From 430eb250e244729e0a29a3ede370004d6f7c7fc9 2017-02-11 19:21:10
From: Branko Majic
Date: 2017-02-11 19:21:10
Subject: [PATCH] MAR-90: Added option to ldap_server role for specifying TLS version/ciphers. Updated role reference documentation. Update usage instructions to mention the TLS ciphers/versions are configurable.
---
diff --git a/docs/rolereference.rst b/docs/rolereference.rst
index ad0df851a0deb64a13a5564dc8e89b7ab80bd8c0..5f9f3e4fa3009f8679ae641a514b924901468178 100644
--- a/docs/rolereference.rst
+++ b/docs/rolereference.rst
@@ -484,7 +484,7 @@ destination machine. The role implements the following:
 * Deploys LDAP TLS private key and certificate.
-* Hardens TLS configuration by allowing only TLSv1.2 and PFS ciphers.
+* Configures TLS versions and ciphers suppported by the server.
 * Installs OpenLDAP server (package ``slapd``).
 * Configures OpenLDAP server (base DN - domain, organisation, TLS, SSF, log levels).
 * Sets-up separate log file for OpenLDAP server at ``/var/log/slapd.log`` (with
@@ -643,6 +643,12 @@ Parameters
 Minimum *Security Strength Factor* to require from all incoming connections.
 This applies for both remote and local connections.
+**ldap_tls_ciphers** (string, optional ``NONE:+VERS-TLS1.2:+CTYPE-X509:+COMP-NULL:+SIGN-RSA-SHA256:+SIGN-RSA-SHA384:+SIGN-RSA-SHA512:+DHE-RSA:+ECDHE-RSA:+SHA256:+SHA384:+AEAD:+AES-128-GCM:+AES-128-CBC:+AES-256-GCM:+AES-256-CBC:+CURVE-ALL``)
+ TLS ciphers to enable on the LDAP server. This should be a GnuTLS-compatible
+ cipher specification that should also include what TLS protocol versions
+ should be used. Value should be compatible with OpenLDAP server option
+ ``olcTLSCipherSuite``. Default value only TLSv1.2 and strong PFS ciphers.
+
 Examples
 ~~~~~~~~
diff --git a/docs/usage.rst b/docs/usage.rst
index 5f552dd1d26227e63f02af803388c4b950d57680..007d14eda7cd232b38db739582e404c46d9d6091 100644
--- a/docs/usage.rst
+++ b/docs/usage.rst
@@ -817,7 +817,8 @@ role. Of course, free feel to also test out the mail server using any mail client of your choice. When doing so, use port 587 for SMTP. Port 25 is reserved for unauthenticated server-to-server mail deliveries. TLS has also been hardened
- on port 587 to allow only TLSv1.2 and PFS ciphers.
+ on port 587 to allow only TLSv1.2 and PFS ciphers (you can override TLS
+ versions/ciphers via role configuration).
 Setting-up mail relaying from web and backup servers
diff --git a/roles/ldap_server/defaults/main.yml b/roles/ldap_server/defaults/main.yml
index 1177a9c94dc8f378470068df78b46b950e418b11..ec2a72b76c43a9e4079b40dbc54e8840388e997a 100644
--- a/roles/ldap_server/defaults/main.yml
+++ b/roles/ldap_server/defaults/main.yml
@@ -32,3 +32,5 @@ ldap_permissions:
 by dn="cn=admin,{{ ldap_server_int_basedn }}" write
 by users read
 by * none
+
+ldap_tls_ciphers: "NONE:+VERS-TLS1.2:+CTYPE-X509:+COMP-NULL:+SIGN-RSA-SHA256:+SIGN-RSA-SHA384:+SIGN-RSA-SHA512:+DHE-RSA:+ECDHE-RSA:+SHA256:+SHA384:+AEAD:+AES-128-GCM:+AES-128-CBC:+AES-256-GCM:+AES-256-CBC:+CURVE-ALL"
\ No newline at end of file
diff --git a/roles/ldap_server/tasks/main.yml b/roles/ldap_server/tasks/main.yml
index 9c471a52128b9e4b2757fc2cd236d9225430c04e..54d2896a7cb1a3c9ffa18565083d7895ccacc338 100644
--- a/roles/ldap_server/tasks/main.yml
+++ b/roles/ldap_server/tasks/main.yml
@@ -68,7 +68,7 @@
 - name: Configure TLS for slapd (includes hardening)
 ldap_entry: dn=cn=config state=replace olcTLSCertificateFile="/etc/ssl/certs/{{ ansible_fqdn }}_ldap.pem" olcTLSCertificateKeyFile="/etc/ssl/private/{{ ansible_fqdn }}_ldap.key"
- olcTLSCipherSuite="NONE:+VERS-TLS1.2:+CTYPE-X509:+COMP-NULL:+SIGN-RSA-SHA256:+SIGN-RSA-SHA384:+SIGN-RSA-SHA512:+DHE-RSA:+ECDHE-RSA:+SHA256:+SHA384:+AEAD:+AES-128-GCM:+AES-128-CBC:+AES-256-GCM:+AES-256-CBC:+CURVE-ALL"
+ olcTLSCipherSuite="{{ ldap_tls_ciphers }}"
 notify:
 - Restart slapd
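Review bot: The new `ldap_tls_ciphers` default in roles/ldap_server/defaults/main.yml is added without a terminating newline (`\ No newline at end of file`), so the next variable appended to this file will also show up as a change to this line; end the file with a single newline. The value carries no comment although its format is what slapd will parse, so add `# GnuTLS priority string written to olcTLSCipherSuite; default permits only TLSv1.2 with PFS ciphers` above the key. If the 200-plus character line is a lint concern, a double-quoted scalar can be continued with a trailing `\` at each break, which joins the pieces with no separator, whereas a folded `>-` scalar would insert spaces into the colon-separated list.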
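Review bot: The task in roles/ldap_server/tasks/main.yml keeps the name `Configure TLS for slapd (includes hardening)` although `olcTLSCipherSuite` is now whatever `ldap_tls_ciphers` holds, so the name promises a property the task no longer guarantees; rename it to `Configure TLS for slapd` and leave hardening to the documented default value. The substitution `olcTLSCipherSuite="{{ ldap_tls_ciphers }}"` is applied unchecked, so an override set to an empty string reaches slapd as an empty priority string whose effect is then up to slapd; an `assert` task placed before this one, `- name: Check ldap_tls_ciphers is set` / `  assert:` / `    that: ldap_tls_ciphers | length > 0`, fails the play early with a clear message instead. The surrounding task list continues outside the hunk.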