Skip to content

Commit

Permalink
nixos/nextcloud: drop enableBrokenCiphersForSSE
Browse files Browse the repository at this point in the history
🎉
  • Loading branch information
Ma27 committed Oct 9, 2023
1 parent bbc7d49 commit 8702ae0
Show file tree
Hide file tree
Showing 3 changed files with 8 additions and 70 deletions.
2 changes: 1 addition & 1 deletion nixos/doc/manual/release-notes/rl-2211.section.md
Original file line number Diff line number Diff line change
Expand Up @@ -130,7 +130,7 @@ In addition to numerous new and upgraded packages, this release includes the fol
don't lose access to their files.

In any other case, it's safe to use OpenSSL 3 for PHP's OpenSSL extension. This can be done by setting
[](#opt-services.nextcloud.enableBrokenCiphersForSSE) to `false`.
`services.nextcloud.enableBrokenCiphersForSSE` to `false`.

- The `coq` package and versioned variants starting at `coq_8_14` no
longer include CoqIDE, which is now available through
Expand Down
8 changes: 1 addition & 7 deletions nixos/modules/services/web-apps/nextcloud.md
Original file line number Diff line number Diff line change
Expand Up @@ -119,13 +119,7 @@ Auto updates for Nextcloud apps can be enabled using
- **Server-side encryption.**
Nextcloud supports [server-side encryption (SSE)](https://docs.nextcloud.com/server/latest/admin_manual/configuration_files/encryption_configuration.html).
This is not an end-to-end encryption, but can be used to encrypt files that will be persisted
to external storage such as S3. Please note that this won't work anymore when using OpenSSL 3
for PHP's openssl extension and **Nextcloud 25 or older** because this is implemented using the
legacy cipher RC4. For Nextcloud26 this isn't relevant anymore, because Nextcloud has an RC4 implementation
written in native PHP and thus doesn't need `ext-openssl` for that anymore.
If [](#opt-system.stateVersion) is *above* `22.05`,
this is disabled by default. To turn it on again and for further information please refer to
[](#opt-services.nextcloud.enableBrokenCiphersForSSE).
to external storage such as S3.

## Using an alternative webserver as reverse-proxy (e.g. `httpd`) {#module-services-nextcloud-httpd}

Expand Down
68 changes: 6 additions & 62 deletions nixos/modules/services/web-apps/nextcloud.nix
Original file line number Diff line number Diff line change
Expand Up @@ -27,13 +27,7 @@ let

phpPackage = cfg.phpPackage.buildEnv {
extensions = { enabled, all }:
(with all;
# disable default openssl extension
(lib.filter (e: e.pname != "php-openssl") enabled)
# use OpenSSL 1.1 for RC4 Nextcloud encryption if user
# has acknowledged the brokenness of the ciphers (RC4).
# TODO: remove when https://github.com/nextcloud/server/issues/32003 is fixed.
++ (if cfg.enableBrokenCiphersForSSE then [ cfg.phpPackage.extensions.openssl-legacy ] else [ cfg.phpPackage.extensions.openssl ])
(with all; enabled
++ optional cfg.enableImagemagick imagick
# Optionally enabled depending on caching settings
++ optional cfg.caching.apcu apcu
Expand Down Expand Up @@ -87,6 +81,10 @@ in {
Further details about this can be found in the `Nextcloud`-section of the NixOS-manual
(which can be opened e.g. by running `nixos-help`).
'')
(mkRemovedOptionModule [ "services" "nextcloud" "enableBrokenCiphersForSSE" ] ''
This option has no effect since there's no supported Nextcloud version packaged here
using OpenSSL for RC4 SSE.
'')
(mkRemovedOptionModule [ "services" "nextcloud" "disableImagemagick" ] ''
Use services.nextcloud.enableImagemagick instead.
'')
Expand All @@ -95,39 +93,6 @@ in {
options.services.nextcloud = {
enable = mkEnableOption (lib.mdDoc "nextcloud");

enableBrokenCiphersForSSE = mkOption {
type = types.bool;
default = versionOlder stateVersion "22.11";
defaultText = literalExpression "versionOlder system.stateVersion \"22.11\"";
description = lib.mdDoc ''
This option enables using the OpenSSL PHP extension linked against OpenSSL 1.1
rather than latest OpenSSL (≥ 3), this is not recommended unless you need
it for server-side encryption (SSE). SSE uses the legacy RC4 cipher which is
considered broken for several years now. See also [RFC7465](https://datatracker.ietf.org/doc/html/rfc7465).
This cipher has been disabled in OpenSSL ≥ 3 and requires
a specific legacy profile to re-enable it.
If you deploy Nextcloud using OpenSSL ≥ 3 for PHP and have
server-side encryption configured, you will not be able to access
your files anymore. Enabling this option can restore access to your files.
Upon testing we didn't encounter any data corruption when turning
this on and off again, but this cannot be guaranteed for
each Nextcloud installation.
It is `true` by default for systems with a [](#opt-system.stateVersion) below
`22.11` to make sure that existing installations won't break on update. On newer
NixOS systems you have to explicitly enable it on your own.
Please note that this only provides additional value when using
external storage such as S3 since it's not an end-to-end encryption.
If this is not the case,
it is advised to [disable server-side encryption](https://docs.nextcloud.com/server/latest/admin_manual/configuration_files/encryption_configuration.html#disabling-encryption) and set this to `false`.
In the future, Nextcloud may move to AES-256-GCM, by then,
this option will be removed.
'';
};
hostName = mkOption {
type = types.str;
description = lib.mdDoc "FQDN for the nextcloud instance.";
Expand Down Expand Up @@ -740,28 +705,7 @@ in {
'')
++ (optional (versionOlder cfg.package.version "25") (upgradeWarning 24 "22.11"))
++ (optional (versionOlder cfg.package.version "26") (upgradeWarning 25 "23.05"))
++ (optional (versionOlder cfg.package.version "27") (upgradeWarning 26 "23.11"))
++ (optional cfg.enableBrokenCiphersForSSE ''
You're using PHP's openssl extension built against OpenSSL 1.1 for Nextcloud.
This is only necessary if you're using Nextcloud's server-side encryption.
Please keep in mind that it's using the broken RC4 cipher.
If you don't use that feature, you can switch to OpenSSL 3 and get
rid of this warning by declaring
services.nextcloud.enableBrokenCiphersForSSE = false;
If you need to use server-side encryption you can ignore this warning.
Otherwise you'd have to disable server-side encryption first in order
to be able to safely disable this option and get rid of this warning.
See <https://docs.nextcloud.com/server/latest/admin_manual/configuration_files/encryption_configuration.html#disabling-encryption> on how to achieve this.
For more context, here is the implementing pull request: https://github.com/NixOS/nixpkgs/pull/198470
'')
++ (optional (cfg.enableBrokenCiphersForSSE && versionAtLeast cfg.package.version "26") ''
Nextcloud26 supports RC4 without requiring legacy OpenSSL, so
`services.nextcloud.enableBrokenCiphersForSSE` can be set to `false`.
'');
++ (optional (versionOlder cfg.package.version "27") (upgradeWarning 26 "23.11"));

services.nextcloud.package = with pkgs;
mkDefault (
Expand Down

0 comments on commit 8702ae0

Please sign in to comment.