Add optimised gnutls cipher string to SSL cookbook and use it for exim

diff --git a/.rubocop_todo.yml b/.rubocop_todo.yml
index 02bdf670183366174f407edd586b69259d1aa9c6..c0e6c97babfa71a799c46a6c14fa12f2d41fa6b2 100644 (file)
--- a/.rubocop_todo.yml
+++ b/.rubocop_todo.yml
@@ -23,7 +23,7 @@ Metrics/CyclomaticComplexity:
 # Configuration parameters: AllowHeredoc, AllowURI, URISchemes, IgnoreCopDirectives.
 # URISchemes: http, https
 Metrics/LineLength:
 # Configuration parameters: AllowHeredoc, AllowURI, URISchemes, IgnoreCopDirectives.
 # URISchemes: http, https
 Metrics/LineLength:

-  Max: 696
+  Max: 704

 
 # Offense count: 24
 # Configuration parameters: CountComments.
 
 # Offense count: 24
 # Configuration parameters: CountComments.

diff --git a/cookbooks/apache/templates/default/ssl.erb b/cookbooks/apache/templates/default/ssl.erb
index ffbbcbb5e7259e0ec5fbb48b8932a867048348ac..9f20fb63274d6d30f269a68a13823698a5f4bbbf 100644 (file)
--- a/cookbooks/apache/templates/default/ssl.erb
+++ b/cookbooks/apache/templates/default/ssl.erb
@@ -3,7 +3,7 @@
 SSLProtocol All -SSLv2 -SSLv3
 
 SSLHonorCipherOrder On
 SSLProtocol All -SSLv2 -SSLv3
 
 SSLHonorCipherOrder On

-SSLCipherSuite <%= node[:ssl][:ciphers] %>
+SSLCipherSuite <%= node[:ssl][:openssl_ciphers] %>

 <% if node[:lsb][:release].to_f < 16.04 -%>
 
 SSLCertificateChainFile /etc/ssl/certs/letsencrypt.pem
 <% if node[:lsb][:release].to_f < 16.04 -%>
 
 SSLCertificateChainFile /etc/ssl/certs/letsencrypt.pem

diff --git a/cookbooks/exim/metadata.rb b/cookbooks/exim/metadata.rb
index eb25776e1ace635c450434c49babc7ea01cec59d..19ab6af9d4a0304b9fa13317d9ec232bc60af5e9 100644 (file)
--- a/cookbooks/exim/metadata.rb
+++ b/cookbooks/exim/metadata.rb
@@ -7,3 +7,4 @@ long_description  IO.read(File.join(File.dirname(__FILE__), "README.md"))
 version           "1.0.0"
 supports          "ubuntu"
 depends           "networking"
 version           "1.0.0"
 supports          "ubuntu"
 depends           "networking"

+depends           "ssl"

diff --git a/cookbooks/exim/templates/default/exim4.conf.erb b/cookbooks/exim/templates/default/exim4.conf.erb
index e0224872e5373bcf5802273c2a3bd2ddae495d04..f541cec1765d60be1fbc7fc137ca6c927762dd8b 100644 (file)
--- a/cookbooks/exim/templates/default/exim4.conf.erb
+++ b/cookbooks/exim/templates/default/exim4.conf.erb
@@ -148,7 +148,7 @@ tls_advertise_hosts = <; !127.0.0.1 ; !::1
 
 # Configured TLS cipher selection.
 
 
 # Configured TLS cipher selection.
 

-tls_require_ciphers = NORMAL:-VERS-SSL3.0:-CIPHER-ALL:-SHA1:-MD5:+SHA1:+AES-256-GCM:+AES-256-CBC:+CAMELLIA-256-CBC:+AES-128-GCM:+AES-128-CBC:+CAMELLIA-128-CBC:%SERVER_PRECEDENCE
+tls_require_ciphers = <%= node[:ssl][:gnutls_ciphers] %>:%SERVER_PRECEDENCE

 
 # Specify the location of the Exim server's TLS certificate and private key.
 # The private key must not be encrypted (password protected). You can put
 
 # Specify the location of the Exim server's TLS certificate and private key.
 # The private key must not be encrypted (password protected). You can put


@@ -662,7 +662,7 @@ begin transports
 remote_smtp:
   driver = smtp
   multi_domain = false
 remote_smtp:
   driver = smtp
   multi_domain = false

-  tls_require_ciphers = NORMAL:-VERS-SSL3.0:-CIPHER-ALL:-SHA1:-MD5:+SHA1:+AES-256-GCM:+AES-256-CBC:+CAMELLIA-256-CBC:+AES-128-GCM:+AES-128-CBC:+CAMELLIA-128-CBC:%SERVER_PRECEDENCE
+  tls_require_ciphers = <%= node[:ssl][:gnutls_ciphers] %>:%LATEST_RECORD_VERSION

 
 
 # This transport is used for handling pipe deliveries generated by alias or
 
 
 # This transport is used for handling pipe deliveries generated by alias or

diff --git a/cookbooks/nginx/templates/default/nginx.conf.erb b/cookbooks/nginx/templates/default/nginx.conf.erb
index 429716d04150bfce44404c1f6f12084b93d7de8d..77820eb91fe374f89cee1ecae9f3fef196c87cac 100644 (file)
--- a/cookbooks/nginx/templates/default/nginx.conf.erb
+++ b/cookbooks/nginx/templates/default/nginx.conf.erb
@@ -34,7 +34,7 @@ http {
     server_tokens off;
 
     ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
     server_tokens off;
 
     ssl_protocols TLSv1 TLSv1.1 TLSv1.2;

-    ssl_ciphers <%= node[:ssl][:ciphers] -%>;
+    ssl_ciphers <%= node[:ssl][:openssl_ciphers] -%>;

     ssl_prefer_server_ciphers on;
     ssl_session_cache shared:SSL:50m;
     ssl_session_timeout 30m;
     ssl_prefer_server_ciphers on;
     ssl_session_cache shared:SSL:50m;
     ssl_session_timeout 30m;

diff --git a/cookbooks/ssl/attributes/default.rb b/cookbooks/ssl/attributes/default.rb
index 614e0bda9ada95e0527d6803cb7b746aaced8dcb..e990eed724546c477aa294de7cb1fb606f54c17f 100644 (file)
--- a/cookbooks/ssl/attributes/default.rb
+++ b/cookbooks/ssl/attributes/default.rb
@@ -1,2 +1,7 @@
-default[:ssl][:ciphers] = "ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS"
+default[:ssl][:openssl_ciphers] = "ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS"
+default[:ssl][:gnutls_ciphers] = if node[:lsb][:release].to_f >= 18.04
+                                   "NONE:+AEAD:+SHA256:+SHA1:+SHA384:+SHA512:+CURVE-X25519:+CURVE-SECP256R1:+CURVE-SECP384R1:+CURVE-SECP521R1:+SIGN-ALL:-SIGN-RSA-MD5:-SIGN-DSA-SHA1:-SIGN-DSA-SHA224:-SIGN-DSA-SHA256:-SIGN-DSA-SHA384:-SIGN-DSA-SHA512:+AES-256-GCM:+AES-256-CCM:+CHACHA20-POLY1305:+CAMELLIA-256-GCM:+AES-256-CBC:+CAMELLIA-256-CBC:+AES-128-GCM:+AES-128-CCM:+CAMELLIA-128-GCM:+AES-128-CBC:+CAMELLIA-128-CBC:+ECDHE-RSA:+ECDHE-ECDSA:+RSA:+DHE-RSA:+VERS-TLS1.2:+VERS-TLS1.1:+VERS-TLS1.0:+VERS-DTLS1.2:+VERS-DTLS1.0:+COMP-NULL:%PROFILE_LOW"
+                                 else
+                                   "NONE:+AEAD:+SHA256:+SHA1:+SHA384:+SHA512:+CURVE-SECP256R1:+CURVE-SECP384R1:+CURVE-SECP521R1:+SIGN-ALL:-SIGN-RSA-MD5:-SIGN-DSA-SHA1:-SIGN-DSA-SHA224:-SIGN-DSA-SHA256:+AES-256-GCM:+CAMELLIA-256-GCM:+AES-256-CBC:+CAMELLIA-256-CBC:+AES-128-GCM:+CAMELLIA-128-GCM:+AES-128-CBC:+CAMELLIA-128-CBC:+ECDHE-RSA:+ECDHE-ECDSA:+RSA:+DHE-RSA:+VERS-TLS1.2:+VERS-TLS1.1:+VERS-TLS1.0:+VERS-DTLS1.2:+VERS-DTLS1.0:+COMP-NULL"
+                                 end

 default[:ssl][:strict_transport_security] = "max-age=31536000; includeSubDomains; preload"
 default[:ssl][:strict_transport_security] = "max-age=31536000; includeSubDomains; preload"