teamhephy · higauravkohli · Nov 16, 2022 · Nov 16, 2022
diff --git a/model/model.go b/model/model.go
@@ -220,16 +220,9 @@ type SSLConfig struct {
 func newSSLConfig() *SSLConfig {
 	return &SSLConfig{
 		Enforce:   false,
-		Protocols: "TLSv1 TLSv1.1 TLSv1.2 TLSv1.3",
-		// Default cipher suite:
-		//  - Prefer 128-Bit over 256-Bit encryptions (lower overhead)
-		//  - Prefer GCM over EDH over RSA auth (for Forward Secrecy)
-		//  - Fallback to 112-Bit 3DES (mainly for IE 8 compatibility)
-		//  - Let clients choose between AES128-GCM and ChaCha20-Poly1305
-		// Compatible: Firefox 1, Chrome 1, IE 7, Opera 5, Safari 1, Windows XP IE8, Android 2.3, Java 7
-		// Incompatible: Windows XP IE6, Java 6
-		// Source: https://wiki.mozilla.org/Security/Server_Side_TLS (old backward compatibility)
-		Ciphers:           "[TLS_AES_128_GCM_SHA256|TLS_CHACHA20_POLY1305_SHA256]:TLS_AES_256_GCM_SHA384:[ECDHE-ECDSA-AES128-GCM-SHA256|ECDHE-ECDSA-CHACHA20-POLY1305|ECDHE-ECDSA-CHACHA20-POLY1305-OLD]:[ECDHE-RSA-AES128-GCM-SHA256|ECDHE-RSA-CHACHA20-POLY1305|ECDHE-RSA-CHACHA20-POLY1305-OLD]:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA",
+		Protocols: "TLSv1.2 TLSv1.3",
+		// Source: https://ssl-config.mozilla.org/#server=nginx&version=1.22.1&config=intermediate&openssl=1.1.1n&hsts=false&ocsp=false&guideline=5.6
+		Ciphers:           "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384",
 		SessionTimeout:    "10m",
 		UseSessionTickets: true,
 		BufferSize:        "4k",

diff --git a/rootfs/Dockerfile b/rootfs/Dockerfile
@@ -51,36 +51,22 @@ RUN set -x && \
         build-essential fakeroot devscripts equivs
 
 RUN set -x && \
-    export OPENSSL_VERSION=1.1.1l OPENSSL_VERSION_DEB=1.1.1l-1 BUILD_PATH=$PWD DEBEMAIL="Team Hephy <team@teamhephy.com>" && \
-    get_src_file ad1ba49cef4a57ddd134368b79d9fc170122f00c9b6956e177ddf06a6dc86ad9 \
+    export OPENSSL_VERSION=1.1.1n OPENSSL_VERSION_DEB=1.1.1n-0+deb11u3 BUILD_PATH=$PWD DEBEMAIL="Team Hephy <team@teamhephy.com>" && \
+    get_src_file cbf06993d1dc8c4e59e2f7f0456cc07a005c17274a33eb29135e9fdd7f6b2941 \
                  http://deb.debian.org/debian/pool/main/o/openssl/openssl_$OPENSSL_VERSION_DEB.dsc && \
-    get_src_file 0b7a3e5e59c34827fe0c3a74b7ec8baef302b98fa80088d7f9153aa16fa76bd1 \
+    get_src_file 40dceb51a4f6a5275bde0e6bf20ef4b91bfc32ed57c0552e2e8e15463372b17a \
                  http://deb.debian.org/debian/pool/main/o/openssl/openssl_$OPENSSL_VERSION.orig.tar.gz && \
-    get_src_file e2ae0ea526223843245dd80224b19a55283f4910dd56b7ee7b23187164f69fda \
+    get_src_file e0e89e9467102880ee6f2ee8c1413933eb1268969afb97b9bec61e2190a62fd0 \
                  http://deb.debian.org/debian/pool/main/o/openssl/openssl_$OPENSSL_VERSION.orig.tar.gz.asc && \
-    get_src_file 0738932c86bcca51a17d6a0a840839db192bb8a0e036470fcf6fa4119fb20cd4 \
+    get_src_file 0eed2dc1f8d472291511f386fc0a3c5fe70ec50440b1c252fd99934bf2cddd4a \
                  http://deb.debian.org/debian/pool/main/o/openssl/openssl_$OPENSSL_VERSION_DEB.debian.tar.xz && \
     dpkg-source -x openssl_$OPENSSL_VERSION_DEB.dsc && \
-    # ChaCha20-Poly1305 Draft Support for older Android versions
-    get_src_file 8d3e4e89a957ad8678c5f403f0969abeffc3fe96507b648cd87227bd835c3c30 \
-                 https://raw.githubusercontent.com/hakasenyang/openssl-patch/1b03526/openssl-1.1.1i-chacha_draft.patch && \
-    # Allow setting equal preference and TLSv1.3 ciphers in NGINX
-    get_src_file 04f682c36405a908247c27e317fb0f5f5bb19cbac9699f5afa21fd81511e6be2 \
-                 https://raw.githubusercontent.com/hakasenyang/openssl-patch/e3bd4a8/openssl-equal-1.1.1e-dev_ciphers.patch && \
     cd "$BUILD_PATH/openssl-$OPENSSL_VERSION" && \
     sed -i '/^Build-Depends:/ s/ debhelper-compat (= 12)/ debhelper-compat (= 11)/' debian/control && \
     dch -l hephy "Fix build deps for Ubuntu Bionic" && \
     mk-build-deps -i -t "apt-get -y --no-install-recommends" && \
     sed -i '/^CONFARGS\s*=/ s/ enable-unit-test//' debian/rules && \
     dch -l hephy "Disable unit tests" && \
-    sed -i '/^CONFARGS\s*=/ s/$/ enable-weak-ssl-ciphers/' debian/rules && \
-    dch -l hephy "Enable weak SSL ciphers" && \
-    cp "$BUILD_PATH/openssl-equal-1.1.1e-dev_ciphers.patch" debian/patches/ && \
-    echo openssl-equal-1.1.1e-dev_ciphers.patch >> debian/patches/series && \
-    dch -l hephy "Add BoringSSL port of equal preference cipher groups" && \
-    cp "$BUILD_PATH/openssl-1.1.1i-chacha_draft.patch" debian/patches/ && \
-    echo openssl-1.1.1i-chacha_draft.patch >> debian/patches/series && \
-    dch -l hephy "Add ChaCha-Draft cipher support" && \
     dch -r " " && \
     DEB_BUILD_OPTIONS=nocheck dpkg-buildpackage -uc -b -rfakeroot && \
     cd .. && \
@@ -114,10 +100,10 @@ RUN set -x && \
     DEBIAN_FRONTEND=noninteractive apt-get install -y --no-install-recommends \
         $buildDeps \
         $runtimeDeps && \
-    export NGINX_VERSION=1.20.1 SIGNING_KEY=B0F4253373F8F6F510D42178520A9993A1C052F8 \
+    export NGINX_VERSION=1.22.1 SIGNING_KEY=13C82A63B603576156E30A4EA0EA981B66B0D967 \
            CLOUDFLARE_ZLIB_VERSION=372bcd151c901418c2721232bf09dc9cdbebafb5 \
            VTS_VERSION=0.1.18 GEOIP2_VERSION=3.3 \
-           MOD_SECURITY_NGINX_VERSION=1.0.2 \
+           MOD_SECURITY_NGINX_VERSION=1.0.3 \
            OWASP_MOD_SECURITY_CRS_VERSION=3.3.2 \
            BUILD_PATH=/tmp/build PREFIX=/opt/router && \
     ldconfig && \
@@ -135,7 +121,7 @@ RUN set -x && \
             "https://github.com/vozlt/nginx-module-vts/archive/v$VTS_VERSION.tar.gz" && \
     get_src 41378438c833e313a18869d0c4a72704b4835c30acaf7fd68013ab6732ff78a7 \
             "https://github.com/leev/ngx_http_geoip2_module/archive/$GEOIP2_VERSION.tar.gz" && \
-    get_src f8d3ff15520df736c5e20e91d5852ec27e0874566c2afce7dcb979e2298d6980 \
+    get_src 32a42256616cc674dca24c8654397390adff15b888b77eb74e0687f023c8751b \
             "https://github.com/SpiderLabs/ModSecurity-nginx/archive/v$MOD_SECURITY_NGINX_VERSION.tar.gz" && \
     cd "$BUILD_PATH/zlib-$CLOUDFLARE_ZLIB_VERSION" && \
     make -f Makefile.in distclean && \