Nextcloud TLS status

I use Linode/Akamai for hosting my Nextcloud. I also use their object storage for handling the files that NC shares.

I got this notice from them about an upgrade for TLS in their system. How do I find out if I’m using an older TLS version for the object storage?

I asked their support about this and they showed in NC documentation where you can see in settings where the SSL/TLS certificate manager for external storages is located. However, I’m not seeing that option in my settings. Any idea of where I can look to see if this is a problem?

Thanks

Jason

We are reaching out because you have one or more Object Storage buckets that may be impacted by an upcoming change on our platform. If you have received our previous communications on November 16th, 2023 and have already taken any actions necessary, then you may disregard this message.

Akamai is preparing to remove support for TLS 1.0/1.1 in accordance with industry standards for Object Storage in our Newark, Atlanta, Frankfurt, and Singapore data centers. This is a necessary update as a part of our ongoing work towards upgrading the entirety of our infrastructure and has already been implemented in all of our other locations. This change will be occurring on January 18th, 2024.

What is Affected?

After the changes are implemented on the aforementioned date, any HTTP clients that only support TLS 1.0 or 1.1 will be unable to access Object Storage using HTTPS / TLS / SSL in the above locations. HTTP requests will not be affected. Please note that most clients use HTTPS by default, though this is dependent on the configuration of your application or website.

I don’t have any reference handy but from my understanding NC uses the tls/libraries provided by the OS for external communication e.g. external storage access. The hoster is definitely in charge to support you with the OS.


Which TLS versions are supported by your server (Apache/Nginx) or your php SAPI (libapache-mod-php/php-fpm) depends on which SSL version it was built against.


Find out the openssl version on your server:

openssl version

Additionally, you can check the protocol versions supported by OpenSSL on your server:

openssl ciphers -v

On Ubuntu, Apache2 and PHP (8.1+) are linked against SSL3. This means that php should support the protocols tcp, udp, unix, udg, ssl, tls, tlsv1.0, tlsv1.1, tlsv1.2 and tlsv1.3.


Apache2:

The protocols used by your server are defined in the apache.conf for your ssl virtual host.

This:

SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1

… means that all protocols are used except SSLv3, TLSv1 and TLSv1.1.

You should tweak the ssl settings of your web server with the → Mozilla SSL-Config Generator ←


PHP:

You can list the protocols supported by the php of your server with this query:

php -r '$protocols = stream_get_transports(); echo "Supported protocols: " . implode(", ", $protocols) . PHP_EOL;'

If you want to check it with your browser, create this little php script:
list_protocols.php

<?php
$protocols = stream_get_transports();
echo "Supported protocols: " . implode(", ", $protocols);
?>

and open it in your browser to see the tls versions supported by the php-SAPI on your server.


You can list the ciphers supported by the php of your server with this query:

php -r 'echo implode(", ", openssl_get_cipher_methods()) . PHP_EOL;'

If you want to check it with your browser, create this little php script:
list_ciphers.php

<?php
echo implode(", ", openssl_get_cipher_methods());
?>

and open it in your browser to see the encryption algorithms supported by the php-SAPI on your server.


ernolf
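
Added example, not part of any post in this thread: a small shell helper that turns the output of the PHP `stream_get_transports()` one-liner above, and of an `openssl s_client` handshake against the storage endpoint, into an ok/affected verdict for the TLS 1.0/1.1 removal described in the notice. The use of `openssl s_client`, the function names, the `ENDPOINT` placeholder and the sample outputs are assumptions constructed here, not taken from the thread.

```shell
#!/bin/sh
# Added example, not from the thread. Sample inputs below are constructed.

# highest_tls: stdin = output of the thread's PHP stream_get_transports()
# one-liner; prints the highest tlsv1.x transport PHP offers.
highest_tls() {
  tr ', ' '\n\n' | grep -E '^tlsv1\.[0-9]+$' | sort -t. -k2,2n | tail -n 1
}

# negotiated_protocol: stdin = `openssl s_client` output; prints the version
# actually negotiated. A failed handshake ("New, (NONE), ...") returns 1 even
# though s_client still prints a Protocol line for the attempted version.
negotiated_protocol() {
  awk '
    /^New, /                 { split($0, f, ", "); if (f[2] ~ /NONE/) fail = 1; else p = f[2] }
    /^[ \t]*Protocol[ \t]*:/ { sub(/^[^:]*:[ \t]*/, ""); p = $0 }
    END { if (fail || p == "") exit 1; print p }'
}

# verdict: "ok" if the version survives the removal of TLS 1.0/1.1.
verdict() {
  case "$1" in
    tlsv1.2|tlsv1.3|TLSv1.2|TLSv1.3) echo ok ;;
    *) echo affected ;;
  esac
}

# Live use (ENDPOINT is a placeholder for your bucket's hostname):
#   php -r 'echo implode(", ", stream_get_transports());' | highest_tls
#   openssl s_client -connect "$ENDPOINT:443" -servername "$ENDPOINT" \
#     </dev/null 2>/dev/null | negotiated_protocol

SAMPLE_PHP='Supported protocols: tcp, udp, unix, udg, ssl, tls, tlsv1.0, tlsv1.1, tlsv1.2, tlsv1.3'
SAMPLE_OLD='New, TLSv1/SSLv3, Cipher is AES128-SHA
SSL-Session:
    Protocol  : TLSv1
    Cipher    : AES128-SHA'
SAMPLE_FAIL='New, (NONE), Cipher is (NONE)
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : 0000'

echo "PHP max:    $(verdict "$(printf '%s\n' "$SAMPLE_PHP" | highest_tls)")"
echo "old client: $(verdict "$(printf '%s\n' "$SAMPLE_OLD" | negotiated_protocol)")"
printf '%s\n' "$SAMPLE_FAIL" | negotiated_protocol || echo "handshake failed"
```

A client is affected only when the highest version it can offer is below TLS 1.2; seeing tlsv1.0 and tlsv1.1 in the list alongside tlsv1.2 or tlsv1.3 is not a problem.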