From 2c295bcafd8e00a8f6a33a8b9d827a7aeacedbb5 Mon Sep 17 00:00:00 2001
From: Joshua Tauberer
Date: Fri, 23 Apr 2021 17:02:31 -0400
Subject: [PATCH] Upgrade the Roundcube persistent login cookie encryption to AES-256-CBC and increase the key length accordingly

This change will force everyone to be logged out of Roundcube since the encryption key and cipher won't match anyone's already-set cookie, but this happens anyway after every Mail-in-a-Box update since we generate a new key each time already.

Fixes #1968.
---
 CHANGELOG.md | 1 +
 setup/webmail.sh | 8 +++++---
 2 files changed, 6 insertions(+), 3 deletions(-)

diff --git a/CHANGELOG.md b/CHANGELOG.md
index 80988981..1efe77d1 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -5,6 +5,7 @@ In Development
 --------------
 * Migrate to the ECDSAP256SHA256 DNSSEC algorithm. If a DS record is set for any of your domain names that have DNS hosted on your box, you will be prompted by status checks to update the DS record.
+* Roundcube's login cookie is updated to use a new encryption algorithm (AES-256-CBC instead of DES-EDE-CBC).
 v0.53 (April 12, 2021)
 ----------------------
diff --git a/setup/webmail.sh b/setup/webmail.sh
index 912bd5e5..98e12d1a 100755
--- a/setup/webmail.sh
+++ b/setup/webmail.sh
@@ -91,8 +91,9 @@ fi
 # ### Configuring Roundcube
-# Generate a safe 24-character secret key of safe characters.
-SECRET_KEY=$(dd if=/dev/urandom bs=1 count=18 2>/dev/null | base64 | fold -w 24 | head -n 1)
+# Generate a secret key of PHP-string-safe characters appropriate
+# for the cipher algorithm selected below.
+SECRET_KEY=$(dd if=/dev/urandom bs=1 count=32 2>/dev/null | base64 | sed s/=//g)
 # Create a configuration file.
 #
@@ -126,7 +127,8 @@ cat > $RCM_CONFIG < ~256 bits for AES-256, see above
 \$config['plugins'] = array('html5_notifier', 'archive', 'zipdownload', 'password', 'managesieve', 'jqueryui', 'persistent_login', 'carddav');
 \$config['skin'] = 'elastic';
 \$config['login_autocomplete'] = 2;
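Review bot: The key-size claim does not line up with what the new `SECRET_KEY` pipeline produces: 32 random bytes base64-encode to 44 characters and stripping the single `=` leaves 43, so `des_key` becomes a 43-character string rather than a 32-byte key. If Roundcube hands `des_key` straight to `openssl_encrypt()`, which truncates or pads the passphrase to the cipher's key size, only the first 32 characters are used, i.e. 6 bits per base64 character ≈ 192 bits of entropy rather than the "~256 bits for AES-256" the comment in the second hunk states — worth confirming against the shipped Roundcube version and wording the comment accordingly. Because `dd`'s stderr is discarded and the pipeline has no `pipefail`, a failed read from `/dev/urandom` would silently yield an empty key that is then written into the config; a one-line guard after the assignment, `[ ${#SECRET_KEY} -ge 32 ] || { echo 'failed to generate Roundcube secret key' >&2; exit 1; }`, closes that gap. I would also make the comment state the property actually relied on: `# 32 random bytes -> 43 base64 chars; the alphabet A-Za-z0-9+/ is safe inside the single-quoted PHP string written below.`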