mirrors/vm
2
0
Fork 0
mirror of https://github.com/nextcloud/vm.git synced 2025-10-26 11:27:32 +00:00
Code Issues Packages Projects Releases Wiki Activity
1,915 Commits 13 Branches 80 Tags 68 MiB
36432522d7
Commit Graph

151 Commits

Author SHA1 Message Date
Ted B
e65ff4aaba
Fix spelling in VM (#1706) 
Signed-off-by: Lantrix <lantrix@pobox.com>
 2020-12-03 21:24:33 +01:00
Daniel Hansson
73936ddd43
don't use function without lib 2020-11-30 20:45:08 +01:00
Daniel Hansson
383a4e1c3e
put default SC rules in a single file (#1667) 
Signed-off-by: enoch85 <github@hanssonit.se>
 2020-11-12 21:39:53 +01:00
Daniel Hansson
43500670e1
do not exit 2020-11-06 17:16:32 +01:00
Daniel Hansson
cbc2c80217
Use start_if_stopped instead of just service start (#1608) 
Signed-off-by: enoch85 <github@hanssonit.se>
 2020-10-19 20:46:01 +02:00
Daniel Hansson
a75e64897e
TLS1.3 and improvements (#1578) 
Signed-off-by: enoch85 <github@hanssonit.se>
 2020-10-16 23:22:34 +02:00
szaimen
f28af0807a
make all scripts much more readable (#1493) 
Co-authored-by: Daniel Hansson <github@hanssonit.se>
 2020-10-14 11:16:35 +02:00
Daniel Hansson
577601d63a
old le script doesn't have fetch_lib 2020-10-04 10:51:13 +02:00
Daniel Hansson
f251b03549
go live with fetch lib (#1520) 
Signed-off-by: enoch85 <github@hanssonit.se>
 2020-10-03 21:09:15 +02:00
Daniel Hansson
5ca0ba8387
chaneg to real link 2020-09-18 12:16:00 +02:00
Daniel Hansson
a116de1aac
another typo 2020-09-18 12:13:27 +02:00
Daniel Hansson
3f9c7cd3cc
typo 2020-09-18 12:10:14 +02:00
Daniel Hansson
6aba7b7935
create open_port function to automatically open ports over upnp (#1469) 
Co-authored-by: szaimen <szaimen@e.mail.de>
 2020-09-18 12:04:31 +02:00
Daniel Hansson
9d41d1b274
Revert "create open_port function to automatically open ports over upnp (#1464)" (#1468) 
This reverts commit 567c2759c9.

I commited the wrong PR!
 2020-09-17 11:23:40 +02:00
szaimen
567c2759c9
create open_port function to automatically open ports over upnp (#1464) 
Co-authored-by: Daniel Hansson <github@hanssonit.se>
 2020-09-17 11:22:14 +02:00
szaimen
eda50026fd
create input_box_flow (#1449) 
Co-authored-by: Daniel Hansson <github@hanssonit.se>
 2020-09-13 19:18:02 +02:00
szaimen
9adb4e422a
some small fixes and enhancements (#1440) 2020-09-10 21:31:43 +02:00
Daniel Hansson
34002c7589
only allow tls1.2 
```
Configuration
Protocols
TLS 1.3 	No
TLS 1.2 	Yes
TLS 1.1 	No
TLS 1.0 	No
SSL 3 	No
SSL 2 	No


Cipher Suites
# TLS 1.2 (suites in server-preferred order)
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (0xc02f)   ECDH x25519 (eq. 3072 bits RSA)   FS 	128
TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (0xc030)   ECDH x25519 (eq. 3072 bits RSA)   FS 	256
TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 (0xcca8)   ECDH x25519 (eq. 3072 bits RSA)   FS 	256
TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 (0x9e)   DH 4096 bits   FS 	128
TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 (0x9f)   DH 4096 bits   FS 	256


Handshake Simulation
Android 4.4.2 	RSA 4096 (SHA256)   	TLS 1.2 	TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256   ECDH secp256r1  FS
Android 5.0.0 	RSA 4096 (SHA256)   	TLS 1.2 	TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256   ECDH secp256r1  FS
Android 6.0 	RSA 4096 (SHA256)   	TLS 1.2 > http/1.1   	TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256   ECDH secp256r1  FS
Android 7.0 	RSA 4096 (SHA256)   	TLS 1.2 > h2   	TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256   ECDH x25519  FS
Android 8.0 	RSA 4096 (SHA256)   	TLS 1.2 > h2   	TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256   ECDH x25519  FS
Android 8.1 	RSA 4096 (SHA256)   	TLS 1.2 > h2   	TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256   ECDH x25519  FS
Android 9.0 	RSA 4096 (SHA256)   	TLS 1.2 > h2   	TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256   ECDH x25519  FS
BingPreview Jan 2015 	RSA 4096 (SHA256)   	TLS 1.2 	TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256   ECDH secp256r1  FS
Chrome 49 / XP SP3 	RSA 4096 (SHA256)   	TLS 1.2 > h2   	TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256   ECDH secp256r1  FS
Chrome 69 / Win 7  R		RSA 4096 (SHA256)   	TLS 1.2 > h2   	TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256   ECDH x25519  FS
Chrome 70 / Win 10 	RSA 4096 (SHA256)   	TLS 1.2 > h2   	TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256   ECDH x25519  FS
Chrome 80 / Win 10  R		RSA 4096 (SHA256)   	TLS 1.2 > h2   	TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256   ECDH x25519  FS
Firefox 31.3.0 ESR / Win 7 	RSA 4096 (SHA256)   	TLS 1.2 	TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256   ECDH secp256r1  FS
Firefox 47 / Win 7  R		RSA 4096 (SHA256)   	TLS 1.2 > h2   	TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256   ECDH secp256r1  FS
Firefox 49 / XP SP3 	RSA 4096 (SHA256)   	TLS 1.2 > h2   	TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256   ECDH secp256r1  FS
Firefox 62 / Win 7  R		RSA 4096 (SHA256)   	TLS 1.2 > h2   	TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256   ECDH x25519  FS
Firefox 73 / Win 10  R		RSA 4096 (SHA256)   	TLS 1.2 > h2   	TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256   ECDH x25519  FS
Googlebot Feb 2018 	RSA 4096 (SHA256)   	TLS 1.2 	TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256   ECDH x25519  FS
IE 11 / Win 7  R		RSA 4096 (SHA256)   	TLS 1.2 	TLS_DHE_RSA_WITH_AES_128_GCM_SHA256   DH 4096  FS
IE 11 / Win 8.1  R		RSA 4096 (SHA256)   	TLS 1.2 > http/1.1   	TLS_DHE_RSA_WITH_AES_128_GCM_SHA256   DH 4096  FS
IE 11 / Win Phone 8.1  R		Server sent fatal alert: handshake_failure
IE 11 / Win Phone 8.1 Update  R		RSA 4096 (SHA256)   	TLS 1.2 > http/1.1   	TLS_DHE_RSA_WITH_AES_128_GCM_SHA256   DH 4096  FS
IE 11 / Win 10  R		RSA 4096 (SHA256)   	TLS 1.2 > h2   	TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256   ECDH secp256r1  FS
Edge 15 / Win 10  R		RSA 4096 (SHA256)   	TLS 1.2 > h2   	TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256   ECDH x25519  FS
Edge 16 / Win 10  R		RSA 4096 (SHA256)   	TLS 1.2 > h2   	TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256   ECDH x25519  FS
Edge 18 / Win 10  R		RSA 4096 (SHA256)   	TLS 1.2 > h2   	TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256   ECDH x25519  FS
Edge 13 / Win Phone 10  R		RSA 4096 (SHA256)   	TLS 1.2 > h2   	TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256   ECDH secp256r1  FS
Java 8u161 	RSA 4096 (SHA256)   	TLS 1.2 	TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256   ECDH secp256r1  FS
Java 11.0.3 	RSA 4096 (SHA256)   	TLS 1.2 	TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256   ECDH secp256r1  FS
Java 12.0.1 	RSA 4096 (SHA256)   	TLS 1.2 	TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256   ECDH secp256r1  FS
OpenSSL 1.0.1l  R		RSA 4096 (SHA256)   	TLS 1.2 	TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256   ECDH secp256r1  FS
OpenSSL 1.0.2s  R		RSA 4096 (SHA256)   	TLS 1.2 	TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256   ECDH secp256r1  FS
OpenSSL 1.1.0k  R		RSA 4096 (SHA256)   	TLS 1.2 	TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256   ECDH x25519  FS
OpenSSL 1.1.1c  R		RSA 4096 (SHA256)   	TLS 1.2 	TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256   ECDH x25519  FS
Safari 6 / iOS 6.0.1 	Server sent fatal alert: handshake_failure
Safari 7 / iOS 7.1  R		Server sent fatal alert: handshake_failure
Safari 7 / OS X 10.9  R		Server sent fatal alert: handshake_failure
Safari 8 / iOS 8.4  R		Server sent fatal alert: handshake_failure
Safari 8 / OS X 10.10  R		Server sent fatal alert: handshake_failure
Safari 9 / iOS 9  R		RSA 4096 (SHA256)   	TLS 1.2 > h2   	TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256   ECDH secp256r1  FS
Safari 9 / OS X 10.11  R		RSA 4096 (SHA256)   	TLS 1.2 > h2   	TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256   ECDH secp256r1  FS
Safari 10 / iOS 10  R		RSA 4096 (SHA256)   	TLS 1.2 > h2   	TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256   ECDH secp256r1  FS
Safari 10 / OS X 10.12  R		RSA 4096 (SHA256)   	TLS 1.2 > h2   	TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256   ECDH secp256r1  FS
Safari 12.1.2 / MacOS 10.14.6 Beta  R		RSA 4096 (SHA256)   	TLS 1.2 > h2   	TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256   ECDH x25519  FS
Safari 12.1.1 / iOS 12.3.1  R		RSA 4096 (SHA256)   	TLS 1.2 > h2   	TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256   ECDH x25519  FS
Apple ATS 9 / iOS 9  R		RSA 4096 (SHA256)   	TLS 1.2 > h2   	TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256   ECDH secp256r1  FS
Yahoo Slurp Jan 2015 	RSA 4096 (SHA256)   	TLS 1.2 	TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256   ECDH secp256r1  FS
YandexBot Jan 2015 	RSA 4096 (SHA256)   	TLS 1.2 	TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256   ECDH secp256r1  FS
# Not simulated clients (Protocol mismatch)

Click here to expand
(1) Clients that do not support Forward Secrecy (FS) are excluded when determining support for it.
(2) No support for virtual SSL hosting (SNI). Connects to the default site if the server uses SNI.
(3) Only first connection attempt simulated. Browsers sometimes retry with a lower protocol version.
(R) Denotes a reference browser or client, with which we expect better effective security.
(All) We use defaults, but some platforms do not use their best protocols and features (e.g., Java 6 & 7, older IE).
(All) Certificate trust is not checked in handshake simulation, we only perform TLS handshake.


Protocol Details
DROWN 	No, server keys and hostname not seen elsewhere with SSLv2
(1) For a better understanding of this test, please read this longer explanation
(2) Key usage data kindly provided by the Censys network search engine; original DROWN website here
(3) Censys data is only indicative of possible key and certificate reuse; possibly out-of-date and not complete
Secure Renegotiation 	Supported
Secure Client-Initiated Renegotiation 	No
Insecure Client-Initiated Renegotiation 	No
BEAST attack 	Mitigated server-side (more info)  
POODLE (SSLv3) 	No, SSL 3 not supported (more info)
POODLE (TLS) 	No (more info)
Zombie POODLE 	No (more info)  
GOLDENDOODLE 	No (more info)  
OpenSSL 0-Length 	No (more info)  
Sleeping POODLE 	No (more info)  
Downgrade attack prevention 	Unknown (requires support for at least two protocols, excl. SSL2)
SSL/TLS compression 	No
RC4 	No
Heartbeat (extension) 	No
Heartbleed (vulnerability) 	No (more info)
Ticketbleed (vulnerability) 	No (more info)
OpenSSL CCS vuln. (CVE-2014-0224) 	No (more info)
OpenSSL Padding Oracle vuln.
(CVE-2016-2107) 	No (more info)
ROBOT (vulnerability) 	No (more info)
Forward Secrecy 	Yes (with most browsers)   ROBUST (more info)
ALPN 	Yes   h2 http/1.1
NPN 	No
Session resumption (caching) 	Yes
Session resumption (tickets) 	No
OCSP stapling 	Yes
Strict Transport Security (HSTS) 	Yes
max-age=15768000;includeSubdomains
HSTS Preloading 	Not in: Chrome  Edge  Firefox  IE 
Public Key Pinning (HPKP) 	No (more info)
Public Key Pinning Report-Only 	No
Public Key Pinning (Static) 	No (more info)
Long handshake intolerance 	No
TLS extension intolerance 	No
TLS version intolerance 	No
Incorrect SNI alerts 	No
Uses common DH primes 	No
DH public server param (Ys) reuse 	No
ECDH public server param reuse 	No
Supported Named Groups 	x25519, secp256r1, x448, secp521r1, secp384r1 (server preferred order)
SSL 2 handshake compatibility 	Yes

```
 2020-09-08 16:48:27 +02:00
szaimen
3e5947b755
remove TLS_INSTALL from the lib (#1424) 2020-09-08 10:34:31 +02:00
szaimen
4a6402ebfd
fix last subdomain occurences and remove print_text_in_color before a yesno_box (#1421) 2020-09-07 22:10:43 +02:00
Daniel Hansson
1857c63ec5
ask if the domain is correct (#1418) 2020-09-07 16:06:19 +02:00
szaimen
cbc20d1881
add yesno_box_no and yesno_box_yes (#1409) 
Co-authored-by: Daniel Hansson <github@hanssonit.se>
 2020-09-07 11:44:43 +02:00
szaimen
c42ec1d992
add SCRIPT_NAME to all scripts and standardize whiptail-titles (#1400) 
Signed-off-by: enoch85 <github@hanssonit.se>

Co-authored-by: enoch85 <github@hanssonit.se>
 2020-09-04 09:05:47 +02:00
szaimen
80dc7b6293
substitute ask_yes_or_no through yesno_box (#1401) 2020-09-03 23:15:42 +02:00
Daniel Hansson
6bfdd693bc
change message for backwards compatibility msg (#1395) 2020-09-01 20:19:06 +02:00
Daniel Hansson
597188acfc
Create activate-ssl.sh 2020-09-01 19:41:46 +02:00
Daniel Hansson
34f58238c5
Make Webmin optional and move some scripts (#1349) 
Signed-off-by: enoch85 <github@hanssonit.se>
 2020-08-10 17:57:42 +02:00
Daniel Hansson
9315557130
get current PHP-version (#1271) 2020-06-03 00:23:33 +02:00
Daniel Hansson
6bb64dd9f0
Revert "update lib.sh to change variables to functions (#1247)" (#1266) 
This reverts commit e0fff5e529.
 2020-05-31 15:02:43 +02:00
szaimen
e0fff5e529
update lib.sh to change variables to functions (#1247) 2020-05-27 18:32:57 +02:00
Daniel Hansson
b2c5d7dff9
update the way scripts are run and downloaded (#1256) 
Co-authored-by: szaimen <szaimen@e.mail.de>
Co-authored-by: szaimen <42591237+szaimen@users.noreply.github.com>
 2020-05-24 00:55:56 +02:00
Daniel Hansson
9ad7cdde0a
travis (use pgrep instead) 2020-05-04 23:35:58 +02:00
Daniel Hansson
20c46882bd
make check more generic 2020-05-04 23:26:50 +02:00
Daniel Hansson
cea719fdd1
Update activate-tls.sh 2020-05-04 23:17:09 +02:00
Daniel Hansson
75879c41b6
delete, as the new version is out 2020-04-24 23:01:05 +02:00
Daniel Hansson
6658155451
Create activate-ssl.sh 2020-04-22 11:27:18 +02:00
Daniel Hansson
20812cdb6f
20.04 (#1176) 2020-04-21 22:31:21 +02:00
Daniel Hansson
b41325d7eb
add a reminder about port 80 (#1147) 2020-03-10 20:33:28 +01:00
Daniel Hansson
3c6b11bf0d
change to TLS, we dont use SSL (#1087) 2020-02-18 18:33:17 +01:00
Liao Weizhi
5c46f163f8 Refactor the way TLS certs are generated + make all options (standalone, dns, tls) available everywhere (#1025) 2020-01-12 19:38:47 +01:00
Daniel Hansson
75bf1bbffc
happy new year (#1028) 
Signed-off-by: enoch85 <github@hanssonit.se>
 2020-01-11 12:42:22 +01:00
Daniel Hansson
102beab33e
possible fix for SSL not starting 2019-11-13 19:15:57 +01:00
Daniel Hansson
1a5349f8a9
remove TLS 1.1 as well 2019-11-12 23:55:17 +01:00
Daniel Hansson
a50400e58d
enhance SSL security 2019-11-12 23:22:15 +01:00
BetaLeaf
f6b11701c2 Fixed issue where HTTP to HTTPS redirect leaves out the / (#959) 2019-10-03 21:13:42 +02:00
Daniel Hansson
d42f3de2f9
change crontab to every 12 hours 2019-08-17 21:52:48 +02:00
Daniel Hansson
f41f62dfa9
found one more occurance for is_this_installed() 2019-07-29 15:21:04 +02:00
Daniel Hansson
335c8f5c31
remove webroot, standalone works better 
+ improve security
 2019-07-04 15:51:50 +02:00
Daniel Hansson
499e743eb5
remove error handling since it's all done in the function (#864) 2019-07-04 10:13:49 +02:00
Daniel Hansson
87dd0e6439
remove hsts from certbot, it's already done in apache 2019-07-04 08:43:31 +02:00