5.1.4 changes

Show error message if gpg failed
fix indexOf value comparison
2020-04-11 18:45:39 -07:00 · 2020-04-11 17:11:55 -07:00 · 2020-04-11 14:21:05 -07:00 · 2020-04-10 09:49:06 -07:00 · 2020-04-09 00:15:56 -07:00 · 2020-04-08 14:24:58 -07:00
5 changed files with 20 additions and 5 deletions
@@ -1904,3 +1904,8 @@
 * Fix crash with misconfigured reverse proxy
 * Fix issue where invitation links are not working anymore

+[5.1.4]
+* Add support for custom .well-known documents to be served
+* Add ECDHE-RSA-AES128-SHA256 to cipher list
+* Fix GPG signature verification
+
@@ -56,6 +56,7 @@ mkdir -p "${BOX_DATA_DIR}/profileicons"
 mkdir -p "${BOX_DATA_DIR}/certs"
 mkdir -p "${BOX_DATA_DIR}/acme" # acme keys
 mkdir -p "${BOX_DATA_DIR}/mail/dkim"
+mkdir -p "${BOX_DATA_DIR}/well-known" # .well-known documents

 # ensure backups folder exists and is writeable
 mkdir -p /var/backups
@@ -49,6 +49,6 @@ exports = module.exports = {

    FOOTER: '&copy; 2020  &nbsp;  [Cloudron](https://cloudron.io) &nbsp; &nbsp; &nbsp;  [Forum <i class="fa fa-comments"></i>](https://forum.cloudron.io)',

-    VERSION: process.env.BOX_ENV === 'cloudron' ? fs.readFileSync(path.join(__dirname, '../VERSION'), 'utf8').trim() : '4.2.0-test'
+    VERSION: process.env.BOX_ENV === 'cloudron' ? fs.readFileSync(path.join(__dirname, '../VERSION'), 'utf8').trim() : '5.1.1-test'
 };

@@ -65,7 +65,7 @@ server {
    # https://github.com/ssllabs/research/wiki/SSL-and-TLS-Deployment-Best-Practices#25-use-forward-secrecy
    # ciphers according to https://ssl-config.mozilla.org/#server=nginx&version=1.14.0&config=intermediate&openssl=1.1.1&guideline=5.4
    ssl_protocols TLSv1.2 TLSv1.3;
-    ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
+    ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-SHA256;
    ssl_prefer_server_ciphers off;

    ssl_dhparam /home/yellowtent/boxdata/dhparams.pem;
@@ -139,6 +139,12 @@ server {
        internal;
    }

+    # user defined .well-known resources
+    # alias means only the part after matched location is appended (unlike root)
+    location /.well-known/ {
+        alias /home/yellowtent/boxdata/well-known/$host/;
+    }
+
    location / {
        # increase the proxy buffer sizes to not run into buffer issues (http://nginx.org/en/docs/http/ngx_http_proxy_module.html#proxy_buffers)
        proxy_buffer_size       128k;
@@ -64,13 +64,16 @@ function gpgVerify(file, sig, callback) {
    debug(`gpgVerify: ${cmd}`);

    child_process.exec(cmd, { encoding: 'utf8' }, function (error, stdout, stderr) {
-        if (error) return callback(new BoxError(BoxError.NOT_SIGNED, `The signature in ${path.basename(sig)} could not verified`));
+        if (error) {
+            debug(`gpgVerify: command failed. error: ${error}\n stdout: ${stdout}\n stderr: ${stderr}`);
+            return callback(new BoxError(BoxError.NOT_SIGNED, `The signature in ${path.basename(sig)} could not verified (command failed)`));
+        }

-        if (stdout.indexOf('[GNUPG:] VALIDSIG 0EADB19CDDA23CD0FE71E3470A372F8703C493CC')) return callback();
+        if (stdout.indexOf('[GNUPG:] VALIDSIG 0EADB19CDDA23CD0FE71E3470A372F8703C493CC') !== -1) return callback();

        debug(`gpgVerify: verification of ${sig} failed: ${stdout}\n${stderr}`);

-        return callback(new BoxError(BoxError.NOT_SIGNED, `The signature in ${path.basename(sig)} could not verified`));
+        return callback(new BoxError(BoxError.NOT_SIGNED, `The signature in ${path.basename(sig)} could not verified (bad sig)`));
    });
 }
Author	SHA1	Message	Date
Girish Ramakrishnan	4e608d04dc	5.1.4 changes	2020-04-11 18:45:39 -07:00
Girish Ramakrishnan	531d314e25	Show error message if gpg failed	2020-04-11 17:11:55 -07:00
Girish Ramakrishnan	1ab23d2902	fix indexOf value comparison	2020-04-11 14:21:05 -07:00
Girish Ramakrishnan	b3496e1354	Add ECDHE-RSA-AES128-SHA256 to cipher list one of our users had the site reverse proxied. it broke after the 5.1 cipher change and they nailed it down to using this cipher. https://security.stackexchange.com/questions/72926/is-tls-ecdhe-rsa-with-aes-128-cbc-sha256-a-safe-cipher-suite-to-use says this is safe The following prints the cipher suite: log_format combined2 '$remote_addr - [$time_local] ' '$ssl_protocol/$ssl_cipher ' '"$request" $status $body_bytes_sent $request_time ' '"$http_referer" "$host" "$http_user_agent"';	2020-04-10 09:49:06 -07:00
Girish Ramakrishnan	2efa0aaca4	serve custom well-known documents via nginx	2020-04-09 00:15:56 -07:00
Girish Ramakrishnan	ef9aeb0772	Bump default version for tests	2020-04-08 14:24:58 -07:00