
Commit 6d1dfa1

Change 3DES naming to SWEET32 to represent the security flaw
1 parent f4f49bb commit 6d1dfa1

5 files changed

Lines changed: 17 additions & 17 deletions


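--- a/nginx/README.md
+++ b/nginx/README.md
@@ -74,7 +74,7 @@ WEB_HTTPS_ONLY | Whether to redirect all HTTP traffic to HTTPS | true/false
 WEB_RESOLVER | DNS resolver for proxy_pass and ssl_stapling_verify | ip address |
 WEB_REVERSE_PROXIED | Whether to interpret X-Forwarded-Proto as the $custom_scheme and $custom_https emulation. | true/false | true
 WEB_SSL_CIPHERS | The enabled SSL/TLS server ciphers | the format understood by the OpenSSL library | ECDH+ECDSA+AESGCM:ECDH+aRSA+AESGCM:DH+AESGCM:ECDH+ECDSA+AES256:ECDH+aRSA+AES256:DH+AES256:ECDH+ECDSA+AES128:ECDH+aRSA+AES128:DH+AES:${SSL_CIPHERS_3DES_DH}:${SSL_CIPHERS_ROBOT}:!aNULL:!MD5:!DSS
-WEB_SSL_CIPHERS_3DES_FIX | Whether to disable 3DES ciphers found weak | true/false | false
+WEB_SSL_CIPHERS_SWEET32_FIX | Whether to disable 3DES ciphers found weak (SWEET32) | true/false | false
 WEB_SSL_CIPHERS_ROBOT_FIX | Whether to disable RSA encryption ciphers found weak (ROBOT) | true/false | false
 WEB_SSL_FULLCHAIN | The location of the SSL certificate and intermediate chain file | absolute filename | /etc/ssl/certs/fullchain.pem
 WEB_SSL_OCSP_STAPLING | Whether to enable TLS OCSP stapling | true/false | false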

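--- a/nginx/usr/local/share/env/40-stack
+++ b/nginx/usr/local/share/env/40-stack
@@ -25,21 +25,21 @@ export WEB_HTTPS_OFFLOADED
 WEB_REVERSE_PROXIED="$(convert_to_boolean_string "${WEB_REVERSE_PROXIED:-true}")"
 export WEB_REVERSE_PROXIED
 
-if is_true "${WEB_SSL_CIPHERS_3DES_FIX:-}"; then
-SSL_CIPHERS_3DES_DH=""
-SSL_CIPHERS_3DES_RSA=""
+if is_true "${WEB_SSL_CIPHERS_SWEET32_FIX:-}"; then
+SSL_CIPHERS_SWEET32_DH=""
+SSL_CIPHERS_SWEET32_RSA=""
 else
-SSL_CIPHERS_3DES_DH="ECDH+3DES:DH+3DES"
-SSL_CIPHERS_3DES_RSA="RSA+3DES"
+SSL_CIPHERS_SWEET32_DH="ECDH+3DES:DH+3DES"
+SSL_CIPHERS_SWEET32_RSA="RSA+3DES"
 fi
 
 if is_true "${WEB_SSL_CIPHERS_ROBOT_FIX:-}"; then
 SSL_CIPHERS_ROBOT=""
 else
-SSL_CIPHERS_ROBOT="RSA+AESGCM:RSA+AES:${SSL_CIPHERS_3DES_RSA}"
+SSL_CIPHERS_ROBOT="RSA+AESGCM:RSA+AES:${SSL_CIPHERS_SWEET32_RSA}"
 fi
 
-DEFAULT_SSL_CIPHERS="ECDH+ECDSA+AESGCM:ECDH+aRSA+AESGCM:DH+AESGCM:ECDH+ECDSA+AES256:ECDH+aRSA+AES256:DH+AES256:ECDH+ECDSA+AES128:ECDH+aRSA+AES128:DH+AES:${SSL_CIPHERS_3DES_DH}:${SSL_CIPHERS_ROBOT}:!aNULL:!MD5:!DSS"
+DEFAULT_SSL_CIPHERS="ECDH+ECDSA+AESGCM:ECDH+aRSA+AESGCM:DH+AESGCM:ECDH+ECDSA+AES256:ECDH+aRSA+AES256:DH+AES256:ECDH+ECDSA+AES128:ECDH+aRSA+AES128:DH+AES:${SSL_CIPHERS_SWEET32_DH}:${SSL_CIPHERS_ROBOT}:!aNULL:!MD5:!DSS"
 
 export WEB_SSL_CIPHERS=${WEB_SSL_CIPHERS:-$DEFAULT_SSL_CIPHERS}
 export WEB_SSL_FULLCHAIN=${WEB_SSL_FULLCHAIN:-/etc/ssl/certs/fullchain.pem}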
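Review bot: The renamed `WEB_SSL_CIPHERS_SWEET32_FIX` is still read as `${WEB_SSL_CIPHERS_SWEET32_FIX:-}` on new line 28 and documented in the READMEs with a default of false, so an unconfigured deployment takes the `else` branch and `DEFAULT_SSL_CIPHERS` keeps `ECDH+3DES:DH+3DES` (plus `RSA+3DES` unless `WEB_SSL_CIPHERS_ROBOT_FIX` is on) — the rename names the attack, but the default server still offers the 64-bit-block suites SWEET32 targets. If changing the default is acceptable for existing users, the one-line change is `if is_true "${WEB_SSL_CIPHERS_SWEET32_FIX:-true}"; then`; if not, a comment above the `if` should state that the mitigation is opt-in for compatibility so the `_FIX` name does not read as "applied". A smaller hardening that keeps it opt-in is to set `SSL_CIPHERS_SWEET32_DH="!3DES"` in the fix branch instead of `""`, which excludes every 3DES suite explicitly and does not rely on OpenSSL tolerating the empty `::` segments the current substitution leaves in the list (its parser skips them as far as I recall, but `!3DES` is self-documenting either way). Note also that `SSL_CIPHERS_SWEET32_RSA` only reaches the final list through `SSL_CIPHERS_ROBOT`, so with only the ROBOT fix enabled the RSA 3DES suites disappear while the (EC)DH ones remain; a comment on line 32 saying so would save the next reader from assuming the two flags are independent.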

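--- a/php/apache/README.md
+++ b/php/apache/README.md
@@ -128,7 +128,7 @@ WEB_HTTPS_ONLY | Whether to redirect all HTTP traffic to HTTPS | true/false
 WEB_INCLUDES | A space separated list of files in /etc/apache2/sites-enabled/ to include. ".conf" will be appended automatically. Globs are accepted. | space separated list of partial file names | 000-default-*
 WEB_REVERSE_PROXIED | Whether to interpret X-Forwarded-Proto as the $custom_scheme and $custom_https emulation. | true/false | true
 WEB_SSL_CIPHERS | The enabled SSL/TLS server ciphers | the format understood by the OpenSSL library | ECDH+ECDSA+AESGCM:ECDH+aRSA+AESGCM:DH+AESGCM:ECDH+ECDSA+AES256:ECDH+aRSA+AES256:DH+AES256:ECDH+ECDSA+AES128:ECDH+aRSA+AES128:DH+AES:${SSL_CIPHERS_3DES_DH}:${SSL_CIPHERS_ROBOT}:!aNULL:!MD5:!DSS
-WEB_SSL_CIPHERS_3DES_FIX | Whether to disable 3DES ciphers found weak | true/false | false
+WEB_SSL_CIPHERS_SWEET32_FIX | Whether to disable 3DES ciphers found weak (SWEET32) | true/false | false
 WEB_SSL_CIPHERS_ROBOT_FIX | Whether to disable RSA encryption ciphers found weak (ROBOT) | true/false | false
 WEB_SSL_FULLCHAIN | The location of the SSL certificate and intermediate chain file | absolute filename | /etc/ssl/certs/fullchain.pem
 WEB_SSL_OCSP_STAPLING | Whether to enable TLS OCSP stapling | true/false | false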

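--- a/php/nginx/README.md
+++ b/php/nginx/README.md
@@ -135,7 +135,7 @@ WEB_HTTP2_TLS | Whether to enable HTTP2 over TLS on HTTPS port. If WEB_HTTPS_OFF
 WEB_HTTP2_PLAINTEXT_NONBC | Whether to enable HTTP2 over plaintext on HTTP port (or HTTPS if WEB_HTTPS_OFFLOADED enabled). Nginx doesn't support h2c for plain HTTP protocol so will not support HTTP 1.1/1.0 if enabled | true/false | false
 WEB_REVERSE_PROXIED | Whether to interpret X-Forwarded-Proto as the $custom_scheme and $custom_https emulation. | true/false | true
 WEB_SSL_CIPHERS | The enabled SSL/TLS server ciphers | the format understood by the OpenSSL library | ECDH+ECDSA+AESGCM:ECDH+aRSA+AESGCM:DH+AESGCM:ECDH+ECDSA+AES256:ECDH+aRSA+AES256:DH+AES256:ECDH+ECDSA+AES128:ECDH+aRSA+AES128:DH+AES:${SSL_CIPHERS_3DES_DH}:${SSL_CIPHERS_ROBOT}:!aNULL:!MD5:!DSS
-WEB_SSL_CIPHERS_3DES_FIX | Whether to disable 3DES ciphers found weak | true/false | false
+WEB_SSL_CIPHERS_SWEET32_FIX | Whether to disable 3DES ciphers found weak (SWEET32) | true/false | false
 WEB_SSL_CIPHERS_ROBOT_FIX | Whether to disable RSA encryption ciphers found weak (ROBOT) | true/false | false
 WEB_SSL_FULLCHAIN | The location of the SSL certificate and intermediate chain file | absolute filename | /etc/ssl/certs/fullchain.pem
 WEB_SSL_OCSP_STAPLING | Whether to enable TLS OCSP stapling | true/false | false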

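--- a/php/shared/usr/local/share/env/40-stack
+++ b/php/shared/usr/local/share/env/40-stack
@@ -57,21 +57,21 @@ export WEB_HTTPS_OFFLOADED
 WEB_REVERSE_PROXIED="$(convert_to_boolean_string "${WEB_REVERSE_PROXIED:-true}")"
 export WEB_REVERSE_PROXIED
 
-if is_true "${WEB_SSL_CIPHERS_3DES_FIX:-}"; then
-SSL_CIPHERS_3DES_DH=""
-SSL_CIPHERS_3DES_RSA=""
+if is_true "${WEB_SSL_CIPHERS_SWEET32_FIX:-}"; then
+SSL_CIPHERS_SWEET32_DH=""
+SSL_CIPHERS_SWEET32_RSA=""
 else
-SSL_CIPHERS_3DES_DH="ECDH+3DES:DH+3DES"
-SSL_CIPHERS_3DES_RSA="RSA+3DES"
+SSL_CIPHERS_SWEET32_DH="ECDH+3DES:DH+3DES"
+SSL_CIPHERS_SWEET32_RSA="RSA+3DES"
 fi
 
 if is_true "${WEB_SSL_CIPHERS_ROBOT_FIX:-}"; then
 SSL_CIPHERS_ROBOT=""
 else
-SSL_CIPHERS_ROBOT="RSA+AESGCM:RSA+AES:${SSL_CIPHERS_3DES_RSA}"
+SSL_CIPHERS_ROBOT="RSA+AESGCM:RSA+AES:${SSL_CIPHERS_SWEET32_RSA}"
 fi
 
-DEFAULT_SSL_CIPHERS="ECDH+ECDSA+AESGCM:ECDH+aRSA+AESGCM:DH+AESGCM:ECDH+ECDSA+AES256:ECDH+aRSA+AES256:DH+AES256:ECDH+ECDSA+AES128:ECDH+aRSA+AES128:DH+AES:${SSL_CIPHERS_3DES_DH}:${SSL_CIPHERS_ROBOT}:!aNULL:!MD5:!DSS"
+DEFAULT_SSL_CIPHERS="ECDH+ECDSA+AESGCM:ECDH+aRSA+AESGCM:DH+AESGCM:ECDH+ECDSA+AES256:ECDH+aRSA+AES256:DH+AES256:ECDH+ECDSA+AES128:ECDH+aRSA+AES128:DH+AES:${SSL_CIPHERS_SWEET32_DH}:${SSL_CIPHERS_ROBOT}:!aNULL:!MD5:!DSS"
 
 export WEB_SSL_CIPHERS=${WEB_SSL_CIPHERS:-$DEFAULT_SSL_CIPHERS}
 export WEB_SSL_FULLCHAIN=${WEB_SSL_FULLCHAIN:-/etc/ssl/certs/fullchain.pem}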
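Review bot: This copy of the cipher logic has the same default-off mitigation as the nginx variant: new line 60 reads `${WEB_SSL_CIPHERS_SWEET32_FIX:-}` and the README tables give the default as false, so a container started without the variable lands in the `else` branch and ships `ECDH+3DES:DH+3DES` (and `RSA+3DES` via `SSL_CIPHERS_ROBOT`) in `DEFAULT_SSL_CIPHERS`. Renaming the flag after the attack is an improvement in clarity only; the `_FIX` suffix on a variable that defaults to off is easy to misread as "already mitigated", so either change the fallback to `if is_true "${WEB_SSL_CIPHERS_SWEET32_FIX:-true}"; then` if that is acceptable for existing users, or add a comment such as `# 3DES (SWEET32, CVE-2016-2183) stays enabled unless WEB_SSL_CIPHERS_SWEET32_FIX=true` above the `if`. Since the two `40-stack` files duplicate this block verbatim, any change here should be mirrored in `nginx/usr/local/share/env/40-stack` so the PHP and plain nginx images do not drift in their TLS defaults. Consider also setting `SSL_CIPHERS_SWEET32_DH="!3DES"` rather than `""` in the fix branch: it is explicit, and avoids depending on OpenSSL's handling of the empty `::` items the current substitution leaves in the list.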
