Commit 0a97f77

lamp: disable old TLS versions
Signed-off-by: nachoparker <nacho@ownyourbits.com>
1 parent 84e6b4e commit 0a97f77

3 files changed

+35
-5
lines changed

changelog.md

Lines changed: 5 additions & 3 deletions
@@ -1,7 +1,9 @@
11

2-
[v1.23.1](https://github.com/nextcloud/nextcloudpi/commit/317c2aa) (2020-03-15) ncp-web: check for possibly missing index
2+
[v1.23.2](https://github.com/nextcloud/nextcloudpi/commit/0d9680d) (2020-03-22) lamp: disable old TLS versions
33

4-
[v1.23.0](https://github.com/nextcloud/nextcloudpi/commit/d108fad) (2020-03-13) upgrade to NC18.0.2
4+
[v1.23.1](https://github.com/nextcloud/nextcloudpi/commit/84e6b4e) (2020-03-15) ncp-web: check for possibly missing index
5+
6+
[v1.23.0 ](https://github.com/nextcloud/nextcloudpi/commit/d108fad) (2020-03-13) upgrade to NC18.0.2
57

68
[v1.22.3 ](https://github.com/nextcloud/nextcloudpi/commit/c09dfd9) (2020-03-02) nc-snapshot-auto: read datadir location during execution
79
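Review bot: The new top entry labels this change v1.23.2, but the migration that applies it to existing installs is added in this same commit as updates/1.24.0.sh. Please confirm that script runs for hosts upgrading to 1.23.2. If it only runs at 1.24.0, already-deployed systems keep `SSLProtocol all -SSLv2 -SSLv3` until then, even though the changelog says old TLS versions are disabled. Either rename the script or add a line to the changelog stating which release carries the backward fix.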

@@ -11,7 +13,7 @@
1113

1214
[v1.22.0 ](https://github.com/nextcloud/nextcloudpi/commit/9304c86) (2020-03-03) Add nc-trusted-proxies (#1094)
1315

14-
[v1.21.0](https://github.com/nextcloud/nextcloudpi/commit/4a51c1f) (2020-02-28) upgrade to NC18.0.1
16+
[v1.21.0 ](https://github.com/nextcloud/nextcloudpi/commit/4a51c1f) (2020-02-28) upgrade to NC18.0.1
1517

1618
[v1.20.11](https://github.com/nextcloud/nextcloudpi/commit/f066b03) (2020-02-27) redis: make sure we have the right permissions for conf file
1719

lamp.sh

Lines changed: 2 additions & 2 deletions
@@ -50,7 +50,7 @@ install()
5050
# CONFIGURE APACHE
5151
##########################################
5252

53-
cat >/etc/apache2/conf-available/http2.conf <<EOF
53+
cat > /etc/apache2/conf-available/http2.conf <<EOF
5454
Protocols h2 h2c http/1.1
5555
5656
# HTTP2 configuration
@@ -62,7 +62,7 @@ H2PushPriority image/png after 32
6262
H2PushPriority application/javascript interleaved
6363
6464
# SSL/TLS Configuration
65-
SSLProtocol all -SSLv2 -SSLv3
65+
SSLProtocol -all +TLSv1.2
6666
SSLHonorCipherOrder on
6767
SSLCipherSuite ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS
6868
SSLCompression off
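Review bot: On new line 65, `-all +TLSv1.2` pins the server to exactly TLS 1.2, so it also rules out TLS 1.3 and not only the older versions named in the commit message. If the Apache and OpenSSL builds shipped in the image support it, `SSLProtocol -all +TLSv1.2 +TLSv1.3` keeps the intent without capping the protocol; if they do not, a short comment above the directive saying so would help whoever revisits this later. Separately, the unchanged SSLCipherSuite line on 67 still offers 3DES entries (`DES-CBC3-SHA` and its ECDHE/EDH variants) and CBC suites with SHA-1 MACs, which were mostly there for pre-1.2 clients. With the protocol floor raised, that list can be trimmed to the ECDHE/DHE GCM and CHACHA20-POLY1305 suites in a follow-up.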

updates/1.24.0.sh

Lines changed: 28 additions & 0 deletions
@@ -0,0 +1,28 @@
1+
#!/bin/bash
2+
3+
set -e
4+
5+
## BACKWARD FIXES ( for older images )
6+
7+
source /usr/local/etc/library.sh # sets NCVER PHPVER RELEASE
8+
9+
# all images
10+
11+
# disable old TLS versions
12+
file=/etc/apache2/conf-available/http2.conf
13+
grep -q '^SSLProtocol all -SSLv2 -SSLv3' "${file}" && {
14+
sed -i 's|^SSLProtocol .*|SSLProtocol -all +TLSv1.2|' "${file}"
15+
bash -c "sleep 10 && service apache2 reload" &>/dev/null &
16+
}
17+
18+
# docker images only
19+
[[ -f /.docker-image ]] && {
20+
:
21+
}
22+
23+
# for non docker images
24+
[[ ! -f /.docker-image ]] && {
25+
:
26+
}
27+
28+
exit 0
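Review bot: The guard on line 13 only fires when the file contains the exact old default `SSLProtocol all -SSLv2 -SSLv3`, so any host where that line was hand-edited (for example to a different but still permissive value, or with different spacing) is skipped silently and stays on old TLS versions. Consider matching on `^SSLProtocol ` and skipping only when the value is already `-all +TLSv1.2`, or at least printing a message when the file exists but the pattern is not found, so the operator knows the fix was not applied. On line 15 the reload is backgrounded with `&>/dev/null`, so a failed reload is invisible and `set -e` cannot catch it. Running `apache2ctl configtest` synchronously after the `sed` and before scheduling the reload would surface a broken config during the update instead of 10 seconds later with no output. The two docker/non-docker blocks on lines 19-26 are no-ops (`:`) and can be dropped until they have content.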
