From cb114dfaa604d971f661dbf002476f3cd3f5c1ea Mon Sep 17 00:00:00 2001 From: Glenn Strauss Date: Fri, 29 Nov 2024 20:56:36 -0500 Subject: [PATCH] config TLSv1.3 key exchange groups where supported x-ref: Explicitly configure curves/groups from the guidelines https://github.com/mozilla/ssl-config-generator/issues/270 github: closes #270 --- src/js/state.js | 1 + src/templates/partials/apache.hbs | 3 +++ src/templates/partials/caddy.hbs | 3 ++- src/templates/partials/dovecot.hbs | 1 + src/templates/partials/exim.hbs | 7 ++++++- src/templates/partials/go.hbs | 6 ++++++ src/templates/partials/haproxy.hbs | 2 ++ src/templates/partials/lighttpd.hbs | 3 +++ src/templates/partials/nginx.hbs | 1 + src/templates/partials/postfix.hbs | 2 ++ src/templates/partials/postgresql.hbs | 3 +++ src/templates/partials/proftpd.hbs | 3 +++ src/templates/partials/stunnel.hbs | 3 +++ src/templates/partials/traefik.hbs | 3 ++- 14 files changed, 38 insertions(+), 3 deletions(-) diff --git a/src/js/state.js b/src/js/state.js index 7119314b..41c64015 100644 --- a/src/js/state.js +++ b/src/js/state.js @@ -79,6 +79,7 @@ export default async function () { supportsConfigs: configs[server].supportsConfigs !== false, supportsHsts: configs[server].supportsHsts !== false, supportsOcspStapling: configs[server].supportsOcspStapling !== false, + tlsCurves: ssc.tls_curves, usesDhe: ciphers.join(":").includes(":DHE") || ciphers.join(":").includes("_DHE_"), usesOpenssl: configs[server].usesOpenssl !== false, }, diff --git a/src/templates/partials/apache.hbs b/src/templates/partials/apache.hbs index 1c3f0d44..2b5e0f93 100644 --- a/src/templates/partials/apache.hbs +++ b/src/templates/partials/apache.hbs @@ -42,6 +42,9 @@ SSLProtocol all {{#unless (minver "2.3.16" form.serverVersion)}}-SSL {{~#unless (includes "TLSv1" output.protocols)}} -TLSv1{{/unless}} {{~#unless (includes "TLSv1.1" output.protocols)}} -TLSv1.1{{/unless}} {{~#unless (includes "TLSv1.2" output.protocols)}} -TLSv1.2{{/unless}} +{{#if (minver "2.4.8" form.serverVersion)}} +SSLOpenSSLConfCmd Curves {{{join output.tlsCurves ":"}}} +{{/if}} {{#if output.ciphers.length}} SSLCipherSuite {{{join output.ciphers ":"}}} {{/if}} diff --git a/src/templates/partials/caddy.hbs b/src/templates/partials/caddy.hbs index 2fd36bd0..2c0c1823 100644 --- a/src/templates/partials/caddy.hbs +++ b/src/templates/partials/caddy.hbs @@ -14,9 +14,10 @@ example.com { {{/if}} # Note: Caddy automatically configures safe TLS settings, - # so 'ciphers' may safely be commented out to use Caddy defaults. + # so 'ciphers' and 'curves' may safely be commented out to use Caddy defaults. ciphers {{{join output.ciphers " "}}} {{/if}} + curves {{{join output.tlsCurves " "}}} {{#if (includes "TLSv1.2" output.protocols)}} {{#if (includes "TLSv1.1" output.protocols)}} # Note: Caddy supports only TLSv1.2 and later diff --git a/src/templates/partials/dovecot.hbs b/src/templates/partials/dovecot.hbs index 0748bc3e..e4c8a4ba 100644 --- a/src/templates/partials/dovecot.hbs +++ b/src/templates/partials/dovecot.hbs @@ -20,6 +20,7 @@ ssl_min_protocol = {{output.protocols.[0]}} {{else}} ssl_protocols = {{join output.protocols " "}} {{/if}} +ssl_curve_list = {{{join output.tlsCurves ":"}}} {{#if output.ciphers.length}} ssl_cipher_list = {{{join output.ciphers ":"}}} {{/if}} diff --git a/src/templates/partials/exim.hbs b/src/templates/partials/exim.hbs index 15abdd36..52c0fbf5 100644 --- a/src/templates/partials/exim.hbs +++ b/src/templates/partials/exim.hbs @@ -11,6 +11,11 @@ tls_dhparam = /path/to/dhparam # {{form.config}} configuration openssl_options = +no_sslv2 +no_sslv3{{#unless (includes "TLSv1" output.protocols)}} +no_tlsv1{{/unless}}{{#unless (includes "TLSv1.1" output.protocols)}} +no_tlsv1_1{{/unless}}{{#unless (includes "TLSv1.2" output.protocols)}} +no_tlsv1_2{{/unless}} +{{#if (minver "4.97" form.serverVersion)}} +{{#if (minver "1.1.1" form.opensslVersion)}} +tls_eccurve = "{{{join output.tlsCurves ':'}}}" +{{/if}} +{{/if}} {{#if output.ciphers.length}} tls_require_ciphers = {{{join output.ciphers ":"}}} -{{/if}} \ No newline at end of file +{{/if}} diff --git a/src/templates/partials/go.hbs b/src/templates/partials/go.hbs index 5650ae03..a3a2a3d8 100644 --- a/src/templates/partials/go.hbs +++ b/src/templates/partials/go.hbs @@ -42,6 +42,12 @@ func main() { {{/if}} cfg := &tls.Config{ MinVersion: tls.{{#if (eq output.protocols.[0] "TLSv1")}}VersionTLS10{{else}}{{{replace output.protocols.[0] "TLSv1." "VersionTLS1"}}}{{/if}}, + CurvePreferences: []tls.CurveID{ + tls.X25519, // Go 1.8+ + tls.CurveP256, + tls.CurveP384, + //tls.x25519Kyber768Draft00, // Go 1.23+ + }, {{#if output.serverPreferredOrder}} PreferServerCipherSuites: true, {{/if}} diff --git a/src/templates/partials/haproxy.hbs b/src/templates/partials/haproxy.hbs index e0869c94..d8e122b0 100644 --- a/src/templates/partials/haproxy.hbs +++ b/src/templates/partials/haproxy.hbs @@ -4,6 +4,7 @@ {{#if (minver "1.5.0" form.serverVersion)}} global # {{form.config}} configuration + ssl-default-bind-curves {{{join output.tlsCurves ":"}}} {{#if output.ciphers.length}} ssl-default-bind-ciphers {{{join output.ciphers ":"}}} {{/if}} @@ -14,6 +15,7 @@ global {{/if}} ssl-default-bind-options{{#if (minver "1.8.0" form.serverVersion)}}{{#unless output.serverPreferredOrder}} prefer-client-ciphers{{/unless}}{{/if}}{{#if (minver "2.2.0" form.serverVersion)}} ssl-min-ver {{#if (includes "TLSv1" output.protocols)}}TLSv1.0{{else}}{{output.protocols.[0]}}{{/if}}{{else}}{{#unless (includes "SSLv3" output.protocols)}} no-sslv3{{/unless}}{{#unless (includes "TLSv1" output.protocols)}} no-tlsv10{{/unless}}{{#unless (includes "TLSv1.1" output.protocols)}} no-tlsv11{{/unless}}{{#unless (includes "TLSv1.2" output.protocols)}} no-tlsv12{{/unless}}{{/if}} no-tls-tickets + ssl-default-server-curves {{{join output.tlsCurves ":"}}} {{#if output.ciphers.length}} ssl-default-server-ciphers {{{join output.ciphers ":"}}} {{/if}} diff --git a/src/templates/partials/lighttpd.hbs b/src/templates/partials/lighttpd.hbs index 90dad41f..764b0ad5 100644 --- a/src/templates/partials/lighttpd.hbs +++ b/src/templates/partials/lighttpd.hbs @@ -40,6 +40,7 @@ ssl.openssl.ssl-conf-cmd = ("MinProtocol" => "TLSv1.3") {{else}} ssl.openssl.ssl-conf-cmd = ("Protocol" => "ALL, -SSLv2, -SSLv3{{#unless (includes "TLSv1" output.protocols)}}, -TLSv1{{/unless}}{{#unless (includes "TLSv1.1" output.protocols)}}, -TLSv1.1{{/unless}}{{#unless (includes "TLSv1.2" output.protocols)}}, -TLSv1.2{{/unless}}") {{/if}} +ssl.openssl.ssl-conf-cmd += ("Curves" => "{{{join output.tlsCurves ':'}}}") {{#if (minver "1.4.68" form.serverVersion)}} {{#if output.serverPreferredOrder}} ssl.openssl.ssl-conf-cmd += ("Options" => "+ServerPreference") @@ -106,8 +107,10 @@ $SERVER["socket"] == ":443" { {{#if (minver "1.4.48" form.serverVersion)}} {{#if (minver "1.1.0" form.opensslVersion)}} ssl.openssl.ssl-conf-cmd = ("MinProtocol" => "{{output.protocols.[0]}}", "Options" => "-SessionTicket") + ssl.openssl.ssl-conf-cmd += ("Curves" => "{{{join output.tlsCurves ':'}}}") {{else if (minver "1.0.2" form.opensslVersion)}} ssl.openssl.ssl-conf-cmd = ("Protocol" => "ALL, -SSLv2, -SSLv3{{#unless (includes "TLSv1" output.protocols)}}, -TLSv1{{/unless}}{{#unless (includes "TLSv1.1" output.protocols)}}, -TLSv1.1{{/unless}}{{#unless (includes "TLSv1.2" output.protocols)}}, -TLSv1.2{{/unless}}", "Options" => "-SessionTicket") + ssl.openssl.ssl-conf-cmd += ("Curves" => "{{{join output.tlsCurves ':'}}}") {{else}} ssl.use-sslv2 = "disable" ssl.use-sslv3 = "disable" diff --git a/src/templates/partials/nginx.hbs b/src/templates/partials/nginx.hbs index 86f0f1b9..91df5c8d 100644 --- a/src/templates/partials/nginx.hbs +++ b/src/templates/partials/nginx.hbs @@ -45,6 +45,7 @@ server { {{/if}} # {{form.config}} configuration ssl_protocols {{join output.protocols " "}}; + ssl_ecdh_curve {{join output.tlsCurves ":"}}; {{#if output.ciphers.length}} ssl_ciphers {{{join output.ciphers ":"}}}; {{/if}} diff --git a/src/templates/partials/postfix.hbs b/src/templates/partials/postfix.hbs index 62d51185..42414403 100644 --- a/src/templates/partials/postfix.hbs +++ b/src/templates/partials/postfix.hbs @@ -27,6 +27,8 @@ smtp_tls_mandatory_protocols = !SSLv2, !SSLv3{{#unless (includes "TLSv1" output. smtp_tls_protocols = !SSLv2, !SSLv3{{#unless (includes "TLSv1" output.protocols)}}, !TLSv1{{/unless}}{{#unless (includes "TLSv1.1" output.protocols)}}, !TLSv1.1{{/unless}}{{#unless (includes "TLSv1.2" output.protocols)}}, !TLSv1.2{{/unless}} {{/if}} +tls_eecdh_auto_curves = {{{join output.tlsCurves " "}}} +tls_ffdhe_auto_groups = {{#if output.ciphers.length}} smtp_tls_mandatory_ciphers = medium smtpd_tls_mandatory_ciphers = medium diff --git a/src/templates/partials/postgresql.hbs b/src/templates/partials/postgresql.hbs index 278412f8..bba408e7 100644 --- a/src/templates/partials/postgresql.hbs +++ b/src/templates/partials/postgresql.hbs @@ -15,6 +15,9 @@ ssl_dh_params_file = '/path/to/dhparam' ssl_ciphers = '{{{join output.ciphers ":"}}}' {{/if}} +{{#if (minver "18.0.0" form.serverVersion)}} +ssl_groups = '{{{join output.tlsCurves ":"}}}' +{{/if}} {{#if (minver "12.0.0" form.serverVersion)}} ssl_min_protocol_version = '{{output.protocols.[0]}}' {{/if}} diff --git a/src/templates/partials/proftpd.hbs b/src/templates/partials/proftpd.hbs index 08964da6..afe090b8 100644 --- a/src/templates/partials/proftpd.hbs +++ b/src/templates/partials/proftpd.hbs @@ -20,6 +20,9 @@ TLSDHParamFile /path/to/dhparam # {{form.config}} configuration TLSProtocol {{join output.protocols " "}} +{{#if (minver "1.0.2" form.opensslVersion)}} +TLSECDHCurve {{{join output.tlsCurves ":"}}} +{{/if}} {{#if output.ciphers.length}} TLSCipherSuite {{{join output.ciphers ":"}}} {{/if}} diff --git a/src/templates/partials/stunnel.hbs b/src/templates/partials/stunnel.hbs index a3c81f64..b67967cf 100644 --- a/src/templates/partials/stunnel.hbs +++ b/src/templates/partials/stunnel.hbs @@ -24,6 +24,9 @@ options = NO_TLSv1 options = NO_SSLv3 options = NO_SSLv2 {{/unless}} +{{#if (minver "1.1.1" form.opensslVersion)}} +curves = {{{join output.tlsCurves ":"}}} +{{/if}} {{#if output.ciphers.length}} ciphers = {{{join output.ciphers ":"}}} {{/if}} diff --git a/src/templates/partials/traefik.hbs b/src/templates/partials/traefik.hbs index e9935502..7e4a67a8 100644 --- a/src/templates/partials/traefik.hbs +++ b/src/templates/partials/traefik.hbs @@ -36,6 +36,7 @@ [tls.options] [tls.options.{{form.config}}] minVersion = "{{{replace output.protocols.[0] "TLSv1." "VersionTLS1"}}}" + curvePreferences = ["X25519", "CurveP256", "CurveP384"] {{#if output.ciphers.length}} cipherSuites = [ {{#each output.ciphers}} @@ -76,4 +77,4 @@ defaultEntryPoints = ["http", "https"] [[entryPoints.https.tls.certificates]] certFile = "/path/to/signed_cert_plus_intermediates" keyFile = "/path/to/private_key" -{{/if}} \ No newline at end of file +{{/if}}