Changeset - 7e21feb6e4ee
[Not reviewed]
Branko Majic (branko) - 3 months ago 2025-01-09 00:15:05
branko@majic.rs
MAR-230: Add support for TLSv1.3 to the web_server role and drop TLSv1.1 from tests:

- Update the role defaults, make sure to include additional ciphers
for TLSv1.3.
- Document the specifics of TLSv1.3 cipher configuration.
- Update tests, dropping the hack/workaround that allows use of weaker
TLS protocols.
8 files changed with 39 insertions and 36 deletions:
0 comments (0 inline, 0 general) First comment
docs/releasenotes.rst
 
@@ -17,6 +17,11 @@ Upgraded to Ansible 10.4.x. Dropped support for Debian 11
 
  * ``passlib`` Python package is now (explicitly) required for using
 
    the roles.
 

	
 
* ``web_server`` role
 

	
 
  * The role no longer officially supports older versions of TLS
 
    (TLSv1.1 and below).
 

	
 
**New features/improvements**
 

	
 
* ``backup_client`` role
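Review bot: The new breaking-change entry under the ``web_server`` role tells operators that TLSv1.1 and below are no longer officially supported, but not what that means for a deployment that still pins them in ``web_server_tls_protocols``; the role reference in this same changeset explains that additional server-side OpenSSL policy changes are needed, so a one-line pointer here (e.g. "see ``web_server_tls_protocols`` in the role reference") would save an upgrade surprise.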
 
@@ -24,6 +29,11 @@ Upgraded to Ansible 10.4.x. Dropped support for Debian 11
 
  * Switched to using Paramiko + SFTP backend (instead of pexpect +
 
    SFTP), which should improve the backup performance.
 

	
 
* ``web_server`` role
 

	
 
  * TLSv1.3 is now enabled by default (in addition to TLSv1.2),
 
    alongside the mandatory ciphers.
 

	
 
**Bug fixes:**
 

	
 
* ``common`` role
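Review bot: "alongside the mandatory ciphers" in the ``web_server`` entry is vague out of context; naming the change directly, e.g. "the TLSv1.3 cipher suites (``TLS_AES_128_GCM_SHA256`` etc.) are now part of the default ``web_server_tls_ciphers``", tells readers which parameter's default changed so they can diff it against any override they carry.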
docs/rolereference.rst
 
@@ -1486,15 +1486,23 @@ Parameters
 
  Message for the default web page shown to users (if no other vhosts were
 
  matched).
 

	
 
**web_server_tls_protocols** (list, optional, ``[ "TLSv1.2" ]``)
 
  List of TLS protocols the web server should support. Each value specified
 
  should be compatible with Nginx configuration option ``ssl_protocols``.
 

	
 
**web_server_tls_ciphers** (string, optional, ``DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-CHACHA20-POLY1305:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-CHACHA20-POLY1305:!aNULL:!MD5:!EXPORT``)
 
  TLS ciphers to enable on the web server. This should be an OpenSSL-compatible
 
  cipher specification. Value should be compatible with Nginx configuration
 
  option ``ssl_ciphers``. Default value allows only TLSv1.2 and strong PFS
 
  ciphers with RSA private keys.
 
**web_server_tls_protocols** (list, optional, ``[ "TLSv1.2", "TLSv1.3" ]``)
 
  List of TLS protocols the web server should support. Each value
 
  specified should be compatible with Nginx configuration option
 
  ``ssl_protocols``. Older versions of TLS protocol (TLSv1.1 and
 
  lower) are not fully supported by the role, and additional
 
  configuration is required on the server to weaken the OpenSSL
 
  security policies.
 

	
 
**web_server_tls_ciphers** (string, optional, ``DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-CHACHA20-POLY1305:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-CHACHA20-POLY1305:TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:!aNULL:!MD5:!EXPORT``)
 
  TLS ciphers to enable on the web server. This should be an
 
  OpenSSL-compatible cipher specification. Value should be compatible
 
  with Nginx configuration option ``ssl_ciphers``. Default value
 
  allows TLSv1.2 with strong PFS ciphers and RSA private keys. Ciphers
 
  listed for use with TLSv1.3 (``TLS_*`` ones) are mandated by
 
  relevant standards, and cannot be disabled if TLSv1.3 is
 
  enabled. The TLSv1.3 ciphers are included in this list for
 
  completeness' sake.
 

	
 

	
 
Distribution compatibility
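Review bot: In the rewritten ``web_server_tls_ciphers`` description, the sentence "Default value allows TLSv1.2 with strong PFS ciphers and RSA private keys" no longer matches the default it documents, which now also lists the three TLSv1.3 suites and is paired with a protocol default of ``[ "TLSv1.2", "TLSv1.3" ]``; rephrase to something like "Default value allows strong PFS ciphers for TLSv1.2 (with RSA private keys) and the standard TLSv1.3 suites". It would also help to say which standard mandates the ``TLS_*`` suites (RFC 8446 for TLSv1.3) instead of "relevant standards".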
roles/web_server/defaults/main.yml
 
@@ -6,6 +6,10 @@ web_default_title: "Welcome"
 
web_default_message: "You are attempting to access the web server using a wrong name or an IP address. Please check your URL."
 
web_server_tls_protocols:
 
  - "TLSv1.2"
 
  - "TLSv1.3"
 

	
 
# TLS_* ciphers are mandated by the TLSv1.3-related standards and
 
# cannot be disabled when TLSv1.3 is enabled on the server.
 
web_server_tls_ciphers: "\
 
DHE-RSA-AES128-GCM-SHA256:\
 
DHE-RSA-AES256-GCM-SHA384:\
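Review bot: The comment above ``web_server_tls_ciphers`` says the ``TLS_*`` entries cannot be disabled but not why they are listed anyway; the role reference in this changeset states they are included for completeness, so repeating that one clause in the comment keeps the two explanations aligned when someone edits the default without reading the docs.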
 
@@ -13,6 +17,9 @@ DHE-RSA-CHACHA20-POLY1305:\
 
ECDHE-RSA-AES128-GCM-SHA256:\
 
ECDHE-RSA-AES256-GCM-SHA384:\
 
ECDHE-RSA-CHACHA20-POLY1305:\
 
TLS_AES_128_GCM_SHA256:\
 
TLS_AES_256_GCM_SHA384:\
 
TLS_CHACHA20_POLY1305_SHA256:\
 
!aNULL:!MD5:!EXPORT"
 

	
 
# Internal parameters
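Review bot: With the three ``TLS_*`` suites appended after the TLSv1.2 suites, the string is still an explicit allowlist, so the trailing ``!aNULL:!MD5:!EXPORT`` exclusions remove nothing that is not already absent; they are harmless as a belt-and-braces guard, but a short comment saying so (or that they protect against someone later appending a broad keyword such as ``DEFAULT``) would stop future readers from assuming the list is more permissive than it is.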
roles/web_server/molecule/default/group_vars/parameters-optional.yml
 
@@ -9,7 +9,6 @@ environment_indicator:
 
web_default_title: "Optional Welcome"
 
web_default_message: "Welcome to default virtual host."
 
web_server_tls_protocols:
 
  - TLSv1.1
 
  - TLSv1.2
 
web_server_tls_ciphers: "DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-GCM-SHA384:\
 
DHE-RSA-AES256-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-GCM-SHA384:\
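Review bot: After dropping ``TLSv1.1`` the optional-parameters fixture sets ``web_server_tls_protocols`` to ``TLSv1.2`` only, so this test case now also covers the ability to opt out of the new TLSv1.3 default; that is worth a one-line comment above the list, otherwise a later cleanup could "align it with the defaults" and silently lose that coverage. The CBC ``*-SHA256`` suites kept in ``web_server_tls_ciphers`` still give the fixture a cipher set distinct from the role default, which is what the optional test needs.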
roles/web_server/molecule/default/prepare.yml
 
@@ -56,29 +56,6 @@
 
          - nmap
 
        state: present
 

	
 
- name: Prepare, test fixtures
 
  hosts: bookworm
 
  become: true
 
  tasks:
 

	
 
    - name: Enable TLSv1.0+ in global OpenSSL configuration file in order to be able to test the web_server_tls_protocols parameter
 
      ansible.builtin.blockinfile:
 
        path: "/etc/ssl/openssl.cnf"
 
        block: |
 
          [openssl_init]
 
          ssl_conf = ssl_sect
 

	
 
          [ssl_sect]
 
          system_default = system_default_sect
 

	
 
          [system_default_sect]
 
          MinProtocol = TLSv1.1
 
          CipherString = DEFAULT@SECLEVEL=0
 
        owner: root
 
        group: root
 
        mode: "0644"
 
        state: present
 

	
 
- name: Prepare, test fixtures
 
  hosts: all
 
  become: true
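Review bot: Removing the play that rewrote ``/etc/ssl/openssl.cnf`` with ``MinProtocol = TLSv1.1`` and ``CipherString = DEFAULT@SECLEVEL=0`` is the right call, since that fixture lowered the system-wide OpenSSL security level on the ``bookworm`` host rather than just the scope of one test. Two follow-ups to confirm: no other task or test still expects the weakened policy on that host, and the remaining play named "Prepare, test fixtures" (``hosts: all``) keeps the same name, so anything referring to the play by name still resolves.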
roles/web_server/molecule/default/tests/test_mandatory.py
 
@@ -13,9 +13,12 @@ def test_tls_version_and_ciphers(host):
 
    Tests if the correct TLS version and ciphers have been enabled.
 
    """
 

	
 
    expected_tls_versions = ["TLSv1.2"]
 
    expected_tls_versions = ["TLSv1.2", "TLSv1.3"]
 

	
 
    expected_tls_ciphers = [
 
        "TLS_AKE_WITH_AES_128_GCM_SHA256",
 
        "TLS_AKE_WITH_AES_256_GCM_SHA384",
 
        "TLS_AKE_WITH_CHACHA20_POLY1305_SHA256",
 
        "TLS_DHE_RSA_WITH_AES_128_GCM_SHA256",
 
        "TLS_DHE_RSA_WITH_AES_256_GCM_SHA384",
 
        "TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256",
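Review bot: The TLSv1.3 expectations use the ``TLS_AKE_WITH_*`` names, which is the naming nmap's ``ssl-enum-ciphers`` script reports for TLSv1.3 suites (nmap is installed as a fixture in ``prepare.yml``), not the RFC 8446 ``TLS_AES_128_GCM_SHA256`` form used in the role defaults; a comment above the list explaining the mapping would prevent someone "fixing" the names to match the defaults and breaking the test. It is also worth checking that the nmap version on the test image enumerates TLSv1.3 at all, or the new entries will never be observed.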
roles/web_server/molecule/default/tests/test_optional.py
 
@@ -13,7 +13,7 @@ def test_tls_version_and_ciphers(host):
 
    Tests if the correct TLS version and ciphers have been enabled.
 
    """
 

	
 
    expected_tls_versions = ["TLSv1.1", "TLSv1.2"]
 
    expected_tls_versions = ["TLSv1.2"]
 

	
 
    expected_tls_ciphers = [
 
        "TLS_DHE_RSA_WITH_AES_128_CBC_SHA256",
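Review bot: ``expected_tls_versions = ["TLSv1.2"]`` only proves the absence of TLSv1.3 if the assertion further down compares the full detected list for equality; if it checks membership or a subset, add an explicit assertion that ``TLSv1.3`` is not offered, since the optional fixture is now the only place the opt-out is exercised.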
testsite/group_vars/web.yml
 
@@ -25,7 +25,6 @@ http_header_overrides:
 

	
 
web_server_tls_protocols:
 
  - TLSv1.2
 
  - TLSv1.1
 

	
 
web_server_tls_ciphers: "DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-SHA256:\
 
DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-SHA256:ECDHE-RSA-AES128-GCM-SHA256:\
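Review bot: The testsite ``web`` group now pins ``web_server_tls_protocols`` to ``TLSv1.2`` alone, which diverges from the new role default (TLSv1.2 and TLSv1.3) rather than simply dropping TLSv1.1; if the intent is to keep the testsite exercising a non-default protocol list, say so in a comment, and if not, the override can be removed so the testsite picks up TLSv1.3 with the defaults. Minor: the retained cipher string still mixes in CBC ``*-SHA256`` suites not present in the role default, which is fine for a testsite but also worth a comment.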