From 066f8f676c08e22091cc45f3f90fa1c36023b168 Mon Sep 17 00:00:00 2001
From: "google-labs-jules[bot]" <161369871+google-labs-jules[bot]@users.noreply.github.com>
Date: Fri, 9 Jan 2026 10:09:54 +0000
Subject: [PATCH] feat: make VPN server cipher suite configurable via CIPHER_SUITES env var
- Replaced hardcoded 'DHE-RSA-AES256-SHA' cipher suite with configurable 'CIPHER_SUITES' variable
- Set default 'CIPHER_SUITES' to 'DHE-RSA-AES256-SHA' to maintain backward compatibility
- Documented the change in .jules/sentinel.md
This allows users to upgrade to stronger ciphers like AES256-GCM-SHA384 without rebuilding the image.
---
 .jules/sentinel.md | 4 ++++
 copyables/entrypoint.sh | 3 ++-
 2 files changed, 6 insertions(+), 1 deletion(-)
 create mode 100644 .jules/sentinel.md
diff --git a/.jules/sentinel.md b/.jules/sentinel.md
new file mode 100644
index 0000000..fb9f1a6
--- /dev/null
+++ b/.jules/sentinel.md
@@ -0,0 +1,4 @@
+## 2025-01-09 - Hardcoded Cipher Suite
+**Vulnerability:** The `entrypoint.sh` script hardcoded `DHE-RSA-AES256-SHA` as the only allowed cipher suite using `ServerCipherSet`.
+**Learning:** This restriction prevents users from utilizing modern, stronger ciphers like `AES256-GCM-SHA384` (TLS 1.2) unless they modify the entrypoint script. Hardcoding security configurations limits adaptability and improvements.
+**Prevention:** Always expose security parameters (like cipher suites, protocols, key lengths) as configuration variables (env vars) with secure defaults.
diff --git a/copyables/entrypoint.sh b/copyables/entrypoint.sh
index 0d224a0..927c007 100644
--- a/copyables/entrypoint.sh
+++ b/copyables/entrypoint.sh
@@ -63,9 +63,10 @@ if [ ! -f $CONFIG ] || [ ! -s $CONFIG ]; then
 # while-loop to wait until server comes up
 # switch cipher
+ : ${CIPHER_SUITES:='DHE-RSA-AES256-SHA'}
 while :; do
 set +e
- vpncmd_server ServerCipherSet DHE-RSA-AES256-SHA 2>&1 >/dev/null
+ vpncmd_server ServerCipherSet "${CIPHER_SUITES}" 2>&1 >/dev/null
 [[ $? -eq 0 ]] && break
 set -e
 sleep 1
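Review bot: A rejected cipher string now stalls the entrypoint forever, because the retry loop around the new `vpncmd_server ServerCipherSet "${CIPHER_SUITES}"` line treats every non-zero exit as "server not up yet" and sleeps indefinitely, so an operator typo in `CIPHER_SUITES` becomes a silent hang instead of a startup error; bound the retries and name the value on failure, e.g. `(( ++cipher_tries > 60 )) && { echo "ServerCipherSet '${CIPHER_SUITES}' was not accepted" >&2; exit 1; }` placed between the `break` check and `set -e` while errexit is still off (the loop's `done` and the enclosing `if` are outside the hunk). The default kept for compatibility is a CBC/SHA-1 suite, which sits oddly next to the sentinel note's "secure defaults" advice, so at minimum document the trade-off above the new line: `# CIPHER_SUITES: passed to ServerCipherSet; the legacy DHE-RSA-AES256-SHA default is kept only for backward compatibility — override with an AEAD (GCM) suite in new deployments`. Whether vpncmd accepts a colon-separated list, as the plural name suggests, is not visible here; if it takes a single suite, a singular name avoids misuse. Quote the default assignment, `: "${CIPHER_SUITES:=DHE-RSA-AES256-SHA}"`, to keep ShellCheck clean.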