ownCloud and TLS 1.1/1.2

Status
Not open for further replies.

Mathew

Dabbler
Joined
Apr 21, 2015
Messages
39
Hello all.

Before starting I would like to add that I've done a number of searches here and on Google but have not been able to get the ownCloud plugin to use TLS 1.1 or 1.2. It seems to only like 1.0.

I have jexec'd into the jail, changed the Apache config file in /usr/pbi/..../etc/Apache24/extra/httpd-ssl.conf to include:

SSLProtocol ALL -SSLv2 -SSLv3
SSLHonorCipherOrder On
SSLCipherSuite ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:!aNULL:!MD5

without any issue, but if I add "-SSLv1" to the SSLProtocol line, Apache will not start and I cannot find any error written anywhere in /var/log, aside from one that just states that the Apache service failed to start.

Anyone have any insight?
 

Mathew

Dabbler
Joined
Apr 21, 2015
Messages
39
Sorry.

Code:
SSLProtocol ALL -SSLv2 -SSLv3
SSLHonorCipherOrder On
SSLCipherSuite ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:!aNULL:!MD5
 

cyberjock

Inactive Account
Joined
Mar 25, 2012
Messages
19,526
You are probably better off asking the Owncloud support forums.
 

Mathew

Dabbler
Joined
Apr 21, 2015
Messages
39
This is not a problem directly with ownCloud, it is an issue more with the underlying Apache server. I will try there as well. Thank you.
 

Joshua Parker Ruehlig

Hall of Famer
Joined
Dec 5, 2011
Messages
5,949
This is not a problem directly with ownCloud, it is an issue more with the underlying Apache server. I will try there as well. Thank you.
I wonder if your issue has something to do with the version of OpenSSL Apache was compiled with. It was likely built with the default for FreeBSD 9.3, OpenSSL 0.9.8.

EDIT
TLS >1.0 needs openssl 1.0.1+
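
A quick way to check both points raised so far in the thread, as an added example that is not code from any poster: the first function flags SSLProtocol tokens that are not protocol names (SSLv1 is not one; TLS 1.0 is written TLSv1), the second tells whether a version string in `openssl version` format is 1.0.1 or newer, the first release line with TLS 1.1 and 1.2. The accepted-name list and the sample version strings are assumptions constructed for the example.

```shell
#!/bin/sh
# Added example; all inputs below are constructed, not taken from the poster's jail.

# Protocol names accepted on SSLProtocol, lowercased. Assumption: taken from the
# Apache 2.4 mod_ssl documentation, plus SSLv2, which the thread's working
# config disables. Later builds also accept TLSv1.3.
KNOWN_PROTOCOLS="all sslv2 sslv3 tlsv1 tlsv1.1 tlsv1.2"

# Print every token of an SSLProtocol line that is not a known protocol name.
bad_protocol_tokens() {
    bad=""
    set -f; set -- $1; set +f          # split the line into words, no globbing
    if [ $# -gt 0 ]; then shift; fi    # drop the directive name
    for tok in "$@"; do
        # strip the leading +/- and compare case-insensitively
        name=$(printf '%s' "${tok#[+-]}" | tr 'A-Z' 'a-z')
        ok=no
        for known in $KNOWN_PROTOCOLS; do
            if [ "$name" = "$known" ]; then ok=yes; fi
        done
        if [ "$ok" = no ]; then bad="${bad}${bad:+ }${tok}"; fi
    done
    printf '%s' "$bad"
}

# Exit 0 if the version string reports OpenSSL 1.0.1 or newer, 1 if older,
# 2 if the string is not in "OpenSSL x.y.z..." form.
openssl_has_tls12() {
    ver=$(printf '%s\n' "$1" |
        sed -n 's/^OpenSSL \([0-9]*\)\.\([0-9]*\)\.\([0-9]*\).*/\1 \2 \3/p')
    [ -n "$ver" ] || return 2
    set -- $ver
    [ $(( $1 * 10000 + $2 * 100 + $3 )) -ge 10001 ]
}

# Constructed inputs: the directive from the thread with the extra token, and
# two version strings in the format `openssl version` prints.
printf 'unknown tokens: %s\n' \
    "$(bad_protocol_tokens 'SSLProtocol ALL -SSLv2 -SSLv3 -SSLv1')"
for v in 'OpenSSL 0.9.8zd 8 Jan 2015' 'OpenSSL 1.0.2a 19 Mar 2015'; do
    if openssl_has_tls12 "$v"; then
        echo "$v: TLS 1.1/1.2 available"
    else
        echo "$v: TLS 1.0 at most"
    fi
done
```

On a real host, `apachectl configtest` reports an invalid SSLProtocol argument directly, and `openssl version` gives the version string for whichever OpenSSL is first in the path, which may not be the one httpd was linked against.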
 

Jailer

Not strong, but bad
Joined
Sep 12, 2014
Messages
4,977
So if you are installing from the package repository then the only version you can get would be the version compiled with 9.3 correct? To get any other version (apache, nginx, etc.) then you would have to install from ports after you update to the latest version of openssl?
 

Joshua Parker Ruehlig

Hall of Famer
Joined
Dec 5, 2011
Messages
5,949
So if you are installing from the package repository then the only version you can get would be the version compiled with 9.3 correct? To get any other version (apache, nginx, etc.) then you would have to install from ports after you update to the latest version of openssl?
Updating OpenSSL is irrelevant. Either you compile a port/package/PBI with the version included with your version of FreeBSD, or you compile with the latest version in ports (set WITH_OPENSSL_PORT=yes).

The default package repo doesn't enable this option. I could enable this in our PBI if you guys want.
 

Jailer

Not strong, but bad
Joined
Sep 12, 2014
Messages
4,977
So even if you update to openssl 1.0.1+ before you compile your apache or nginx it will still be built with the base version of openssl? If so how do you get around this and install your server using the latest version of openssl in a jail?
 

Joshua Parker Ruehlig

Hall of Famer
Joined
Dec 5, 2011
Messages
5,949
So even if you update to openssl 1.0.1+ before you compile your apache or nginx it will still be built with the base version of openssl? If so how do you get around this and install your server using the latest version of openssl in a jail?
I said it above. Set that option in your make.conf and build from ports. I could also set that option in my pbi.conf if you guys want the latest OpenSSL in the FreeNAS PBI.
 

Jailer

Not strong, but bad
Joined
Sep 12, 2014
Messages
4,977
Sorry, guess I needed to hear it twice for it to sink in. :oops:
 

Jailer

Not strong, but bad
Joined
Sep 12, 2014
Messages
4,977
OK just created a new jail to try it out and nginx 1.8.0 installed from ports with openssl 1.0.2 support. Thanks.
 

SmallGuy

Guru
Joined
Jun 7, 2013
Messages
560
Compiling from ports is how I proceed with nginx.
Very easy to update OpenSSL in this case.
You will find useful information about OpenSSL, like "how to create a secure cipher suite", testing... here: https://www.feistyduck.com/books/openssl-cookbook/
 

Joshua Parker Ruehlig

Hall of Famer
Joined
Dec 5, 2011
Messages
5,949
Exactly right. 0.9.8 it is. :-\
Once ownCloud 8.0.3 finally releases, I'll compile this PBI with OpenSSL from ports.
 

Jailer

Not strong, but bad
Joined
Sep 12, 2014
Messages
4,977
once owncloud 8.0.3 finally releases, I'll compile this PBI with openssl from ports.

Probably a good idea if someone does want to harden the installation and make it internet facing.
 

Joshua Parker Ruehlig

Hall of Famer
Joined
Dec 5, 2011
Messages
5,949
I fixed this in the ownCloud 8.0.3 update of the plugin, which should be available tomorrow. Please test if it worked, because I don't use Apache myself.
Thanks
 

Mathew

Dabbler
Joined
Apr 21, 2015
Messages
39
Hmm. I just get "
May 6 18:03:26 NAS manage.py: [middleware.exceptions:38] [MiddlewareError: Failed to update plugin]"

I've looked through a few logs and cannot locate any more details.
 

Joshua Parker Ruehlig

Hall of Famer
Joined
Dec 5, 2011
Messages
5,949
Hmm. I just get "
May 6 18:03:26 NAS manage.py: [middleware.exceptions:38] [MiddlewareError: Failed to update plugin]"

I've looked through a few logs and cannot locate any more details.
So updating 8.0.2>8.0.3 doesn't work.

How about a second install of ownCloud?
 

Mathew

Dabbler
Joined
Apr 21, 2015
Messages
39
I would hate to lose everything I've put into the existing OwnCloud. Is there a log that may have more details?
 