2017-05-30 12:59 CEST

View Issue Details
ID: 0001702
Project: openmediavault
Category: Feature
View Status: public
Last Update: 2017-03-20 08:12
Reporter: kavejo
Assigned To: votdev
Priority: normal
Severity: minor
Reproducibility: N/A
Status: resolved
Resolution: fixed
Product Version:
Target Version:
Fixed in Version: Erasmus (3.x)
Summary: 0001702: Possibility to select the TLS ciphers
Description: Would it be possible to have an option to select the TLS version and cipher suites in General > Web Administration?

Nowadays TLS 1.0 and perhaps 1.1 are being deprecated, and so are the 3DES and RC4 ciphers. This would allow the users to ensure their installation of OpenMediaVault is compliant with the organization standards.
Steps To Reproduce: Have the possibility to change:
OMV_NGINX_SITE_WEBGUI_SSL_PROTOCOLS=${OMV_NGINX_SITE_WEBGUI_SSL_PROTOCOLS:-"TLSv1.1 TLSv1.2"}
To:
OMV_NGINX_SITE_WEBGUI_SSL_PROTOCOLS=${OMV_NGINX_SITE_WEBGUI_SSL_PROTOCOLS:-"TLSv1.2"}

Then have the possibility to change:
OMV_NGINX_SITE_WEBGUI_SSL_CIPHERS=${OMV_NGINX_SITE_WEBGUI_SSL_CIPHERS:-"ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!3DES:!MD5:!PSK"}
To:
OMV_NGINX_SITE_WEBGUI_SSL_CIPHERS=${OMV_NGINX_SITE_WEBGUI_SSL_CIPHERS:-"ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256"}
Tags: WebGUI
Product build:
Attached Files:


Notes

~0004670

votdev (administrator)

No, I do not want to see such an option in the WebUI. To allow customization the user can use the environment variables. OMV is NO webmin replacement where every possible option is available to the user. Instead the options are reduced to the absolute minimum to reduce the complexity.

~0004671

votdev (administrator)

The SSL ciphers have been adapted to the latest moderate profile, see https://mozilla.github.io/server-side-tls/ssl-config-generator/. TLSv1.1 hasn't been removed because of supporting older browsers.

https://github.com/openmediavault/openmediavault/commit/523d88d5eef12b669b1849cd1af02ef75db9a4f0.
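
The following is an added example, not part of the issue thread or of openmediavault's code. It resolves the protocol variable with the same `${VAR:-default}` form quoted in the description, then checks the result and the proposed cipher list against an assumed organization policy (TLSv1.2 only, forward secrecy, AEAD suites only). The function names, the `PROPOSED_CIPHERS` variable and the policy itself are assumptions.

```shell
#!/bin/sh
# Added example: audit the values the web GUI variables would resolve to.
# The policy (TLSv1.2+, forward secrecy, AEAD only) is an assumed one.

# Proposed cipher list, copied from the issue description.
PROPOSED_CIPHERS="ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256"

# Same ${VAR:-default} form as in the issue: an exported value wins,
# otherwise the default quoted in the issue applies.
effective_protocols() {
    protocols=${OMV_NGINX_SITE_WEBGUI_SSL_PROTOCOLS:-"TLSv1.1 TLSv1.2"}
    printf '%s\n' "$protocols"
}

# Print every protocol older than TLSv1.2; return 1 if any was found.
audit_protocols() {
    rc=0
    for p in $1; do
        case "$p" in
            SSLv2|SSLv3|TLSv1|TLSv1.1) echo "deprecated-protocol $p"; rc=1 ;;
        esac
    done
    return $rc
}

# Classify each colon-separated entry of an OpenSSL cipher list.
audit_ciphers() {
    rc=0; old_ifs=$IFS; IFS=:; set -f
    for c in $1; do
        case "$c" in
            '!'*) continue ;;                         # exclusions only remove suites
            *+*) echo "unexpanded-alias $c"; rc=1 ;;  # result depends on the OpenSSL build
            *RC4*|*3DES*|*DES-CBC*|*MD5*|*NULL*|*EXPORT*) echo "broken $c"; rc=1 ;;
            ECDHE-*|DHE-*)
                case "$c" in
                    *GCM*|*CCM*|*CHACHA20*) ;;        # AEAD with forward secrecy: passes
                    *) echo "cbc-mode $c"; rc=1 ;;
                esac ;;
            *) echo "no-forward-secrecy $c"; rc=1 ;;
        esac
    done
    set +f; IFS=$old_ifs
    return $rc
}

# Report findings for the current environment and the proposed list.
audit_protocols "$(effective_protocols)" || true
audit_ciphers "$PROPOSED_CIPHERS" || true
```

Under this assumed policy the default protocol value is flagged for TLSv1.1, and the four non-GCM, non-CHACHA20 suites at the end of the proposed list are reported as `cbc-mode`.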

Issue History
Date Modified Username Field Change
2017-03-18 12:38 kavejo New Issue
2017-03-18 12:38 kavejo Status new => assigned
2017-03-18 12:38 kavejo Assigned To => votdev
2017-03-18 12:38 kavejo Tag Attached: WebGUI
2017-03-20 08:01 votdev Note Added: 0004670
2017-03-20 08:12 votdev Status assigned => resolved
2017-03-20 08:12 votdev Resolution open => fixed
2017-03-20 08:12 votdev Fixed in Version => Erasmus (3.x)
2017-03-20 08:12 votdev Note Added: 0004671