conf .= "acl password external check_cp\n";
 				break;
-			case 'msnt':
-				$conf .= "auth_param basic program " . SQUID_LOCALBASE . "/libexec/squid/basic_msnt_auth\n";
-				squid_resync_msnt();
-				break;
 		}
 		if ($auth_method != 'cp') {
 		$conf .= <<< EOD
@@ -1931,24 +1953,6 @@ function squid_resync_users() {
 	chmod(SQUID_PASSWD, 0600);
 }
 
-/* Proxy server: NT Domain configuration handler */
-function squid_resync_msnt() {
-	global $config;
-
-	if (is_array($config['installedpackages']['squidauth'])) {
-		$settings = $config['installedpackages']['squidauth']['config'][0];
-	} else {
-		$settings = array();
-	}
-	$pdcserver = $settings['auth_server'];
-	$bdcserver = str_replace(',', ' ', $settings['msnt_secondary']);
-	$ntdomain = $settings['auth_ntdomain'];
-
-	file_put_contents(SQUID_CONFBASE . "/msntauth.conf", "server {$pdcserver} {$bdcserver} {$ntdomain}");
-	chown(SQUID_CONFBASE . "/msntauth.conf", SQUID_UID);
-	chmod(SQUID_CONFBASE . "/msntauth.conf", 0600);
-}
-
 /* Wrapper function to sync whole Squid configuration */
 function squid_resync($via_rpc = "no") {
 	global $config;

diff --git a/www/pfSense-pkg-squid/files/usr/local/pkg/squid.xml b/www/pfSense-pkg-squid/files/usr/local/pkg/squid.xml
@@ -8,7 +8,7 @@
  * squid.xml
  *
  * part of pfSense (https://www.pfsense.org)
- * Copyright (c) 2015 Rubicon Communications, LLC (Netgate)
+ * Copyright (c) 2015-2016 Rubicon Communications, LLC (Netgate)
  * Copyright (c) 2012-2014 Marcello Coutinho
  * All rights reserved.
  *
@@ -102,14 +102,6 @@
 			<url>/pkg_edit.php?xml=squid_sync.xml</url>
 		</tab>
 	</tabs>
-	<!-- START INC files -->
-	<!-- END INC files -->
-	<!-- START XML files -->
-	<!-- END XML files -->
-	<!-- START additional PHP files -->
-	<!-- END additional PHP files -->
-	<!-- START executable CLI scripts -->
-	<!-- END executable CLI scripts -->
 	<advanced_options>enabled</advanced_options>
 	<fields>
 		<field>
@@ -194,9 +186,7 @@
 			<fielddescr>Patch Captive Portal</fielddescr>
 			<description>
 				<![CDATA[
-				<strong><span class="errmsg">This feature was removed</span></strong> - see <a href="https://redmine.pfsense.org/issues/5594">Bug #5594</a> for details!<br/>
-				If you were using this feature, double-check '/etc/inc/captiveportal.inc' content for sanity.<br/>
-				Get a <a href="https://github.com/pfsense/pfsense/blob/master/src/etc/inc/captiveportal.inc">sane copy of the file from pfSense GitHub repository</a> if needed.
+				<strong><span class="errmsg">This feature was removed</span></strong> - see <a href="https://redmine.pfsense.org/issues/5594">Bug #5594</a> for details!
 				]]>
 			</description>
 			<type>info</type>
@@ -339,6 +329,43 @@
 			<size>5</size>
 			<default_value>3129</default_value>
 		</field>
+		<field>
+			<fielddescr>SSL Proxy Compatibility Mode</fielddescr>
+			<fieldname>sslproxy_compatibility_mode</fieldname>
+			<description>
+				<![CDATA[
+				The compatibility mode determines which cipher suites and TLS versions are supported.<br/>
+				Modern is the default, intended for modern clients only (post FF 27, Chrome 22, IE 11 etc.) and also disables HIGH ciphers and TLS v1.0.<br/>
+				If you need to support older clients, use the Intermediate setting.<br/><br/>
+				<strong><span class="errmsg">Warning: </span>Clients like IE 6 and Java 6 are not supported anymore!</strong>
+				]]>
+			</description>
+			<type>select</type>
+			<options>
+				<option><name>Modern</name><value>modern</value></option>
+				<option><name>Intermediate</name><value>intermediate</value>
+				</option>
+			</options>
+			<size>1</size>
+			<default_value>modern</default_value>
+		</field>
+		<field>
+			<fielddescr>DHParams Key Size</fielddescr>
+			<fieldname>dhparams_size</fieldname>
+			<description>
+				<![CDATA[
+				DH parameters are used for temporary/ephemeral DH key exchanges. They improve security by enabling the use of DHE ciphers.<br/>
+				]]>
+			</description>
+			<type>select</type>
+			<options>
+				<option><name>1024 (not recommended)</name><value>1024</value></option>
+				<option><name>2048 (default)</name><value>2048</value></option>
+				<option><name>4096 (very secure)</name><value>4096</value></option>
+			</options>
+			<size>1</size>
+			<default_value>2048</default_value>
+		</field>
 		<field>
 			<fielddescr>CA</fielddescr>
 			<fieldname>dca</fieldname>

diff --git a/www/pfSense-pkg-squid/files/usr/local/pkg/squid_auth.xml b/www/pfSense-pkg-squid/files/usr/local/pkg/squid_auth.xml
@@ -89,7 +89,6 @@
 				<option><name>LDAP</name><value>ldap</value></option>
 				<option><name>RADIUS</name><value>radius</value></option>
 				<option><name>Captive Portal</name><value>cp</value></option>
-				<option><name>NT Domain</name><value>msnt</value></option>
 			</options>
 			<onchange>on_auth_method_changed()</onchange>
 		</field>
@@ -216,24 +215,6 @@
 			<size>40</size>
 			<default_value>(&amp;(objectClass=person)(uid=%s))</default_value>
 		</field>
-		<field>
-			<name>Squid Authentication NT Domain Settings</name>
-			<type>listtopic</type>
-		</field>
-		<field>
-			<fielddescr>NT Domain</fielddescr>
-			<fieldname>auth_ntdomain</fieldname>
-			<description>Enter the NT domain here.</description>
-			<type>input</type>
-			<size>60</size>
-		</field>
-		<field>
-			<fielddescr>Secondary NT Servers</fielddescr>
-			<fieldname>msnt_secondary</fieldname>
-			<description>Enter comma-separated list of secondary servers to be used for NT domain authentication here.</description>
-			<type>input</type>
-			<size>60</size>
-		</field>
 		<field>
 			<name>Squid Authentication RADIUS Settings</name>
 			<type>listtopic</type>
@@ -261,7 +242,7 @@
 	<custom_php_after_head_command>
 		<![CDATA[
 		$transparent_proxy = ($config['installedpackages']['squid']['config'][0]['transparent_proxy'] == 'on');
-		if ($transparent_proxy and preg_match("/(local|ldap|radius|msnt|ntlm)/", $config['installedpackages']['squidauth']['config'][0]['auth_method'])) {
+		if ($transparent_proxy and preg_match("/(local|ldap|radius|ntlm)/", $config['installedpackages']['squidauth']['config'][0]['auth_method'])) {
 			$input_errors[] = "Authentication cannot be enabled while transparent proxy mode is enabled";
 		}
 		squid_print_javascript_auth();

diff --git a/www/pfSense-pkg-squid/files/usr/local/pkg/squid_js.inc b/www/pfSense-pkg-squid/files/usr/local/pkg/squid_js.inc
@@ -44,14 +44,13 @@ function squid_print_javascript_auth() {
 	$auth_method = $settingsauth['auth_method'];
 
 	// No authentication for transparent proxy
-	if ($transparent_proxy and preg_match("/(local|ldap|radius|msnt|ntlm)/", $auth_method)) {
+	if ($transparent_proxy and preg_match("/(local|ldap|radius|ntlm)/", $auth_method)) {
 		$javascript = <<< EOD
 <script type="text/javascript">
 //<![CDATA[
 function on_auth_method_changed() {
 	$('#auth_method').prop("disabled", true);
 	$('#auth_server').prop("disabled", true);
-	$('#auth_ntdomain').prop("disabled", true);
 	$('#auth_server_port').prop("disabled", true);
 	$('#ldap_user').prop("disabled", true);
 	$('#ldap_version').prop("disabled", true);
@@ -60,7 +59,6 @@ function on_auth_method_changed() {
 	$('#ldap_pass').prop("disabled", true);
 	$('#ldap_basedomain').prop("disabled", true);
 	$('#radius_secret').prop("disabled", true);
-	$('#msnt_secondary').prop("disabled", true);
 	$('#auth_prompt').prop("disabled", true);
 	$('#auth_processes').prop("disabled", true);
 	$('#auth_ttl').prop("disabled", true);
@@ -83,15 +81,13 @@ function on_auth_method_changed() {
 	if (auth_method == 'none') {
 		$('#auth_server').prop("disabled", true);
 		$('#auth_server_port').prop("disabled", true);
-		$('#auth_ntdomain').prop("disabled", true);
 		$('#ldap_user').prop("disabled", true);
 		$('#ldap_version').prop("disabled", true);
 		$('#ldap_userattribute').prop("disabled", true);
 		$('#ldap_filter').prop("disabled", true);
 		$('#ldap_pass').prop("disabled", true);
 		$('#ldap_basedomain').prop("disabled", true);
 		$('#radius_secret').prop("disabled", true);
-		$('#msnt_secondary').prop("disabled", true);
 		$('#auth_prompt').prop("disabled", true);
 		$('#auth_processes').prop("disabled", true);
 		$('#auth_ttl').prop("disabled", true);
@@ -109,15 +105,13 @@ function on_auth_method_changed() {
 	case 'local':
 		$('#auth_server').prop("disabled", true);
 		$('#auth_server_port').prop("disabled", true);
-		$('#auth_ntdomain').prop("disabled", true);
 		$('#ldap_user').prop("disabled", true);
 		$('#ldap_pass').prop("disabled", true);
 		$('#ldap_version').prop("disabled", true);
 		$('#ldap_userattribute').prop("disabled", true);
 		$('#ldap_filter').prop("disabled", true);
 		$('#ldap_basedomain').prop("disabled", true);
 		$('#radius_secret').prop("disabled", true);
-		$('#msnt_secondary').prop("disabled", true);
 		break;
 	case 'ldap':
 		$('#auth_server').prop("disabled", false);
@@ -129,8 +123,6 @@ function on_auth_method_changed() {
 		$('#ldap_filter').prop("disabled", false);
 		$('#ldap_basedomain').prop("disabled", false);
 		$('#radius_secret').prop("disabled", true);
-		$('#msnt_secondary').prop("disabled", true);
-		$('#auth_ntdomain').prop("disabled", true);
 		break;
 	case 'radius':
 		$('#auth_server').prop("disabled", false);
@@ -142,34 +134,17 @@ function on_auth_method_changed() {
 		$('#ldap_filter').prop("disabled", true);
 		$('#ldap_basedomain').prop("disabled", true);
 		$('#radius_secret').prop("disabled", false);
-		$('#msnt_secondary').prop("disabled", true);
-		$('#auth_ntdomain').prop("disabled", true);
-		break;
-	case 'msnt':
-		$('#auth_server').prop("disabled", false);
-		$('#auth_server_port').prop("disabled", true);
-		$('#auth_ntdomain').prop("disabled", false);
-		$('#ldap_user').prop("disabled", true);
-		$('#ldap_pass').prop("disabled", true);
-		$('#ldap_version').prop("disabled", true);
-		$('#ldap_userattribute').prop("disabled", true);
-		$('#ldap_filter').prop("disabled", true);
-		$('#ldap_basedomain').prop("disabled", true);
-		$('#radius_secret').prop("disabled", true);
-		$('#msnt_secondary').prop("disabled", false);
 		break;
 	case 'cp':
 		$('#auth_server').prop("disabled", true);
 		$('#auth_server_port').prop("disabled", true);
-		$('#auth_ntdomain').prop("disabled", true);
 		$('#ldap_user').prop("disabled", true);
 		$('#ldap_version').prop("disabled", true);
 		$('#ldap_userattribute').prop("disabled", true);
 		$('#ldap_filter').prop("disabled", true);
 		$('#ldap_pass').prop("disabled", true);
 		$('#ldap_basedomain').prop("disabled", true);
 		$('#radius_secret').prop("disabled", true);
-		$('#msnt_secondary').prop("disabled", true);
 		$('#auth_prompt').prop("disabled", true);
 		$('#auth_processes').prop("disabled", false);
 		$('#auth_ttl').prop("disabled", false);
@@ -242,7 +217,7 @@ function on_antivirus_advanced_config_changed() {
 
 	}
 
-	if (! $('enable').prop("checked")) {
+	if ($('#enable').prop('checked') == false) {
 		$('#update_av').prop("disabled", true);
 	} else {
 		$('#update_av').prop("disabled", false);