Merge branch '2020422-web_buster' into 'buster-testing'

2020422 web buster

See merge request sympl/sympl!188

CHANGELOG

 CHANGELOG
 ---------
 
+2020-04-22
+  sympl-web
+    * Switch to individual packages for sympl-web (#292)
+    * Only enable OCSP Stapling for certs that support it (#293)
+
 2020-04-20
   sympl-core
     * Prevent sympl-filesystem-security from changing permissions of /etc/firewall/local.d/ contents.

web/apache.d/ssl.template.erb

@@ -34,11 +34,6 @@
     SSLHonorCipherOrder               off
     SSLSessionTickets                 off
 
-    # OCSP Stapling
-    SSLUseStapling                    on
-    SSLStaplingResponderTimeout       5
-    SSLStaplingReturnResponderErrors  off
-
 % if hsts_enabled?
     <IfModule headers_module>
       # Enable HSTS (mod_headers is required, 15768000 seconds = 6 months)

web/apache.d/zz-mass-hosting.ssl.template.erb

@@ -38,10 +38,6 @@
     SSLHonorCipherOrder               off
     SSLSessionTickets                 off
 
-    # OCSP Stapling
-    SSLUseStapling                    on
-    SSLStaplingResponderTimeout       5
-    SSLStaplingReturnResponderErrors  off
   </IfModule>
 
   # This provides a helpful error message when the root of the

web/debian/changelog

+sympl-web (10.0.200422.0) stable; urgency=medium
+
+  * Switch to individual packages for sympl-web (#292)
+  * Only enable OCSP Stapling for certs that support it (#293)
+
+ -- Paul Cammish <sympl@kelduum.net>  Wed, 22 Apr 2020 09:42:02 +0100
+
 sympl-web (10.0.191216.0) stable; urgency=medium
 
   * Added cron to clean up old PHP sessions

web/debian/control

@@ -8,7 +8,7 @@ Standards-Version: 3.9.6
 XS-Ruby-Versions: all
 
 Package: sympl-web
-Architecture: all
+Architecture: any
 Depends: apache2, libapache2-mod-php7.3, webalizer, ${misc:Depends}, sympl-core (>= 9.0.190611.0), ruby | ruby-interpreter
 Recommends: php7.3-mysql | php7.3-mysqli | php7.3-mysqlnd, php7.3-curl, php7.3-imagick, php7.3-mcrypt, php7.3-xmlrpc, php7.3-gd, geoip-database
 Replaces: symbiosis-httpd

web/lib/symbiosis/config_files/apache.rb

@@ -246,6 +246,18 @@ module Symbiosis
           # Add a bundle, if needed.
           #
           ans << "SSLCertificateChainFile #{@domain.ssl_bundle_file}" if @domain.ssl_bundle_file
+          #
+          # Add OCSP Stapling if the Certificate supports it.
+          # This is fairly hacky, but should be reasonably resilient.
+          #
+          ocsp_stapling = `openssl x509 -in #{@domain.ssl_certificate_file} -inform PEM -text -noout | grep -c OCSP`
+          if ocsp_stapling.to_i > 0
+            ans << ""
+            ans << "# OCSP Stapling automatically enabled as certificate supports it"
+            ans << "SSLUseStapling                    on"
+            ans << "SSLStaplingResponderTimeout       5"
+            ans << "SSLStaplingReturnResponderErrors  off"
+          end
         elsif File.exist?("/etc/ssl/ssl.crt")
           #
           # TODO: this makes absolutely no checks for the certificate validity
@@ -257,6 +269,18 @@ module Symbiosis
           #
           ans << "SSLCertificateKeyFile /etc/ssl/ssl.key" if File.exist?("/etc/ssl/ssl.key")
           ans << "SSLCertificateChainFile /etc/ssl/ssl.bundle" if File.exist?("/etc/ssl/ssl.bundle")
+          #
+          # Add OCSP Stapling if the Certificate supports it.
+          # This is fairly hacky, but should be reasonably resilient.
+          #
+          ocsp_stapling = `openssl x509 -in /etc/ssl/ssl.crt -inform PEM -text -noout | grep -c OCSP`
+          if ocsp_stapling.to_i > 0
+            ans << ""
+            ans << "# OCSP Stapling automatically enabled as certificate supports it"
+            ans << "SSLUseStapling                    on"
+            ans << "SSLStaplingResponderTimeout       5"
+            ans << "SSLStaplingReturnResponderErrors  off"
+          end
         end
 
         ans.join("\n        ")