author | jim-p <jimp@pfsense.org> | 2013-07-18 09:30:20 -0400 |
committer | jim-p <jimp@pfsense.org> | 2013-07-18 09:35:47 -0400 |
commit | 30adceda1fffe160d18bdcbcaccb0da5de000fdf (patch) | |
tree | 8ce89177a3d826565be1432526303b5bef73d50e /etc | |
parent | 436a9a88b802590cdcd4a7bf07cacf88d80d2c35 (diff) | |
Disable the BEAST protection by default because the GUI *will* break if you use this and have a Hifn card installed. Others may break similarly. Change it into a checkbox option, off by default, and automatically disable it if a conflicting card has been detected.
Diffstat (limited to 'etc')
-rw-r--r-- | etc/inc/system.inc | 23 |
1 files changed, 21 insertions, 2 deletions
diff --git a/etc/inc/system.inc b/etc/inc/system.inc
index 18ae4f1..75ee8f9 100644
--- a/etc/inc/system.inc
+++ b/etc/inc/system.inc
@@ -1125,8 +1125,27 @@ EOD;
 // Harden SSL a bit for PCI conformance testing
 $lighty_config .= "ssl.use-sslv2 = \"disable\"\n";
- $lighty_config .= "ssl.honor-cipher-order = \"enable\"\n";
- $lighty_config .= "ssl.cipher-list = \"ECDHE-RSA-AES256-SHA384:AES256-SHA256:RC4-SHA:RC4:HIGH:!MD5:!aNULL:!EDH:!AESGCM\"\n";
+
+ /* Hifn accelerators do NOT work with the BEAST mitigation code. Do not allow it to be enabled if a Hifn card has been detected. */
+ $fd = @fopen("{$g['varlog_path']}/dmesg.boot", "r");
+ if ($fd) {
+ while (!feof($fd)) {
+ $dmesgl = fgets($fd);
+ if (preg_match("/^hifn.: (.*?),/", $dmesgl, $matches) && isset($config['system']['webgui']['beast_protection'])) {
+ unset($config['system']['webgui']['beast_protection']);
+ log_error("BEAST Protection disabled because a conflicting cryptographic accelerator card has been detected (" . $matches[1] . ")");
+ break;
+ }
+ }
+ fclose($fd);
+ }
+
+ if (isset($config['system']['webgui']['beast_protection'])) {
+ $lighty_config .= "ssl.honor-cipher-order = \"enable\"\n";
+ $lighty_config .= "ssl.cipher-list = \"ECDHE-RSA-AES256-SHA384:AES256-SHA256:RC4-SHA:RC4:HIGH:!MD5:!aNULL:!EDH:!AESGCM\"\n";
+ } else {
+ $lighty_config .= "ssl.cipher-list = \"DHE-RSA-CAMELLIA256-SHA:DHE-DSS-CAMELLIA256-SHA:CAMELLIA256-SHA:DHE-DSS-AES256-SHA:AES256-SHA:DHE-RSA-CAMELLIA128-SHA:DHE-DSS-CAMELLIA128-SHA:CAMELLIA128-SHA:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA:AES128-SHA:RC4-SHA:RC4-MD5:!aNULL:!eNULL:!3DES:@STRENGTH\"\n";
+ }
 if(!(empty($ca) || (strlen(trim($ca)) == 0)))
 $lighty_config .= "ssl.ca-file = \"{$g['varetc_path']}/{$ca_location}\"\n\n"; |
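Review bot: The `else` branch of the new `if (isset($config['system']['webgui']['beast_protection']))` — now the default path — drops `ssl.honor-cipher-order = "enable"` and lists `RC4-MD5` where the old list had `!MD5`, so a client can negotiate an MD5-MAC RC4 suite that the previous configuration refused. Emitting `$lighty_config .= "ssl.honor-cipher-order = \"enable\"\n";` once before the `if` (so it applies to both branches) and replacing `RC4-MD5` with `!MD5` in the fallback list keeps server-side preference and the MD5 exclusion without touching the BEAST-specific ordering. Separately, the `unset(...)` after the Hifn match only changes the in-memory `$config`; nothing in the hunk persists that change, so the option presumably reappears on every regeneration and the `log_error` line repeats each time — worth either persisting it or documenting that as intentional. `fgets($fd)` returns `false` at EOF and that value is passed straight to `preg_match`; guarding with `if ($dmesgl === false) break;` avoids the warning. The enclosing function begins and ends outside the hunk.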