[BUG] Incorrect (obsolete) TLS settings #129

Closed
1 task done
AlexMKX opened this issue Jan 18, 2025 · 2 comments

AlexMKX commented Jan 18, 2025

Is there an existing issue for this?

  • I have searched the existing issues

Current Behavior

The current settings for the unifi are:
unifi.https.sslEnabledProtocols=TLSv1,SSLv2Hello
This prevents traefik from working properly as a frontend (post data are not transferred), and browser clients are unable to connect to the controller even with the "continue to unsecure site" button clicked.

By setting v1.2 as the enabled TLS protocol, the issue is resolved completely.

Expected Behavior

unifi.https.sslEnabledProtocols=TLSv1.2,SSLv2Hello

Steps To Reproduce

Just set up and try to connect with a browser

Environment

- OS:
- How docker service was installed:

CPU architecture

x86-64

Docker creation

services:
  unifi-db:
    image: docker.io/mongo:4.4
    container_name: unifi-db
    environment:
      - MONGO_INITDB_ROOT_USERNAME=root
      - MONGO_INITDB_ROOT_PASSWORD=${UNIFI_MONGO_ROOT_PASSWORD}
      - MONGO_USER=unifi
      - MONGO_PASS=${UNIFI_MONGO_PASSWORD}
      - MONGO_DBNAME=unifi
      - MONGO_AUTHSOURCE=admin
    volumes:
      - unifi_mongo_data:/data/db
      - /opt/svcs/unifi/initdb.sh:/docker-entrypoint-initdb.d/init-mongo.sh:ro
    restart: unless-stopped
  unifi:
    image: lscr.io/linuxserver/unifi-network-application:latest
    container_name: unifi-network-application
    environment:
      - PUID=1000
      - PGID=1000
      - TZ=Etc/UTC
      - MONGO_USER=unifi
      - MONGO_PASS=${UNIFI_MONGO_PASSWORD}
      - MONGO_HOST=unifi-db
      - MONGO_PORT=27017
      - MONGO_DBNAME=unifi
      - MONGO_AUTHSOURCE=admin
    volumes:
      - ./unifi/config:/config
    ports:
      - 8443:8443
      - 3478:3478/udp
      - 10001:10001/udp
      - 8080:8080
      - 1900:1900/udp #optional
      - 8843:8843 #optional
      - 8880:8880 #optional
      - 6789:6789 #optional
      - 5514:5514/udp #optional
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.unifi.rule=Host(`${UNIFI_HOSTNAME}`)"
      - "traefik.http.routers.unifi.entrypoints=websecure"
      - "traefik.http.routers.unifi.tls=true"
      - "traefik.http.routers.unifi.tls.certresolver=myresolver"
      - "traefik.http.services.unifi.loadbalancer.server.port=8443"
      - "traefik.http.services.unifi.loadbalancer.server.scheme=https"
      - "traefik.http.services.unifi.loadbalancer.serverstransport=ignorecert"
      - "traefik.http.serversTransports.ignorecert.insecureSkipVerify=true"
      - "traefik.http.routers.unifi.middlewares=unifi-cn"
      - "traefik.http.middlewares.unifi-cn.headers.customrequestheaders.Host=unifi"
    restart: unless-stopped
volumes:
  unifi_data:
  unifi_mongo_data:

Container logs

unifi-network-application  | [migrations] started
unifi-network-application  | [migrations] no migrations found
unifi-network-application  | ───────────────────────────────────────
unifi-network-application  | GID/UID
unifi-network-application  | ───────────────────────────────────────
unifi-network-application  | 
unifi-network-application  | User UID:    1000
unifi-network-application  | User GID:    1000
unifi-network-application  | ───────────────────────────────────────
unifi-network-application  | Linuxserver.io version: 9.0.108-ls74
unifi-network-application  | Build-date: 2025-01-06T09:58:35+00:00
unifi-network-application  | ───────────────────────────────────────
unifi-network-application  |     
unifi-network-application  | [custom-init] No custom files found, skipping...
unifi-network-application  | [ls.io-init] done.

Thanks for opening your first issue here! Be sure to follow the relevant issue templates, or risk having this issue marked as invalid.


thespad commented Jan 18, 2025

None of those settings are enabled by default, they're provided commented out as part of example options that are additionally available to set in the system.properties file. It's expected that if you're going to change those settings you understand what they do and the consequences of setting them.

Ubiquiti do not publish a comprehensive list of default or available settings so we can't keep the example file up to date with what the actual values used by the controller are at any given time.

@thespad thespad closed this as completed Jan 18, 2025
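
An added example, not part of the issue thread or the project's code: a Python check that reads system.properties text, separates active lines from commented-out example lines, and reports which protocols listed in unifi.https.sslEnabledProtocols are obsolete. The three sample files are constructed from the values quoted in this issue; treating `#` and `!` lines as inactive follows Java properties syntax.

```python
import re

# Protocol names as Java's JSSE spells them; TLSv1 and TLSv1.1 were deprecated by RFC 8996.
OBSOLETE = {"SSLv3", "TLSv1", "TLSv1.1"}
# SSLv2Hello is a JSSE hello-format compatibility flag, not a usable protocol version.
PSEUDO = {"SSLv2Hello"}
KEY = "unifi.https.sslEnabledProtocols"

# Constructed sample file contents, using the two values quoted in the issue.
SAMPLE_COMMENTED = "# example options\n# unifi.https.sslEnabledProtocols=TLSv1,SSLv2Hello\n"
SAMPLE_ACTIVE_OLD = "unifi.https.sslEnabledProtocols=TLSv1,SSLv2Hello\n"
SAMPLE_ACTIVE_NEW = "unifi.https.sslEnabledProtocols = TLSv1.2,SSLv2Hello\n"

def parse_properties(text):
    """Return (active, commented) dicts of key/value pairs from properties text."""
    active, commented = {}, {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        target = active
        if line[0] in "#!":            # comment line: setting is not in effect
            line = line.lstrip("#! \t")
            target = commented
        m = re.match(r"([^=:\s]+)\s*[=:]\s*(.*)$", line)
        if m:
            target[m.group(1)] = m.group(2).strip()
    return active, commented

def audit_tls(text):
    """Classify the sslEnabledProtocols setting and list its obsolete protocols."""
    active, commented = parse_properties(text)
    if KEY in active:
        state, value = "active", active[KEY]
    elif KEY in commented:
        state, value = "commented-out", commented[KEY]
    else:
        return {"state": "absent", "protocols": [], "obsolete": [], "usable": []}
    protocols = [p.strip() for p in value.split(",") if p.strip()]
    obsolete = [p for p in protocols if p in OBSOLETE]
    usable = [p for p in protocols if p not in OBSOLETE and p not in PSEUDO]
    return {"state": state, "protocols": protocols, "obsolete": obsolete, "usable": usable}

if __name__ == "__main__":
    for name in ("SAMPLE_COMMENTED", "SAMPLE_ACTIVE_OLD", "SAMPLE_ACTIVE_NEW"):
        print(name, audit_tls(globals()[name]))
```

An active setting with an empty `usable` list means the listener offers only deprecated protocol versions.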