Allow some apps to use ciphers better suited for mobile apps

src/freedombone-app-nextcloud

@@ -442,7 +442,7 @@ function install_nextcloud_main {
         echo '' >> $nextcloud_nginx_site
         echo '  # Security' >> $nextcloud_nginx_site
         function_check nginx_ssl
-        nginx_ssl $NEXTCLOUD_DOMAIN_NAME
+        nginx_ssl $NEXTCLOUD_DOMAIN_NAME mobile
 
         function_check nginx_disable_sniffing
         nginx_disable_sniffing $NEXTCLOUD_DOMAIN_NAME

src/freedombone-sec

@@ -612,7 +612,11 @@ function update_ciphersuite {
     cd $WEBSITES_DIRECTORY
     for file in `dir -d *` ; do
         sed -i "s|ssl_protocols .*|ssl_protocols $RECOMMENDED_SSL_PROTOCOLS;|g" $WEBSITES_DIRECTORY/$file
-        sed -i "s|ssl_ciphers .*|ssl_ciphers '$RECOMMENDED_SSL_CIPHERS';|g" $WEBSITES_DIRECTORY/$file
+        if ! grep -q "Mobile compatible ciphers" $WEBSITES_DIRECTORY/$file; then
+            sed -i "s|ssl_ciphers .*|ssl_ciphers '$RECOMMENDED_SSL_CIPHERS';|g" $WEBSITES_DIRECTORY/$file
+        else
+            sed -i "s|ssl_ciphers .*|ssl_ciphers '$SSL_CIPHERS_MOBILE';|g" $WEBSITES_DIRECTORY/$file
+        fi
     done
     systemctl restart nginx
     write_config_param "SSL_PROTOCOLS" "$RECOMMENDED_SSL_PROTOCOLS"

src/freedombone-utils-web

@@ -45,6 +45,10 @@ SSL_PROTOCOLS="TLSv1 TLSv1.1 TLSv1.2"
 # See https://wiki.mozilla.org/Security/Server_Side_TLS
 SSL_CIPHERS="ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS"
 
+# some mobile apps (eg. NextCloud) have not very good cipher compatibility.
+# These ciphers can be used for those cases
+SSL_CIPHERS_MOBILE="ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES128-SHA"
+
 NGINX_ENSITE_REPO="https://github.com/perusio/nginx_ensite"
 NGINX_ENSITE_COMMIT='fa4d72ce1c0a490442c8474e9c8dc21ed52c93d0'
 
@@ -123,6 +127,7 @@ function nginx_http_redirect {
 function nginx_ssl {
     # creates the SSL/TLS section for a website
     domain_name=$1
+    mobile_ciphers=$2
     filename=/etc/nginx/sites-available/$domain_name
 
     echo '    ssl_stapling off;' >> $filename
@@ -136,7 +141,12 @@ function nginx_ssl {
     echo '    ssl_session_timeout 60m;' >> $filename
     echo '    ssl_prefer_server_ciphers on;' >> $filename
     echo "    ssl_protocols $SSL_PROTOCOLS;" >> $filename
-    echo "    ssl_ciphers '$SSL_CIPHERS';" >> $filename
+    if [ $mobile_ciphers ]; then
+        echo "    # Mobile compatible ciphers" >> $filename
+        echo "    ssl_ciphers '$SSL_CIPHERS_MOBILE';" >> $filename
+    else
+        echo "    ssl_ciphers '$SSL_CIPHERS';" >> $filename
+    fi
     echo "    add_header Content-Security-Policy \"default-src https:; script-src https: 'unsafe-inline'; style-src https: 'unsafe-inline'\";" >> $filename
     echo '    add_header X-XSS-Protection "1; mode=block";' >> $filename
     echo '    add_header X-Robots-Tag none;' >> $filename