lamp: disable old TLS versions

Signed-off-by: nachoparker <nacho@ownyourbits.com>
2026-01-10 15:12:01 -03:30 · 2020-03-22 21:19:39 -06:00 · 2020-03-22 21:19:39 -06:00 · 0a97f77691
commit 0a97f77691
parent 84e6b4ea6b
3 changed files with 35 additions and 5 deletions
--- a/changelog.md
+++ b/changelog.md
@ -1,7 +1,9 @@

-[v1.23.1](https://github.com/nextcloud/nextcloudpi/commit/317c2aa) (2020-03-15) ncp-web: check for possibly missing index
+[v1.23.2](https://github.com/nextcloud/nextcloudpi/commit/0d9680d) (2020-03-22) lamp: disable old TLS versions

-[v1.23.0](https://github.com/nextcloud/nextcloudpi/commit/d108fad) (2020-03-13) upgrade to NC18.0.2
+[v1.23.1](https://github.com/nextcloud/nextcloudpi/commit/84e6b4e) (2020-03-15) ncp-web: check for possibly missing index
+
+[v1.23.0 ](https://github.com/nextcloud/nextcloudpi/commit/d108fad) (2020-03-13) upgrade to NC18.0.2

 [v1.22.3 ](https://github.com/nextcloud/nextcloudpi/commit/c09dfd9) (2020-03-02) nc-snapshot-auto: read datadir location during execution

@ -11,7 +13,7 @@

 [v1.22.0 ](https://github.com/nextcloud/nextcloudpi/commit/9304c86) (2020-03-03) Add nc-trusted-proxies (#1094)

-[v1.21.0](https://github.com/nextcloud/nextcloudpi/commit/4a51c1f) (2020-02-28) upgrade to NC18.0.1
+[v1.21.0 ](https://github.com/nextcloud/nextcloudpi/commit/4a51c1f) (2020-02-28) upgrade to NC18.0.1

 [v1.20.11](https://github.com/nextcloud/nextcloudpi/commit/f066b03) (2020-02-27) redis: make sure we have the right permissions for conf file

--- a/lamp.sh
+++ b/lamp.sh
@ -50,7 +50,7 @@ install()
    # CONFIGURE APACHE
    ##########################################

-  cat >/etc/apache2/conf-available/http2.conf <<EOF
+  cat > /etc/apache2/conf-available/http2.conf <<EOF
 Protocols h2 h2c http/1.1

 # HTTP2 configuration
@ -62,7 +62,7 @@ H2PushPriority  image/png               after   32
 H2PushPriority  application/javascript  interleaved

 # SSL/TLS Configuration
-SSLProtocol all -SSLv2 -SSLv3
+SSLProtocol -all +TLSv1.2
 SSLHonorCipherOrder on
 SSLCipherSuite ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS
 SSLCompression          off
--- a/updates/1.24.0.sh
+++ b/updates/1.24.0.sh
@ -0,0 +1,28 @@
+#!/bin/bash
+
+set -e
+
+## BACKWARD FIXES ( for older images )
+
+source /usr/local/etc/library.sh # sets NCVER PHPVER RELEASE
+
+# all images
+
+# disable old TLS versions
+file=/etc/apache2/conf-available/http2.conf
+grep -q '^SSLProtocol all -SSLv2 -SSLv3' "${file}" && {
+  sed -i 's|^SSLProtocol .*|SSLProtocol -all +TLSv1.2|' "${file}"
+  bash -c "sleep 10 && service apache2 reload" &>/dev/null &
+}
+
+# docker images only
+[[ -f /.docker-image ]] && {
+  :
+}
+
+# for non docker images
+[[ ! -f /.docker-image ]] && {
+  :
+}
+
+exit 0