From a9700f6fe02012c5462cca2324a1e13f13cc3aa8 2025-01-20 19:14:04 From: Branko Majic Date: 2025-01-20 19:14:04 Subject: [PATCH] MAR-230: Drop support for older TLS versions from the xmpp_server role: - Update documentation. - Include TLSv1.3 ciphers in default configuration for documentation purposes - although ciphers are not configurable. - Update the tests. Drop the workarounds for enabling the older versions via OpenSSL policies. --- diff --git a/docs/releasenotes.rst b/docs/releasenotes.rst index e9b246b7368933f217e2f9cd1afaeb1d5ca3578a..0baed8431f38095df8770a8a4964306c6aea90d0 100644 --- a/docs/releasenotes.rst +++ b/docs/releasenotes.rst @@ -32,6 +32,11 @@ Upgraded to Ansible 10.4.x. Dropped support for Debian 11 * The role no longer officially supports older versions of TLS (TLSv1.1 and lower). +* ``xmpp_server`` role + + * The role no longer officially supports older versions of TLS + (TLSv1.1 and lower). + **New features/improvements** * ``backup_client`` role @@ -54,6 +59,12 @@ Upgraded to Ansible 10.4.x. Dropped support for Debian 11 * TLSv1.3 is now enabled by default (in addition to TLSv1.2), alongside the mandatory ciphers. +* ``xmpp_server`` role + + * TLSv1.3 is now enabled by default (in addition to TLSv1.2), + alongside the mandatory ciphers, for client-to-server + communications. + **Bug fixes:** * ``common`` role diff --git a/docs/rolereference.rst b/docs/rolereference.rst index 0898c344e1f6522523bb659e975a94bc3e7a090b..decf74ffa8b9b1160cf491918c0d67ec61cd7116 100644 --- a/docs/rolereference.rst +++ b/docs/rolereference.rst 
@@ -964,22 +964,28 @@ Parameters `_ configuration option ``archive_expires_after``. -**xmpp_server_tls_ciphers** (string, optional ``DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-CHACHA20-POLY1305:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-CHACHA20-POLY1305:!aNULL:!MD5:!EXPORT``) +**xmpp_server_tls_ciphers** (string, optional ``DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-CHACHA20-POLY1305:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-CHACHA20-POLY1305:TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:!aNULL:!MD5:!EXPORT``) TLS ciphers to enable on the XMPP server. This should be an OpenSSL-compatible cipher specification. Value should be compatible with Prosody's option ``ciphers`` normally defined within the ``ssl`` section of configuration file (see `official documentation `_ for details). - Default value allows only TLSv1.2 and strong PFS ciphers with RSA - private keys. + Default value allows TLSv1.2 with strong PFS ciphers and RSA + private keys. Ciphers listed for use with TLSv1.3 (``TLS_*`` ones) + are mandated by relevant standards, and cannot be disabled if + TLSv1.3 is enabled. The TLSv1.3 ciphers are included in this list + for completeness' sake. **xmpp_server_tls_protocol** (string, optional, ``tlsv1_2+``) - Protocol version the XMPP server should support for client + TLS protocol versions the XMPP server should support for client connections. The value specified should be compatible with Prosody's ``protocol`` option normally defined within the ``ssl`` section of configuration file (see `official documentation `__ for - details). + details). Older versions of TLS protocol (TLSv1.1 and lower) are not + fully supported by the role, and additional configuration is + required on the server to weaken the OpenSSL security policies to + make them usable. **xmpp_tls_certificate** (string, mandatory) X.509 certificate used for TLS for XMPP service. 
The file will be stored in
diff --git a/roles/xmpp_server/defaults/main.yml b/roles/xmpp_server/defaults/main.yml
index ec4073bfb6a983c04fc44fb0c68043aed1ff728c..aecf13a40ea3f59b1b389d451a0903f6fea8bfa0 100644
--- a/roles/xmpp_server/defaults/main.yml
+++ b/roles/xmpp_server/defaults/main.yml
@@ -3,6 +3,9 @@ enable_backup: false
 xmpp_server_archive_expiration: "never"
 xmpp_server_tls_protocol: "tlsv1_2+"
+
+# TLS_* ciphers are mandated by the TLSv1.3-related standards and
+# cannot be disabled when TLSv1.3 is enabled on the server.
 xmpp_server_tls_ciphers: "\
 DHE-RSA-AES128-GCM-SHA256:\
 DHE-RSA-AES256-GCM-SHA384:\
@@ -10,4 +13,7 @@ DHE-RSA-CHACHA20-POLY1305:\
 ECDHE-RSA-AES128-GCM-SHA256:\
 ECDHE-RSA-AES256-GCM-SHA384:\
 ECDHE-RSA-CHACHA20-POLY1305:\
+TLS_AES_128_GCM_SHA256:\
+TLS_AES_256_GCM_SHA384:\
+TLS_CHACHA20_POLY1305_SHA256:\
 !aNULL:!MD5:!EXPORT"
diff --git a/roles/xmpp_server/molecule/default/group_vars/parameters-optional.yml b/roles/xmpp_server/molecule/default/group_vars/parameters-optional.yml
index 7ae223054d1beb669968757e87768a3b6c2e59a6..870edd3f47f9adfe62862c97841a633e9d1610de 100644
--- a/roles/xmpp_server/molecule/default/group_vars/parameters-optional.yml
+++ b/roles/xmpp_server/molecule/default/group_vars/parameters-optional.yml
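Review bot: The comment added above `xmpp_server_tls_ciphers` says the `TLS_*` entries cannot be disabled, but not that they are inert in this list, so an operator who overrides the variable with only `TLS_*` names in order to "allow just TLSv1.3" gets no hint that this is the wrong lever; the molecule fixture in parameters-optional.yml records the consequence, namely that at least one non-TLSv1.3 cipher has to stay in the list for TLSv1.3 to be initialised at all. Suggest extending the comment to `# cannot be disabled when TLSv1.3 is enabled on the server. They are listed here for documentation only; the list must still contain at least one TLSv1.2 cipher, otherwise TLSv1.3 is not initialised either (see the molecule group_vars).` The same caveat is absent from the `xmpp_server_tls_ciphers` entry in docs/rolereference.rst, which is where an operator will read first; whether the fixture's constraint holds for every Prosody/OpenSSL combination is not shown here, so it is worth stating as observed behaviour rather than as a rule.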
@@ -12,10 +12,10 @@ xmpp_ldap_server: ldap-server
 xmpp_server_archive_expiration: "1w"
 xmpp_tls_certificate: "{{ lookup('file', 'tests/data/x509/server/{{ inventory_hostname }}_xmpp.cert.pem') }}"
 xmpp_tls_key: "{{ lookup('file', 'tests/data/x509/server/{{ inventory_hostname }}_xmpp.key.pem') }}"
-xmpp_server_tls_protocol: "tlsv1+"
-xmpp_server_tls_ciphers: "DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-GCM-SHA384:\
-DHE-RSA-AES256-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-GCM-SHA384:\
-ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:!aNULL:!MD5:!EXPORT"
+xmpp_server_tls_protocol: "tlsv1_3+"
+# At least one non-TLSv1.3 cipher has to be included in order to
+# ensure TLSv1.3 gets initialised.
+xmpp_server_tls_ciphers: "ECDHE-RSA-CHACHA20-POLY1305:!aNULL:!MD5:!EXPORT"
 # common
 ca_certificates:
diff --git a/roles/xmpp_server/molecule/default/prepare.yml b/roles/xmpp_server/molecule/default/prepare.yml
index fb2465aa17e5353492bebbc7f4e4377a76d0efca..43db75b622315b31829c5d01f54bf28dfda094ef 100644
--- a/roles/xmpp_server/molecule/default/prepare.yml
+++ b/roles/xmpp_server/molecule/default/prepare.yml
@@ -79,24 +79,6 @@ become: true
 tasks:
- - name: Enable TLSv1.0+ in global OpenSSL configuration file in order to be able to test the web_server_tls_protocols parameter
- ansible.builtin.blockinfile:
- path: "/etc/ssl/openssl.cnf"
- block: |
- [openssl_init]
- ssl_conf = ssl_sect
-
- [ssl_sect]
- system_default = system_default_sect
-
- [system_default_sect]
- MinProtocol = TLSv1.1
- CipherString = DEFAULT@SECLEVEL=0
- owner: root
- group: root
- mode: "0644"
- state: present
-
 - name: Set-up the hosts file
 ansible.builtin.lineinfile:
 path: /etc/hosts
diff --git a/roles/xmpp_server/molecule/default/tests/test_optional.py b/roles/xmpp_server/molecule/default/tests/test_optional.py
index f1ea126df3ecba81a8fcfd48330051c02a7d7564..3199a6bc11e863630140a3a34fe1a03d77b41e3a 100644
--- a/roles/xmpp_server/molecule/default/tests/test_optional.py
+++ b/roles/xmpp_server/molecule/default/tests/test_optional.py
@@ -55,20 +55,11 @@ def test_xmpp_c2s_tls_version_and_ciphers(host, port):
 XMPP C2S ports.
 """
- expected_tls_versions = ["TLSv1.0", "TLSv1.1", "TLSv1.2", "TLSv1.3"]
+ expected_tls_versions = ["TLSv1.3"]
 expected_tls_ciphers = [
 "TLS_AKE_WITH_AES_128_GCM_SHA256",
 "TLS_AKE_WITH_AES_256_GCM_SHA384",
 "TLS_AKE_WITH_CHACHA20_POLY1305_SHA256",
- "TLS_DHE_RSA_WITH_AES_128_CBC_SHA256",
- "TLS_DHE_RSA_WITH_AES_128_GCM_SHA256",
- "TLS_DHE_RSA_WITH_AES_256_CBC_SHA256",
- "TLS_DHE_RSA_WITH_AES_256_GCM_SHA384",
- "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA",
- "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256",
- "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
- "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384",
- "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
 ]
 # Run the nmap scanner against the server, and fetch the results.
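Review bot: The new `expected_tls_versions = ["TLSv1.3"]` and the three remaining `TLS_AKE_WITH_*` entries only make sense together with `xmpp_server_tls_protocol: "tlsv1_3+"` in the molecule group_vars, but nothing in the hunk records that dependency or explains why the `ECDHE-RSA-CHACHA20-POLY1305` cipher that the same fixture keeps in `xmpp_server_tls_ciphers` is expected to be absent from the scan results. Suggest a comment above the first list: `# Tied to xmpp_server_tls_protocol "tlsv1_3+" in group_vars: only TLSv1.3 and its` / `# non-configurable suites should be offered; the TLSv1.2 cipher kept in the fixture's` / `# cipher list must not appear because TLSv1.2 itself is disabled.` Whether the scan output is compared for equality or as a subset is decided further down, outside the hunk; if it is a subset check, an explicit assertion that `"TLSv1.2"` is not among the offered versions is what actually proves the older versions were dropped, since the single-entry list alone would not. test_xmpp_c2s_tls_version_and_ciphers starts before and continues past this hunk.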