diff --git a/docs/releasenotes.rst b/docs/releasenotes.rst
index 7c0a9a8d405b127d6c481243271b43d6da60bb00..3961f395604a5fb73c31e4806d703a72da835f63 100644
--- a/docs/releasenotes.rst
+++ b/docs/releasenotes.rst
@@ -17,6 +17,11 @@ Upgraded to Ansible 10.4.x. Dropped support for Debian 11 * ``passlib`` Python package is now (explicitly) required for using the roles.
+* ``web_server`` role
+
+ * The role no longer officially supports older versions of TLS
+ (TLSv1.1 and below).
+
 **New features/improvements**
 * ``backup_client`` role
@@ -24,6 +29,11 @@ Upgraded to Ansible 10.4.x. Dropped support for Debian 11 * Switched to using Paramiko + SFTP backend (instead of pexpect + SFTP), which should improve the backup performance.
+* ``web_server`` role
+
+ * TLSv1.3 is now enabled by default (in addition to TLSv1.2),
+ alongside the mandatory ciphers.
+
 **Bug fixes:**
 * ``common`` role
diff --git a/docs/rolereference.rst b/docs/rolereference.rst
index 3fe7ddcd9e804ff2b6b3fff372ad81a2fe9540fe..0a3e1301378af4a052ce9b7b89f6bc6f2a79d961 100644
--- a/docs/rolereference.rst
+++ b/docs/rolereference.rst
@@ -1486,15 +1486,23 @@ Parameters Message for the default web page shown to users (if no other vhosts were matched).
-**web_server_tls_protocols** (list, optional, ``[ "TLSv1.2" ]``)
- List of TLS protocols the web server should support. Each value specified
- should be compatible with Nginx configuration option ``ssl_protocols``.
-
-**web_server_tls_ciphers** (string, optional, ``DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-CHACHA20-POLY1305:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-CHACHA20-POLY1305:!aNULL:!MD5:!EXPORT``)
- TLS ciphers to enable on the web server. This should be an OpenSSL-compatible
- cipher specification. Value should be compatible with Nginx configuration
- option ``ssl_ciphers``. Default value allows only TLSv1.2 and strong PFS
- ciphers with RSA private keys.
+**web_server_tls_protocols** (list, optional, ``[ "TLSv1.2", "TLSv1.3" ]``)
+ List of TLS protocols the web server should support. Each value
+ specified should be compatible with Nginx configuration option
+ ``ssl_protocols``. Older versions of TLS protocol (TLSv1.1 and
+ lower) are not fully supported by the role, and additional
+ configuration is required on the server to weaken the OpenSSL
+ security policies.
+
+**web_server_tls_ciphers** (string, optional, ``DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-CHACHA20-POLY1305:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-CHACHA20-POLY1305:TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:!aNULL:!MD5:!EXPORT``)
+ TLS ciphers to enable on the web server. This should be an
+ OpenSSL-compatible cipher specification. Value should be compatible
+ with Nginx configuration option ``ssl_ciphers``. Default value
+ allows TLSv1.2 with strong PFS ciphers and RSA private keys. Ciphers
+ listed for use with TLSv1.3 (``TLS_*`` ones) are mandated by
+ relevant standards, and cannot be disabled if TLSv1.3 is
+ enabled.
The TLSv1.3 ciphers are included in this list for
+ completeness' sake.
 Distribution compatibility
diff --git a/roles/web_server/defaults/main.yml b/roles/web_server/defaults/main.yml
index a8650ecab1b70da82c519c60059908d5355bcfba..ecf1e1f316f00d156fb2f549524a67a42ecee6a1 100644
--- a/roles/web_server/defaults/main.yml
+++ b/roles/web_server/defaults/main.yml
@@ -6,6 +6,10 @@ web_default_title: "Welcome"
 web_default_message: "You are attempting to access the web server using a wrong name or an IP address. Please check your URL."
 web_server_tls_protocols:
 - "TLSv1.2"
+ - "TLSv1.3"
+
+# TLS_* ciphers are mandated by the TLSv1.3-related standards and
+# cannot be disabled when TLSv1.3 is enabled on the server.
 web_server_tls_ciphers: "\
 DHE-RSA-AES128-GCM-SHA256:\
 DHE-RSA-AES256-GCM-SHA384:\
@@ -13,6 +17,9 @@ DHE-RSA-CHACHA20-POLY1305:\
 ECDHE-RSA-AES128-GCM-SHA256:\
 ECDHE-RSA-AES256-GCM-SHA384:\
 ECDHE-RSA-CHACHA20-POLY1305:\
+TLS_AES_128_GCM_SHA256:\
+TLS_AES_256_GCM_SHA384:\
+TLS_CHACHA20_POLY1305_SHA256:\
 !aNULL:!MD5:!EXPORT"
 # Internal parameters
diff --git a/roles/web_server/molecule/default/group_vars/parameters-optional.yml b/roles/web_server/molecule/default/group_vars/parameters-optional.yml
index 29285bb38a8f0f3669ed61bf60750f4d38cb8ca1..f94a2b05f2883fb815d17c29d1d4ad667e1a9822 100644
--- a/roles/web_server/molecule/default/group_vars/parameters-optional.yml
+++ b/roles/web_server/molecule/default/group_vars/parameters-optional.yml
@@ -9,7 +9,6 @@ environment_indicator:
 web_default_title: "Optional Welcome"
 web_default_message: "Welcome to default virtual host."
 web_server_tls_protocols:
- - TLSv1.1
 - TLSv1.2
 web_server_tls_ciphers: "DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-GCM-SHA384:\
 DHE-RSA-AES256-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-GCM-SHA384:\
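Review bot: The comment added above `web_server_tls_ciphers` says the `TLS_*` entries cannot be disabled, but with OpenSSL those names are not cipher-list (`ssl_ciphers`) syntax at all: since OpenSSL 1.1.1 the TLSv1.3 suites are selected by the separate `Ciphersuites` setting (nginx `ssl_conf_command Ciphersuites ...`), unknown tokens in the cipher list are ignored as long as something else matches, and the suite set actually offered is whatever OpenSSL's default or the system-wide policy provides. An operator reading this default will otherwise expect to tune TLSv1.3 by editing this string (e.g. dropping AES-128) and the edit will have no effect. I'd reword the comment to `# TLS_* names are for reference only: OpenSSL ignores them in the cipher list and picks TLSv1.3 suites from its own Ciphersuites setting (default: all three), so this string only governs TLSv1.2.` Whether the role's nginx template also emits a `Ciphersuites` directive is not visible here; if it does, the comment should point at that variable instead.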
diff --git a/roles/web_server/molecule/default/prepare.yml b/roles/web_server/molecule/default/prepare.yml
index a2786386705b904507e654d59e321465baf3de2d..1f8511eb285996763fe68c0bf1465ff4e547b17d 100644
--- a/roles/web_server/molecule/default/prepare.yml
+++ b/roles/web_server/molecule/default/prepare.yml
@@ -56,29 +56,6 @@ - nmap
 state: present
-- name: Prepare, test fixtures
- hosts: bookworm
- become: true
- tasks:
-
- - name: Enable TLSv1.0+ in global OpenSSL configuration file in order to be able to test the web_server_tls_protocols parameter
- ansible.builtin.blockinfile:
- path: "/etc/ssl/openssl.cnf"
- block: |
- [openssl_init]
- ssl_conf = ssl_sect
-
- [ssl_sect]
- system_default = system_default_sect
-
- [system_default_sect]
- MinProtocol = TLSv1.1
- CipherString = DEFAULT@SECLEVEL=0
- owner: root
- group: root
- mode: "0644"
- state: present
-
 - name: Prepare, test fixtures
 hosts: all
 become: true
diff --git a/roles/web_server/molecule/default/tests/test_mandatory.py b/roles/web_server/molecule/default/tests/test_mandatory.py
index b02071ed8d9586fa8b6bb886a4a0ee82575f0e7d..ef696b0e9e21fe47b6aaaccdece07c68c0722e41 100644
--- a/roles/web_server/molecule/default/tests/test_mandatory.py
+++ b/roles/web_server/molecule/default/tests/test_mandatory.py
@@ -13,9 +13,12 @@ def test_tls_version_and_ciphers(host):
 Tests if the correct TLS version and ciphers have been enabled.
 """
- expected_tls_versions = ["TLSv1.2"]
+ expected_tls_versions = ["TLSv1.2", "TLSv1.3"]
 expected_tls_ciphers = [
+ "TLS_AKE_WITH_AES_128_GCM_SHA256",
+ "TLS_AKE_WITH_AES_256_GCM_SHA384",
+ "TLS_AKE_WITH_CHACHA20_POLY1305_SHA256",
 "TLS_DHE_RSA_WITH_AES_128_GCM_SHA256",
 "TLS_DHE_RSA_WITH_AES_256_GCM_SHA384",
 "TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256",
diff --git a/roles/web_server/molecule/default/tests/test_optional.py b/roles/web_server/molecule/default/tests/test_optional.py
index d508f3db53271d77efb42cd4e1d05e07cb51954b..63d1fb1f5b14d73767688d3e0500807dad3a8d9b 100644
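Review bot: The three `TLS_AKE_WITH_*` entries added to `expected_tls_ciphers` use a different naming scheme from the `TLS_AES_*`/`TLS_CHACHA20_*` names the role configures, and nothing in the test explains the mapping; presumably these are the labels nmap's `ssl-enum-ciphers` script prints for TLSv1.3 suites (the prepare playbook installs nmap), but a reader comparing the two lists will take the mismatch for a bug. I'd add a comment above the list, `# nmap ssl-enum-ciphers reports TLSv1.3 suites as TLS_AKE_WITH_<cipher>; they correspond to TLS_AES_128_GCM_SHA256 etc. in the role defaults`. Since the role now drops TLSv1.1, this test would also be the place to assert that a TLSv1.0/1.1 handshake is refused rather than only listing the enabled versions, unless the comparison further down is already an exact match on the version list; that comparison is outside the hunk, and the function body continues past it.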
--- a/roles/web_server/molecule/default/tests/test_optional.py
+++ b/roles/web_server/molecule/default/tests/test_optional.py
@@ -13,7 +13,7 @@ def test_tls_version_and_ciphers(host):
 Tests if the correct TLS version and ciphers have been enabled.
 """
- expected_tls_versions = ["TLSv1.1", "TLSv1.2"]
+ expected_tls_versions = ["TLSv1.2"]
 expected_tls_ciphers = [
 "TLS_DHE_RSA_WITH_AES_128_CBC_SHA256",
diff --git a/testsite/group_vars/web.yml b/testsite/group_vars/web.yml
index e19cfc1039aef634c3c3701e2fcb2c66135087a2..c9f1bcc6612f09c50c70c8633bae6cc348e24b31 100644
--- a/testsite/group_vars/web.yml
+++ b/testsite/group_vars/web.yml
@@ -25,7 +25,6 @@ http_header_overrides:
 web_server_tls_protocols:
 - TLSv1.2
- - TLSv1.1
 web_server_tls_ciphers: "DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-SHA256:\
 DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-SHA256:ECDHE-RSA-AES128-GCM-SHA256:\
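Review bot: With `expected_tls_versions` reduced to `["TLSv1.2"]`, this scenario now differs from the role default only by omitting TLSv1.3, so it proves that `web_server_tls_protocols` actually restricts protocols only if the comparison against the scanned versions is an exact match; a subset or `in` check would pass even when TLSv1.3 is still offered. That assertion is outside the hunk, so I'd verify it is of the form `assert sorted(tls_versions) == expected_tls_versions` (or equivalent) and add `# TLSv1.3 deliberately omitted: verifies the parameter can disable it` above the list so nobody "fixes" the fixture to match the new default. The function body continues past the hunk.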