allow configurable ssl protocols and ciphersuites

util/Setup/Context.cs

@@ -150,6 +150,7 @@ namespace Bit.Setup
         {
             [Description("Note: After making changes to this file you need to run the `rebuild` or `update`\n" +
                 "command for them to be applied.\n\n" +
+
                 "Full URL for accessing the installation from a browser. (Required)")]
             public string Url { get; set; } = "https://localhost";
 
@@ -180,6 +181,14 @@ namespace Bit.Setup
             [Description("Configure Nginx for SSL.")]
             public bool Ssl { get; set; } = true;
 
+            [Description("SSL versions used by Nginx (ssl_protocols). Leave empty for recommended default.\n" +
+                "Learn more: https://wiki.mozilla.org/Security/Server_Side_TLS")]
+            public string SslVersions { get; set; }
+
+            [Description("SSL ciphersuites used by Nginx (ssl_ciphers). Leave empty for recommended default.\n" +
+                "Learn more: https://wiki.mozilla.org/Security/Server_Side_TLS")]
+            public string SslCiphersuites { get; set; }
+
             [Description("Installation uses a managed Let's Encrypt certificate.")]
             public bool SslManagedLetsEncrypt { get; set; }
 

util/Setup/NginxConfigBuilder.cs

@@ -6,10 +6,6 @@ namespace Bit.Setup
     public class NginxConfigBuilder
     {
         private const string ConfFile = "/bitwarden/nginx/default.conf";
-        private const string SslCiphers =
-            "ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:" +
-            "ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:" +
-            "ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256";
         private const string ContentSecurityPolicy =
             "default-src 'self'; style-src 'self' 'unsafe-inline'; " +
             "img-src 'self' data: https://haveibeenpwned.com https://www.gravatar.com; " +
@@ -98,6 +94,27 @@ namespace Bit.Setup
                         DiffieHellmanPath = context.Config.SslDiffieHellmanPath;
                     }
                 }
+
+                if(!string.IsNullOrWhiteSpace(context.Config.SslCiphersuites))
+                {
+                    SslCiphers = context.Config.SslCiphersuites;
+                }
+                else
+                {
+                    SslCiphers = "ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:" +
+                        "ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:" +
+                        "ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:" +
+                        "ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256";
+                }
+
+                if(!string.IsNullOrWhiteSpace(context.Config.SslVersions))
+                {
+                    SslProtocols = context.Config.SslVersions;
+                }
+                else
+                {
+                    SslProtocols = "TLSv1.2";
+                }
             }
 
             public bool Ssl { get; set; }
@@ -107,8 +124,9 @@ namespace Bit.Setup
             public string KeyPath { get; set; }
             public string CaPath { get; set; }
             public string DiffieHellmanPath { get; set; }
+            public string SslCiphers { get; set; }
+            public string SslProtocols { get; set; }
             public string ContentSecurityPolicy => string.Format(NginxConfigBuilder.ContentSecurityPolicy, Domain);
-            public string SslCiphers => NginxConfigBuilder.SslCiphers;
         }
     }
 }

util/Setup/Templates/NginxConfig.hbs

@@ -28,9 +28,7 @@ server {
   ssl_dhparam {{{DiffieHellmanPath}}};
 {{/if}}
 
-  # SSL protocol TLSv1.2 is allowed. Disabled SSLv3, TLSv1, and TLSv1.1
-  ssl_protocols TLSv1.2;
-  # Enable most secure cipher suites only.
+  ssl_protocols {{{SslProtocols}}};
   ssl_ciphers "{{{SslCiphers}}}";
   # Enables server-side protection from BEAST attacks
   ssl_prefer_server_ciphers on;