MMCT TEAM
Server IP : 103.53.40.154  /  Your IP : 13.59.198.150
Web Server : Apache
System : Linux md-in-35.webhostbox.net 4.19.286-203.ELK.el7.x86_64 #1 SMP Wed Jun 14 04:33:55 CDT 2023 x86_64
User : ppcad7no ( 715)
PHP Version : 8.2.25
Disable Function : NONE
MySQL : OFF  |  cURL : ON  |  WGET : ON  |  Perl : ON  |  Python : ON
Directory (0755) :  /srv/../scripts/

[  Home  ][  C0mmand  ][  Upload File  ]

Current File : //srv/../scripts/fixtlsversions
#!/usr/local/cpanel/3rdparty/bin/perl
# cpanel - scripts/fixtlsversions                    Copyright 2022 cPanel, L.L.C.
#                                                           All rights reserved.
# copyright@cpanel.net                                         http://cpanel.net
# This code is subject to the cPanel license. Unauthorized copying is prohibited

package scripts::fixtlsversions;

# This script is related to CPANEL-33512 and is expected to be
# of limited usefulness outside of the one-time task to ensure
# that TLSv1.2 is active for cpsrvd and other services.

use strict;
use warnings;
use Cpanel::LoadModule     ();
use Cpanel::SSL::Protocols ();
use Cpanel::ServerTasks    ();
use Cpanel::Imports;

use Getopt::Long 'GetOptionsFromArray';

exit run(@ARGV) unless caller;

sub run {
    my @args = @_;
    my ( $help, $dry_run, $update );
    GetOptionsFromArray(
        \@args,
        'help'    => \$help,
        'dry-run' => \$dry_run,
        'update'  => \$update,
    ) || return _usage(1);
    return _usage(0) if $help;
    return _usage(1) unless $dry_run xor $update;

    my $obj = __PACKAGE__->new( update => $update );

    $obj->logmsg('Ensuring that web-accessible services have TLSv1.2 active …');

    for my $try ( 1, 2 ) {
        $obj->adjust_cpsrvd_and_cpdavd();
        $obj->adjust_apache();

        if ( $obj->{failed} ) {
            $obj->logmsg( sprintf( '%d error(s) occurred.', $obj->{failed} ) );
            if ( $try == 1 ) {
                $obj->logmsg('Trying again …');
                delete $obj->{failed};
                sleep 2;
            }
        }
        else {
            $obj->logmsg('Done.');
            last;
        }
    }

    return $obj->{failed} ? 1 : 0;
}

sub new {
    my ( $package, %opts ) = @_;
    return bless {%opts}, $package;
}

sub adjust_cpsrvd_and_cpdavd {
    my ($self) = @_;

    for my $service (qw(cpsrvd cpdavd)) {
        my $module = "Cpanel::ServiceConfig::$service";
        Cpanel::LoadModule::load_perl_module($module);

        my $conf_obj    = $module->new();
        my $settings_hr = $conf_obj->get_config(1);

        my $old_string = $settings_hr->{SSLVersion};
        my $new_string = Cpanel::SSL::Protocols::upgrade_version_string_for_tls_1_2( $settings_hr->{SSLVersion}, '_' );
        $settings_hr->{SSLVersion} = $new_string;

        if ( $new_string ne $old_string ) {
            if ( $self->{update} ) {
                eval {
                    $conf_obj->validate($settings_hr) or die "Failed to validate configuration\n";
                    my ( $save_ok, $save_msg ) = $conf_obj->save_datastore($settings_hr);
                    $conf_obj->update_config($settings_hr);
                    Cpanel::ServerTasks::queue_task( ['CpServicesTasks'], "restartsrv $service" );
                };
                if ( my $exception = $@ ) {
                    $self->logmsg("'$service' failed to update TLS protocols: $exception");
                    ++$self->{failed};
                }
                else {
                    $self->logmsg("'$service' switched $old_string to $new_string");
                }
            }
        }
        else {
            $self->logmsg("'$service' left $old_string unchanged");
        }
    }
    return;
}

sub adjust_apache {
    my ($self) = @_;

    require Cpanel::EA4::Conf;
    my $conf       = Cpanel::EA4::Conf->instance();
    my $old_string = $conf->sslprotocol;
    my $new_string = Cpanel::SSL::Protocols::upgrade_version_string_for_tls_1_2_apache($old_string);
    my $current    = $conf->sslprotocol($new_string);
    if ( $new_string ne $old_string ) {
        if ( $self->{update} ) {
            eval {
                $conf->save;
                Cpanel::ServerTasks::queue_task( ['ApacheTasks'], 'build_apache_conf' );
            };
            if ( my $exception = $@ ) {
                $self->logmsg("'httpd' failed to update TLS protocols: $exception");
                ++$self->{failed};

                # rebuild conf but save restart for the next time it's necessary
            }
            else {
                $self->logmsg("'httpd' switched $old_string to $new_string");
            }
        }
    }
    else {
        $self->logmsg("'httpd' left $old_string unchanged");
    }
    return;
}

sub logmsg {
    my ( $self, $msg ) = @_;
    return logger()->info( sprintf( '%s%s', $self->{update} ? '' : '(dry run) ', $msg ) );
}

sub _usage {
    my ($error) = @_;
    my $usage = <<EOU;
usage: $0 --dry-run | --update

You must specify one or the other, and you may not specify both.

--dry-run: Do everything (including log messages) except make the actual changes

--update: Make the changes
EOU

    if ($error) {
        print STDERR $usage;
        return 1;
    }
    print $usage;
    return 0;
}

MMCT - 2023