
#!/bin/bash
# Author by JKO Email: jonathan@kosar.email
# This script tool enables DHE ("DHEC" below) for SSL on Nginx by generating
# Diffie-Hellman group parameters with openssl dhparam (finite-field DH parameters,
# not an EC key) and pointing nginx-ssl.conf at them.
# A user can also add a more hardened SSL cipher suite.
# Otherwise default 2048-bit DH parameters are generated and added to nginx-ssl.conf.
# No suite or protocols are changed. Only in hardened mode they are changed.
# But only clients that support the suites will be able to connect, please remember that.
# http://www.roushtech.net/2014/04/01/100-qualys-ssl-test-a/
# See usage command for more.
# Sidenote: -h -b 2048 will produce a hardened settings with 2048 bit key.
source /etc/mailinabox.conf # load global vars; STORAGE_ROOT (used below) presumably comes from here
source setup/functions.sh #functions (apt_install); relative path, so run this from the mailinabox checkout root
apt_install openssl
# Defaults; -c, -b and -p override these from the command line.
nginx_ssl_conf=/etc/nginx/nginx-ssl.conf
DEFAULT_BIT_SIZE=2048
isHardened="false"
# Cipher string applied only in hardened (-h) mode. The trailing ';' is part of the nginx directive.
# NOTE(review): "SH+AES256" is not a known OpenSSL cipher alias (DH+AES256 was probably meant),
# and "!kEDH" drops the ephemeral-DH suites, which are the only suites that would use the
# generated ssl_dhparam file -- verify with `openssl ciphers -v '<string>'` before relying on it.
hardened_ciphers="'ECDH+AESGCM256:DH+AESGCM256:ECDH+AES256:SH+AES256:RSA+AESGCM256:RSA+AES256:!aNULL:!MD5:!kEDH';"
hardened_protocol="TLSv1.2;"
# Where the DH parameters are written (and what ssl_dhparam will point at) unless -p overrides it.
DHEC_path=$STORAGE_ROOT/ssl/dhparam.pem
# Functions
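# Escape a string for the replacement side of a sed "s|..|..|" expression.
# Backslash, '&' (whole-match reference) and our '|' delimiter are special there;
# the directive values come from the command line (-p/-c), so they must be neutralised.
_sed_repl_escape()
{
  local s=$1
  s=${s//\\/\\\\}
  s=${s//&/\\&}
  s=${s//|/\\|}
  printf '%s' "$s"
}
# Set an nginx directive in a config file.
#   $1 - config file to edit in place
#   $2 - directive name (e.g. ssl_dhparam)
#   $3 - directive value, including the trailing ';'
#   $4 - comment line written above the new directive
# The last line mentioning the directive (commented or not) is commented out and
# followed by the comment and the new "directive value" line. If the directive is
# absent the two lines are appended; the previous version commented out whatever
# happened to be the last line of the file in that case.
update_config()
{
  local conf_file=$1 directive=$2 value=$3 comment=$4
  local line_num
  line_num=$(grep -n -- "$directive" "$conf_file" | tail -n1 | sed 's/:.*//')
  if [ -z "$line_num" ]; then
    printf '%s\n%s %s\n' "$comment" "$directive" "$value" >> "$conf_file"
    return
  fi
  local esc_comment esc_directive esc_value
  esc_comment=$(_sed_repl_escape "$comment")
  esc_directive=$(_sed_repl_escape "$directive")
  esc_value=$(_sed_repl_escape "$value")
  # "#?(.*)" strips at most one leading '#' so an already-commented line is not doubled.
  sed -i -r "${line_num}s|#?(.*)|#\1\n${esc_comment}\n${esc_directive} ${esc_value}|" "$conf_file"
}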
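# Print $1 in green followed by a newline.
# The message is passed as a printf argument (not expanded into the format string
# and not left unquoted), so it is never word-split, globbed or re-interpreted for
# backslash escapes the way the old unquoted "echo -e" call did.
ok()
{
  printf '\033[32m%s\033[m\n' "$1"
}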
# Usage info
# Print the usage text to stdout and exit with status 1.
# Note that -h means "hardened mode" here, not "help".
usage()
{
  local prog=${0##*/}
  printf '%s\n' \
    "Usage: $prog [-h] [-b BIT_SIZE] [-p DIR_DHEC_KEY] [-c DIR_NGINX_SSL]" \
    "This script generates and enables DHEC for Nginx. Defaulted to 2048 key." \
    "Hardened mode will generate 4096 key and the following cipher suites:" \
    "'ECDH+AESGCM256:DH+AESGCM256:ECDH+AES256:SH+AES256:RSA+AESGCM256:RSA+AES256:!aNULL:!MD5:!kEDH'" \
    "-h Enable hardened ciphers and 4096 bit key." \
    "-b Specify the bit size to generate which will override any other default." \
    "-p Specify dir to generate the DHEC key." \
    "-c Specify dir nginx ssl conf is."
  exit 1
}
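# Parse the command line into the script-level variables BIT_SIZE, isHardened,
# DHEC_path and nginx_ssl_conf. The assignments are deliberately not 'local' so
# the rest of the script sees them.
#   -b SIZE  DH parameter size in bits (must be a plain integer)
#   -h       hardened mode (4096-bit parameters unless -b says otherwise)
#   -p PATH  where to write / read the DH parameters
#   -c PATH  nginx SSL config file to edit
# An explicit -b always wins over the hardened default, regardless of the order
# of -b and -h (previously "-b 2048 -h" silently ended up at 4096).
parse_args()
{
  local opt
  while getopts "hb:c:p:" opt ; do
    case "${opt}" in
      b)
        [ -n "${OPTARG}" ] || usage
        BIT_SIZE=${OPTARG}
        ;;
      h)
        # Only flip the mode here; the size is resolved after the loop.
        isHardened=true
        ;;
      p)
        [ -n "${OPTARG}" ] || usage
        DHEC_path=${OPTARG}
        ;;
      c)
        [ -n "${OPTARG}" ] || usage
        nginx_ssl_conf=${OPTARG}
        ;;
      *)
        usage
        ;;
    esac
  done
  if [ -z "${BIT_SIZE}" ]; then
    if [ "${isHardened}" = "true" ]; then
      BIT_SIZE=4096
    else
      BIT_SIZE=$DEFAULT_BIT_SIZE
    fi
  fi
  # The size is handed straight to openssl dhparam; refuse anything but an integer.
  if ! [[ "${BIT_SIZE}" =~ ^[0-9]+$ ]]; then
    printf 'Invalid bit size: %s\n' "${BIT_SIZE}" >&2
    usage
  fi
  # Small DH groups are considered weak; generation still proceeds, but say so.
  if [ "${BIT_SIZE}" -lt 2048 ]; then
    printf 'Warning: DH parameters below 2048 bits are considered weak.\n' >&2
  fi
}
parse_args "$@"
shift $((OPTIND-1))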
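ok " It might take a while, grab a coffee!"
if [ ! -f "${DHEC_path}" ]; then
  # openssl dhparam produces finite-field DH group parameters (a safe prime),
  # not an EC key, despite the "DHEC" naming. Equivalent to:
  #   openssl dhparam -outform pem -out dhparam.pem 2048
  #   openssl dhparam -outform pem -out dhparam.pem 4096
  # Abort if generation fails so nginx is never pointed at a missing or truncated file.
  if ! openssl dhparam -outform pem -out "${DHEC_path}" "${BIT_SIZE}"; then
    printf 'openssl dhparam failed; leaving the nginx configuration untouched.\n' >&2
    exit 1
  fi
else
  # An existing file is reused as-is, so a different -b has no effect here.
  printf 'Reusing existing DH parameters at %s (-b ignored).\n' "${DHEC_path}" >&2
fi
update_config "${nginx_ssl_conf}" ssl_dhparam "${DHEC_path};" "#Path to DHEC key"
if [ "${isHardened}" = "true" ]; then
  update_config "${nginx_ssl_conf}" ssl_ciphers "${hardened_ciphers}" "#Hardened SSL Ciphers DHEC"
  update_config "${nginx_ssl_conf}" ssl_protocols "${hardened_protocol}" "#Hardened SSL Protocol"
fi
# Validate the edited configuration before reloading so a bad edit (e.g. a cipher
# string nginx/OpenSSL rejects) does not take the running server down.
if nginx -t; then
  service nginx reload
else
  printf 'nginx -t rejected the new configuration; not reloading.\n' >&2
  exit 1
fi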