From 5caa176291a24fda0c429bb3cde4eb0806245de4 Mon Sep 17 00:00:00 2001
From: root
Date: Sun, 21 Sep 2014 00:05:55 -0400
Subject: [PATCH] A bash tool script to allow for DHEC on Nginx. It generates a key and adds the path to the Nginx SSL conf file. It has additional mode for stricter SSL cipher suite and limiting to TLSv1.2. Also 4096 bit key can generated as well. JKO
---
 tools/ssl_dhec.sh | 110 ++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 110 insertions(+)
 create mode 100755 tools/ssl_dhec.sh
diff --git a/tools/ssl_dhec.sh b/tools/ssl_dhec.sh
new file mode 100755
index 00000000..8e115e58
--- /dev/null
+++ b/tools/ssl_dhec.sh
@@ -0,0 +1,110 @@
+#!/bin/bash
+
+# Author by JKO Email: jonathan@kosar.email
+# This script tool enables DHEC for SSL on Nginx.
+# A user can also add a more hardened SSL cipher suite.
+# Otherwise a default 2048 EC key is generated and added to nginx-ssl.conf.
+# No suite or protocols are changed. Only in hardened mode they are changed.
+# But only clients that support the suites will be able to connect, please remember that.
+# http://www.roushtech.net/2014/04/01/100-qualys-ssl-test-a/
+# See usage command for more.
+# Sidenote: -h -b 2048 will produce a hardened settings with 2048 bit key.
+
+source /etc/mailinabox.conf # load global vars
+source setup/functions.sh #functions
+
+apt_install openssl
+
+nginx_ssl_conf=/etc/nginx/nginx-ssl.conf
+DEFAULT_BIT_SIZE=2048
+isHardened="false"
+hardened_ciphers="'ECDH+AESGCM256:DH+AESGCM256:ECDH+AES256:SH+AES256:RSA+AESGCM256:RSA+AES256:!aNULL:!MD5:!kEDH';"
+hardened_protocol="TLSv1.2;"
+
+DHEC_path=$STORAGE_ROOT/ssl/dhparam.pem
+
+# Functions
+update_config()
+{
+ lineNUM=$(grep -n "$2" $1 | tail -n1 | sed 's/:.*//')
+ [ "$lineNUM" ] || lineNUM="$"
+ sed -i -r "$lineNUM s|#?(.*)|#\1\n$4\n$2 $3|" "$1"
+}
+
+ok()
+{
+ echo -e '\e[32m'$1'\e[m';
+}
+
+
+# Usage info
+usage()
+{
+ cat << EOF
+ Usage: ${0##*/} [-h] [-b BIT_SIZE] [-p DIR_DHEC_KEY] [-c DIR_NGINX_SSL]
+ This script generates and enables DHEC for Nginx. Defaulted to 2048 key.
+ Hardened mode will generate 4096 key and the following cipher suites:
+ 'ECDH+AESGCM256:DH+AESGCM256:ECDH+AES256:SH+AES256:RSA+AESGCM256:RSA+AES256:!aNULL:!MD5:!kEDH'
+
+ -h Enable hardened ciphers and 4096 bit key.
+ -b Specify the bit size to generate which will override any other default.
+ -p Specify dir to generate the DHEC key.
+ -c Specify dir nginx ssl conf is.
+EOF
+ exit 1
+}
+
+while getopts "hb:c:p:" opt ; do
+ case "${opt}" in
+ b)
+ BIT_SIZE=${OPTARG}
+ if [ -z "${OPTARG}" ]; then
+ usage
+ fi
+ ;;
+ h)
+ isHardened=true
+ BIT_SIZE=4096
+ ;;
+ p)
+ DHEC_path=${OPTARG}
+ if [ -z "${OPTARG}" ]; then
+ usage
+ fi
+ ;;
+ c)
+ nginx_ssl_conf=${OPTARG}
+ if [ -z "${OPTARG}" ]; then
+ usage
+ fi
+ ;;
+ *)
+ usage
+ ;;
+ esac
+done
+shift $((OPTIND-1))
+
+if [ -z "${BIT_SIZE}" -a "true" == ${isHardened} ]; then
+ BIT_SIZE=4096
+elif [ -z "${BIT_SIZE}" ]; then
+ BIT_SIZE=$DEFAULT_BIT_SIZE
+fi
+
+ok "❯❯❯ It might take a while, grab a coffee!"
+
+if [ ! -f $DHEC_path ]; then
+ # Generate a 4096 bit random parameter for DH elliptic curves.
+ # Generated by OpenSSL with the following command:
+ # openssl dhparam -outform pem -out dhparam.pem 2048
+ # openssl dhparam -outform pem -out dhparam.pem 4096
+ openssl dhparam -outform pem -out $DHEC_path $BIT_SIZE
+fi
+ update_config $nginx_ssl_conf ssl_dhparam $DHEC_path';' "#Path to DHEC key"
+
+if [ $isHardened == "true" ]; then
+ update_config $nginx_ssl_conf ssl_ciphers $hardened_ciphers "#Hardened SSL Ciphers DHEC"
+ update_config $nginx_ssl_conf ssl_protocols $hardened_protocol "#Hardened SSL Protocol"
+fi
+
+service nginx reload
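Review bot: The `hardened_ciphers=` assignment near the top of the new file ends with `!kEDH`, which removes every ephemeral-DH suite, so the `DH+AESGCM256`/`DH+AES256` entries are cancelled and the dhparam this script generates is never used for key exchange in hardened mode (only ECDHE and static-RSA remain, and the `RSA+…` suites have no forward secrecy). `SH+AES256` looks like a typo for `DH+AES256`, and I do not believe `AESGCM256` is an OpenSSL alias at all (`AESGCM` and `AES256` are) — OpenSSL drops unrecognised words from a cipher string without an error, so the effective list is probably much smaller than the one documented in `usage`. I would write it as `hardened_ciphers="'ECDH+AESGCM+AES256:DH+AESGCM+AES256:ECDH+AES256:DH+AES256:!aNULL:!MD5';"`, update the copy in the usage text to match, and check the expansion with `openssl ciphers -v` before the config is touched. Separately, nothing checks that `openssl dhparam` succeeded (the script does not use `set -e`), so on failure the `update_config` call below it still writes `ssl_dhparam` pointing at a file that does not exist and the `service nginx reload` at the end fails; `openssl dhparam -outform pem -out "$DHEC_path" "$BIT_SIZE" || exit 1` would stop before the config is edited.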