author | Renato Botelho <garga@FreeBSD.org> | 2015-03-11 14:03:29 -0300 |
---|---|---|
committer | Renato Botelho <garga@FreeBSD.org> | 2015-03-11 14:04:38 -0300 |
commit | 8304fb462a0afebd93546af043ce741096a5ee1b (patch) | |
tree | a7bf7cfae14f1737cdbfe78b93ff113595b92b46 | |
parent | 3d50cb09c62cd068ae27c5556616b503f08e279a (diff) | |
Remove BEAST protection option since default cipher is now good and works with hifn cards
-rw-r--r-- | etc/inc/system.inc | 22 | ||||
-rw-r--r-- | usr/local/www/system_advanced_admin.php | 37 |
2 files changed, 2 insertions, 57 deletions
diff --git a/etc/inc/system.inc b/etc/inc/system.inc
index 710690f..06e7bbe 100644
--- a/etc/inc/system.inc
+++ b/etc/inc/system.inc
@@ -1341,28 +1341,10 @@ EOD;
 $lighty_config .= "ssl.use-sslv2 = \"disable\"\n";
 $lighty_config .= "ssl.use-sslv3 = \"disable\"\n";
- /* Hifn accelerators do NOT work with the BEAST mitigation code. Do not allow it to be enabled if a Hifn card has been detected. */
- $fd = @fopen("{$g['varlog_path']}/dmesg.boot", "r");
- if ($fd) {
- while (!feof($fd)) {
- $dmesgl = fgets($fd);
- if (preg_match("/^hifn.: (.*?),/", $dmesgl, $matches) && isset($config['system']['webgui']['beast_protection'])) {
- unset($config['system']['webgui']['beast_protection']);
- log_error("BEAST Protection disabled because a conflicting cryptographic accelerator card has been detected (" . $matches[1] . ")");
- break;
- }
- }
- fclose($fd);
- }
-
 // where ssl.cipher-list is set, this is automatically enabled, but set it explicitly anyway.
 $lighty_config .= "ssl.honor-cipher-order = \"enable\"\n";
-
- if (isset($config['system']['webgui']['beast_protection'])) {
- $lighty_config .= "ssl.cipher-list = \"ECDHE-RSA-AES256-SHA384:AES256-SHA256:HIGH:!MD5:!aNULL:!EDH:!AESGCM\"\n";
- } else {
- $lighty_config .= "ssl.cipher-list = \"AES128+EECDH:AES256+EECDH:AES128+EDH:AES256+EDH:AES128-SHA:AES256-SHA:!aNULL:!eNULL:!DSS\"\n";
- }
+
+ $lighty_config .= "ssl.cipher-list = \"AES128+EECDH:AES256+EECDH:AES128+EDH:AES256+EDH:AES128-SHA:AES256-SHA:!aNULL:!eNULL:!DSS\"\n";
 if(!(empty($ca) || (strlen(trim($ca)) == 0)))
 $lighty_config .= "ssl.ca-file = \"{$g['varetc_path']}/{$ca_location}\"\n\n";
diff --git a/usr/local/www/system_advanced_admin.php b/usr/local/www/system_advanced_admin.php
index 11dc981..36eb7a3 100644
--- a/usr/local/www/system_advanced_admin.php
+++ b/usr/local/www/system_advanced_admin.php
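Review bot: The added `ssl.cipher-list` line is now the single, unconditional TLS cipher policy for the webConfigurator, yet it carries no comment explaining its ordering or exclusions, so a later edit can weaken it without anyone noticing. The list prefers ECDHE/EDH suites but still ends with `AES128-SHA:AES256-SHA`, static-RSA CBC suites without forward secrecy; whether those are kept deliberately as a compatibility fallback is not visible here and should be recorded, e.g. `// Prefer ECDHE/EDH suites (forward secrecy); AES128-SHA/AES256-SHA are a compatibility fallback; !aNULL/!eNULL/!DSS excluded; honor-cipher-order makes the server's order win.` placed directly above the line. The existing `// where ssl.cipher-list is set, this is automatically enabled` comment above `ssl.honor-cipher-order` still reads correctly, since the cipher list is now set unconditionally right below it. The enclosing function starts and ends outside the hunk.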
@@ -58,7 +58,6 @@ $pconfig['disableconsolemenu'] = isset($config['system']['disableconsolemenu']);
 $pconfig['noantilockout'] = isset($config['system']['webgui']['noantilockout']);
 $pconfig['nodnsrebindcheck'] = isset($config['system']['webgui']['nodnsrebindcheck']);
 $pconfig['nohttpreferercheck'] = isset($config['system']['webgui']['nohttpreferercheck']);
-$pconfig['beast_protection'] = isset($config['system']['webgui']['beast_protection']);
 $pconfig['pagenamefirst'] = isset($config['system']['webgui']['pagenamefirst']);
 $pconfig['loginautocomplete'] = isset($config['system']['webgui']['loginautocomplete']);
 $pconfig['althostnames'] = $config['system']['webgui']['althostnames'];
@@ -171,11 +170,6 @@ if ($_POST) {
 else
 unset($config['system']['webgui']['nohttpreferercheck']);
- if ($_POST['beast_protection'] == "yes")
- $config['system']['webgui']['beast_protection'] = true;
- else
- unset($config['system']['webgui']['beast_protection']);
-
 if ($_POST['pagenamefirst'] == "yes")
 $config['system']['webgui']['pagenamefirst'] = true;
 else
@@ -257,21 +251,6 @@ if ($_POST) {
 }
 }
-unset($hwcrypto);
-$fd = @fopen("{$g['varlog_path']}/dmesg.boot", "r");
-if ($fd) {
- while (!feof($fd)) {
- $dmesgl = fgets($fd);
- if (preg_match("/^hifn.: (.*?),/", $dmesgl, $matches)) {
- unset($pconfig['beast_protection']);
- $disable_beast_option = "disabled";
- $hwcrypto = $matches[1];
- break;
- }
- }
- fclose($fd);
-}
-
 $pgtitle = array(gettext("System"),gettext("Advanced: Admin Access"));
 include("head.inc");
@@ -488,22 +467,6 @@ function prot_change() { </td> </tr> <tr> - <td width="22%" valign="top" class="vncell"><?=gettext("BEAST Attack Protection"); ?></td> - <td width="78%" class="vtable"> - <input name="beast_protection" type="checkbox" id="beast_protection" value="yes" <?php if ($pconfig['beast_protection']) echo "checked=\"checked\""; ?> <?= $disable_beast_option ?>/> - <strong><?=gettext("Mitigate the BEAST SSL Attack"); ?></strong> - <br /> - <?php echo gettext("When this is checked, the webConfigurator can mitigate BEAST SSL attacks. ") ?> - <br /> - <?php if ($disable_beast_option) { - echo "<br />" . sprintf(gettext("This option has been automatically disabled because a conflicting cryptographic accelerator card has been detected (%s)."), $hwcrypto) . "<br /><br />"; - } ?> - <?php echo gettext("This option is off by default because Hifn accelerators do NOT work with this option, and the GUI will not function. " . - "It is possible that other accelerators have a similar problem that is not yet known/documented. " . - "More information on BEAST is available from <a target='_blank' href='https://en.wikipedia.org/wiki/Transport_Layer_Security#BEAST_attack'>Wikipedia</a>."); ?> - </td> - </tr> - <tr> <td width="22%" valign="top" class="vncell"><?=gettext("Browser tab text"); ?></td> <td width="78%" class="vtable"> <input name="pagenamefirst" type="checkbox" id="pagenamefirst" value="yes" <?php if ($pconfig['pagenamefirst']) echo "checked=\"checked\""; ?> /> |