author | jim-p <jimp@pfsense.org> | 2013-07-18 09:30:20 -0400 |
---|---|---|
committer | jim-p <jimp@pfsense.org> | 2013-07-18 09:35:21 -0400 |
commit | dce51b017ad61f03de7df2262731ac03ea6adab8 (patch) | |
tree | 70cb5fbf5f42e81ba16a7a48559a1c7093764308 /usr | |
parent | 845adb3549515fe4b3aa19a1adb3b83421e75b57 (diff) | |
Disable the BEAST protection by default because the GUI *will* break if you use this and have a Hifn card installed. Others may break similarly. Change it into a checkbox option, off by default, and automatically disable it if a conflicting card has been detected.
Diffstat (limited to 'usr')
-rw-r--r-- | usr/local/www/system_advanced_admin.php | 37 |
1 files changed, 37 insertions, 0 deletions
diff --git a/usr/local/www/system_advanced_admin.php b/usr/local/www/system_advanced_admin.php
index 3c55a86..2f20610 100644
--- a/usr/local/www/system_advanced_admin.php
+++ b/usr/local/www/system_advanced_admin.php
@@ -58,6 +58,7 @@ $pconfig['disableconsolemenu'] = isset($config['system']['disableconsolemenu']);
 $pconfig['noantilockout'] = isset($config['system']['webgui']['noantilockout']);
 $pconfig['nodnsrebindcheck'] = isset($config['system']['webgui']['nodnsrebindcheck']);
 $pconfig['nohttpreferercheck'] = isset($config['system']['webgui']['nohttpreferercheck']);
+$pconfig['beast_protection'] = isset($config['system']['webgui']['beast_protection']);
 $pconfig['noautocomplete'] = isset($config['system']['webgui']['noautocomplete']);
 $pconfig['althostnames'] = $config['system']['webgui']['althostnames'];
 $pconfig['enableserial'] = $config['system']['enableserial'];
@@ -166,6 +167,11 @@ if ($_POST) {
 else
 unset($config['system']['webgui']['nohttpreferercheck']);
+ if ($_POST['beast_protection'] == "yes")
+ $config['system']['webgui']['beast_protection'] = true;
+ else
+ unset($config['system']['webgui']['beast_protection']);
+
 if ($_POST['noautocomplete'] == "yes")
 $config['system']['webgui']['noautocomplete'] = true;
 else
@@ -239,6 +245,21 @@ if ($_POST) {
 }
 }
+unset($hwcrypto);
+$fd = @fopen("{$g['varlog_path']}/dmesg.boot", "r");
+if ($fd) {
+ while (!feof($fd)) {
+ $dmesgl = fgets($fd);
+ if (preg_match("/^hifn.: (.*?),/", $dmesgl, $matches)) {
+ unset($pconfig['beast_protection']);
+ $disable_beast_option = "disabled";
+ $hwcrypto = $matches[1];
+ break;
+ }
+ }
+ fclose($fd);
+}
+
 $pgtitle = array(gettext("System"),gettext("Advanced: Admin Access"));
 include("head.inc");
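Review bot: The save branch at `@@ -166` stores `beast_protection` whenever the POST carries `yes`, and the Hifn check added at `@@ -239` runs only after that branch, so the hardware conflict is enforced solely by the `disabled` attribute on the checkbox. A hand-built or replayed form submission would still write the flag on a system with a Hifn card, which the commit message says breaks the GUI (unless whatever consumes the setting re-checks the hardware, which is not visible here). Consider running the dmesg.boot detection before the `if ($_POST)` block and gating the write, e.g. `if ($_POST['beast_protection'] == "yes" && empty($disable_beast_option))`. The enclosing `if ($_POST)` block starts and ends outside the hunk.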
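Review bot: In the `@@ -239` hunk `$disable_beast_option` is assigned only inside the match branch, so on systems without a Hifn card the template later reads an undefined variable in `<?= $disable_beast_option ?>` and `if ($disable_beast_option)`; initialise it next to the unset, e.g. `$disable_beast_option = "";`. The `@fopen` also hides a missing or unreadable dmesg.boot, in which case detection is skipped silently and the option stays selectable. The pattern `/^hifn.: (.*?),/` accepts exactly one character for the unit number; if that is intentional, a short comment saying so would help the next reader.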
@@ -451,6 +472,22 @@ function prot_change() {
 </td>
 </tr>
 <tr>
+ <td width="22%" valign="top" class="vncell"><?=gettext("BEAST Attack Protection"); ?></td>
+ <td width="78%" class="vtable">
+ <input name="beast_protection" type="checkbox" id="beast_protection" value="yes" <?php if ($pconfig['beast_protection']) echo "checked=\"checked\""; ?> <?= $disable_beast_option ?>/>
+ <strong><?=gettext("Mitigate the BEAST SSL Attack"); ?></strong>
+ <br/>
+ <?php echo gettext("When this is checked, the webConfigurator can mitigate BEAST SSL attacks. ") ?>
+ <br/>
+ <?php if ($disable_beast_option) {
+ echo "<br/>" . sprintf(gettext("This option has been automatically disabled because a conflicting cryptographic accelerator card has been detected (%s)."), $hwcrypto) . "<br/><br/>";
+ } ?>
+ <?php echo gettext("This option is off by default because Hifn accelerators do NOT work with this option, and the GUI will not function. " .
+ "It is possible that other accelerators have a similar problem that is not yet known/documented. " .
+ "More information on BEAST is available from <a target='_blank' href='https://en.wikipedia.org/wiki/Transport_Layer_Security#BEAST_attack'>Wikipedia</a>."); ?>
+ </td>
+ </tr>
+ <tr>
 <td colspan="2" class="list" height="12"> </td>
 </tr>
 <tr> |
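Review bot: `$hwcrypto` is captured from a dmesg.boot line and reaches the page through `sprintf` in the `echo "<br/>" . sprintf(...)` line without HTML encoding. The value is a kernel device description and not normally influenced from outside, but encoding at the point of output keeps the page well-formed if the log content is ever unexpected: pass `htmlspecialchars($hwcrypto)` as the sprintf argument. The surrounding table starts and ends outside the hunk.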