From 8702ae01109216bddb9b05e3dae2fe6fb15ce117 Mon Sep 17 00:00:00 2001 From: Maximilian Bosch Date: Mon, 9 Oct 2023 10:47:17 +0200 Subject: nixos/nextcloud: drop enableBrokenCiphersForSSE MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit 🎉 --- nixos/doc/manual/release-notes/rl-2211.section.md | 2 +- nixos/modules/services/web-apps/nextcloud.md | 8 +-- nixos/modules/services/web-apps/nextcloud.nix | 68 ++--------------------- 3 files changed, 8 insertions(+), 70 deletions(-) diff --git a/nixos/doc/manual/release-notes/rl-2211.section.md b/nixos/doc/manual/release-notes/rl-2211.section.md index 97a30557350..37079c20967 100644 --- a/nixos/doc/manual/release-notes/rl-2211.section.md +++ b/nixos/doc/manual/release-notes/rl-2211.section.md @@ -130,7 +130,7 @@ In addition to numerous new and upgraded packages, this release includes the fol don't lose access to their files. In any other case, it's safe to use OpenSSL 3 for PHP's OpenSSL extension. This can be done by setting - [](#opt-services.nextcloud.enableBrokenCiphersForSSE) to `false`. + `services.nextcloud.enableBrokenCiphersForSSE` to `false`. - The `coq` package and versioned variants starting at `coq_8_14` no longer include CoqIDE, which is now available through diff --git a/nixos/modules/services/web-apps/nextcloud.md b/nixos/modules/services/web-apps/nextcloud.md index cbd7b5b3d06..a25bed30e47 100644 --- a/nixos/modules/services/web-apps/nextcloud.md +++ b/nixos/modules/services/web-apps/nextcloud.md @@ -119,13 +119,7 @@ Auto updates for Nextcloud apps can be enabled using - **Server-side encryption.** Nextcloud supports [server-side encryption (SSE)](https://docs.nextcloud.com/server/latest/admin_manual/configuration_files/encryption_configuration.html). This is not an end-to-end encryption, but can be used to encrypt files that will be persisted - to external storage such as S3. Please note that this won't work anymore when using OpenSSL 3 - for PHP's openssl extension and **Nextcloud 25 or older** because this is implemented using the - legacy cipher RC4. For Nextcloud26 this isn't relevant anymore, because Nextcloud has an RC4 implementation - written in native PHP and thus doesn't need `ext-openssl` for that anymore. - If [](#opt-system.stateVersion) is *above* `22.05`, - this is disabled by default. To turn it on again and for further information please refer to - [](#opt-services.nextcloud.enableBrokenCiphersForSSE). + to external storage such as S3. ## Using an alternative webserver as reverse-proxy (e.g. `httpd`) {#module-services-nextcloud-httpd} diff --git a/nixos/modules/services/web-apps/nextcloud.nix b/nixos/modules/services/web-apps/nextcloud.nix index 5f09179faed..241b2b9b821 100644 --- a/nixos/modules/services/web-apps/nextcloud.nix +++ b/nixos/modules/services/web-apps/nextcloud.nix @@ -27,13 +27,7 @@ let phpPackage = cfg.phpPackage.buildEnv { extensions = { enabled, all }: - (with all; - # disable default openssl extension - (lib.filter (e: e.pname != "php-openssl") enabled) - # use OpenSSL 1.1 for RC4 Nextcloud encryption if user - # has acknowledged the brokenness of the ciphers (RC4). - # TODO: remove when https://github.com/nextcloud/server/issues/32003 is fixed. - ++ (if cfg.enableBrokenCiphersForSSE then [ cfg.phpPackage.extensions.openssl-legacy ] else [ cfg.phpPackage.extensions.openssl ]) + (with all; enabled ++ optional cfg.enableImagemagick imagick # Optionally enabled depending on caching settings ++ optional cfg.caching.apcu apcu @@ -87,6 +81,10 @@ in { Further details about this can be found in the `Nextcloud`-section of the NixOS-manual (which can be opened e.g. by running `nixos-help`). '') + (mkRemovedOptionModule [ "services" "nextcloud" "enableBrokenCiphersForSSE" ] '' + This option has no effect since there's no supported Nextcloud version packaged here + using OpenSSL for RC4 SSE. + '') (mkRemovedOptionModule [ "services" "nextcloud" "disableImagemagick" ] '' Use services.nextcloud.enableImagemagick instead. '') @@ -95,39 +93,6 @@ in { options.services.nextcloud = { enable = mkEnableOption (lib.mdDoc "nextcloud"); - enableBrokenCiphersForSSE = mkOption { - type = types.bool; - default = versionOlder stateVersion "22.11"; - defaultText = literalExpression "versionOlder system.stateVersion \"22.11\""; - description = lib.mdDoc '' - This option enables using the OpenSSL PHP extension linked against OpenSSL 1.1 - rather than latest OpenSSL (≥ 3), this is not recommended unless you need - it for server-side encryption (SSE). SSE uses the legacy RC4 cipher which is - considered broken for several years now. See also [RFC7465](https://datatracker.ietf.org/doc/html/rfc7465). - - This cipher has been disabled in OpenSSL ≥ 3 and requires - a specific legacy profile to re-enable it. - - If you deploy Nextcloud using OpenSSL ≥ 3 for PHP and have - server-side encryption configured, you will not be able to access - your files anymore. Enabling this option can restore access to your files. - Upon testing we didn't encounter any data corruption when turning - this on and off again, but this cannot be guaranteed for - each Nextcloud installation. - - It is `true` by default for systems with a [](#opt-system.stateVersion) below - `22.11` to make sure that existing installations won't break on update. On newer - NixOS systems you have to explicitly enable it on your own. - - Please note that this only provides additional value when using - external storage such as S3 since it's not an end-to-end encryption. - If this is not the case, - it is advised to [disable server-side encryption](https://docs.nextcloud.com/server/latest/admin_manual/configuration_files/encryption_configuration.html#disabling-encryption) and set this to `false`. - - In the future, Nextcloud may move to AES-256-GCM, by then, - this option will be removed. - ''; - }; hostName = mkOption { type = types.str; description = lib.mdDoc "FQDN for the nextcloud instance."; @@ -740,28 +705,7 @@ in { '') ++ (optional (versionOlder cfg.package.version "25") (upgradeWarning 24 "22.11")) ++ (optional (versionOlder cfg.package.version "26") (upgradeWarning 25 "23.05")) - ++ (optional (versionOlder cfg.package.version "27") (upgradeWarning 26 "23.11")) - ++ (optional cfg.enableBrokenCiphersForSSE '' - You're using PHP's openssl extension built against OpenSSL 1.1 for Nextcloud. - This is only necessary if you're using Nextcloud's server-side encryption. - Please keep in mind that it's using the broken RC4 cipher. - - If you don't use that feature, you can switch to OpenSSL 3 and get - rid of this warning by declaring - - services.nextcloud.enableBrokenCiphersForSSE = false; - - If you need to use server-side encryption you can ignore this warning. - Otherwise you'd have to disable server-side encryption first in order - to be able to safely disable this option and get rid of this warning. - See on how to achieve this. - - For more context, here is the implementing pull request: https://github.com/NixOS/nixpkgs/pull/198470 - '') - ++ (optional (cfg.enableBrokenCiphersForSSE && versionAtLeast cfg.package.version "26") '' - Nextcloud26 supports RC4 without requiring legacy OpenSSL, so - `services.nextcloud.enableBrokenCiphersForSSE` can be set to `false`. - ''); + ++ (optional (versionOlder cfg.package.version "27") (upgradeWarning 26 "23.11")); services.nextcloud.package = with pkgs; mkDefault ( -- cgit 1.4.1