Merge 5caa176291 into 18f1689f45

2025-10-30 18:50:53 +00:00 · 2017-05-29 00:10:31 +00:00 · 2017-05-29 00:10:31 +00:00 · cc805e01ac
commit cc805e01ac
parent 18f1689f45 5caa176291
1 changed files with 110 additions and 0 deletions
--- a/tools/ssl_dhec.sh
+++ b/tools/ssl_dhec.sh
@ -0,0 +1,110 @@
+#!/bin/bash
+
+# Author by JKO Email: jonathan@kosar.email
+# This script tool enables DHEC for SSL on Nginx. 
+# A user can also add a more hardened SSL cipher suite. 
+# Otherwise a default 2048 EC key is generated and added to nginx-ssl.conf.  
+# No suite or protocols are changed. Only in hardened mode they are changed.
+# But only clients that support the suites will be able to connect, please remember that.
+# http://www.roushtech.net/2014/04/01/100-qualys-ssl-test-a/
+# See usage command for more.
+# Sidenote: -h -b 2048 will produce a hardened settings with 2048 bit key.
+
+source /etc/mailinabox.conf # load global vars
+source setup/functions.sh #functions
+ 
+apt_install openssl
+
+nginx_ssl_conf=/etc/nginx/nginx-ssl.conf
+DEFAULT_BIT_SIZE=2048 
+isHardened="false"
+hardened_ciphers="'ECDH+AESGCM256:DH+AESGCM256:ECDH+AES256:SH+AES256:RSA+AESGCM256:RSA+AES256:!aNULL:!MD5:!kEDH';"
+hardened_protocol="TLSv1.2;"
+
+DHEC_path=$STORAGE_ROOT/ssl/dhparam.pem
+
+# Functions
+update_config() 
+{
+	lineNUM=$(grep -n "$2" $1 | tail -n1 | sed 's/:.*//')
+	[ "$lineNUM" ] || lineNUM="$"
+	sed -i -r "$lineNUM s|#?(.*)|#\1\n$4\n$2 $3|" "$1"
+} 
+
+ok() 
+{ 
+	echo -e '\e[32m'$1'\e[m'; 
+}
+
+
+# Usage info
+usage()
+{
+    cat << EOF
+    Usage: ${0##*/} [-h] [-b BIT_SIZE] [-p DIR_DHEC_KEY]  [-c DIR_NGINX_SSL]
+    This script generates and enables DHEC for Nginx.  Defaulted to 2048 key.
+    Hardened mode will generate 4096 key and the following cipher suites:
+    'ECDH+AESGCM256:DH+AESGCM256:ECDH+AES256:SH+AES256:RSA+AESGCM256:RSA+AES256:!aNULL:!MD5:!kEDH'
+    
+    -h          Enable hardened ciphers and 4096 bit key.
+    -b          Specify the bit size to generate which will override any other default.
+    -p          Specify dir to generate the DHEC key.
+    -c          Specify dir nginx ssl conf is. 
+EOF
+    exit 1
+}  
+
+while getopts "hb:c:p:" opt ; do
+    case "${opt}" in
+        b)
+            BIT_SIZE=${OPTARG}
+            if [ -z "${OPTARG}" ]; then
+               usage
+            fi
+            ;;
+        h)
+            isHardened=true
+            BIT_SIZE=4096 
+            ;;
+ 	p)
+            DHEC_path=${OPTARG}
+	    if [ -z "${OPTARG}" ]; then
+               usage
+            fi
+            ;;
+    	c)
+            nginx_ssl_conf=${OPTARG}
+            if [ -z "${OPTARG}" ]; then
+               usage
+            fi
+            ;;
+        *)
+            usage
+            ;;
+    esac
+done
+shift $((OPTIND-1))
+
+if [ -z "${BIT_SIZE}" -a "true" == ${isHardened} ]; then
+    BIT_SIZE=4096
+elif [ -z "${BIT_SIZE}" ]; then
+    BIT_SIZE=$DEFAULT_BIT_SIZE
+fi
+
+ok "❯❯❯ It might take a while, grab a coffee!"
+
+if [ ! -f $DHEC_path ]; then
+  # Generate a 4096 bit random parameter for DH elliptic curves.
+  # Generated by OpenSSL with the following command:
+  #   openssl dhparam -outform pem -out dhparam.pem 2048
+  #   openssl dhparam -outform pem -out dhparam.pem 4096
+  openssl dhparam -outform pem -out $DHEC_path $BIT_SIZE
+fi
+        update_config $nginx_ssl_conf ssl_dhparam $DHEC_path';' "#Path to DHEC key"      
+
+if [ $isHardened == "true" ]; then
+	update_config $nginx_ssl_conf ssl_ciphers $hardened_ciphers "#Hardened SSL Ciphers DHEC" 
+        update_config $nginx_ssl_conf ssl_protocols $hardened_protocol "#Hardened SSL Protocol"  
+fi
+
+service nginx reload