dont generate dhparam file as fallback but use defined FFDHE4096 group;

fixes #1270 Signed-off-by: Michael Kaufmann <[email protected]>
froxlor · Aug 29, 2024 · 197eb79 · 197eb79
1 parent a1b6125
commit 197eb79
Show file tree

Hide file tree

Showing 5 changed files with 26 additions and 6 deletions.
diff --git a/lib/Froxlor/Api/Commands/SysLog.php b/lib/Froxlor/Api/Commands/SysLog.php
@@ -225,7 +225,7 @@ public function delete()
 			}
 			$params['trunc'] = $truncatedate;
 			Database::pexecute($result_stmt, $params, true, true);
-			$this->logger()->logAction($this->isAdmin() ? FroxlorLogger::ADM_ACTION : FroxlorLogger::USR_ACTION, LOG_WARNING, "[API] truncated the froxlor syslog");
+			$this->logger()->logAction(FroxlorLogger::ADM_ACTION, LOG_WARNING, "[API] truncated the froxlor syslog");
 			return $this->response(true);
 		}
 		throw new Exception("Not allowed to execute given command.", 403);

diff --git a/lib/Froxlor/Cron/Http/Apache.php b/lib/Froxlor/Cron/Http/Apache.php
@@ -441,7 +441,7 @@ public function createIpPort()
 								if (!empty(Settings::Get('system.dhparams_file'))) {
 									$dhparams = FileDir::makeCorrectFile(Settings::Get('system.dhparams_file'));
 									if (!file_exists($dhparams)) {
-										FileDir::safe_exec('openssl dhparam -out ' . escapeshellarg($dhparams) . ' 4096');
+										file_put_contents($dhparams, self::FFDHE4096);
 									}
 									$this->virtualhosts_data[$vhosts_filename] .= ' SSLOpenSSLConfCmd DHParameters "' . $dhparams . '"' . "\n";
 								}
@@ -754,7 +754,7 @@ protected function getVhostContent($domain, $ssl_vhost = false)
 					if (!empty(Settings::Get('system.dhparams_file'))) {
 						$dhparams = FileDir::makeCorrectFile(Settings::Get('system.dhparams_file'));
 						if (!file_exists($dhparams)) {
-							FileDir::safe_exec('openssl dhparam -out ' . escapeshellarg($dhparams) . ' 4096');
+							file_put_contents($dhparams, self::FFDHE4096);
 						}
 						$vhost_content .= '  SSLOpenSSLConfCmd DHParameters "' . $dhparams . '"' . "\n";
 					}

diff --git a/lib/Froxlor/Cron/Http/HttpConfigBase.php b/lib/Froxlor/Cron/Http/HttpConfigBase.php
@@ -45,6 +45,26 @@
 class HttpConfigBase
 {
 
+	/**
+	 * Pre-defined DHE groups to use as fallback if dhparams_file
+	 * is given, but non-existent, see also https://github.com/froxlor/Froxlor/issues/1270
+	 */
+	const FFDHE4096 = <<<EOC
+-----BEGIN DH PARAMETERS-----
+MIICCAKCAgEA//////////+t+FRYortKmq/cViAnPTzx2LnFg84tNpWp4TZBFGQz
++8yTnc4kmz75fS/jY2MMddj2gbICrsRhetPfHtXV/WVhJDP1H18GbtCFY2VVPe0a
+87VXE15/V8k1mE8McODmi3fipona8+/och3xWKE2rec1MKzKT0g6eXq8CrGCsyT7
+YdEIqUuyyOP7uWrat2DX9GgdT0Kj3jlN9K5W7edjcrsZCwenyO4KbXCeAvzhzffi
+7MA0BM0oNC9hkXL+nOmFg/+OTxIy7vKBg8P+OxtMb61zO7X8vC7CIAXFjvGDfRaD
+ssbzSibBsu/6iGtCOGEfz9zeNVs7ZRkDW7w09N75nAI4YbRvydbmyQd62R0mkff3
+7lmMsPrBhtkcrv4TCYUTknC0EwyTvEN5RPT9RFLi103TZPLiHnH1S/9croKrnJ32
+nuhtK8UiNjoNq8Uhl5sN6todv5pC1cRITgq80Gv6U93vPBsg7j/VnXwl5B0rZp4e
+8W5vUsMWTfT7eTDp5OWIV7asfV9C1p9tGHdjzx1VA0AEh/VbpX4xzHpxNciG77Qx
+iu1qHgEtnmgyqQdgCpGBMMRtx3j5ca0AOAkpmaMzy4t6Gh25PXFAADwqTs6p+Y0K
+zAqCkc3OyX3Pjsm1Wn+IpGtNtahR9EGC4caKAH5eZV9q//////////8CAQI=
+-----END DH PARAMETERS-----
+EOC;
+
 	public function init()
 	{
 		// if Let's Encrypt is activated, run it before regeneration of webserver configfiles

diff --git a/lib/Froxlor/Cron/Http/Lighttpd.php b/lib/Froxlor/Cron/Http/Lighttpd.php
@@ -273,7 +273,7 @@ public function createIpPort()
 						if (!empty(Settings::Get('system.dhparams_file'))) {
 							$dhparams = FileDir::makeCorrectFile(Settings::Get('system.dhparams_file'));
 							if (!file_exists($dhparams)) {
-								FileDir::safe_exec('openssl dhparam -out ' . escapeshellarg($dhparams) . ' 4096');
+								file_put_contents($dhparams, self::FFDHE4096);
 							}
 							$this->lighttpd_data[$vhost_filename] .= 'ssl.dh-file = "' . $dhparams . '"' . "\n";
 							$this->lighttpd_data[$vhost_filename] .= 'ssl.ec-curve = "secp384r1"' . "\n";
@@ -756,7 +756,7 @@ protected function getSslSettings($domain, $ssl_vhost)
 				if (!empty(Settings::Get('system.dhparams_file'))) {
 					$dhparams = FileDir::makeCorrectFile(Settings::Get('system.dhparams_file'));
 					if (!file_exists($dhparams)) {
-						FileDir::safe_exec('openssl dhparam -out ' . escapeshellarg($dhparams) . ' 4096');
+						file_put_contents($dhparams, self::FFDHE4096);
 					}
 					$ssl_settings .= 'ssl.dh-file = "' . $dhparams . '"' . "\n";
 					$ssl_settings .= 'ssl.ec-curve = "secp384r1"' . "\n";

diff --git a/lib/Froxlor/Cron/Http/Nginx.php b/lib/Froxlor/Cron/Http/Nginx.php
@@ -399,7 +399,7 @@ protected function composeSslSettings($domain_or_ip)
 				if (!empty(Settings::Get('system.dhparams_file'))) {
 					$dhparams = FileDir::makeCorrectFile(Settings::Get('system.dhparams_file'));
 					if (!file_exists($dhparams)) {
-						FileDir::safe_exec('openssl dhparam -out ' . escapeshellarg($dhparams) . ' 4096');
+						file_put_contents($dhparams, self::FFDHE4096);
 					}
 					$sslsettings .= "\t" . 'ssl_dhparam ' . $dhparams . ';' . "\n";
 				}