nixos/nextcloud: fixup openssl compat change

Clone of https://github.com/NixOS/nixpkgs.git (to stress-test knotserver)

Upon testing the change itself I realized that it doesn't build properly
because

* the `pname` of a php extension is `php-<name>`, not `<name>`.
* calling the extension `openssl-legacy` resulted in PHP trying to compile
`ext/openssl-legacy` which broke since it doesn't exist:

source root is php-8.1.12
setting SOURCE_DATE_EPOCH to timestamp 1666719000 of file php-8.1.12/win32/wsyslog.c
patching sources
cdToExtensionRootPhase
/nix/store/48mnkga4kh84xyiqwzx8v7iv090i7z66-stdenv-linux/setup: line 1399: cd: ext/openssl-legacy: No such file or directory

I didn't encounter that one before because I was mostly interested in
having a sane behavior for everyone not using this "feature" and the
documentation around this. My findings about the behavior with turning
openssl1.1 on/off are still valid because I tested this on `master` with
manually replacing `openssl` by `openssl_1_1` in `php-packages.nix`.

To work around the issue I had to slightly modify the extension
build-system for PHP:

* The attribute `extensionName` is now relevant to determine the output
paths (e.g. `lib/openssl.so`). This is not a behavioral change for
existing extensions because then `extensionName==name`.

However when specifying `extName` in `php-packages.nix` this value is
overridden and it is made sure that the extension called `extName` NOT
`name` (i.e. `openssl` vs `openssl-legacy`) is built and installed.

The `name` still has to be kept to keep the legacy openssl available
as `php.extensions.openssl-legacy`.

Additionally I implemented a small VM test to check the behavior with
server-side encryption:

* For `stateVersion` below 22.11, OpenSSL 1.1 is used (in `basic.nix`
it's checked that OpenSSL 3 is used). With that the "default"
behavior of the module is checked.

* It is ensured that the PHP interpreter for Nextcloud's php-fpm
actually loads the correct openssl extension.

* It is tested that (encrypted) files remain usable when (temporarily)
installing OpenSSL3 (of course then they're not decryptable, but on a
rollback that should still be possible).

Finally, a few more documentation changes:

* I also mentioned the issue in `nextcloud.xml` to make sure the issue
is at least mentioned in the manual section about Nextcloud. Not too
much detail here, but the relevant option `enableBrokenCiphersForSSE`
is referenced.

* I fixed a few minor wording issues to also give the full context
(we're talking about Nextcloud; we're talking about the PHP extension
**only**; please check if you really need this even though it's
enabled by default).

This is because I felt that sometimes it might be hard to understand
what's going on when e.g. an eval-warning appears without telling where
exactly it comes from.

Maximilian Bosch 3 years ago 35b146ca 61128cba

+153 -25

9 changed files

expand all

unified split

nixos

doc

manual

from_md

release-notes

rl-2211.section.xml

release-notes

rl-2211.section.md

modules

services

web-apps

nextcloud.nix

nextcloud.xml

tests

nextcloud

basic.nix

default.nix

openssl-sse.nix

pkgs

development

interpreters

php

generic.nix

top-level

php-packages.nix

+1 -2

nixos/doc/manual/from_md/release-notes/rl-2211.section.xml

··· 610 610 <listitem> 611 611 <para> 612 612 The <literal>openssl</literal>-extension for the PHP 613 - interpreter used by <literal>services.nextcloud</literal> is 614 - built against OpenSSL 1.1 if 613 + interpreter used by Nextcloud is built against OpenSSL 1.1 if 615 614 <xref linkend="opt-system.stateVersion" /> is below 616 615 <literal>22.11</literal>. This is to make sure that people 617 616 using

+1 -1

nixos/doc/manual/release-notes/rl-2211.section.md

··· 196 196 197 197 - The `p4` package now only includes the open-source Perforce Helix Core command-line client and APIs. It no longer installs the unfree Helix Core Server binaries `p4d`, `p4broker`, and `p4p`. To install the Helix Core Server binaries, use the `p4d` package instead. 198 198 199 - - The `openssl`-extension for the PHP interpreter used by `services.nextcloud` is built against OpenSSL 1.1 if 199 + - The `openssl`-extension for the PHP interpreter used by Nextcloud is built against OpenSSL 1.1 if 200 200 [](#opt-system.stateVersion) is below `22.11`. This is to make sure that people using [server-side encryption](https://docs.nextcloud.com/server/latest/admin_manual/configuration_files/encryption_configuration.html) 201 201 don't loose access to their files. 202 202

+18 -13

nixos/modules/services/web-apps/nextcloud.nix

··· 14 14 extensions = { enabled, all }: 15 15 (with all; 16 16 # disable default openssl extension 17 - (lib.filter (e: e.pname != "openssl") enabled) 17 + (lib.filter (e: e.pname != "php-openssl") enabled) 18 18 # use OpenSSL 1.1 for RC4 Nextcloud encryption if user 19 19 # has acknowledged the brokeness of the ciphers (RC4). 20 20 # TODO: remove when https://github.com/nextcloud/server/issues/32003 is fixed. ··· 91 91 default = versionOlder stateVersion "22.11"; 92 92 defaultText = literalExpression "versionOlder system.stateVersion \"22.11\""; 93 93 description = lib.mdDoc '' 94 - This option uses OpenSSL PHP extension linked against OpenSSL 1.1 rather 95 - than latest OpenSSL (≥ 3), this is not recommended except if you need 96 - it. 97 - 98 - Server-side encryption in Nextcloud uses RC4 ciphers, a broken cipher 99 - since ~2004. 94 + This option enables using the OpenSSL PHP extension linked against OpenSSL 1.1 95 + rather than latest OpenSSL (≥ 3), this is not recommended unless you need 96 + it for server-side encryption (SSE). SSE uses the legacy RC4 cipher which is 97 + considered broken for several years now. See also [RFC7465](https://datatracker.ietf.org/doc/html/rfc7465). 100 98 101 99 This cipher has been disabled in OpenSSL ≥ 3 and requires 102 100 a specific legacy profile to re-enable it. 103 101 104 - If you upgrade to a Nextcloud using OpenSSL ≥ 3 and have 102 + If you deploy Nextcloud using OpenSSL ≥ 3 for PHP and have 105 103 server-side encryption configured, you will not be able to access 106 104 your files anymore. Enabling this option can restore access to your files. 107 105 Upon testing we didn't encounter any data corruption when turning 108 106 this on and off again, but this cannot be guaranteed for 109 107 each Nextcloud installation. 110 108 111 - Unless you are using external storage, 112 - it is advised to [disable server-side encryption](https://docs.nextcloud.com/server/latest/admin_manual/configuration_files/encryption_configuration.html#disabling-encryption) as it is unclear 113 - it provides any amount of security beyond encryption for external storage. 109 + It is `true` by default for systems with a [](#opt-system.stateVersion) below 110 + `22.11` to make sure that existing installations won't break on update. On newer 111 + NixOS systems you have to explicitly enable it on your own. 112 + 113 + Please note that this only provides additional value when using 114 + external storage such as S3 since it's not an end-to-end encryption. 115 + If this is not the case, 116 + it is advised to [disable server-side encryption](https://docs.nextcloud.com/server/latest/admin_manual/configuration_files/encryption_configuration.html#disabling-encryption) and set this to `false`. 114 117 115 118 In the future, Nextcloud may move to AES-256-GCM, by then, 116 119 this option will be removed. ··· 690 693 This is only necessary if you're using Nextcloud's server-side encryption. 691 694 Please keep in mind that it's using the broken RC4 cipher. 692 695 693 - If you don't use that feature, you can switch to OpenSSL 3 by declaring 696 + If you don't use that feature, you can switch to OpenSSL 3 and get 697 + rid of this warning by declaring 694 698 695 699 services.nextcloud.enableBrokenCiphersForSSE = false; 696 700 701 + If you need to use server-side encryption you can ignore this waring. 697 702 Otherwise you'd have to disable server-side encryption first in order 698 - to be able to safely disable this option and get rid of that warning. 703 + to be able to safely disable this option and get rid of this warning. 699 704 See <https://docs.nextcloud.com/server/latest/admin_manual/configuration_files/encryption_configuration.html#disabling-encryption> on how to achieve this. 700 705 701 706 For more context, here is the implementing pull request: https://github.com/NixOS/nixpkgs/pull/198470

+14

nixos/modules/services/web-apps/nextcloud.xml

··· 170 170 </listitem> 171 171 </itemizedlist> 172 172 </listitem> 173 + <listitem> 174 + <formalpara> 175 + <title>Server-side encryption</title> 176 + <para> 177 + Nextcloud supports <link xlink:href="https://docs.nextcloud.com/server/latest/admin_manual/configuration_files/encryption_configuration.html">server-side encryption (SSE)</link>. 178 + This is not an end-to-end encryption, but can be used to encrypt files that will be persisted 179 + to external storage such as S3. Please note that this won't work anymore when using OpenSSL 3 180 + for PHP's openssl extension because this is implemented using the legacy cipher RC4. 181 + If <xref linkend="opt-system.stateVersion" /> is <emphasis>above</emphasis> <literal>22.05</literal>, 182 + this is disabled by default. To turn it on again and for further information please refer to 183 + <xref linkend="opt-services.nextcloud.enableBrokenCiphersForSSE" />. 184 + </para> 185 + </formalpara> 186 + </listitem> 173 187 </itemizedlist> 174 188 </section> 175 189

+6 -2

nixos/tests/nextcloud/basic.nix

··· 37 37 "d /var/lib/nextcloud-data 0750 nextcloud nginx - -" 38 38 ]; 39 39 40 - system.stateVersion = "22.11"; 40 + system.stateVersion = "22.11"; # stateVersion >=21.11 to make sure that we use OpenSSL3 41 41 42 42 services.nextcloud = { 43 43 enable = true; 44 44 datadir = "/var/lib/nextcloud-data"; 45 45 hostName = "nextcloud"; 46 - enableBrokenCiphersForSSE = args.enableBrokenCiphersForSSE or false; 47 46 config = { 48 47 # Don't inherit adminuser since "root" is supposed to be the default 49 48 adminpassFile = "${pkgs.writeText "adminpass" adminpass}"; # Don't try this at home! ··· 102 101 # This is just to ensure the nextcloud-occ program is working 103 102 nextcloud.succeed("nextcloud-occ status") 104 103 nextcloud.succeed("curl -sSf http://nextcloud/login") 104 + # Ensure that no OpenSSL 1.1 is used. 105 + nextcloud.succeed( 106 + "${nodes.nextcloud.services.phpfpm.pools.nextcloud.phpPackage}/bin/php -i | grep 'OpenSSL Library Version' | awk -F'=>' '{ print $2 }' | awk '{ print $2 }' | grep -v 1.1" 107 + ) 105 108 nextcloud.succeed( 106 109 "${withRcloneEnv} ${copySharedFile}" 107 110 ) ··· 111 114 "${withRcloneEnv} ${diffSharedFile}" 112 115 ) 113 116 assert "hi" in client.succeed("cat /mnt/dav/test-shared-file") 117 + nextcloud.succeed("grep -vE '^HBEGIN:oc_encryption_module' /var/lib/nextcloud-data/data/root/files/test-shared-file") 114 118 ''; 115 119 })) args

+1 -2

nixos/tests/nextcloud/default.nix

··· 8 8 foldl 9 9 (matrix: ver: matrix // { 10 10 "basic${toString ver}" = import ./basic.nix { inherit system pkgs; nextcloudVersion = ver; }; 11 - "with-legacy-openssl${toString ver}" = import ./basic.nix { 11 + "openssl-sse${toString ver}" = import ./openssl-sse.nix { 12 12 inherit system pkgs; 13 13 nextcloudVersion = ver; 14 - enableBrokenCiphersForSSE = true; 15 14 }; 16 15 "with-postgresql-and-redis${toString ver}" = import ./with-postgresql-and-redis.nix { 17 16 inherit system pkgs;

+105

nixos/tests/nextcloud/openssl-sse.nix

··· 1 + args@{ pkgs, nextcloudVersion ? 25, ... }: 2 + 3 + (import ../make-test-python.nix ({ pkgs, ...}: let 4 + adminuser = "root"; 5 + adminpass = "notproduction"; 6 + nextcloudBase = { 7 + networking.firewall.allowedTCPPorts = [ 80 ]; 8 + system.stateVersion = "22.05"; # stateVersions <22.11 use openssl 1.1 by default 9 + services.nextcloud = { 10 + enable = true; 11 + config.adminpassFile = "${pkgs.writeText "adminpass" adminpass}"; 12 + package = pkgs.${"nextcloud" + (toString nextcloudVersion)}; 13 + }; 14 + }; 15 + in { 16 + name = "nextcloud-openssl"; 17 + meta = with pkgs.lib.maintainers; { 18 + maintainers = [ ma27 ]; 19 + }; 20 + nodes.nextcloudwithopenssl1 = { 21 + imports = [ nextcloudBase ]; 22 + services.nextcloud.hostName = "nextcloudwithopenssl1"; 23 + }; 24 + nodes.nextcloudwithopenssl3 = { 25 + imports = [ nextcloudBase ]; 26 + services.nextcloud = { 27 + hostName = "nextcloudwithopenssl3"; 28 + enableBrokenCiphersForSSE = false; 29 + }; 30 + }; 31 + testScript = { nodes, ... }: let 32 + withRcloneEnv = host: pkgs.writeScript "with-rclone-env" '' 33 + #!${pkgs.runtimeShell} 34 + export RCLONE_CONFIG_NEXTCLOUD_TYPE=webdav 35 + export RCLONE_CONFIG_NEXTCLOUD_URL="http://${host}/remote.php/webdav/" 36 + export RCLONE_CONFIG_NEXTCLOUD_VENDOR="nextcloud" 37 + export RCLONE_CONFIG_NEXTCLOUD_USER="${adminuser}" 38 + export RCLONE_CONFIG_NEXTCLOUD_PASS="$(${pkgs.rclone}/bin/rclone obscure ${adminpass})" 39 + "''${@}" 40 + ''; 41 + withRcloneEnv1 = withRcloneEnv "nextcloudwithopenssl1"; 42 + withRcloneEnv3 = withRcloneEnv "nextcloudwithopenssl3"; 43 + copySharedFile1 = pkgs.writeScript "copy-shared-file" '' 44 + #!${pkgs.runtimeShell} 45 + echo 'hi' | ${withRcloneEnv1} ${pkgs.rclone}/bin/rclone rcat nextcloud:test-shared-file 46 + ''; 47 + copySharedFile3 = pkgs.writeScript "copy-shared-file" '' 48 + #!${pkgs.runtimeShell} 49 + echo 'bye' | ${withRcloneEnv3} ${pkgs.rclone}/bin/rclone rcat nextcloud:test-shared-file2 50 + ''; 51 + openssl1-node = nodes.nextcloudwithopenssl1.config.system.build.toplevel; 52 + openssl3-node = nodes.nextcloudwithopenssl3.config.system.build.toplevel; 53 + in '' 54 + nextcloudwithopenssl1.start() 55 + nextcloudwithopenssl1.wait_for_unit("multi-user.target") 56 + nextcloudwithopenssl1.succeed("nextcloud-occ status") 57 + nextcloudwithopenssl1.succeed("curl -sSf http://nextcloudwithopenssl1/login") 58 + 59 + with subtest("With OpenSSL 1 SSE can be enabled and used"): 60 + nextcloudwithopenssl1.succeed("nextcloud-occ app:enable encryption") 61 + nextcloudwithopenssl1.succeed("nextcloud-occ encryption:enable") 62 + 63 + with subtest("Upload file and ensure it's encrypted"): 64 + nextcloudwithopenssl1.succeed("${copySharedFile1}") 65 + nextcloudwithopenssl1.succeed("grep -E '^HBEGIN:oc_encryption_module' /var/lib/nextcloud/data/root/files/test-shared-file") 66 + nextcloudwithopenssl1.succeed("${withRcloneEnv1} ${pkgs.rclone}/bin/rclone cat nextcloud:test-shared-file | grep hi") 67 + 68 + with subtest("Switch to OpenSSL 3"): 69 + nextcloudwithopenssl1.succeed("${openssl3-node}/bin/switch-to-configuration test") 70 + nextcloudwithopenssl1.wait_for_open_port(80) 71 + nextcloudwithopenssl1.succeed("nextcloud-occ status") 72 + 73 + with subtest("Existing encrypted files cannot be read, but new files can be added"): 74 + nextcloudwithopenssl1.fail("${withRcloneEnv3} ${pkgs.rclone}/bin/rclone cat nextcloud:test-shared-file >&2") 75 + nextcloudwithopenssl1.succeed("nextcloud-occ encryption:disable") 76 + nextcloudwithopenssl1.succeed("${copySharedFile3}") 77 + nextcloudwithopenssl1.succeed("grep bye /var/lib/nextcloud/data/root/files/test-shared-file2") 78 + nextcloudwithopenssl1.succeed("${withRcloneEnv3} ${pkgs.rclone}/bin/rclone cat nextcloud:test-shared-file2 | grep bye") 79 + 80 + with subtest("Switch back to OpenSSL 1.1 and ensure that encrypted files are readable again"): 81 + nextcloudwithopenssl1.succeed("${openssl1-node}/bin/switch-to-configuration test") 82 + nextcloudwithopenssl1.wait_for_open_port(80) 83 + nextcloudwithopenssl1.succeed("nextcloud-occ status") 84 + nextcloudwithopenssl1.succeed("nextcloud-occ encryption:enable") 85 + nextcloudwithopenssl1.succeed("${withRcloneEnv1} ${pkgs.rclone}/bin/rclone cat nextcloud:test-shared-file2 | grep bye") 86 + nextcloudwithopenssl1.succeed("${withRcloneEnv1} ${pkgs.rclone}/bin/rclone cat nextcloud:test-shared-file | grep hi") 87 + nextcloudwithopenssl1.succeed("grep -E '^HBEGIN:oc_encryption_module' /var/lib/nextcloud/data/root/files/test-shared-file") 88 + nextcloudwithopenssl1.succeed("grep bye /var/lib/nextcloud/data/root/files/test-shared-file2") 89 + 90 + with subtest("Ensure that everything can be decrypted"): 91 + nextcloudwithopenssl1.succeed("echo y | nextcloud-occ encryption:decrypt-all >&2") 92 + nextcloudwithopenssl1.succeed("${withRcloneEnv1} ${pkgs.rclone}/bin/rclone cat nextcloud:test-shared-file2 | grep bye") 93 + nextcloudwithopenssl1.succeed("${withRcloneEnv1} ${pkgs.rclone}/bin/rclone cat nextcloud:test-shared-file | grep hi") 94 + nextcloudwithopenssl1.succeed("grep -vE '^HBEGIN:oc_encryption_module' /var/lib/nextcloud/data/root/files/test-shared-file") 95 + 96 + with subtest("Switch to OpenSSL 3 ensure that all files are usable now"): 97 + nextcloudwithopenssl1.succeed("${openssl3-node}/bin/switch-to-configuration test") 98 + nextcloudwithopenssl1.wait_for_open_port(80) 99 + nextcloudwithopenssl1.succeed("nextcloud-occ status") 100 + nextcloudwithopenssl1.succeed("${withRcloneEnv3} ${pkgs.rclone}/bin/rclone cat nextcloud:test-shared-file2 | grep bye") 101 + nextcloudwithopenssl1.succeed("${withRcloneEnv3} ${pkgs.rclone}/bin/rclone cat nextcloud:test-shared-file | grep hi") 102 + 103 + nextcloudwithopenssl1.shutdown() 104 + ''; 105 + })) args

+1 -1

pkgs/development/interpreters/php/generic.nix

··· 91 91 [ ] 92 92 allExtensionFunctions; 93 93 94 - getExtName = ext: lib.removePrefix "php-" (builtins.parseDrvName ext.name).name; 94 + getExtName = ext: ext.extensionName; 95 95 96 96 # Recursively get a list of all internal dependencies 97 97 # for a list of extensions.

+6 -4

pkgs/top-level/php-packages.nix

··· 71 71 # will mark the extension as a zend extension or not. 72 72 mkExtension = lib.makeOverridable 73 73 ({ name 74 - , configureFlags ? [ "--enable-${name}" ] 74 + , configureFlags ? [ "--enable-${extName}" ] 75 75 , internalDeps ? [ ] 76 76 , postPhpize ? "" 77 77 , buildInputs ? [ ] 78 78 , zendExtension ? false 79 79 , doCheck ? true 80 + , extName ? name 80 81 , ... 81 82 }@args: stdenv.mkDerivation ((builtins.removeAttrs args [ "name" ]) // { 82 83 pname = "php-${name}"; 83 - extensionName = name; 84 + extensionName = extName; 84 85 85 86 outputs = [ "out" "dev" ]; 86 87 ··· 103 104 104 105 cdToExtensionRootPhase = '' 105 106 # Go to extension source root. 106 - cd "ext/${name}" 107 + cd "ext/${extName}" 107 108 ''; 108 109 109 110 preConfigure = '' ··· 139 140 runHook preInstall 140 141 141 142 mkdir -p $out/lib/php/extensions 142 - cp modules/${name}.so $out/lib/php/extensions/${name}.so 143 + cp modules/${extName}.so $out/lib/php/extensions/${extName}.so 143 144 mkdir -p $dev/include 144 145 ${rsync}/bin/rsync -r --filter="+ */" \ 145 146 --filter="+ *.h" \ ··· 419 420 # without a specific openssl.cnf file 420 421 { 421 422 name = "openssl-legacy"; 423 + extName = "openssl"; 422 424 buildInputs = [ openssl_1_1 ]; 423 425 configureFlags = [ "--with-openssl" ]; 424 426 doCheck = false;