authorGene Wood <github.com@ewood.users.cementhorizon.com>2015-04-13 14:27:14 -0700
committerGene Wood <github.com@ewood.users.cementhorizon.com>2015-04-13 14:27:14 -0700
commit9264e24be2ba0e9f567a4466a4dc0dc4c24af05c (patch)
tree91a5818a59fb5c3f0eff039d4baaf1b8d10ffe24 /ssl-config-generator
parent549a5b6b9979ec71b12baed5428cfde2a6a2eff2 (diff)
parentc5f8201c1e10b305cda954a15d76be270feebe40 (diff)
Merge pull request #46 from mozilla/no-modern-for-old-openssl
Adding new semver test for OpenSSL grammar and code to disable `modern` profile for old versions of OpenSSL
Diffstat (limited to 'ssl-config-generator')
-rw-r--r--ssl-config-generator/index.html19
1 files changed, 16 insertions, 3 deletions
diff --git a/ssl-config-generator/index.html b/ssl-config-generator/index.html
index 3cab564..136e367 100644
--- a/ssl-config-generator/index.html
+++ b/ssl-config-generator/index.html
@@ -31,6 +31,8 @@
<script>
// https://gist.github.com/cowboy/566233
var isSemVer=(function(){var a=/^(<|>|[=!<>]=)?\s*(\d+(?:\.\d+){0,2})([a-z][a-z0-9\-]*)?$/i;function b(e,c){var d=(e+"").match(a);return d?(c?(d[1]||"=="):"")+'"'+(d[2]+".0.0").match(/\d+(?:\.\d+){0,2}/)[0].replace(/(?:^|\.)(\d+)/g,function(g,f){return Array(9-f.length).join(0)+f;})+(d[3]||"~")+'"':(c?"==0":1);}return function(e){e=b(e);for(var c,d=1;c=arguments[d++];){if(!(new Function("return "+e+b(c,1)))()){return false;}}return true;};})();
+ // isSemVer says "1.0.1 > 1.0.1e" and isOpenSSLSemVer says "1.0.1 < 1.0.1e". isOpenSSLSemVer is needed to accommodate OpenSSL's version grammar
+ var isOpenSSLSemVer=(function(){var a=/^(<|>|[=!<>]=)?\s*(\d+(?:\.\d+){0,2})([a-z][a-z0-9\-]*)?$/i;function b(e,c){var d=(e+"").match(a);return d?(c?(d[1]||"=="):"")+'"'+(d[2]+".0.0").match(/\d+(?:\.\d+){0,2}/)[0].replace(/(?:^|\.)(\d+)/g,function(g,f){return Array(9-f.length).join(0)+f;})+(d[3]||"")+'"':(c?"==0":1);}return function(e){e=b(e);for(var c,d=1;c=arguments[d++];){if(!(new Function("return "+e+b(c,1)))()){return false;}}return true;};})();
</script>
<script>
if (window.location.protocol != "https:")
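Review bot: The added `isOpenSSLSemVer` is a second full copy of the minified `isSemVer` body that differs only in the suffix default (`d[3]||""` instead of `d[3]||"~"`), and both copies evaluate a built string through `new Function`. The value typed into the version field is kept out of that evaluated string only by the anchored regex in `a`, so the two copies have to stay in sync, and the page cannot be served under a Content-Security-Policy that omits `'unsafe-eval'`. I would build both comparators from one factory that takes the suffix default as a parameter and compares the zero-padded strings with a small operator switch instead of `new Function`. A comment such as `// input must match the anchored pattern before it is compared; do not relax it` would also record why the regex matters.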
@@ -167,7 +169,7 @@ frontend ft_test
case "apache":
// http://httpd.apache.org/docs/current/mod/mod_ssl.html
data.compression = isSemVer(data.serverVersion, ">=2.4.3") ? ' SSLCompression off' : '';
- if (isSemVer(data.opensslVersion, ">=0.9.8h") && isSemVer(data.serverVersion, '>=2.3.3')) {
+ if (isOpenSSLSemVer(data.opensslVersion, ">=0.9.8h") && isSemVer(data.serverVersion, '>=2.3.3')) {
data.ocspStapling = '\n # OCSP Stapling, only in httpd 2.3.3 and later' + '\n' +
' SSLUseStapling on' + '\n' +
' SSLStaplingResponderTimeout 5' + '\n' +
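Review bot: Only the OCSP stapling check in the `apache` case is switched to `isOpenSSLSemVer` here. According to the comment added in this commit, `isSemVer` orders `1.0.1` above `1.0.1e`, so any other comparison of `data.opensslVersion` that still goes through `isSemVer` (other server cases are outside this hunk, so I cannot confirm) would misjudge letter-suffixed OpenSSL releases. It would be worth checking for remaining `isSemVer(data.opensslVersion, ...)` calls and adding a short comment next to `isSemVer` along the lines of `// server versions only; use isOpenSSLSemVer for OpenSSL versions`.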
@@ -248,6 +250,17 @@ frontend ft_test
profile: $("div#security-profile-list input:radio:checked").val()
})
});
+
+ if (isOpenSSLSemVer(data.opensslVersion, "<1.0.1") && data.securityProfile == "modern") {
+ $("#security-profile-list input#intermediate").prop( "checked", true );
+ data.securityProfile = "intermediate";
+ $("#security-profile-list input#modern").prop("disabled", true);
+ $("#security-profile-list label[for=modern]").attr("title", "Modern profile is not available. TLS v1.1 and v1.2 support is only present in OpenSSL 1.0.1 and newer");
+ } else if (isOpenSSLSemVer(data.opensslVersion, ">=1.0.1") && $("#security-profile-list input#modern").prop("disabled") == true) {
+ $("#security-profile-list input#modern").prop("disabled", false);
+ $("#security-profile-list label[for=modern]").removeAttr("title");
+ }
+
$("#server-config-text").html(template(data));
}
$("ul#security-profile-list li button").click(function() {
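Review bot: The modern radio is disabled only inside the branch that also requires `data.securityProfile == "modern"`, so with an OpenSSL older than 1.0.1 and another profile selected the option stays clickable and has no tooltip until the user picks it and is switched to intermediate. A version string that the regex in `isOpenSSLSemVer` does not accept appears to make both comparisons false, so neither branch runs and a modern configuration is still rendered for an unknown OpenSSL version. I would compute `var modernUnavailable = !isOpenSSLSemVer(data.opensslVersion, ">=1.0.1");` once, apply `.prop("disabled", modernUnavailable)` and the title on every render, and downgrade the selection only when modern is currently checked. The enclosing render function starts above this hunk.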
@@ -298,10 +311,10 @@ frontend ft_test
</div>
<div style="width 100px; float:left; padding:1em;">
<label for="server-version">Server Version</label>
- <input id="server-version" type="text" maxlength="15" value="1.0" />
+ <input id="server-version" type="text" maxlength="15" value="2.2.15" />
<br />
<label for="openssl-version">OpenSSL Version</label>
- <input id="openssl-version" type="text" maxlength="15" value="0.9.8h" />
+ <input id="openssl-version" type="text" maxlength="15" value="1.0.1e" />
<br />
<label for="hsts-enabled"><a href="http://en.wikipedia.org/wiki/HTTP_Strict_Transport_Security">HSTS</a> Enabled</label>
<input id="hsts-enabled" type="checkbox" value="true" checked="checked" />