mailinabox/tools/ssl_dhec.sh


#!/bin/bash
# Author: JKO (jonathan@kosar.email)
# This script tool enables DHEC for SSL on Nginx.
# A user can also add a more hardened SSL cipher suite.
# Otherwise a default 2048-bit EC key is generated and added to nginx-ssl.conf.
# Cipher suites and protocols are left unchanged unless hardened mode is used.
# Remember that in hardened mode only clients supporting those suites will be able to connect.
# http://www.roushtech.net/2014/04/01/100-qualys-ssl-test-a/
# See usage command for more.
# Sidenote: -h -b 2048 will produce a hardened settings with 2048 bit key.
source /etc/mailinabox.conf # load global vars (STORAGE_ROOT is used below)
# Relative path: the script expects to be run from the mailinabox checkout root.
source setup/functions.sh # helper functions (apt_install is expected from here)
apt_install openssl

# Nginx SSL snippet that receives the ssl_dhparam directive (and, in hardened
# mode, ssl_ciphers/ssl_protocols); overridable with -c.
nginx_ssl_conf="/etc/nginx/nginx-ssl.conf"
# Parameter size used when neither -b nor -h is given.
DEFAULT_BIT_SIZE=2048
isHardened="false"
# Written verbatim as directive arguments, hence the trailing ';'.
# NOTE(review): 'SH+AES256' is not an OpenSSL cipher alias I recognise
# (DH+AES256?), and '!kEDH' excludes the ephemeral-DH suites, which are the
# ones that use ssl_dhparam at all — confirm with `openssl ciphers -v`.
hardened_ciphers="'ECDH+AESGCM256:DH+AESGCM256:ECDH+AES256:SH+AES256:RSA+AESGCM256:RSA+AES256:!aNULL:!MD5:!kEDH';"
hardened_protocol="TLSv1.2;"
# Where the DH parameter file is read from / written to; overridable with -p.
DHEC_path="${STORAGE_ROOT}/ssl/dhparam.pem"
# Functions
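#######################################
# Set a directive in an nginx config file, keeping the previous line as a comment.
# The last line containing the directive name is commented out and followed by
# a comment line plus the new directive. If the name is absent, both lines are
# appended to the file instead; the existing last line is left untouched
# (previously it was commented out, disabling an unrelated directive).
# Arguments:
#   $1 - config file, edited in place
#   $2 - directive name, matched as a literal string (not a regex)
#   $3 - directive value, including the trailing ';'
#   $4 - comment line written above the new directive
# Returns: 1 if $1 is not a regular file; otherwise sed/printf status.
#######################################
update_config()
{
  local file=$1 directive=$2 value=$3 comment=$4
  local match line_num
  if [ ! -f "$file" ]; then
    printf 'update_config: %s: no such file\n' "$file" >&2
    return 1
  fi
  match=$(grep -n -F -- "$directive" "$file" | tail -n1)
  line_num=${match%%:*}
  if [ -z "$line_num" ]; then
    # Directive not present yet: append rather than rewriting the last line.
    printf '%s\n' "$comment" "$directive $value" >> "$file"
    return
  fi
  # Escape '\', '&' and the '|' delimiter so paths and cipher strings are
  # inserted literally into the sed replacement.
  local esc_comment esc_directive esc_value
  esc_comment=$(printf '%s' "$comment" | sed -e 's/[\\&|]/\\&/g')
  esc_directive=$(printf '%s' "$directive" | sed -e 's/[\\&|]/\\&/g')
  esc_value=$(printf '%s' "$value" | sed -e 's/[\\&|]/\\&/g')
  sed -i -r "${line_num} s|#?(.*)|#\1\n${esc_comment}\n${esc_directive} ${esc_value}|" "$file"
}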
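#######################################
# Print a message in green (ANSI SGR 32) on stdout.
# Arguments: $1 - message, printed verbatim; leading/repeated spaces are
#            preserved and a value such as '-n' is not taken as an option.
#######################################
ok()
{
  printf '\e[32m%s\e[m\n' "$1"
}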
# Usage info
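#######################################
# Print usage to stderr and exit with status 1.
# Called on any invalid or missing option argument, so the text goes to
# stderr and does not mix with normal output.
#######################################
usage()
{
cat >&2 << EOF
Usage: ${0##*/} [-h] [-b BIT_SIZE] [-p DIR_DHEC_KEY] [-c DIR_NGINX_SSL]
This script generates and enables DHEC for Nginx. Defaulted to 2048 key.
Hardened mode will generate 4096 key and the following cipher suites:
'ECDH+AESGCM256:DH+AESGCM256:ECDH+AES256:SH+AES256:RSA+AESGCM256:RSA+AES256:!aNULL:!MD5:!kEDH'
-h Enable hardened ciphers and 4096 bit key.
-b Specify the bit size to generate which will override any other default.
-p Specify dir to generate the DHEC key.
-c Specify dir nginx ssl conf is.
EOF
exit 1
}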
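# Option parsing. -b always takes precedence over the hardened default,
# regardless of the order it appears in (previously -h after -b reset it to 4096).
while getopts "hb:c:p:" opt ; do
  case "${opt}" in
    b)
      # Passed straight to openssl dhparam, so it must be a positive integer.
      [[ "${OPTARG}" =~ ^[1-9][0-9]*$ ]] || usage
      BIT_SIZE=${OPTARG}
      ;;
    h)
      # Only flag the mode here; the size is resolved after the loop.
      isHardened=true
      ;;
    p)
      [[ -n "${OPTARG}" ]] || usage
      DHEC_path=${OPTARG}
      ;;
    c)
      [[ -n "${OPTARG}" ]] || usage
      nginx_ssl_conf=${OPTARG}
      ;;
    *)
      usage
      ;;
  esac
done
shift $((OPTIND-1))
# Resolve the parameter size: explicit -b wins, then 4096 for hardened mode,
# then the script default.
if [[ -z "${BIT_SIZE}" && "${isHardened}" == "true" ]]; then
  BIT_SIZE=4096
elif [[ -z "${BIT_SIZE}" ]]; then
  BIT_SIZE=$DEFAULT_BIT_SIZE
fi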
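ok " It might take a while, grab a coffee!"
# An existing parameter file is reused as-is (its size is not compared with
# BIT_SIZE); otherwise BIT_SIZE-bit DH parameters are generated.
if [ ! -f "$DHEC_path" ]; then
  # Stop before touching the nginx config if generation fails, so the config
  # never points at a missing parameter file.
  if ! openssl dhparam -outform pem -out "$DHEC_path" "$BIT_SIZE"; then
    printf 'Failed to generate DH parameters at %s; nginx config left unchanged.\n' "$DHEC_path" >&2
    exit 1
  fi
fi
update_config "$nginx_ssl_conf" ssl_dhparam "$DHEC_path;" "#Path to DHEC key"
if [[ "$isHardened" == "true" ]]; then
  update_config "$nginx_ssl_conf" ssl_ciphers "$hardened_ciphers" "#Hardened SSL Ciphers DHEC"
  update_config "$nginx_ssl_conf" ssl_protocols "$hardened_protocol" "#Hardened SSL Protocol"
fi
# Test the configuration before reloading so a bad cipher string or path is
# reported here with a non-zero exit rather than only in the reload's output.
if nginx -t; then
  service nginx reload
else
  printf 'nginx -t failed; not reloading. Check %s\n' "$nginx_ssl_conf" >&2
  exit 1
fi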