From 1df3598a7426bedee6cfdacfcf5261da28a402b8 Mon Sep 17 00:00:00 2001 From: logmanoriginal Date: Fri, 1 Nov 2019 16:43:14 +0100 Subject: [PATCH] [Dockerfile] Drop minimum security level back to TLS 1.0 Debian increased the minimum security level for OpenSSL from TLS 1.0 to TLS 1.2 [1] which also affects the Debian-based PHP image for Docker. This change can break some bridges which have to connect to servers with lower security level. Since all browsers still connect to these servers, so should RSS-Bridge. Note that according to [2] Mozilla, Firefox, Microsoft, Google and Apple plan to increase the minimum security level to TLS 1.2 around March 2020. At this time RSS-Bridge should follow the browser changes. This commit updates the Dockerfile to automatically drop the minimum security level back to TLS 1.0. Based on the solution provided by @theScrabi in #1318 [1] https://wiki.debian.org/ContinuousIntegration/TriagingTips/openssl-1.1.1 [2] https://salsa.debian.org/ondrej/openssl/blob/553fc8e61f30cd1f7a59dd38c61e1dd4bf58437d/debian/libssl1.1.NEWS --- Dockerfile | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/Dockerfile b/Dockerfile index 7d0611be..fa9979d6 100644 --- a/Dockerfile +++ b/Dockerfile @@ -6,6 +6,8 @@ RUN mv "$PHP_INI_DIR/php.ini-production" "$PHP_INI_DIR/php.ini" \ && apt-get --yes update && apt-get --yes install libxml2-dev \ && docker-php-ext-install -j$(nproc) simplexml \ && sed -ri -e 's!/var/www/html!${APACHE_DOCUMENT_ROOT}!g' /etc/apache2/sites-available/*.conf \ - && sed -ri -e 's!/var/www/!${APACHE_DOCUMENT_ROOT}!g' /etc/apache2/apache2.conf /etc/apache2/conf-available/*.conf + && sed -ri -e 's!/var/www/!${APACHE_DOCUMENT_ROOT}!g' /etc/apache2/apache2.conf /etc/apache2/conf-available/*.conf \ + && sed -ri -e 's/(MinProtocol\s*=\s*)TLSv1\.2/\1None/' /etc/ssl/openssl.cnf \ + && sed -ri -e 's/(CipherString\s*=\s*DEFAULT)@SECLEVEL=2/\1/' /etc/ssl/openssl.cnf COPY --chown=www-data:www-data ./ /app/ \ No newline at end of file
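Review bot: In the first added `sed` line, `MinProtocol` is rewritten to `None`, not to TLS 1.0 as the subject line says. `None` removes the protocol floor altogether, so the image negotiates whatever the installed OpenSSL build still supports; substituting `\1TLSv1` would match the stated intent. The second added line strips `@SECLEVEL=2` from `CipherString` in `/etc/ssl/openssl.cnf`, which lowers the level for every OpenSSL client in the container rather than only for the bridges that need it. Both substitutions also succeed silently when the pattern does not match the base image's file, so a `grep` for the expected values after the edits would make the build fail visibly if the Debian defaults change. The commit message plans a return to TLS 1.2 around March 2020, but nothing in the Dockerfile records that; a comment next to this `RUN` instruction would keep the downgrade from outliving its reason.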