From 090dfdd9436541ffbd77aa6a1de5c36a76246f6e Mon Sep 17 00:00:00 2001
From: Eric Schultz
Date: Sat, 2 Sep 2017 00:22:24 -0500
Subject: [PATCH] DNS Rebind protection detection during SSL provisioning

---
 plugins/dynamix/SSLSettings.page | 16 ++++++++++------
 plugins/dynamix/include/CertUpload.php | 15 ++++++++++++++-
 2 files changed, 24 insertions(+), 7 deletions(-)

diff --git a/plugins/dynamix/SSLSettings.page b/plugins/dynamix/SSLSettings.page
index c4066fe70..3f57ecc99 100644
--- a/plugins/dynamix/SSLSettings.page
+++ b/plugins/dynamix/SSLSettings.page
@@ -27,12 +27,16 @@ function provisionSSL(internalip, keyfile, form) {
 result = false;
 };
- $.post('https://keys.lime-technology.com/account/ssl/provisioncert',{internalip:internalip,externalip:'no',keyfile:keyfile},function(data) {
+ $.post('https://keys.lime-technology.com/account/ssl/provisioncert',{internalip:internalip,keyfile:keyfile},function(data) {
+ if (data.bundle) {
 $.post("/webGui/include/CertUpload.php",{text:data.bundle,csrf_token:''},function(data) {
- var msg = "Your Let's Encrypt SSL Certificate has been provisioned and a DNS record " +
- "for local IP address "+internalip+" has been created on unraid.net.";
- swal({title:'',text:msg,type:'success'},function(){form.submit();});
+ var msg = "Your Let's Encrypt SSL Certificate has been provisioned and a DNS record " +
+ "for local IP address "+internalip+" has been created on unraid.net.";
+ swal({title:'',text:msg,type:'success'},function(){form.submit();});
 }).fail(failure);
+ } else {
+ failure({"status": 403, "responseJSON": {"error": "Server was unable to provision SSL certificate"}});
+ }
 }).fail(failure);
 return result;
 }
@@ -64,12 +68,12 @@ Use SSL/TLS:
 > We **highly** recommend using a static IP address if https is enabled.
 http port:
-:
+:
 > Enter the http port, default is 80.
 https port:
-:
+:
 > Enter the https port, default is 443. 
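Review bot: The new `else` branch reports a fixed 403 and a generic message no matter what the provisioning server actually returned, and `data.bundle` itself throws if the parsed response is `null` rather than an object, so that case cannot be reported either. I would guard the test and, if the service returns an error field (its response format is not visible here), surface it: `if (data && data.bundle) {` and `failure({"status": 403, "responseJSON": {"error": (data && data.error) || "Server was unable to provision SSL certificate"}});`. Note also that the context line posting the bundle to CertUpload.php still sends `csrf_token:''`; whether that endpoint enforces the token cannot be told from this hunk, but a POST that installs a certificate should carry the page's real token. The opening of `provisionSSL`, including the `failure` helper that the synthetic `{status, responseJSON:{error}}` object is handed to, lies above the hunk, so the object's shape has to be checked against what that helper reads.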
diff --git a/plugins/dynamix/include/CertUpload.php b/plugins/dynamix/include/CertUpload.php
index fb00ea483..a317d4141 100644
--- a/plugins/dynamix/include/CertUpload.php
+++ b/plugins/dynamix/include/CertUpload.php
@@ -16,7 +16,20 @@ $text = $_POST['text'] ?? '';
 file_put_contents('/boot/config/ssl/certs/certificate_bundle.pem.new', $text);
 //validate certificate_bundle.pem.new is for *.unraid.net before moving it over to certificate_bundle.pem
-if (preg_match('/CN=[0-9a-f]{40}\.unraid\.net$/', exec('openssl x509 -in /boot/config/ssl/certs/certificate_bundle.pem.new -subject -noout 2>&1'))) {
+if (preg_match('/CN=([0-9a-f]{40}\.unraid\.net)$/', exec('openssl x509 -in /boot/config/ssl/certs/certificate_bundle.pem.new -subject -noout 2>&1'), $matches)) {
+ // Successful cases:
+ // If unraid.net and .unraid.net both fail then the dns servers are inaccessible ==> cross-fingers and hope their browser has proper dns
+ // If unraid.net and .unraid.net both resolve ==> dns rebinding protection isn't going to be a issue
+ //
+ // Failure case:
+ // If unraid.net resolves but .unraid.net fails ==> dns rebinding protection is a issue
+ if (count(dns_get_record('unraid.net', DNS_A)) !== count(dns_get_record($matches[1], DNS_A))) {
+ http_response_code(406);
+ header("Content-Type: application/json");
+ echo json_encode(['error' => 'Your router or configured DNS servers are protecting against DNS rebinding thus preventing this SSL certificate from working. See help for more details and workarounds']);
+ exit;
+ }
+
 rename('/boot/config/ssl/certs/certificate_bundle.pem.new', '/boot/config/ssl/certs/certificate_bundle.pem');
 } else {
 unlink('/boot/config/ssl/certs/certificate_bundle.pem.new');
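Review bot: The new 406 early-exit leaves `certificate_bundle.pem.new` on the flash device, whereas the CN-mismatch branch below unlinks it; an `unlink('/boot/config/ssl/certs/certificate_bundle.pem.new');` belongs before `exit;`. The record-count comparison also does not implement the rule the comment states: any difference in the number of A records between `unraid.net` and the device name is reported as rebind protection (two records for the public name against one for the device is a false rejection), and when `dns_get_record` returns `false` instead of an empty array, `count(false)` is 1 on PHP 7 (a TypeError on PHP 8), which can mask the failure case when `unraid.net` has a single record. Testing the rule directly, as below, keeps the "both fail" and "both resolve" outcomes the comment wants and removes the dependence on record counts. The check still runs against the server's own resolver rather than the browser's, as the existing comment already acknowledges.
```php
if (preg_match('/CN=([0-9a-f]{40}\.unraid\.net)$/', exec('openssl x509 -in /boot/config/ssl/certs/certificate_bundle.pem.new -subject -noout 2>&1'), $matches)) {
  // … unchanged: explanatory comment on the three resolver outcomes …
  $base = dns_get_record('unraid.net', DNS_A) ?: [];
  $host = dns_get_record($matches[1], DNS_A) ?: [];
  // Failure case only: the public name resolves but the per-device name does not
  if ($base && !$host) {
    unlink('/boot/config/ssl/certs/certificate_bundle.pem.new');
    http_response_code(406);
    // … unchanged: JSON error response and exit …
  }
```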