From: Tom Hughes Date: Fri, 5 Oct 2018 15:09:20 +0000 (+0100) Subject: Add optimised gnutls cipher string to SSL cookbook and use it for exim X-Git-Url: https://git.openstreetmap.org/chef.git/commitdiff_plain/429671f3522169d59628ad61852712f6ef840145?ds=sidebyside Add optimised gnutls cipher string to SSL cookbook and use it for exim --- diff --git a/.rubocop_todo.yml b/.rubocop_todo.yml index 02bdf6701..c0e6c97ba 100644 --- a/.rubocop_todo.yml +++ b/.rubocop_todo.yml @@ -23,7 +23,7 @@ Metrics/CyclomaticComplexity: # Configuration parameters: AllowHeredoc, AllowURI, URISchemes, IgnoreCopDirectives. # URISchemes: http, https Metrics/LineLength: - Max: 696 + Max: 704 # Offense count: 24 # Configuration parameters: CountComments. diff --git a/cookbooks/apache/templates/default/ssl.erb b/cookbooks/apache/templates/default/ssl.erb index ffbbcbb5e..9f20fb632 100644 --- a/cookbooks/apache/templates/default/ssl.erb +++ b/cookbooks/apache/templates/default/ssl.erb @@ -3,7 +3,7 @@ SSLProtocol All -SSLv2 -SSLv3 SSLHonorCipherOrder On -SSLCipherSuite <%= node[:ssl][:ciphers] %> +SSLCipherSuite <%= node[:ssl][:openssl_ciphers] %> <% if node[:lsb][:release].to_f < 16.04 -%> SSLCertificateChainFile /etc/ssl/certs/letsencrypt.pem diff --git a/cookbooks/exim/metadata.rb b/cookbooks/exim/metadata.rb index eb25776e1..19ab6af9d 100644 --- a/cookbooks/exim/metadata.rb +++ b/cookbooks/exim/metadata.rb @@ -7,3 +7,4 @@ long_description IO.read(File.join(File.dirname(__FILE__), "README.md")) version "1.0.0" supports "ubuntu" depends "networking" +depends "ssl" diff --git a/cookbooks/exim/templates/default/exim4.conf.erb b/cookbooks/exim/templates/default/exim4.conf.erb index e0224872e..f541cec17 100644 --- a/cookbooks/exim/templates/default/exim4.conf.erb +++ b/cookbooks/exim/templates/default/exim4.conf.erb @@ -148,7 +148,7 @@ tls_advertise_hosts = <; !127.0.0.1 ; !::1 # Configured TLS cipher selection. -tls_require_ciphers = NORMAL:-VERS-SSL3.0:-CIPHER-ALL:-SHA1:-MD5:+SHA1:+AES-256-GCM:+AES-256-CBC:+CAMELLIA-256-CBC:+AES-128-GCM:+AES-128-CBC:+CAMELLIA-128-CBC:%SERVER_PRECEDENCE +tls_require_ciphers = <%= node[:ssl][:gnutls_ciphers] %>:%SERVER_PRECEDENCE # Specify the location of the Exim server's TLS certificate and private key. # The private key must not be encrypted (password protected). You can put @@ -662,7 +662,7 @@ begin transports remote_smtp: driver = smtp multi_domain = false - tls_require_ciphers = NORMAL:-VERS-SSL3.0:-CIPHER-ALL:-SHA1:-MD5:+SHA1:+AES-256-GCM:+AES-256-CBC:+CAMELLIA-256-CBC:+AES-128-GCM:+AES-128-CBC:+CAMELLIA-128-CBC:%SERVER_PRECEDENCE + tls_require_ciphers = <%= node[:ssl][:gnutls_ciphers] %>:%LATEST_RECORD_VERSION # This transport is used for handling pipe deliveries generated by alias or diff --git a/cookbooks/nginx/templates/default/nginx.conf.erb b/cookbooks/nginx/templates/default/nginx.conf.erb index 429716d04..77820eb91 100644 --- a/cookbooks/nginx/templates/default/nginx.conf.erb +++ b/cookbooks/nginx/templates/default/nginx.conf.erb @@ -34,7 +34,7 @@ http { server_tokens off; ssl_protocols TLSv1 TLSv1.1 TLSv1.2; - ssl_ciphers <%= node[:ssl][:ciphers] -%>; + ssl_ciphers <%= node[:ssl][:openssl_ciphers] -%>; ssl_prefer_server_ciphers on; ssl_session_cache shared:SSL:50m; ssl_session_timeout 30m; diff --git a/cookbooks/ssl/attributes/default.rb b/cookbooks/ssl/attributes/default.rb index 614e0bda9..e990eed72 100644 --- a/cookbooks/ssl/attributes/default.rb +++ b/cookbooks/ssl/attributes/default.rb @@ -1,2 +1,7 @@ -default[:ssl][:ciphers] = "ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS" +default[:ssl][:openssl_ciphers] = "ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS" +default[:ssl][:gnutls_ciphers] = if node[:lsb][:release].to_f >= 18.04 + "NONE:+AEAD:+SHA256:+SHA1:+SHA384:+SHA512:+CURVE-X25519:+CURVE-SECP256R1:+CURVE-SECP384R1:+CURVE-SECP521R1:+SIGN-ALL:-SIGN-RSA-MD5:-SIGN-DSA-SHA1:-SIGN-DSA-SHA224:-SIGN-DSA-SHA256:-SIGN-DSA-SHA384:-SIGN-DSA-SHA512:+AES-256-GCM:+AES-256-CCM:+CHACHA20-POLY1305:+CAMELLIA-256-GCM:+AES-256-CBC:+CAMELLIA-256-CBC:+AES-128-GCM:+AES-128-CCM:+CAMELLIA-128-GCM:+AES-128-CBC:+CAMELLIA-128-CBC:+ECDHE-RSA:+ECDHE-ECDSA:+RSA:+DHE-RSA:+VERS-TLS1.2:+VERS-TLS1.1:+VERS-TLS1.0:+VERS-DTLS1.2:+VERS-DTLS1.0:+COMP-NULL:%PROFILE_LOW" + else + "NONE:+AEAD:+SHA256:+SHA1:+SHA384:+SHA512:+CURVE-SECP256R1:+CURVE-SECP384R1:+CURVE-SECP521R1:+SIGN-ALL:-SIGN-RSA-MD5:-SIGN-DSA-SHA1:-SIGN-DSA-SHA224:-SIGN-DSA-SHA256:+AES-256-GCM:+CAMELLIA-256-GCM:+AES-256-CBC:+CAMELLIA-256-CBC:+AES-128-GCM:+CAMELLIA-128-GCM:+AES-128-CBC:+CAMELLIA-128-CBC:+ECDHE-RSA:+ECDHE-ECDSA:+RSA:+DHE-RSA:+VERS-TLS1.2:+VERS-TLS1.1:+VERS-TLS1.0:+VERS-DTLS1.2:+VERS-DTLS1.0:+COMP-NULL" + end default[:ssl][:strict_transport_security] = "max-age=31536000; includeSubDomains; preload"