-rw-r--r-- | etc/inc/system.inc | 23 | ||||
-rw-r--r-- | usr/local/www/system_advanced_admin.php | 37 |
2 files changed, 58 insertions, 2 deletions
diff --git a/etc/inc/system.inc b/etc/inc/system.inc
index 876dba6..b2ba9f0 100644
--- a/etc/inc/system.inc
+++ b/etc/inc/system.inc
@@ -1184,8 +1184,27 @@ EOD;
 // Harden SSL a bit for PCI conformance testing
 $lighty_config .= "ssl.use-sslv2 = \"disable\"\n";
- $lighty_config .= "ssl.honor-cipher-order = \"enable\"\n";
- $lighty_config .= "ssl.cipher-list = \"ECDHE-RSA-AES256-SHA384:AES256-SHA256:RC4-SHA:RC4:HIGH:!MD5:!aNULL:!EDH:!AESGCM\"\n";
+
+ /* Hifn accelerators do NOT work with the BEAST mitigation code. Do not allow it to be enabled if a Hifn card has been detected. */
+ $fd = @fopen("{$g['varlog_path']}/dmesg.boot", "r");
+ if ($fd) {
+ while (!feof($fd)) {
+ $dmesgl = fgets($fd);
+ if (preg_match("/^hifn.: (.*?),/", $dmesgl, $matches) && isset($config['system']['webgui']['beast_protection'])) {
+ unset($config['system']['webgui']['beast_protection']);
+ log_error("BEAST Protection disabled because a conflicting cryptographic accelerator card has been detected (" . $matches[1] . ")");
+ break;
+ }
+ }
+ fclose($fd);
+ }
+
+ if (isset($config['system']['webgui']['beast_protection'])) {
+ $lighty_config .= "ssl.honor-cipher-order = \"enable\"\n";
+ $lighty_config .= "ssl.cipher-list = \"ECDHE-RSA-AES256-SHA384:AES256-SHA256:RC4-SHA:RC4:HIGH:!MD5:!aNULL:!EDH:!AESGCM\"\n";
+ } else {
+ $lighty_config .= "ssl.cipher-list = \"DHE-RSA-CAMELLIA256-SHA:DHE-DSS-CAMELLIA256-SHA:CAMELLIA256-SHA:DHE-DSS-AES256-SHA:AES256-SHA:DHE-RSA-CAMELLIA128-SHA:DHE-DSS-CAMELLIA128-SHA:CAMELLIA128-SHA:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA:AES128-SHA:RC4-SHA:RC4-MD5:!aNULL:!eNULL:!3DES:@STRENGTH\"\n";
+ }
 if(!(empty($ca) || (strlen(trim($ca)) == 0)))
 $lighty_config .= "ssl.ca-file = \"{$g['varetc_path']}/{$ca_location}\"\n\n";
diff --git a/usr/local/www/system_advanced_admin.php b/usr/local/www/system_advanced_admin.php
index 3c55a86..2f20610 100644
--- a/usr/local/www/system_advanced_admin.php
+++ b/usr/local/www/system_advanced_admin.php
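Review bot: The `else` branch (BEAST protection off) emits only `ssl.cipher-list` and drops the `ssl.honor-cipher-order = "enable"` line that the old code always set, so the `@STRENGTH` sort is advisory and any client may negotiate the weakest offered suite, which in that list is `RC4-MD5`. Hoist `$lighty_config .= "ssl.honor-cipher-order = \"enable\"\n";` above the `if (isset($config['system']['webgui']['beast_protection']))` so both branches enforce server preference, and consider appending `:!MD5` (or dropping `RC4-MD5`) from the non-BEAST list, since the BEAST list already excludes MD5. Note also that the BEAST list's preference for RC4 is the mitigation of its era; if the lighttpd/OpenSSL build in use can negotiate TLS 1.1+, a comment recording that trade-off would help the next maintainer decide when to retire it. The Hifn scan only unsets the flag in memory, so the stored config keeps the value and the log line repeats on every web server restart; that is presumably intended but worth a comment. The enclosing function that builds `$lighty_config` starts and ends outside this hunk.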
@@ -58,6 +58,7 @@ $pconfig['disableconsolemenu'] = isset($config['system']['disableconsolemenu']);
 $pconfig['noantilockout'] = isset($config['system']['webgui']['noantilockout']);
 $pconfig['nodnsrebindcheck'] = isset($config['system']['webgui']['nodnsrebindcheck']);
 $pconfig['nohttpreferercheck'] = isset($config['system']['webgui']['nohttpreferercheck']);
+$pconfig['beast_protection'] = isset($config['system']['webgui']['beast_protection']);
 $pconfig['noautocomplete'] = isset($config['system']['webgui']['noautocomplete']);
 $pconfig['althostnames'] = $config['system']['webgui']['althostnames'];
 $pconfig['enableserial'] = $config['system']['enableserial'];
@@ -166,6 +167,11 @@ if ($_POST) {
 else
 unset($config['system']['webgui']['nohttpreferercheck']);
+ if ($_POST['beast_protection'] == "yes")
+ $config['system']['webgui']['beast_protection'] = true;
+ else
+ unset($config['system']['webgui']['beast_protection']);
+
 if ($_POST['noautocomplete'] == "yes")
 $config['system']['webgui']['noautocomplete'] = true;
 else
@@ -239,6 +245,21 @@ if ($_POST) {
 }
 }
+unset($hwcrypto);
+$fd = @fopen("{$g['varlog_path']}/dmesg.boot", "r");
+if ($fd) {
+ while (!feof($fd)) {
+ $dmesgl = fgets($fd);
+ if (preg_match("/^hifn.: (.*?),/", $dmesgl, $matches)) {
+ unset($pconfig['beast_protection']);
+ $disable_beast_option = "disabled";
+ $hwcrypto = $matches[1];
+ break;
+ }
+ }
+ fclose($fd);
+}
+
 $pgtitle = array(gettext("System"),gettext("Advanced: Admin Access"));
 include("head.inc");
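Review bot: The POST handler in the second hunk stores `beast_protection` whenever the field is `"yes"`, but the Hifn detection that is meant to block it runs in the third hunk after the `if ($_POST)` block and only affects the rendered checkbox, so a stale or hand-crafted POST still persists the flag in the config and system.inc then strips it at runtime on every restart. Move the dmesg scan above the `if ($_POST)` block and guard the write with `if ($_POST['beast_protection'] == "yes" && !isset($hwcrypto))`. On the no-Hifn path `$disable_beast_option` is never initialised yet is echoed into the form later, so add `$disable_beast_option = "";` next to `unset($hwcrypto);`. The scan duplicates the regex and loop already added to system.inc; a single helper there returning the detected device name would keep `/^hifn.: (.*?),/` in one place. The `if ($_POST)` block and the surrounding page script start and end outside these hunks.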
@@ -451,6 +472,22 @@ function prot_change() {
 </td>
 </tr>
 <tr>
+ <td width="22%" valign="top" class="vncell"><?=gettext("BEAST Attack Protection"); ?></td>
+ <td width="78%" class="vtable">
+ <input name="beast_protection" type="checkbox" id="beast_protection" value="yes" <?php if ($pconfig['beast_protection']) echo "checked=\"checked\""; ?> <?= $disable_beast_option ?>/>
+ <strong><?=gettext("Mitigate the BEAST SSL Attack"); ?></strong>
+ <br/>
+ <?php echo gettext("When this is checked, the webConfigurator can mitigate BEAST SSL attacks. ") ?>
+ <br/>
+ <?php if ($disable_beast_option) {
+ echo "<br/>" . sprintf(gettext("This option has been automatically disabled because a conflicting cryptographic accelerator card has been detected (%s)."), $hwcrypto) . "<br/><br/>";
+ } ?>
+ <?php echo gettext("This option is off by default because Hifn accelerators do NOT work with this option, and the GUI will not function. " .
+ "It is possible that other accelerators have a similar problem that is not yet known/documented. " .
+ "More information on BEAST is available from <a target='_blank' href='https://en.wikipedia.org/wiki/Transport_Layer_Security#BEAST_attack'>Wikipedia</a>."); ?>
+ </td>
+ </tr>
+ <tr>
 <td colspan="2" class="list" height="12"> </td>
 </tr>
 <tr>
|
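Review bot: `$hwcrypto` is interpolated into the page through `sprintf(...)` without escaping; it is taken from a dmesg.boot line rather than from a request, so the exposure is low, but the page should still emit `htmlspecialchars($hwcrypto)` so that the rule of escaping everything that reaches HTML holds regardless of where the text came from. The `<?= $disable_beast_option ?>` attribute and the `if ($disable_beast_option)` test read a variable that is only assigned when a Hifn card is found, so on other hosts this relies on an undefined variable evaluating as empty. The final `gettext(...)` call is handed a three-part concatenation, which means the translatable msgid is the joined string and a string extractor that does not fold concatenations may miss it; one `gettext()` per sentence would be safer. The table and form that enclose this row start and end outside the hunk.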