NUKIB · ondj · Jan 21, 2022 · Jan 20, 2022 · Jan 21, 2022
diff --git a/Config/config.php b/Config/config.php
@@ -134,6 +134,7 @@
   array (
     'force_https' => {{ 'true' if MISP_BASEURL.startswith('https://') else 'false' }},
     'csp_enforce' => true,
+    'min_tls_version' => 'tls1_2',
     'require_password_confirmation' => true,
     'syslog' => true,
     'syslog_to_stderr' => false,

diff --git a/README.md b/README.md
@@ -132,6 +132,7 @@ If you want to generate new PGP keys for email signing, you can do it by running
 * `SECURITY_ADVANCED_AUTHKEYS` (optional, boolean, default `false`) - enable advanced auth keys support
 * `SECURITY_HIDE_ORGS` (optional, boolean, default `false`) - hide org names for normal users
 * `SECURITY_ENCRYPTION_KEY` (optional, string) - encryption key with at least 32 chars that will be used to encrypt sensitive information stored in database
+* `SECURITY_CRYPTO_POLICY` (optional, string, default: `DEFAULT:NO-SHA1`) - set container wide crypto policies. [More details](https://www.redhat.com/en/blog/consistent-security-crypto-policies-red-hat-enterprise-linux-8).
 
 ### Outgoing proxy
 

diff --git a/bin/docker-entrypoint.sh b/bin/docker-entrypoint.sh
@@ -10,6 +10,8 @@ if [ "$1" = 'supervisord' ]; then
 
     misp_create_configs.py
 
+    update-crypto-policies
+
     # Make config files not readable by others
     chown root:apache /var/www/MISP/app/Config/{config.php,database.php,email.php}
     chmod 440 /var/www/MISP/app/Config/{config.php,database.php,email.php}

diff --git a/bin/misp_create_configs.py b/bin/misp_create_configs.py
@@ -23,7 +23,7 @@
     "MISP_MODULE_URL", "MISP_ATTACHMENT_SCAN_MODULE", "SECURITY_ADVANCED_AUTHKEYS", "SECURITY_HIDE_ORGS",
     "OIDC_DEFAULT_ORG", "SENTRY_ENVIRONMENT", "MISP_DEBUG", "SUPPORT_EMAIL", "PHP_SNUFFLEUPAGUS",
     "SECURITY_ENCRYPTION_KEY", "PHP_TIMEZONE", "PHP_MEMORY_LIMIT", "PHP_MAX_EXECUTION_TIME", "PHP_UPLOAD_MAX_FILESIZE",
-    "MYSQL_PORT",
+    "MYSQL_PORT", "SECURITY_CRYPTO_POLICY",
 )
 bool_variables = (
     "PHP_XDEBUG_ENABLED", "PHP_SESSIONS_IN_REDIS", "ZEROMQ_ENABLED", "OIDC_LOGIN",
@@ -41,6 +41,7 @@
     "MYSQL_PORT": "3306",
     "SYSLOG_PORT": "601",
     "SYSLOG_PROTOCOL": "tcp",
+    "SECURITY_CRYPTO_POLICY": "DEFAULT:NO-SHA1",
 }
 
 
@@ -184,6 +185,11 @@ def generate_php_config(variables: dict):
     open("/etc/php.d/99-misp.ini", "w").write(template)
 
 
+def generate_crypto_policies(crypto_policy: Optional[str]):
+    if crypto_policy:
+        open("/etc/crypto-policies/config", "w").write(crypto_policy)
+
+
 def main():
     variables = collect()
 
@@ -234,6 +240,7 @@ def main():
     generate_rsyslog_config(variables["SYSLOG_TARGET"], variables["SYSLOG_PORT"], variables["SYSLOG_PROTOCOL"])
     generate_error_messages(variables["SUPPORT_EMAIL"])
     generate_php_config(variables)
+    generate_crypto_policies(variables["SECURITY_CRYPTO_POLICY"])
 
 
 if __name__ == "__main__":