From b2f5193d35c7bd34155f4a434cad3390131ec6db Mon Sep 17 00:00:00 2001 From: Sebastian Schmidt Date: Mon, 19 Jul 2021 09:37:50 +0000 Subject: [PATCH 1/2] remove ciphers The LiteSpeed webserver provides better defaults and is updated more often. It also allows the administrator to set better ciphers for the entire server more easily than having to edit every zone individually --- plogical/sslUtilities.py | 4 ---- 1 file changed, 4 deletions(-) diff --git a/plogical/sslUtilities.py b/plogical/sslUtilities.py index d8477d601..b9c267b74 100755 --- a/plogical/sslUtilities.py +++ b/plogical/sslUtilities.py @@ -90,7 +90,6 @@ class sslUtilities: certFile = " certFile /etc/letsencrypt/live/" + virtualHostName + "/fullchain.pem\n" certChain = " certChain 1" + "\n" sslProtocol = " sslProtocol 24" + "\n" - ciphers = " ciphers EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH:ECDHE-RSA-AES128-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA128:DHE-RSA-AES128-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-GCM-SHA128:ECDHE-RSA-AES128-SHA384:ECDHE-RSA-AES128-SHA128:ECDHE-RSA-AES128-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES128-SHA128:DHE-RSA-AES128-SHA128:DHE-RSA-AES128-SHA:DHE-RSA-AES128-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA384:AES128-GCM-SHA128:AES128-SHA128:AES128-SHA128:AES128-SHA:AES128-SHA:DES-CBC3-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4" + "\n" enableECDHE = " enableECDHE 1" + "\n" renegProtection = " renegProtection 1" + "\n" sslSessionCache = " sslSessionCache 1" + "\n" @@ -108,7 +107,6 @@ class sslUtilities: writeDataToFile.writelines(certFile) writeDataToFile.writelines(certChain) writeDataToFile.writelines(sslProtocol) - writeDataToFile.writelines(ciphers) writeDataToFile.writelines(enableECDHE) writeDataToFile.writelines(renegProtection) writeDataToFile.writelines(sslSessionCache) @@ -161,7 +159,6 @@ class sslUtilities: certFile = " certFile /etc/letsencrypt/live/" + virtualHostName + "/fullchain.pem\n" certChain = " certChain 1" + "\n" sslProtocol = " sslProtocol 24" + "\n" - ciphers = " ciphers EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH:ECDHE-RSA-AES128-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA128:DHE-RSA-AES128-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-GCM-SHA128:ECDHE-RSA-AES128-SHA384:ECDHE-RSA-AES128-SHA128:ECDHE-RSA-AES128-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES128-SHA128:DHE-RSA-AES128-SHA128:DHE-RSA-AES128-SHA:DHE-RSA-AES128-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA384:AES128-GCM-SHA128:AES128-SHA128:AES128-SHA128:AES128-SHA:AES128-SHA:DES-CBC3-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4" + "\n" enableECDHE = " enableECDHE 1" + "\n" renegProtection = " renegProtection 1" + "\n" sslSessionCache = " sslSessionCache 1" + "\n" @@ -177,7 +174,6 @@ class sslUtilities: writeSSLConfig.writelines(certFile) writeSSLConfig.writelines(certChain) writeSSLConfig.writelines(sslProtocol) - writeSSLConfig.writelines(ciphers) writeSSLConfig.writelines(enableECDHE) writeSSLConfig.writelines(renegProtection) writeSSLConfig.writelines(sslSessionCache) From bb27d68db81939d018ba9f52e5d662819b18b007 Mon Sep 17 00:00:00 2001 From: Sebastian Schmidt Date: Mon, 19 Jul 2021 09:51:40 +0000 Subject: [PATCH 2/2] Create modern ECDSA certificates Fix self-signed certificate wrongly set to www.example.com Fix consistency where the certificates are issued from. if an aliasDomain was used it was issued from ZeroSSL while others where issued from Let's Encrypt. I went with ZeroSSL due to less rate-limiting Maybe choosing the CA should be an option that can be set by the user. To set a default use 'acme.sh --set-default-ca --server letsencrypt' instead Use `acme.sh --register-account -m my@example.com` to create a ZeroSSL account --- plogical/sslUtilities.py | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/plogical/sslUtilities.py b/plogical/sslUtilities.py index b9c267b74..54ecdb887 100755 --- a/plogical/sslUtilities.py +++ b/plogical/sslUtilities.py @@ -294,7 +294,7 @@ class sslUtilities: command = acmePath + " --issue -d " + virtualHostName + " -d www." + virtualHostName \ + ' --cert-file ' + existingCertPath + '/cert.pem' + ' --key-file ' + existingCertPath + '/privkey.pem' \ - + ' --fullchain-file ' + existingCertPath + '/fullchain.pem' + ' -w ' + sslpath + ' --server letsencrypt --force' + + ' --fullchain-file ' + existingCertPath + '/fullchain.pem' + ' -w ' + sslpath + ' -k ec-256 --force' logging.CyberCPLogFileWriter.writeToFile(command, 0) @@ -315,7 +315,7 @@ class sslUtilities: logging.CyberCPLogFileWriter.writeToFile("Trying to obtain SSL for: " + virtualHostName, 0) command = acmePath + " --issue -d " + virtualHostName + ' --cert-file ' + existingCertPath \ + '/cert.pem' + ' --key-file ' + existingCertPath + '/privkey.pem' \ - + ' --fullchain-file ' + existingCertPath + '/fullchain.pem' + ' -w ' + sslpath + ' --server letsencrypt --force' + + ' --fullchain-file ' + existingCertPath + '/fullchain.pem' + ' -w ' + sslpath + ' -k ec-256 --force' output = subprocess.check_output(shlex.split(command)).decode("utf-8") logging.CyberCPLogFileWriter.writeToFile("Successfully obtained SSL for: " + virtualHostName, 0) finalText = '%s\nSuccessfully obtained SSL for: %s.' % (finalText, virtualHostName) @@ -340,7 +340,7 @@ class sslUtilities: command = acmePath + " --issue -d " + virtualHostName + " -d www." + virtualHostName \ + ' -d ' + aliasDomain + ' -d www.' + aliasDomain\ + ' --cert-file ' + existingCertPath + '/cert.pem' + ' --key-file ' + existingCertPath + '/privkey.pem' \ - + ' --fullchain-file ' + existingCertPath + '/fullchain.pem' + ' -w ' + sslpath + ' --force' + + ' --fullchain-file ' + existingCertPath + '/fullchain.pem' + ' -w ' + sslpath + ' -k ec-256 --force' output = subprocess.check_output(shlex.split(command)).decode("utf-8") logging.CyberCPLogFileWriter.writeToFile( @@ -376,7 +376,7 @@ def issueSSLForDomain(domain, adminEmail, sslpath, aliasDomain = None): pathToStoreSSLPrivKey = "/etc/letsencrypt/live/%s/privkey.pem" % (domain) pathToStoreSSLFullChain = "/etc/letsencrypt/live/%s/fullchain.pem" % (domain) - command = 'openssl req -newkey rsa:2048 -new -nodes -x509 -days 3650 -subj "/C=US/ST=Denial/L=Springfield/O=Dis/CN=www.example.com" -keyout ' + pathToStoreSSLPrivKey + ' -out ' + pathToStoreSSLFullChain + command = 'openssl req -newkey rsa:2048 -new -nodes -x509 -days 3650 -subj "/C=US/ST=Denial/L=Springfield/O=Dis/CN=' + domain + '" -keyout ' + pathToStoreSSLPrivKey + ' -out ' + pathToStoreSSLFullChain cmd = shlex.split(command) subprocess.call(cmd)