YunoHost / packages_old

[not used anymore] YunoHost Debian package sources
http://yunohost.org
8 stars 7 forks source link

Nginx still accept SSLv3 #32

Closed solarus0 closed 10 years ago

solarus0 commented 10 years ago

This line in the nginx configuration file should prevent the web client to connect in SSLv3. _nano /etc/nginx/conf.d/mail.ultrawaves.net.conf sslprotocols TLSv1 TLSv1.1 TLSv1.2 ;

But when I use openSSL to test my server, SSLv3 still work. *openssl s_client -ssl3 -connect mail.ultrawaves.net:443

CONNECTED(00000003) depth=0 CN = yunohost.org verify error:num=20:unable to get local issuer certificate verify return:1 depth=0 CN = yunohost.org verify error:num=21:unable to verify the first certificate verify return:1 ---*

I can't explain this bug, it works normally on my others nginx servers.

opi commented 10 years ago

could you paste your entire vhost conf (mail.ultrawaves.net.conf) ?

solarus0 commented 10 years ago

server { listen 80; listen [::]:80; server_name mail.ultrawaves.net; access_by_lua_file /usr/share/ssowat/access.lua; include conf.d/mail.ultrawaves.net.d/*.conf; location /yunohost/admin { rewrite ^ https://$http_host$request_uri? permanent; } access_log /var/log/nginx/mail.ultrawaves.net-access.log; error_log /var/log/nginx/mail.ultrawaves.net-error.log; }

server { listen 443 ssl; listen [::]:443 ssl; server_name mail.ultrawaves.net; ssl_certificate /etc/yunohost/certs/mail.ultrawaves.net/crt.pem; ssl_certificate_key /etc/yunohost/certs/mail.ultrawaves.net/key.pem; ssl_session_timeout 5m; ssl_session_cache shared:SSL:50m; ssl_prefer_server_ciphers on; ssl_protocols TLSv1 TLSv1.1 TLSv1.2 ; ssl_ciphers ALL:!aNULL:!eNULL:!LOW:!EXP:!RC4:!3DES:+HIGH:+MEDIUM; add_header Strict-Transport-Security "max-age=31536000; includeSubdomains;";

Uncomment the following directive after DH generation

# > openssl dhparam -out /etc/ssl/private/dh2048.pem -outform PEM -2 2048
#ssl_dhparam /etc/ssl/private/dh2048.pem;
access_by_lua_file /usr/share/ssowat/access.lua;
include conf.d/mail.ultrawaves.net.d/*.conf;
include conf.d/yunohost_admin.conf.inc;
include conf.d/yunohost_api.conf.inc;
access_log /var/log/nginx/mail.ultrawaves.net-access.log;
error_log /var/log/nginx/mail.ultrawaves.net-error.log;

}

opi commented 10 years ago

any other vhost for this domain ?

solarus0 commented 10 years ago

I have a vhost for ultrawaves.net, it's the same configuration (I never touched the automatically generated files).

solarus0 commented 10 years ago

I've just found the solution. The nginx default files is /etc/nginx/conf.d/yunohost_admin.conf where the SSL Protocols line is missing. By adding this line to the yunohost_admin.conf file, SSLv3 is correctly disabled.

solarus0 commented 10 years ago

Here is a pull request https://github.com/YunoHost/packages/pull/33

solarus0 commented 10 years ago

Solved with this merge : https://github.com/YunoHost/packages/commit/0a54e754f60e9897346080d581a79447b705e42a