Update recommended cipher/TLS-version specification

03d83125 · Robin Sonnabend · f164d9ea · 03d83125 · 03d83125 · 03d83125
Commit 03d83125 authored Jul 9, 2019 by Robin Sonnabend
--- a/webserver/tasks/main.yml
+++ b/webserver/tasks/main.yml
 ---
 # file: webserver/tasks/main.yml

+- include_vars:
+    file: "{{debian_version|default('fallback')}}.yml"
+
 - name: ensure nginx is installed
  apt:
    name:

--- a/webserver/templates/nginx-proxy.conf
+++ b/webserver/templates/nginx-proxy.conf
@@ -48,7 +48,10 @@ http {
    ssl_session_tickets off;

    ssl_protocols {{protocols[cipher_strength]}};
+    {% if ciphers[cipher_strength] is not none %}
    ssl_ciphers '{{ciphers[cipher_strength]}}';
+    {% endif %}
+
    ssl_prefer_server_ciphers on;

    ssl_stapling on;

--- a/webserver/templates/nginx.conf
+++ b/webserver/templates/nginx.conf
@@ -41,7 +41,10 @@ http {
    ssl_session_tickets off;

    ssl_protocols {{protocols[cipher_strength]}};
+    {% if ciphers[cipher_strength] is not none %}
    ssl_ciphers '{{ciphers[cipher_strength]}}';
+    {% endif %}
+
    ssl_prefer_server_ciphers on;
    #add_header Strict-Transport-Security max-age=15768000; # Only in proxy


--- a/webserver/templates/sites/tlsproxy.conf
+++ b/webserver/templates/sites/tlsproxy.conf
@@ -18,8 +18,10 @@ server {

    {% if server.cipher_strength is defined %}
    ssl_protocols {{protocols[server.cipher_strength]}};
+    {% if ciphers[server.cipher_strength] is not none %}
    ssl_ciphers '{{ciphers[server.cipher_strength]}}';
    {% endif %}
+    {% endif %}
    {% if server.use_sso is defined and server.use_sso %}

    set $sso_group "{{server.sso_group}}";

--- a/webserver/vars/buster.yml
+++ b/webserver/vars/buster.yml
+---
+# yamllint disable rule:line-length
+
+protocols:
+  modern: 'TLSv1.3'
+  intermediate: 'TLSv1.2 TLSv1.3'
+ciphers:
+  modern: null
+  intermediate: 'ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384'
--- a/webserver/vars/main.yml
+++ b/webserver/vars/main.yml
--- a/webserver/vars/stretch.yml
+++ b/webserver/vars/stretch.yml
+---
+# yamllint disable rule:line-length
+
+protocols:
+  modern: 'TLSv1.2'
+  intermediate: 'TLSv1 TLSv1.1 TLSv1.2'
+ciphers:
+  modern: 'ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256'
+  intermediate: 'ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS'