mirror of
https://github.com/ironfox-oss/IronFox.git
synced 2026-06-11 01:34:46 -04:00
feat: harden cipher suites and enforce at least TLS 1.2 for various network connections
Signed-off-by: celenity <celenity@celenity.dev>
This commit is contained in:
celenity
@@ -582,6 +582,13 @@ if [[ -z "${IRONFOX_WASI+x}" ]]; then
|
||||
export IRONFOX_WASI="${IRONFOX_WASI_DEFAULT}"
|
||||
fi
|
||||
|
||||
# Cipher suites
|
||||
## (This enforces strong cipher suites - see ex. https://browserleaks.com/tls)
|
||||
IRONFOX_CIPHERS_DEFAULT='TLS_AES_128_GCM_SHA256:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_256_GCM_SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384'
|
||||
if [[ -z "${IRONFOX_CIPHERS+x}" ]]; then
|
||||
export IRONFOX_CIPHERS="${IRONFOX_CIPHERS_DEFAULT}"
|
||||
fi
|
||||
|
||||
# If compiler flags are added, this determines whether they should be appended to our default flags (default),
|
||||
## or if they should override them entirely
|
||||
IRONFOX_COMPILER_FLAGS_OVERRIDE_DEFAULT=0
|
||||
@@ -608,7 +615,7 @@ if [[ -z "${IRONFOX_CURL_FLAGS_OVERRIDE+x}" ]]; then
|
||||
fi
|
||||
|
||||
# curl flags
|
||||
IRONFOX_CURL_FLAGS_DEFAULT='-q --disable --no-netrc -j -e "" -A "" -S --clobber --create-dirs --delegation none --disallow-username-in-url --doh-cert-status --ftp-create-dirs --ftp-ssl-control --junk-session-cookies --no-basic --no-ca-native --no-digest --no-doh-insecure --no-http0.9 --no-insecure --no-proxy-insecure --no-negotiate --no-ntlm --no-proxy-basic --no-proxy-ca-native --no-proxy-digest --no-proxy-insecure --no-proxy-ntlm --no-proxy-ssl-allow-beast --no-proxy-ssl-auto-client-cert --no-sessionid --no-skip-existing --no-ssl --no-ssl-allow-beast --no-ssl-auto-client-cert --no-ssl-no-revoke --no-ssl-revoke-best-effort --no-tls-earlydata --no-xattr --progress-meter --proto -all,https --proto-default https --proto-redir -all,https --referer "" --remove-on-error --show-error --ssl-reqd --trace-time --user-agent "" --verbose'
|
||||
IRONFOX_CURL_FLAGS_DEFAULT="-q --disable --no-netrc -j -e "" -A "" -S --ciphers ${IRONFOX_CIPHERS} --clobber --create-dirs --delegation none --disallow-username-in-url --doh-cert-status --ftp-create-dirs --ftp-ssl-control --junk-session-cookies --no-basic --no-ca-native --no-digest --no-doh-insecure --no-http0.9 --no-insecure --no-proxy-insecure --no-negotiate --no-ntlm --no-proxy-basic --no-proxy-ca-native --no-proxy-digest --no-proxy-insecure --no-proxy-ntlm --no-proxy-ssl-allow-beast --no-proxy-ssl-auto-client-cert --no-sessionid --no-skip-existing --no-ssl --no-ssl-allow-beast --no-ssl-auto-client-cert --no-ssl-no-revoke --no-ssl-revoke-best-effort --no-tls-earlydata --no-xattr --progress-meter --proto -all,https --proto-default https --proto-redir -all,https --referer "" --remove-on-error --show-error --ssl-reqd --tlsv1.2 --trace-time --user-agent "" --verbose"
|
||||
if [[ -z "${IRONFOX_CURL_FLAGS+x}" ]]; then
|
||||
export IRONFOX_CURL_FLAGS_OVERRIDE=1
|
||||
export IRONFOX_CURL_FLAGS="${IRONFOX_CURL_FLAGS_DEFAULT}"
|
||||
@@ -626,7 +633,7 @@ if [[ -z "${IRONFOX_GRADLE_FLAGS_OVERRIDE+x}" ]]; then
|
||||
fi
|
||||
|
||||
# Gradle flags
|
||||
IRONFOX_GRADLE_FLAGS_DEFAULT="-Dmaven.repo.local=${IRONFOX_MAVEN_LOCAL} -Dorg.gradle.caching=false -Dorg.gradle.configuration-cache=false -Dorg.gradle.console=verbose -Dorg.gradle.daemon=false -Dorg.gradle.debug=false -Dorg.gradle.java.installations.auto-detect=false -Dorg.gradle.java.installations.auto-download=false --no-build-cache --no-configuration-cache --no-daemon"
|
||||
IRONFOX_GRADLE_FLAGS_DEFAULT="-Dhttps.protocols=TLSv1.3,TLSv1.2 -Dmaven.repo.local=${IRONFOX_MAVEN_LOCAL} -Dorg.gradle.caching=false -Dorg.gradle.configuration-cache=false -Dorg.gradle.console=verbose -Dorg.gradle.daemon=false -Dorg.gradle.debug=false -Dorg.gradle.java.installations.auto-detect=false -Dorg.gradle.java.installations.auto-download=false --no-build-cache --no-configuration-cache --no-daemon"
|
||||
if [[ -z "${IRONFOX_GRADLE_FLAGS+x}" ]]; then
|
||||
export IRONFOX_GRADLE_FLAGS_OVERRIDE=1
|
||||
export IRONFOX_GRADLE_FLAGS="${IRONFOX_GRADLE_FLAGS_DEFAULT}"
|
||||
@@ -636,6 +643,24 @@ else
|
||||
export IRONFOX_GRADLE_FLAGS="${IRONFOX_GRADLE_FLAGS_DEFAULT} ${IRONFOX_GRADLE_FLAGS}"
|
||||
fi
|
||||
|
||||
# If Java options are added, this determines whether they should be appended to our default flags (default),
|
||||
## or if they should override them entirely
|
||||
IRONFOX_JAVA_OPTS_OVERRIDE_DEFAULT=0
|
||||
if [[ -z "${IRONFOX_JAVA_OPTS_OVERRIDE+x}" ]]; then
|
||||
export IRONFOX_JAVA_OPTS_OVERRIDE="${IRONFOX_JAVA_OPTS_OVERRIDE_DEFAULT}"
|
||||
fi
|
||||
|
||||
# Java options
|
||||
IRONFOX_JAVA_OPTS_DEFAULT='-Dhttps.protocols=TLSv1.3,TLSv1.2'
|
||||
if [[ -z "${IRONFOX_JAVA_OPTS+x}" ]]; then
|
||||
export IRONFOX_JAVA_OPTS_OVERRIDE=1
|
||||
export IRONFOX_JAVA_OPTS="${IRONFOX_JAVA_OPTS_DEFAULT}"
|
||||
elif [[ "${IRONFOX_JAVA_OPTS_OVERRIDE}" == 1 ]]; then
|
||||
export IRONFOX_JAVA_OPTS="${IRONFOX_JAVA_OPTS}"
|
||||
else
|
||||
export IRONFOX_JAVA_OPTS="${IRONFOX_JAVA_OPTS_DEFAULT} ${IRONFOX_JAVA_OPTS}"
|
||||
fi
|
||||
|
||||
# If Node.js options are added, this determines whether they should be appended to our default flags (default),
|
||||
## or if they should override them entirely
|
||||
IRONFOX_NODE_OPTIONS_OVERRIDE_DEFAULT=0
|
||||
|
||||
@@ -41,6 +41,7 @@ export GRADLE_USER_HOME="${IRONFOX_GRADLE_HOME}"
|
||||
export IRONFOX_PREBUILDS_AWK="${IRONFOX_AWK}"
|
||||
export IRONFOX_PREBUILDS_CARGO_COLORED_OUTPUT="${IRONFOX_CARGO_COLORED_OUTPUT}"
|
||||
export IRONFOX_PREBUILDS_CARGO_PROGRESS_BAR="${IRONFOX_CARGO_PROGRESS_BAR}"
|
||||
export IRONFOX_PREBUILDS_CIPHERS="${IRONFOX_CIPHERS}"
|
||||
export IRONFOX_PREBUILDS_CURL_FLAGS_OVERRIDE=1
|
||||
export IRONFOX_PREBUILDS_CURL_FLAGS="${IRONFOX_CURL_FLAGS}"
|
||||
export IRONFOX_PREBUILDS_MAKE="${IRONFOX_MAKE}"
|
||||
@@ -53,6 +54,12 @@ export IRONFOX_PREBUILDS_TAR="${IRONFOX_TAR}"
|
||||
# Java home
|
||||
export JAVA_HOME="${IRONFOX_JAVA_HOME}"
|
||||
|
||||
# Java options
|
||||
export GRADLE_OPTS="${IRONFOX_JAVA_OPTS}"
|
||||
export JAVA_OPTS="${IRONFOX_JAVA_OPTS}"
|
||||
export JAVA_TOOL_OPTIONS="${IRONFOX_JAVA_OPTS}"
|
||||
export JDK_JAVA_OPTIONS="${IRONFOX_JAVA_OPTS}"
|
||||
|
||||
# llvm-profdata
|
||||
export LLVM_PROFDATA="${IRONFOX_LLVM_PROFDATA}"
|
||||
|
||||
@@ -142,6 +149,7 @@ export PROFILE='/dev/null'
|
||||
# Phoenix
|
||||
export PHOENIX_ANDROID_ONLY=1
|
||||
export PHOENIX_AWK="${IRONFOX_AWK}"
|
||||
export PHOENIX_CIPHERS="${IRONFOX_CIPHERS}"
|
||||
export PHOENIX_CURL_FLAGS="${IRONFOX_CURL_FLAGS}"
|
||||
export PHOENIX_CURL_FLAGS_OVERRIDE=1
|
||||
export PHOENIX_EXTENDED_ONLY=1
|
||||
@@ -188,6 +196,9 @@ export CARGO_INSTALL_ROOT="${IRONFOX_CARGO_HOME}"
|
||||
export RUSTC="${IRONFOX_RUSTC}"
|
||||
export RUSTDOC="${IRONFOX_RUSTDOC}"
|
||||
|
||||
## Cipher suites
|
||||
export RUSTUP_TLS_CIPHERSUITES="${IRONFOX_CIPHERS}"
|
||||
|
||||
## Disable debug
|
||||
export CARGO_PROFILE_DEV_DEBUG='false'
|
||||
export CARGO_PROFILE_DEV_DEBUG_ASSERTIONS='false'
|
||||
|
||||
Reference in New Issue
Block a user