lamp: disable old TLS versions

Signed-off-by: nachoparker <nacho@ownyourbits.com>
2026-01-10 15:12:01 -03:30 · 2020-03-22 21:19:39 -06:00 · 2020-03-22 21:19:39 -06:00 · 0a97f77691
commit 0a97f77691
parent 84e6b4ea6b
3 changed files with 35 additions and 5 deletions
--- a/changelog.md
+++ b/changelog.md
@ -1,5 +1,7 @@

-[v1.23.1](https://github.com/nextcloud/nextcloudpi/commit/317c2aa) (2020-03-15) ncp-web: check for possibly missing index
+[v1.23.2](https://github.com/nextcloud/nextcloudpi/commit/0d9680d) (2020-03-22) lamp: disable old TLS versions
+
+[v1.23.1](https://github.com/nextcloud/nextcloudpi/commit/84e6b4e) (2020-03-15) ncp-web: check for possibly missing index

 [v1.23.0 ](https://github.com/nextcloud/nextcloudpi/commit/d108fad) (2020-03-13) upgrade to NC18.0.2

--- a/lamp.sh
+++ b/lamp.sh
@ -62,7 +62,7 @@ H2PushPriority  image/png               after   32
 H2PushPriority  application/javascript  interleaved

 # SSL/TLS Configuration
-SSLProtocol all -SSLv2 -SSLv3
+SSLProtocol -all +TLSv1.2
 SSLHonorCipherOrder on
 SSLCipherSuite ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS
 SSLCompression          off
--- a/updates/1.24.0.sh
+++ b/updates/1.24.0.sh
@ -0,0 +1,28 @@
+#!/bin/bash
+
+set -e
+
+## BACKWARD FIXES ( for older images )
+
+source /usr/local/etc/library.sh # sets NCVER PHPVER RELEASE
+
+# all images
+
+# disable old TLS versions
+file=/etc/apache2/conf-available/http2.conf
+grep -q '^SSLProtocol all -SSLv2 -SSLv3' "${file}" && {
+  sed -i 's|^SSLProtocol .*|SSLProtocol -all +TLSv1.2|' "${file}"
+  bash -c "sleep 10 && service apache2 reload" &>/dev/null &
+}
+
+# docker images only
+[[ -f /.docker-image ]] && {
+  :
+}
+
+# for non docker images
+[[ ! -f /.docker-image ]] && {
+  :
+}
+
+exit 0