Allow some apps to use ciphers better suited for mobile apps

c9eb34c7 · Bob Mottram · 58a8c2b2 · c9eb34c7 · c9eb34c7 · c9eb34c7
Commit c9eb34c7 authored 7 years ago by Bob Mottram
--- a/src/freedombone-app-nextcloud
+++ b/src/freedombone-app-nextcloud
@@ -442,7 +442,7 @@ function install_nextcloud_main {
        echo '' >> $nextcloud_nginx_site
        echo '  # Security' >> $nextcloud_nginx_site
        function_check nginx_ssl
-        nginx_ssl $NEXTCLOUD_DOMAIN_NAME
+        nginx_ssl $NEXTCLOUD_DOMAIN_NAME mobile

        function_check nginx_disable_sniffing
        nginx_disable_sniffing $NEXTCLOUD_DOMAIN_NAME

--- a/src/freedombone-sec
+++ b/src/freedombone-sec
@@ -612,7 +612,11 @@ function update_ciphersuite {
    cd $WEBSITES_DIRECTORY
    for file in `dir -d *` ; do
        sed -i "s|ssl_protocols .*|ssl_protocols $RECOMMENDED_SSL_PROTOCOLS;|g" $WEBSITES_DIRECTORY/$file
-        sed -i "s|ssl_ciphers .*|ssl_ciphers '$RECOMMENDED_SSL_CIPHERS';|g" $WEBSITES_DIRECTORY/$file
+        if ! grep -q "Mobile compatible ciphers" $WEBSITES_DIRECTORY/$file; then
+            sed -i "s|ssl_ciphers .*|ssl_ciphers '$RECOMMENDED_SSL_CIPHERS';|g" $WEBSITES_DIRECTORY/$file
+        else
+            sed -i "s|ssl_ciphers .*|ssl_ciphers '$SSL_CIPHERS_MOBILE';|g" $WEBSITES_DIRECTORY/$file
+        fi
    done
    systemctl restart nginx
    write_config_param "SSL_PROTOCOLS" "$RECOMMENDED_SSL_PROTOCOLS"

--- a/src/freedombone-utils-web
+++ b/src/freedombone-utils-web
@@ -45,6 +45,10 @@ SSL_PROTOCOLS="TLSv1 TLSv1.1 TLSv1.2"
 # See https://wiki.mozilla.org/Security/Server_Side_TLS
 SSL_CIPHERS="ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS"

+# some mobile apps (eg. NextCloud) have not very good cipher compatibility.
+# These ciphers can be used for those cases
+SSL_CIPHERS_MOBILE="ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES128-SHA"
+
 NGINX_ENSITE_REPO="https://github.com/perusio/nginx_ensite"
 NGINX_ENSITE_COMMIT='fa4d72ce1c0a490442c8474e9c8dc21ed52c93d0'

@@ -123,6 +127,7 @@ function nginx_http_redirect {
 function nginx_ssl {
    # creates the SSL/TLS section for a website
    domain_name=$1
+    mobile_ciphers=$2
    filename=/etc/nginx/sites-available/$domain_name

    echo '    ssl_stapling off;' >> $filename
@@ -136,7 +141,12 @@ function nginx_ssl {
    echo '    ssl_session_timeout 60m;' >> $filename
    echo '    ssl_prefer_server_ciphers on;' >> $filename
    echo "    ssl_protocols $SSL_PROTOCOLS;" >> $filename
-    echo "    ssl_ciphers '$SSL_CIPHERS';" >> $filename
+    if [ $mobile_ciphers ]; then
+        echo "    # Mobile compatible ciphers" >> $filename
+        echo "    ssl_ciphers '$SSL_CIPHERS_MOBILE';" >> $filename
+    else
+        echo "    ssl_ciphers '$SSL_CIPHERS';" >> $filename
+    fi
    echo "    add_header Content-Security-Policy \"default-src https:; script-src https: 'unsafe-inline'; style-src https: 'unsafe-inline'\";" >> $filename
    echo '    add_header X-XSS-Protection "1; mode=block";' >> $filename
    echo '    add_header X-Robots-Tag none;' >> $filename