Commit beade4b9 authored by Paul Cammish's avatar Paul Cammish

2020422 web buster

parent 3511e84c
CHANGELOG
---------
2020-04-22
sympl-web
* Switch to individual packages for sympl-web (#292)
* Only enable OCSP Stapling for certs that support it (#293)
2020-04-20
sympl-core
* Prevent sympl-filesystem-security from changing permissions of /etc/firewall/local.d/ contents.
......
......@@ -34,11 +34,6 @@
SSLHonorCipherOrder off
SSLSessionTickets off
# OCSP Stapling
SSLUseStapling on
SSLStaplingResponderTimeout 5
SSLStaplingReturnResponderErrors off
% if hsts_enabled?
<IfModule headers_module>
# Enable HSTS (mod_headers is required, 15768000 seconds = 6 months)
......
......@@ -38,10 +38,6 @@
SSLHonorCipherOrder off
SSLSessionTickets off
# OCSP Stapling
SSLUseStapling on
SSLStaplingResponderTimeout 5
SSLStaplingReturnResponderErrors off
</IfModule>
# This provides a helpful error message when the root of the
......
sympl-web (10.0.200422.0) stable; urgency=medium
* Switch to individual packages for sympl-web (#292)
* Only enable OCSP Stapling for certs that support it (#293)
-- Paul Cammish <sympl@kelduum.net> Wed, 22 Apr 2020 09:42:02 +0100
sympl-web (10.0.191216.0) stable; urgency=medium
* Added cron to clean up old PHP sessions
......
......@@ -8,7 +8,7 @@ Standards-Version: 3.9.6
XS-Ruby-Versions: all
Package: sympl-web
Architecture: all
Architecture: any
Depends: apache2, libapache2-mod-php7.3, webalizer, ${misc:Depends}, sympl-core (>= 9.0.190611.0), ruby | ruby-interpreter
Recommends: php7.3-mysql | php7.3-mysqli | php7.3-mysqlnd, php7.3-curl, php7.3-imagick, php7.3-mcrypt, php7.3-xmlrpc, php7.3-gd, geoip-database
Replaces: symbiosis-httpd
......
......@@ -246,6 +246,18 @@ module Symbiosis
# Add a bundle, if needed.
#
ans << "SSLCertificateChainFile #{@domain.ssl_bundle_file}" if @domain.ssl_bundle_file
#
# Add OCSP Stapling if the Certificate supports it.
# This is fairly hacky, but should be reasonably resilient.
#
ocsp_stapling = `openssl x509 -in #{@domain.ssl_certificate_file} -inform PEM -text -noout | grep -c OCSP`
if ocsp_stapling.to_i > 0
ans << ""
ans << "# OCSP Stapling automatically enabled as certificate supports it"
ans << "SSLUseStapling on"
ans << "SSLStaplingResponderTimeout 5"
ans << "SSLStaplingReturnResponderErrors off"
end
elsif File.exist?("/etc/ssl/ssl.crt")
#
# TODO: this makes absolutely no checks for the certificate validity
......@@ -257,6 +269,18 @@ module Symbiosis
#
ans << "SSLCertificateKeyFile /etc/ssl/ssl.key" if File.exist?("/etc/ssl/ssl.key")
ans << "SSLCertificateChainFile /etc/ssl/ssl.bundle" if File.exist?("/etc/ssl/ssl.bundle")
#
# Add OCSP Stapling if the Certificate supports it.
# This is fairly hacky, but should be reasonably resilient.
#
ocsp_stapling = `openssl x509 -in /etc/ssl/ssl.crt -inform PEM -text -noout | grep -c OCSP`
if ocsp_stapling.to_i > 0
ans << ""
ans << "# OCSP Stapling automatically enabled as certificate supports it"
ans << "SSLUseStapling on"
ans << "SSLStaplingResponderTimeout 5"
ans << "SSLStaplingReturnResponderErrors off"
end
end
ans.join("\n ")
......
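Review bot: On the `ocsp_stapling =` line of the first hunk, `@domain.ssl_certificate_file` is interpolated unquoted into a shell pipeline, so whitespace or a shell metacharacter in that path alters the command that runs instead of the file that is read; the enclosing method begins before this hunk, so where the path is derived from is not visible here. The same detection can be done in-process with the stdlib openssl library, which removes the shell and `grep -c` entirely and yields a real boolean rather than a line count coerced with `to_i`. The second hunk (the `/etc/ssl/ssl.crt` branch) uses a fixed path and is not exposed the same way, but it duplicates the block line for line and would be better served by the same in-process check, ideally as one private helper taking the path. This needs `require 'openssl'` near the top of the file if it is not already there.
```ruby
#
# Add OCSP Stapling if the certificate carries an authorityInfoAccess
# extension naming an OCSP responder. Parsed in-process so the
# certificate path is never handed to a shell.
#
ocsp_stapling = begin
  cert = OpenSSL::X509::Certificate.new(File.read(@domain.ssl_certificate_file))
  cert.extensions.any? { |ext| ext.oid == "authorityInfoAccess" && ext.value.include?("OCSP") }
rescue OpenSSL::X509::CertificateError, SystemCallError
  false
end
if ocsp_stapling
  # … unchanged: ans << OCSP stapling directives …
end
```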