authorjim-p <jimp@pfsense.org>2013-07-18 09:30:20 -0400
committerjim-p <jimp@pfsense.org>2013-07-18 09:35:47 -0400
commit30adceda1fffe160d18bdcbcaccb0da5de000fdf (patch)
tree8ce89177a3d826565be1432526303b5bef73d50e /etc
parent436a9a88b802590cdcd4a7bf07cacf88d80d2c35 (diff)
Disable the BEAST protection by default because the GUI *will* break if you use this and have a Hifn card installed. Others may break similarly. Change it into a checkbox option, off by default, and automatically disable it if a conflicting card has been detected.
Diffstat (limited to 'etc')
-rw-r--r--etc/inc/system.inc23
1 files changed, 21 insertions, 2 deletions
diff --git a/etc/inc/system.inc b/etc/inc/system.inc
index 18ae4f1..75ee8f9 100644
--- a/etc/inc/system.inc
+++ b/etc/inc/system.inc
@@ -1125,8 +1125,27 @@ EOD;
// Harden SSL a bit for PCI conformance testing
$lighty_config .= "ssl.use-sslv2 = \"disable\"\n";
- $lighty_config .= "ssl.honor-cipher-order = \"enable\"\n";
- $lighty_config .= "ssl.cipher-list = \"ECDHE-RSA-AES256-SHA384:AES256-SHA256:RC4-SHA:RC4:HIGH:!MD5:!aNULL:!EDH:!AESGCM\"\n";
+
+ /* Hifn accelerators do NOT work with the BEAST mitigation code. Do not allow it to be enabled if a Hifn card has been detected. */
+ $fd = @fopen("{$g['varlog_path']}/dmesg.boot", "r");
+ if ($fd) {
+ while (!feof($fd)) {
+ $dmesgl = fgets($fd);
+ if (preg_match("/^hifn.: (.*?),/", $dmesgl, $matches) && isset($config['system']['webgui']['beast_protection'])) {
+ unset($config['system']['webgui']['beast_protection']);
+ log_error("BEAST Protection disabled because a conflicting cryptographic accelerator card has been detected (" . $matches[1] . ")");
+ break;
+ }
+ }
+ fclose($fd);
+ }
+
+ if (isset($config['system']['webgui']['beast_protection'])) {
+ $lighty_config .= "ssl.honor-cipher-order = \"enable\"\n";
+ $lighty_config .= "ssl.cipher-list = \"ECDHE-RSA-AES256-SHA384:AES256-SHA256:RC4-SHA:RC4:HIGH:!MD5:!aNULL:!EDH:!AESGCM\"\n";
+ } else {
+ $lighty_config .= "ssl.cipher-list = \"DHE-RSA-CAMELLIA256-SHA:DHE-DSS-CAMELLIA256-SHA:CAMELLIA256-SHA:DHE-DSS-AES256-SHA:AES256-SHA:DHE-RSA-CAMELLIA128-SHA:DHE-DSS-CAMELLIA128-SHA:CAMELLIA128-SHA:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA:AES128-SHA:RC4-SHA:RC4-MD5:!aNULL:!eNULL:!3DES:@STRENGTH\"\n";
+ }
if(!(empty($ca) || (strlen(trim($ca)) == 0)))
$lighty_config .= "ssl.ca-file = \"{$g['varetc_path']}/{$ca_location}\"\n\n";
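Review bot: The `isset($config['system']['webgui']['beast_protection'])` test on the `preg_match` line is evaluated inside the per-line loop, so dmesg.boot is opened and read to the end on every config regeneration even when the option is off, which this commit makes the default; moving that test around the `fopen` skips the file read in the common case and also lets the loop terminate on `fgets` returning `false` instead of polling `feof`. The pattern `^hifn.:` matches any single character before the colon; `^hifn\d:` is presumably the intended unit-number match, but confirm against the driver's attach message. Separately, the `else` branch drops `ssl.honor-cipher-order`, so in the default configuration cipher preference is left to the client and the fallback list still admits `RC4-MD5`; unless honor-cipher-order is itself part of what conflicts with Hifn (not visible here), keeping that line in both branches would be a low-risk hardening. Note that the `unset` only alters the in-memory `$config`, so the GUI checkbox presumably stays checked while the log reports the protection disabled on each regeneration. The enclosing function starts and ends outside the hunk.
```php
// … unchanged: ssl.use-sslv2 line …
/* Hifn accelerators do NOT work with the BEAST mitigation code. Do not allow it to be enabled if a Hifn card has been detected. */
if (isset($config['system']['webgui']['beast_protection'])) {
	$fd = @fopen("{$g['varlog_path']}/dmesg.boot", "r");
	if ($fd) {
		while (($dmesgl = fgets($fd)) !== false) {
			if (preg_match("/^hifn\d: (.*?),/", $dmesgl, $matches)) {
				unset($config['system']['webgui']['beast_protection']);
				log_error("BEAST Protection disabled because a conflicting cryptographic accelerator card has been detected (" . $matches[1] . ")");
				break;
			}
		}
		fclose($fd);
	}
}
// … unchanged: cipher-list selection on beast_protection, ssl.ca-file …
```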