Changeset - 7e21feb6e4ee
Branko Majic (branko) - 11 months ago 2025-01-09 00:15:05
branko@majic.rs
MAR-230: Add support for TLSv1.3 to the web_server role and drop TLSv1.1 from tests:

- Update the role defaults, make sure to include additional ciphers
for TLSv1.3.
- Document the specifics of TLSv1.3 cipher configuration.
- Update tests, dropping the hack/workaround that allows use of weaker
TLS protocols.
8 files changed with 39 insertions and 36 deletions:
0 comments (0 inline, 0 general)
docs/releasenotes.rst
 
@@ -14,19 +14,29 @@ Upgraded to Ansible 10.4.x. Dropped support for Debian 11
 

	
 
  * Upgraded to Ansible 10.4.x.
 
  * Dropped support for Debian 11 (Bullseye).
 
  * ``passlib`` Python package is now (explicitly) required for using
 
    the roles.
 

	
 
* ``web_server`` role
 

	
 
  * The role no longer officially supports older versions of TLS
 
    (TLSv1.1 and below).
 

	
 
**New features/improvements**
 

	
 
* ``backup_client`` role
 

	
 
  * Switched to using Paramiko + SFTP backend (instead of pexpect +
 
    SFTP), which should improve the backup performance.
 

	
 
* ``web_server`` role
 

	
 
  * TLSv1.3 is now enabled by default (in addition to TLSv1.2),
 
    alongside the mandatory ciphers.
 

	
 
**Bug fixes:**
 

	
 
* ``common`` role
 

	
 
  * Fixed permission errors with Python cache directories in the pip
 
    requirements upgrade checks virtual environment that can happen if
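Review bot: "alongside the mandatory ciphers" in the ``web_server`` entry under **New features/improvements** is too vague for a release note; name the change, i.e. that the default of ``web_server_tls_ciphers`` now also lists ``TLS_AES_128_GCM_SHA256``, ``TLS_AES_256_GCM_SHA384`` and ``TLS_CHACHA20_POLY1305_SHA256``, that these apply to TLSv1.3 only, and that the TLSv1.2 ciphers are unchanged. The backwards-incompatible entry should also state that the default ``web_server_tls_protocols`` changed from ``[ "TLSv1.2" ]`` to ``[ "TLSv1.2", "TLSv1.3" ]``, so deployments that never set the parameter start offering TLSv1.3 after upgrading.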
docs/rolereference.rst
 
@@ -1483,21 +1483,29 @@ Parameters
 
  Title for the default web page shown to users (if no other vhosts were matched).
 

	
 
**web_default_message** (string, optional, ``You are attempting to access the web server using a wrong name or an IP address. Please check your URL.``)
 
  Message for the default web page shown to users (if no other vhosts were
 
  matched).
 

	
 
**web_server_tls_protocols** (list, optional, ``[ "TLSv1.2" ]``)
 
  List of TLS protocols the web server should support. Each value specified
 
  should be compatible with Nginx configuration option ``ssl_protocols``.
 

	
 
**web_server_tls_ciphers** (string, optional, ``DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-CHACHA20-POLY1305:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-CHACHA20-POLY1305:!aNULL:!MD5:!EXPORT``)
 
  TLS ciphers to enable on the web server. This should be an OpenSSL-compatible
 
  cipher specification. Value should be compatible with Nginx configuration
 
  option ``ssl_ciphers``. Default value allows only TLSv1.2 and strong PFS
 
  ciphers with RSA private keys.
 
**web_server_tls_protocols** (list, optional, ``[ "TLSv1.2", "TLSv1.3" ]``)
 
  List of TLS protocols the web server should support. Each value
 
  specified should be compatible with Nginx configuration option
 
  ``ssl_protocols``. Older versions of TLS protocol (TLSv1.1 and
 
  lower) are not fully supported by the role, and additional
 
  configuration is required on the server to weaken the OpenSSL
 
  security policies.
 

	
 
**web_server_tls_ciphers** (string, optional, ``DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-CHACHA20-POLY1305:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-CHACHA20-POLY1305:TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:!aNULL:!MD5:!EXPORT``)
 
  TLS ciphers to enable on the web server. This should be an
 
  OpenSSL-compatible cipher specification. Value should be compatible
 
  with Nginx configuration option ``ssl_ciphers``. Default value
 
  allows TLSv1.2 with strong PFS ciphers and RSA private keys. Ciphers
 
  listed for use with TLSv1.3 (``TLS_*`` ones) are mandated by
 
  relevant standards, and cannot be disabled if TLSv1.3 is
 
  enabled. The TLSv1.3 ciphers are included in this list for
 
  completeness' sake.
 

	
 

	
 
Distribution compatibility
 
~~~~~~~~~~~~~~~~~~~~~~~~~~
 

	
 
Role is compatible with the following distributions:
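Review bot: "Default value allows TLSv1.2 with strong PFS ciphers and RSA private keys" in the ``web_server_tls_ciphers`` description conflates protocols and ciphers; ``ssl_ciphers`` neither enables nor restricts protocol versions (``ssl_protocols`` does), so say "for TLSv1.2 the default allows only strong PFS ciphers with RSA private keys". The claim that the ``TLS_*`` suites "are mandated by relevant standards, and cannot be disabled" is also stronger than the standard: RFC 8446 requires only ``TLS_AES_128_GCM_SHA256`` (the other two are SHOULD), and in Nginx the TLSv1.3 suites can be restricted with ``ssl_conf_command Ciphersuites ...`` because OpenSSL configures them separately from the cipher list that ``ssl_ciphers`` sets. More accurate wording: the ``TLS_*`` names are listed for completeness only, and ``ssl_ciphers`` does not affect which TLSv1.3 suites are offered.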
roles/web_server/defaults/main.yml
 
@@ -3,19 +3,26 @@
 
environment_indicator: null
 

	
 
web_default_title: "Welcome"
 
web_default_message: "You are attempting to access the web server using a wrong name or an IP address. Please check your URL."
 
web_server_tls_protocols:
 
  - "TLSv1.2"
 
  - "TLSv1.3"
 

	
 
# TLS_* ciphers are mandated by the TLSv1.3-related standards and
 
# cannot be disabled when TLSv1.3 is enabled on the server.
 
web_server_tls_ciphers: "\
 
DHE-RSA-AES128-GCM-SHA256:\
 
DHE-RSA-AES256-GCM-SHA384:\
 
DHE-RSA-CHACHA20-POLY1305:\
 
ECDHE-RSA-AES128-GCM-SHA256:\
 
ECDHE-RSA-AES256-GCM-SHA384:\
 
ECDHE-RSA-CHACHA20-POLY1305:\
 
TLS_AES_128_GCM_SHA256:\
 
TLS_AES_256_GCM_SHA384:\
 
TLS_CHACHA20_POLY1305_SHA256:\
 
!aNULL:!MD5:!EXPORT"
 

	
 
# Internal parameters
 
php_fpm_service_name_per_release:
 
  bookworm: "php8.2-fpm"
 

	
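Review bot: the comment above ``web_server_tls_ciphers`` ("cannot be disabled when TLSv1.3 is enabled") describes the effect but not the mechanism, which is what the next maintainer needs: Nginx hands this string to OpenSSL's cipher list, which governs TLSv1.2 and below, so the three ``TLS_*`` entries are inert here and the TLSv1.3 suites come from OpenSSL's separate ciphersuites setting (whose defaults are exactly these three). Also, because the value is an explicit allow list of suites, the trailing ``!aNULL:!MD5:!EXPORT`` rules remove nothing; they are harmless, but a comment should say they are kept as defence in depth rather than because they exclude anything from this list.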
roles/web_server/molecule/default/group_vars/parameters-optional.yml
 
@@ -6,13 +6,12 @@ environment_indicator:
 
  background_colour: "#ff0000"
 
  text_colour: "#00ff00"
 
  text: "parameters-optional"
 
web_default_title: "Optional Welcome"
 
web_default_message: "Welcome to default virtual host."
 
web_server_tls_protocols:
 
  - TLSv1.1
 
  - TLSv1.2
 
web_server_tls_ciphers: "DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-GCM-SHA384:\
 
DHE-RSA-AES256-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-GCM-SHA384:\
 
ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:!aNULL:!MD5:!EXPORT"
 

	
 
# common
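Review bot: with ``TLSv1.1`` gone, this override is now "TLSv1.2 only", which is a useful negative test (it proves the parameter suppresses the new TLSv1.3 default), but nothing in the file says so; add a comment such as "# Intentionally TLSv1.2-only, to verify TLSv1.3 is not enabled unless listed". The cipher string also still carries ``ECDHE-RSA-AES128-SHA`` (CBC with a SHA-1 MAC), which presumably existed for TLSv1.1; if it stays only to exercise the override, mark it as a test-only value and not a recommended setting.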
roles/web_server/molecule/default/prepare.yml
 
@@ -53,35 +53,12 @@
 
      ansible.builtin.apt:
 
        name:
 
          - gnutls-bin
 
          - nmap
 
        state: present
 

	
 
- name: Prepare, test fixtures
 
  hosts: bookworm
 
  become: true
 
  tasks:
 

	
 
    - name: Enable TLSv1.0+ in global OpenSSL configuration file in order to be able to test the web_server_tls_protocols parameter
 
      ansible.builtin.blockinfile:
 
        path: "/etc/ssl/openssl.cnf"
 
        block: |
 
          [openssl_init]
 
          ssl_conf = ssl_sect
 

	
 
          [ssl_sect]
 
          system_default = system_default_sect
 

	
 
          [system_default_sect]
 
          MinProtocol = TLSv1.1
 
          CipherString = DEFAULT@SECLEVEL=0
 
        owner: root
 
        group: root
 
        mode: "0644"
 
        state: present
 

	
 
- name: Prepare, test fixtures
 
  hosts: all
 
  become: true
 
  tasks:
 

	
 
    - name: Set-up the hosts file
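Review bot: removing the ``blockinfile`` task that set ``MinProtocol = TLSv1.1`` and ``CipherString = DEFAULT@SECLEVEL=0`` is the right call (``SECLEVEL=0`` weakened the whole system's OpenSSL policy, not just Nginx), but confirm that the enclosing play (``- name: Prepare, test fixtures`` with ``hosts: bookworm``) was removed together with its only task rather than left with an empty ``tasks:`` list; the hunk header (35 lines down to 12) suggests it was, and the play below already targets ``hosts: all``. With the distribution's default OpenSSL policy back in force, any future TLSv1.1 test would have to reintroduce this weakening, which is consistent with the release note dropping support for it.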
roles/web_server/molecule/default/tests/test_mandatory.py
 
@@ -10,15 +10,18 @@ testinfra_hosts = testinfra.utils.ansible_runner.AnsibleRunner(
 

	
 
def test_tls_version_and_ciphers(host):
 
    """
 
    Tests if the correct TLS version and ciphers have been enabled.
 
    """
 

	
 
    expected_tls_versions = ["TLSv1.2"]
 
    expected_tls_versions = ["TLSv1.2", "TLSv1.3"]
 

	
 
    expected_tls_ciphers = [
 
        "TLS_AKE_WITH_AES_128_GCM_SHA256",
 
        "TLS_AKE_WITH_AES_256_GCM_SHA384",
 
        "TLS_AKE_WITH_CHACHA20_POLY1305_SHA256",
 
        "TLS_DHE_RSA_WITH_AES_128_GCM_SHA256",
 
        "TLS_DHE_RSA_WITH_AES_256_GCM_SHA384",
 
        "TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256",
 
        "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
 
        "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
 
        "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256",
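Review bot: the ``TLS_AKE_WITH_*`` entries at the top of ``expected_tls_ciphers`` are nmap's ``ssl-enum-ciphers`` rendering of the TLSv1.3 suites, not OpenSSL or IANA names (IANA: ``TLS_AES_128_GCM_SHA256`` etc.); add a comment saying so, otherwise the next reader will grep the role defaults for ``TLS_AKE`` and find nothing. Also make sure the comparison of ``expected_tls_versions`` against the scan output is an exact match rather than a subset check, so that TLSv1.0 or TLSv1.1 reappearing would fail the test and not just the absence of TLSv1.3.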
roles/web_server/molecule/default/tests/test_optional.py
 
@@ -10,13 +10,13 @@ testinfra_hosts = testinfra.utils.ansible_runner.AnsibleRunner(
 

	
 
def test_tls_version_and_ciphers(host):
 
    """
 
    Tests if the correct TLS version and ciphers have been enabled.
 
    """
 

	
 
    expected_tls_versions = ["TLSv1.1", "TLSv1.2"]
 
    expected_tls_versions = ["TLSv1.2"]
 

	
 
    expected_tls_ciphers = [
 
        "TLS_DHE_RSA_WITH_AES_128_CBC_SHA256",
 
        "TLS_DHE_RSA_WITH_AES_128_GCM_SHA256",
 
        "TLS_DHE_RSA_WITH_AES_256_CBC_SHA256",
 
        "TLS_DHE_RSA_WITH_AES_256_GCM_SHA384",
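Review bot: ``expected_tls_versions = ["TLSv1.2"]`` only proves the override in ``parameters-optional.yml`` is honoured if the comparison with the scan result is exact; if it is a subset check, add an explicit assertion that ``"TLSv1.3"`` is absent from the scanned versions (variable name depends on the rest of the test), so a regression that ignores ``web_server_tls_protocols`` and falls back to the new default is caught. The expected CBC suites (``TLS_DHE_RSA_WITH_AES_128_CBC_SHA256`` and friends) match the fixture, so no change is needed there.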
testsite/group_vars/web.yml
 
@@ -22,11 +22,10 @@ environment_indicator:
 

	
 
http_header_overrides:
 
  Accept-Encoding: "gzip"
 

	
 
web_server_tls_protocols:
 
  - TLSv1.2
 
  - TLSv1.1
 

	
 
web_server_tls_ciphers: "DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-SHA256:\
 
DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-SHA256:ECDHE-RSA-AES128-GCM-SHA256:\
 
ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:DHE-RSA-AES256-SHA:!aNULL:!MD5:!EXPORT"
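Review bot: dropping ``TLSv1.1`` leaves the testsite on TLSv1.2 only while the role default now includes TLSv1.3, so the testsite no longer exercises the default path; either remove the ``web_server_tls_protocols`` override so it picks up the default, or add ``TLSv1.3`` and say why. The cipher string also still ends with ``DHE-RSA-AES256-SHA`` (CBC with a SHA-1 MAC), which had a TLSv1.1 justification and no longer does; drop it unless a specific client needs it.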