ꦫꦣꦺꦤ꧀ꦄꦤ꧀ꦠꦱꦺꦤ

PATH: usr / local / cpanel / scripts

#!/usr/local/cpanel/3rdparty/bin/perl
# cpanel - scripts/fixtlsversions                    Copyright 2022 cPanel, L.L.C.
#                                                           All rights reserved.
# copyright@cpanel.net                                         http://cpanel.net
# This code is subject to the cPanel license. Unauthorized copying is prohibited

package scripts::fixtlsversions;

# This script is related to CPANEL-33512 and is expected to be
# of limited usefulness outside of the one-time task to ensure
# that TLSv1.2 is active for cpsrvd and other services.

use strict;
use warnings;
use Cpanel::LoadModule     ();
use Cpanel::SSL::Protocols ();
use Cpanel::ServerTasks    ();
use Cpanel::Imports;

use Getopt::Long 'GetOptionsFromArray';

exit run(@ARGV) unless caller;

sub run {
    my @args = @_;
    my ( $help, $dry_run, $update );
    GetOptionsFromArray(
        \@args,
        'help'    => \$help,
        'dry-run' => \$dry_run,
        'update'  => \$update,
    ) || return _usage(1);
    return _usage(0) if $help;
    return _usage(1) unless $dry_run xor $update;

my $obj = __PACKAGE__->new( update => $update );

$obj->logmsg('Ensuring that web-accessible services have TLSv1.2 active …');

for my $try ( 1, 2 ) {
        $obj->adjust_cpsrvd_and_cpdavd();
        $obj->adjust_apache();

if ( $obj->{failed} ) {
            $obj->logmsg( sprintf( '%d error(s) occurred.', $obj->{failed} ) );
            if ( $try == 1 ) {
                $obj->logmsg('Trying again …');
                delete $obj->{failed};
                sleep 2;
            }
        }
        else {
            $obj->logmsg('Done.');
            last;
        }
    }

return $obj->{failed} ? 1 : 0;
}

sub new {
    my ( $package, %opts ) = @_;
    return bless {%opts}, $package;
}

sub adjust_cpsrvd_and_cpdavd {
    my ($self) = @_;

for my $service (qw(cpsrvd cpdavd)) {
        my $module = "Cpanel::ServiceConfig::$service";
        Cpanel::LoadModule::load_perl_module($module);

my $conf_obj    = $module->new();
        my $settings_hr = $conf_obj->get_config(1);

my $old_string = $settings_hr->{SSLVersion};
        my $new_string = Cpanel::SSL::Protocols::upgrade_version_string_for_tls_1_2( $settings_hr->{SSLVersion}, '_' );
        $settings_hr->{SSLVersion} = $new_string;

if ( $new_string ne $old_string ) {
            if ( $self->{update} ) {
                eval {
                    $conf_obj->validate($settings_hr) or die "Failed to validate configuration\n";
                    my ( $save_ok, $save_msg ) = $conf_obj->save_datastore($settings_hr);
                    $conf_obj->update_config($settings_hr);
                    Cpanel::ServerTasks::queue_task( ['CpServicesTasks'], "restartsrv $service" );
                };
                if ( my $exception = $@ ) {
                    $self->logmsg("'$service' failed to update TLS protocols: $exception");
                    ++$self->{failed};
                }
                else {
                    $self->logmsg("'$service' switched $old_string to $new_string");
                }
            }
        }
        else {
            $self->logmsg("'$service' left $old_string unchanged");
        }
    }
    return;
}

sub adjust_apache {
    my ($self) = @_;

require Cpanel::EA4::Conf;
    my $conf       = Cpanel::EA4::Conf->instance();
    my $old_string = $conf->sslprotocol;
    my $new_string = Cpanel::SSL::Protocols::upgrade_version_string_for_tls_1_2_apache($old_string);
    my $current    = $conf->sslprotocol($new_string);
    if ( $new_string ne $old_string ) {
        if ( $self->{update} ) {
            eval {
                $conf->save;
                Cpanel::ServerTasks::queue_task( ['ApacheTasks'], 'build_apache_conf' );
            };
            if ( my $exception = $@ ) {
                $self->logmsg("'httpd' failed to update TLS protocols: $exception");
                ++$self->{failed};

# rebuild conf but save restart for the next time it's necessary
            }
            else {
                $self->logmsg("'httpd' switched $old_string to $new_string");
            }
        }
    }
    else {
        $self->logmsg("'httpd' left $old_string unchanged");
    }
    return;
}

sub logmsg {
    my ( $self, $msg ) = @_;
    return logger()->info( sprintf( '%s%s', $self->{update} ? '' : '(dry run) ', $msg ) );
}

sub _usage {
    my ($error) = @_;
    my $usage = <<EOU;
usage: $0 --dry-run | --update

You must specify one or the other, and you may not specify both.

--dry-run: Do everything (including log messages) except make the actual changes

--update: Make the changes
EOU

if ($error) {
        print STDERR $usage;
        return 1;
    }
    print $usage;
    return 0;
}

[+] ..
[-] rebuild_whm_chrome [edit]
[-] check_mail_spamassassin_compiledregexps_body_0 [edit]
[-] transfer_accounts_as_root [edit]
[-] cphulkdblacklist [edit]
[-] fixquotas [edit]
[-] archive_sync_zones [edit]
[-] listsubdomains [edit]
[-] suspendmysqlusers [edit]
[-] userdata_wildcard_cleanup [edit]
[-] perlinstaller [edit]
[-] mkwwwacctconf [edit]
[-] realrawchpass [edit]
[-] find_pids_with_inotify_watch_on_path [edit]
[-] update_mysql_systemd_config [edit]
[-] oopscheck [edit]
[-] hackcheck [edit]
[-] spamboxdisable [edit]
[-] check_cpanel_pkgs [edit]
[-] installpkg [edit]
[-] removeacct [edit]
[-] initsuexec [edit]
[-] checkalldomainsmxs [edit]
[-] mainipcheck [edit]
[-] restartsrv_nscd [edit]
[-] cleandns8 [edit]
[-] quickwhoisips [edit]
[-] make_hostname_unowned [edit]
[-] perform_sqlite_auto_rebuild_db_maintenance [edit]
[-] fix_pear_registry [edit]
[-] importmydnsdb [edit]
[-] builddovecotconf [edit]
[-] check_valid_server_hostname [edit]
[-] cphulkdwhitelist [edit]
[-] verify_vhost_includes [edit]
[-] make_config [edit]
[-] compilerscheck [edit]
[-] apachelimits [edit]
[-] restartsrv_unknown [edit]
[-] purge_old_config_caches [edit]
[-] checkbashshell [edit]
[-] cpbackup_transport_file [edit]
[-] check_unmonitored_enabled_services [edit]
[-] wwwacct [edit]
[-] listcheck [edit]
[-] sync_child_accounts [edit]
[-] ensure_includes [edit]
[-] fix_addon_permissions [edit]
[-] update_spamassassin_config [edit]
[-] fixmailinglistperms [edit]
[-] fixwebalizer [edit]
[-] restartsrv_xinetd [edit]
[-] gensysinfo [edit]
[-] buildeximconf [edit]
[-] resetquotas [edit]
[-] restartsrv_base [edit]
[-] disable_sqloptimizer [edit]
[-] configure_rh_ipv6_firewall_for_cpanel [edit]
[-] securerailsapps [edit]
[-] unlink_service_account [edit]
[-] resetmailmanurls [edit]
[-] locale_export [edit]
[-] dovecot_set_defaults.pl [edit]
[-] updatenow [edit]
[-] run_plugin_lifecycle [edit]
[-] set_php_memory_limits [edit]
[-] linksubemailtomainacct [edit]
[-] increase_filesystem_limits [edit]
[-] restartsrv_cpanel_php_fpm [edit]
[-] try-later [edit]
[-] restartsrv [edit]
[-] addpop [edit]
[-] upcp [edit]
[-] export_horde_contacts_to_vcf [edit]
[-] restorecpuserfromcache [edit]
[-] perlmods [edit]
[-] upcp-running [edit]
[-] modify_accounts [edit]
[-] restartsrv_cpanalyticsd [edit]
[-] restartsrv_cpanellogd [edit]
[-] cleansessions [edit]
[-] delpop [edit]
[-] sync_contact_emails_to_cpanel_users_files [edit]
[-] addsystemuser [edit]
[-] migrate_whmtheme_file_to_userdata [edit]
[-] rebuildinstalledssldb [edit]
[-] whoowns [edit]
[-] fix-cpanel-perl [edit]
[-] editquota [edit]
[-] setpostgresconfig [edit]
[-] killpvhost [edit]
[-] check_users_my_cnf [edit]
[-] check_domain_tls_service_domains.pl [edit]
[-] restorepkg [edit]
[-] cpdig [edit]
[-] maintenance [edit]
[-] securetmp [edit]
[-] restartsrv_clamd [edit]
[-] expunge_expired_certificates_from_sslstorage [edit]
[-] updatenameserverips [edit]
[-] runstatsonce [edit]
[-] restartsrv_pdns [edit]
[-] unsuspendmysqlusers [edit]
[-] named.rfc1912.zones [edit]
[-] update_dkim_keys [edit]
[-] restartsrv_tailwatchd [edit]
[-] restartsrv_cpipv6 [edit]
[-] realadduser [edit]
[-] rebuildippool [edit]
[-] dav_change_hostname [edit]
[-] restartsrv_ftpd [edit]
[-] rpmup [edit]
[-] post_snapshot [edit]
[-] gencrt [edit]
[-] xferpoint [edit]
[-] convert_and_migrate_from_legacy_backup [edit]
[-] transfermysqlusers [edit]
[-] unslavenamedconf [edit]
[-] comparecdb [edit]
[-] email_hold_maintenance [edit]
[-] userdirctl [edit]
[-] install_dovecot_fts [edit]
[-] grpck [edit]
[-] ensure_hostname_resolves [edit]
[-] set_mailman_archive_perms [edit]
[-] check_cpanel_rpms [edit]
[-] sshcontrol [edit]
[-] check_security_advice_changes [edit]
[-] fastmail [edit]
[-] fixnamedviews [edit]
[+] cpan_sandbox
[-] eximstats_spam_check [edit]
[-] updatessldomains [edit]
[-] restartsrv_ftpserver [edit]
[-] post_sync_cleanup [edit]
[-] restartsrv_rsyslog [edit]
[-] proxydomains [edit]
[-] patch_mail_spamassassin_compiledregexps_body_0 [edit]
[-] convert_accesshash_to_token [edit]
[-] nixstatsagent.sh [edit]
[-] restartsrv_exim [edit]
[-] check_mount_procfs [edit]
[-] rebuildnsdzones [edit]
[-] killspamkeys [edit]
[-] ckillall [edit]
[-] check_maxmem_against_domains_count [edit]
[-] pwck [edit]
[-] uninstall_cpanel_analytics [edit]
[-] cpservice [edit]
[-] remote_log_transfer [edit]
[-] initquotas [edit]
[-] wwwacct2 [edit]
[-] refresh-dkim-validity-cache [edit]
[-] spamassassindisable [edit]
[-] rsync-user-homedir.pl [edit]
[-] dnscluster [edit]
[-] convert2dovecot [edit]
[-] installpostgres [edit]
[-] copy_user_mail_as_root [edit]
[-] rebuild_provider_openid_connect_links_db [edit]
[-] fixrndc [edit]
[-] restartsrv_sshd [edit]
[-] enable_spf_dkim_globally [edit]
[-] restartsrv_syslogd [edit]
[-] killdns [edit]
[-] dcpumon-wrapper [edit]
[-] dumpstor [edit]
[-] ptycheck [edit]
[-] initfpsuexec [edit]
[-] updatesigningkey [edit]
[-] update_local_rpm_versions [edit]
[-] expunge_expired_transfer_sessions [edit]
[-] find_outdated_services [edit]
[-] ipusage [edit]
[-] check_unreliable_resolvers [edit]
[-] restartsrv_pop3 [edit]
[-] restartsrv_postgresql [edit]
[-] restartsrv_dnsadmin [edit]
[-] vps_optimizer [edit]
[-] email_archive_maintenance [edit]
[-] ensure_crontab_permissions [edit]
[-] buildhttpdconf [edit]
[-] cpanpingtest [edit]
[-] build_mail_sni [edit]
[-] get_locale_from_legacy_name_info [edit]
[-] fixrelayd [edit]
[-] gemwrapper [edit]
[-] snapshot_prep [edit]
[-] restartsrv_p0f [edit]
[-] test_sa_compiled [edit]
[-] gather_update_logs_setupcrontab [edit]
[-] installsqlite3 [edit]
[-] autorepair [edit]
[-] featuremod [edit]
[-] vzzo-fixer [edit]
[-] mysqlpasswd [edit]
[-] ssl_crt_status [edit]
[-] mailperm [edit]
[-] restartsrv_named [edit]
[-] build_bandwidthdb_root_cache_in_background [edit]
[-] backups_clean_metadata_for_missing_backups [edit]
[-] realperlinstaller [edit]
[-] update-packages [edit]
[-] ftpfetch [edit]
[-] ftpsfetch [edit]
[-] import_exim_data [edit]
[-] restartsrv_cphulkd [edit]
[-] unsuspendacct [edit]
[-] setup_greylist_db [edit]
[-] setupmailserver [edit]
[-] maildir_converter [edit]
[-] fixtar [edit]
[-] cleanphpsessions.php [edit]
[-] restartsrv_lmtp [edit]
[-] getremotecpmove [edit]
[-] biglogcheck [edit]
[-] chkpaths [edit]
[-] litespeed-check [edit]
[-] quota_auto_fix [edit]
[-] generate_account_suspension_include [edit]
[-] fixvaliases [edit]
[-] checknsddirs [edit]
[-] synctransfers [edit]
[-] upgrade_bandwidth_dbs [edit]
[-] phpini_tidy [edit]
[-] cleanupmysqlprivs [edit]
[-] restartsrv_imap [edit]
[-] killdns-dnsadmin [edit]
[-] ccs-check [edit]
[-] spamassassin_dbm_cleaner [edit]
[-] process_pending_cpanel_php_pear_registration [edit]
[-] setup_modsec_db [edit]
[-] restartsrv_cpsrvd [edit]
[-] enable_sqloptimizer [edit]
[-] slurp_exim_mainlog [edit]
[-] balance_linked_node_quotas [edit]
[-] smartcheck [edit]
[-] smtpmailgidonly [edit]
[-] notify_expiring_certificates [edit]
[-] pedquota [edit]
[-] syslog_check [edit]
[-] killmysqlwildcard [edit]
[-] fetchfile [edit]
[-] setup_systemd_timer_for_plugins [edit]
[-] postupcp [edit]
[-] mailscannerupdate [edit]
[-] MirrorSearch_pingtest [edit]
[-] cpbackup [edit]
[-] named.ca [edit]
[-] build_cpnat [edit]
[-] cpanelsync [edit]
[-] mysqlconnectioncheck [edit]
[-] ensure_dovecot_memory_limits_meet_minimum [edit]
[-] checkccompiler [edit]
[-] zoneexists [edit]
[-] fixheaders [edit]
[-] validate_sshkey_passphrase [edit]
[-] rawchpass [edit]
[-] compilers [edit]
[-] update_exim_rejects [edit]
[+] php_sandbox
[-] restartsrv_crond [edit]
[-] cpaddonsup [edit]
[-] create_default_featurelist [edit]
[-] rebuild_dbmap [edit]
[-] restartsrv_mysql [edit]
[-] servicedomains [edit]
[-] dnsqueuecron [edit]
[-] build_maxemails_config [edit]
[-] install_plugin [edit]
[-] expunge_expired_pkgacct_sessions [edit]
[-] cleanupinterchange [edit]
[-] manage_extra_marketing [edit]
[-] find_and_fix_rpm_issues [edit]
[-] rebuild_available_rpm_addons_cache [edit]
[-] httpspamdetect [edit]
[-] restartsrv_apache [edit]
[-] restartsrv_mydns [edit]
[-] convert_whmxfer_to_sqlite [edit]
[-] jetbackup-check [edit]
[-] dumpcdb [edit]
[-] clear_cpaddon_ui_caches [edit]
[-] update_users_vhosts [edit]
[-] rebuildhttpdconf [edit]
[-] generate_maildirsize [edit]
[-] modify_packages [edit]
[-] checkusers [edit]
[-] generate_google_drive_oauth_uri [edit]
[-] fix-listen-on-localhost [edit]
[-] exportmydnsdb [edit]
[-] update_apachectl [edit]
[-] fixndc [edit]
[-] sendicq [edit]
[-] restartsrv_nsd [edit]
[-] restartsrv_apache_php_fpm [edit]
[-] cleanphpsessions [edit]
[-] clear_orphaned_virtfs_mounts [edit]
[-] check_immutable_files [edit]
[-] rebuild_available_addons_packages_cache [edit]
[-] restartsrv_queueprocd [edit]
[-] updateuserdomains [edit]
[-] clean_dead_mailman_locks [edit]
[-] magicloader [edit]
[-] restartsrv_bind [edit]
[-] update_existing_mail_quotas_for_account [edit]
[-] ensure_autoenabled_features [edit]
[-] fix_dns_zone_ttls [edit]
[-] unblockip [edit]
[-] dovecot_maintenance [edit]
[-] reset_mail_quotas_to_sane_values [edit]
[-] cpfetch [edit]
[-] restartsrv_ipaliases [edit]
[-] convert_mdbox_to_maildir [edit]
[-] cpuser_service_manager [edit]
[-] exim_tidydb [edit]
[-] upcp.static [edit]
[-] restartsrv_rsyslogd [edit]
[-] locale_info [edit]
[-] convert_roundcube_mysql2sqlite [edit]
[-] transfer_in_progress.pod [edit]
[-] modsec_vendor [edit]
[-] backups_list_user_files [edit]
[-] upgrade_subaccount_databases [edit]
[-] sysup [edit]
[-] synccpaddonswithsqlhost [edit]
[-] simpleps [edit]
[-] update_sa_config [edit]
[-] restartsrv_cpdavd [edit]
[-] enablefileprotect [edit]
[-] restartsrv_spamd [edit]
[-] distro_changed_hook [edit]
[-] install_cpanel_analytics [edit]
[-] restartsrv_inetd [edit]
[-] run_if_exists [edit]
[-] convert_to_dovecot_delivery [edit]
[-] clean_up_temp_wheel_users [edit]
[-] fix_reseller_acls [edit]
[-] update_mailman_cache [edit]
[-] killmysqluserprivs [edit]
[-] restartsrv_dovecot [edit]
[-] transfer_account_as_user [edit]
[-] restartsrv_proftpd [edit]
[-] generate_google_drive_credentials [edit]
[-] hook [edit]
[-] clean_user_php_sessions [edit]
[-] restartsrv_pureftpd [edit]
[-] wpt_license [edit]
[-] logo.dat [edit]
[-] isdedicatedip [edit]
[-] dumpinodes [edit]
[-] ftpupdate [edit]
[-] rdate [edit]
[-] backups_create_metadata [edit]
[-] link_3rdparty_binaries [edit]
[-] check_mysql [edit]
[-] checkexim.pl [edit]
[-] quickdnslookup [edit]
[-] updatenow.static [edit]
[-] transfer_in_progress [edit]
[-] runweblogs [edit]
[-] unpkgacct [edit]
[-] cpanelsync_postprocessor [edit]
[-] xfer_rcube_uid_resolver.pl [edit]
[-] export_horde_calendars_to_ics [edit]
[-] update_users_jail [edit]
[-] fixetchosts [edit]
[-] hulk-unban-ip [edit]
[-] custom_backup_destination.pl.sample [edit]
[-] restartsrv_mailman [edit]
[-] checklink [edit]
[-] add_dns [edit]
[-] fixtlsversions [edit]
[-] realchpass [edit]
[-] quotacheck [edit]
[-] copy_user_mail_as_user [edit]
[-] cleandns [edit]
[-] restartsrv_postgres [edit]
[-] rebuilduserssldb [edit]
[-] update_neighbor_netblocks [edit]
[-] disablefileprotect [edit]
[-] restartsrv_httpd [edit]
[-] uninstall_plugin [edit]
[-] buildnsdconf [edit]
[-] gather_update_log_stats [edit]
[-] rfc1912_zones.tar [edit]
[-] xfertool [edit]
[-] pkgacct [edit]
[-] edit_cpanelsync_exclude_list [edit]
[-] dnssec-cluster-keys [edit]
[-] chkmydns [edit]
[-] remove_dovecot_index_files [edit]
[-] ea4_fresh_install [edit]
[-] setupnameserver [edit]
[-] manage_mysql_profiles [edit]
[-] swapip [edit]
[-] process_site_templates [edit]
[-] verify_api_spec_files [edit]
[-] restartsrv_powerdns [edit]
[-] regenerate_tokens [edit]
[-] notify_expiring_certificates_on_linked_nodes [edit]
[-] adduser [edit]
[-] restartsrv_eximstats [edit]
[-] migrate_local_ini_to_php_ini [edit]
[-] safetybits.pl [edit]
[-] initacls [edit]
[-] chpass [edit]
[-] cpanel_initial_install [edit]
[-] cpuser_port_authority [edit]
[-] manage_greylisting [edit]
[-] patchfdsetsize [edit]
[-] cleanmsglog [edit]
[-] suspendacct [edit]
[-] install_tuxcare_els_php [edit]
[-] fixmailman [edit]
[-] secureit [edit]
[-] optimize_eximstats [edit]
[-] ipcheck [edit]
[-] disable_prelink [edit]
[-] cpan_config [edit]
[-] rebuilddnsconfig [edit]
[-] ensure_cpuser_file_ip [edit]
[-] securemysql [edit]
[-] ensure_conf_dir_crt_key [edit]
[-] configure_firewall_for_cpanel [edit]
[-] setupftpserver [edit]
[-] eximconfgen [edit]
[-] custom_backup_destination.pl.skeleton [edit]
[-] convert_maildir_to_mdbox [edit]
[-] rebuild_bandwidthdb_root_cache [edit]
[-] elevate-cpanel [edit]
[-] fix-web-vhost-configuration [edit]
[-] primary_virtual_host_migration [edit]
[-] ensure_vhost_includes [edit]
[-] purge_modsec_log [edit]
[-] restartsrv_cpgreylistd [edit]
[-] sync-mysql-users-from-grants [edit]
[-] update_known_proxy_ips [edit]
[-] activesync-invite-reply [edit]
[-] rescan_user_dovecot_fts [edit]
[-] sa-update_wrapper [edit]
[-] adddns [edit]
[-] whmlogin [edit]
[-] php_fpm_config [edit]
[-] shrink_modsec_ip_database [edit]
[-] updatedomainips [edit]
[-] restartsrv_chkservd [edit]
[-] auto-adjust-mysql-limits [edit]
[-] configure_rh_firewall_for_cpanel [edit]
[-] updateuserdatacache [edit]
[-] update_db_cache [edit]
[-] detect_env_capabilities [edit]
[-] locale_import [edit]
[-] modify_featurelist [edit]
[-] fix_innodb_tables [edit]
[-] postupcp.cloudlinux-linksafe.bak [edit]
[-] createacct [edit]
[-] migrate-pdns-conf [edit]
[-] ftpquotacheck [edit]
[-] updatesupportauthorizations [edit]
[-] reloadnsd [edit]
[-] cleanquotas [edit]
[-] dumpquotas [edit]
[-] forcelocaldomain [edit]
[-] uninstall_dovecot_fts [edit]
[-] buildpureftproot [edit]
[-] verify_pidfile [edit]
[-] xfer_rcube_schema_migrate.pl [edit]