mirror of
https://github.com/mailcow/mailcow-dockerized.git
synced 2024-11-28 08:52:00 +02:00
[WebAuthn] disable rootCA default
This commit is contained in:
parent
5858c464d9
commit
7df2bb28f8
@ -63,20 +63,7 @@ $tfa = new RobThree\Auth\TwoFactorAuth($OTP_LABEL, 6, 30, 'sha1', $qrprovider);
|
||||
$formats = $GLOBALS['FIDO2_FORMATS'];
|
||||
$WebAuthn = new lbuchs\WebAuthn\WebAuthn('WebAuthn Library', $_SERVER['HTTP_HOST'], $formats);
|
||||
// only include root ca's when needed
|
||||
$WEBAUTHN_DISABLE_ROOTCA = (getenv('WEBAUTHN_DISABLE_ROOTCA') == 'y');
|
||||
if (!$WEBAUTHN_DISABLE_ROOTCA){
|
||||
$WebAuthn->addRootCertificates($_SERVER['DOCUMENT_ROOT'] . '/inc/lib/WebAuthn/rootCertificates/solo.pem');
|
||||
$WebAuthn->addRootCertificates($_SERVER['DOCUMENT_ROOT'] . '/inc/lib/WebAuthn/rootCertificates/apple.pem');
|
||||
$WebAuthn->addRootCertificates($_SERVER['DOCUMENT_ROOT'] . '/inc/lib/WebAuthn/rootCertificates/nitro.pem');
|
||||
$WebAuthn->addRootCertificates($_SERVER['DOCUMENT_ROOT'] . '/inc/lib/WebAuthn/rootCertificates/yubico.pem');
|
||||
$WebAuthn->addRootCertificates($_SERVER['DOCUMENT_ROOT'] . '/inc/lib/WebAuthn/rootCertificates/hypersecu.pem');
|
||||
$WebAuthn->addRootCertificates($_SERVER['DOCUMENT_ROOT'] . '/inc/lib/WebAuthn/rootCertificates/globalSign.pem');
|
||||
$WebAuthn->addRootCertificates($_SERVER['DOCUMENT_ROOT'] . '/inc/lib/WebAuthn/rootCertificates/googleHardware.pem');
|
||||
$WebAuthn->addRootCertificates($_SERVER['DOCUMENT_ROOT'] . '/inc/lib/WebAuthn/rootCertificates/microsoftTpmCollection.pem');
|
||||
$WebAuthn->addRootCertificates($_SERVER['DOCUMENT_ROOT'] . '/inc/lib/WebAuthn/rootCertificates/huawei.pem');
|
||||
$WebAuthn->addRootCertificates($_SERVER['DOCUMENT_ROOT'] . '/inc/lib/WebAuthn/rootCertificates/trustkey.pem');
|
||||
$WebAuthn->addRootCertificates($_SERVER['DOCUMENT_ROOT'] . '/inc/lib/WebAuthn/rootCertificates/bsi.pem');
|
||||
}
|
||||
if (getenv('WEBAUTHN_RESPECT_ROOTCA') == 'y') $WebAuthn->addRootCertificates($_SERVER['DOCUMENT_ROOT'] . '/inc/lib/WebAuthn/rootCertificates');
|
||||
|
||||
// Redis
|
||||
$redis = new Redis();
|
||||
|
@ -157,7 +157,7 @@ services:
|
||||
- ALLOW_ADMIN_EMAIL_LOGIN=${ALLOW_ADMIN_EMAIL_LOGIN:-n}
|
||||
- MASTER=${MASTER:-y}
|
||||
- DEV_MODE=${DEV_MODE:-n}
|
||||
- WEBAUTHN_DISABLE_ROOTCA=${WEBAUTHN_DISABLE_ROOTCA:-n}
|
||||
- WEBAUTHN_RESPECT_ROOTCA=${WEBAUTHN_RESPECT_ROOTCA:-n}
|
||||
restart: always
|
||||
networks:
|
||||
mailcow-network:
|
||||
|
@ -344,22 +344,10 @@ DOVECOT_MASTER_PASS=
|
||||
# https://mailcow.github.io/mailcow-dockerized-docs/debug-reset_tls/
|
||||
ACME_CONTACT=
|
||||
|
||||
# Disable including device root ca's for WebAuthn
|
||||
# setting WEBAUTHN_DISABLE_ROOTCA=y will allow you to use Fido2 devices from untrusted Manufacturers
|
||||
# It will solve "Error: invalid root certificate" at TFA device registration
|
||||
# Suported devices are
|
||||
# solo certified
|
||||
# apple certified
|
||||
# nitro certified
|
||||
# yubico certified
|
||||
# hypersecu certified
|
||||
# globalSign certified
|
||||
# googleHardware certified
|
||||
# microsoftTpmCollection certified
|
||||
# huawei certified
|
||||
# trustkey certified
|
||||
# bsi certified
|
||||
WEBAUTHN_DISABLE_ROOTCA=n
|
||||
# Enable webauthn device manufacturer verification
|
||||
# After setting WEBAUTHN_RESPECT_ROOTCA=y only devices from trusted manufacturers are allowed
|
||||
# root certificates can be placed for validation under mailcow-dockerized/data/web/inc/lib/WebAuthn/rootCertificates
|
||||
WEBAUTHN_RESPECT_ROOTCA=n
|
||||
|
||||
EOF
|
||||
|
||||
|
24
update.sh
24
update.sh
@ -307,7 +307,7 @@ CONFIG_ARRAY=(
|
||||
"ADDITIONAL_SERVER_NAMES"
|
||||
"ACME_CONTACT"
|
||||
"WATCHDOG_VERBOSE"
|
||||
"WEBAUTHN_DISABLE_ROOTCA"
|
||||
"WEBAUTHN_RESPECT_ROOTCA"
|
||||
)
|
||||
|
||||
sed -i --follow-symlinks '$a\' mailcow.conf
|
||||
@ -515,24 +515,12 @@ for option in ${CONFIG_ARRAY[@]}; do
|
||||
echo '# https://mailcow.github.io/mailcow-dockerized-docs/debug-reset-tls/' >> mailcow.conf
|
||||
echo 'ACME_CONTACT=' >> mailcow.conf
|
||||
fi
|
||||
elif [[ ${option} == "WEBAUTHN_DISABLE_ROOTCA" ]]; then
|
||||
elif [[ ${option} == "WEBAUTHN_RESPECT_ROOTCA" ]]; then
|
||||
if ! grep -q ${option} mailcow.conf; then
|
||||
echo "# Disable including device root ca's for WebAuthn" >> mailcow.conf
|
||||
echo '# setting WEBAUTHN_DISABLE_ROOTCA=y will allow you to use Fido2 devices from untrusted Manufacturers' >> mailcow.conf
|
||||
echo '# It will solve "Error: invalid root certificate" at TFA device registration' >> mailcow.conf
|
||||
echo '# Suported devices are' >> mailcow.conf
|
||||
echo '# solo certified' >> mailcow.conf
|
||||
echo '# apple certified' >> mailcow.conf
|
||||
echo '# nitro certified' >> mailcow.conf
|
||||
echo '# yubico certified' >> mailcow.conf
|
||||
echo '# hypersecu certified' >> mailcow.conf
|
||||
echo '# globalSign certified' >> mailcow.conf
|
||||
echo '# googleHardware certified' >> mailcow.conf
|
||||
echo '# microsoftTpmCollection certified' >> mailcow.conf
|
||||
echo '# huawei certified' >> mailcow.conf
|
||||
echo '# trustkey certified' >> mailcow.conf
|
||||
echo '# bsi certified' >> mailcow.conf
|
||||
echo 'WEBAUTHN_DISABLE_ROOTCA=n' >> mailcow.conf
|
||||
echo "# Enable webauthn device manufacturer verification" >> mailcow.conf
|
||||
echo '# After setting WEBAUTHN_RESPECT_ROOTCA=y only devices from trusted manufacturers are allowed' >> mailcow.conf
|
||||
echo '# root certificates can be placed for validation under mailcow-dockerized/data/web/inc/lib/WebAuthn/rootCertificates' >> mailcow.conf
|
||||
echo 'WEBAUTHN_RESPECT_ROOTCA=n' >> mailcow.conf
|
||||
fi
|
||||
elif [[ ${option} == "WATCHDOG_VERBOSE" ]]; then
|
||||
if ! grep -q ${option} mailcow.conf; then
|
||||
|
Loading…
Reference in New Issue
Block a user