Changeset - a7e783c2d7d6
Branko Majic (branko) - 3 months ago 2025-01-09 11:17:10
branko@majic.rs
MAR-230: Add support for TLSv1.3 to the ldap_server role and drop TLSv1.1 from tests:

- Update the role defaults, make sure to include additional priority
strings for TLSv1.3.
- Document the specifics of TLSv1.3 cipher configuration.
- Update tests.
6 files changed with 27 insertions and 10 deletions:
docs/releasenotes.rst
 
@@ -17,10 +17,15 @@ Upgraded to Ansible 10.4.x. Dropped support for Debian 11
 
  * ``passlib`` Python package is now (explicitly) required for using
 
    the roles.
 

	
 
* ``ldap_server`` role
 

	
 
  * The role no longer officially supports older versions of TLS
 
    (TLSv1.1 and lower).
 

	
 
* ``web_server`` role
 

	
 
  * The role no longer officially supports older versions of TLS
 
    (TLSv1.1 and below).
 
    (TLSv1.1 and lower).
 

	
 
**New features/improvements**
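Review bot: the new ``ldap_server`` entry says the role "no longer officially supports" TLSv1.1 and lower, but the default value of ``ldap_tls_ciphers`` shown in the rolereference hunk of this same changeset was already TLSv1.2-only; what actually changes here is that the optional test fixture stops enabling TLSv1.1. State that directly (for example "TLSv1.1 is no longer tested or supported, including when ``ldap_tls_ciphers`` is overridden") so operators who pinned a custom value with ``+VERS-TLS1.1`` know it is now unsupported. The "below" to "lower" wording change in the ``web_server`` entry appears to be there only to match the new entry, which is fine.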
 

	
 
@@ -29,6 +34,11 @@ Upgraded to Ansible 10.4.x. Dropped support for Debian 11
 
  * Switched to using Paramiko + SFTP backend (instead of pexpect +
 
    SFTP), which should improve the backup performance.
 

	
 
* ``ldap_server`` role
 

	
 
  * TLSv1.3 is now enabled by default (in addition to TLSv1.2),
 
    alongside the mandatory ciphers.
 

	
 
* ``web_server`` role
 

	
 
  * TLSv1.3 is now enabled by default (in addition to TLSv1.2),
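Review bot: "alongside the mandatory ciphers" in the ``ldap_server`` entry is ambiguous; either name what is meant (the AEAD suites AES-128-GCM, AES-256-GCM and CHACHA20-POLY1305 that the default priority string already enables, which are the ones TLSv1.3 can use) or drop the clause. It is also worth one sentence telling operators that TLSv1.3 with an RSA certificate depends on the new ``+SIGN-RSA-PSS-RSAE-*`` entries, so anyone carrying an older custom ``ldap_tls_ciphers`` value will keep negotiating TLSv1.2 only until they add them.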
docs/rolereference.rst
 
@@ -765,7 +765,7 @@ Parameters
 
  Minimum *Security Strength Factor* to require from all incoming
 
  connections. This applies for both remote and local connections.
 

	
 
**ldap_tls_ciphers** (string, optional ``NONE:+VERS-TLS1.2:+CTYPE-X509:+COMP-NULL:+SIGN-RSA-SHA256:+SIGN-RSA-SHA384:+SIGN-RSA-SHA512:+DHE-RSA:+ECDHE-RSA:+SHA256:+SHA384:+SHA512:+AEAD:+AES-128-GCM:+AES-256-GCM:+CHACHA20-POLY1305:+CURVE-ALL``)
 
**ldap_tls_ciphers** (string, optional ``NONE:+VERS-TLS1.2:+CTYPE-X509:+COMP-NULL:+SIGN-RSA-SHA256:+SIGN-RSA-SHA384:+SIGN-RSA-SHA512:+SIGN-RSA-PSS-RSAE-SHA256:+SIGN-RSA-PSS-RSAE-SHA384:+SIGN-RSA-PSS-RSAE-SHA512:+DHE-RSA:+ECDHE-RSA:+SHA256:+SHA384:+SHA512:+AEAD:+AES-128-GCM:+AES-256-GCM:+CHACHA20-POLY1305:+CURVE-ALL``)
 

	
 
  .. warning::
 
     Under Debian Bullseye and upwards, slapd does not use the DH
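Review bot: the new default on the **ldap_tls_ciphers** line adds three ``+SIGN-RSA-PSS-RSAE-*`` entries without saying why; note next to the default that TLS 1.3 (RFC 8446) only permits RSA-PSS signatures for RSA keys, so these entries are what makes TLSv1.3 negotiable at all, and that the default still lists RSA signature algorithms only, meaning a server deployed with an ECDSA certificate will not complete a handshake with this value. The single very long default line will also render as one unbroken string in the HTML docs; consider breaking it with a line-continued literal block as the defaults file does.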
 
@@ -774,11 +774,11 @@ Parameters
 
     <https://www.ietf.org/rfc/rfc7919.txt>`_. This is based on the
 
     size of role-generated parameters.
 

	
 
  TLS ciphers to enable on the LDAP server. This should be a GnuTLS-compatible
 
  cipher specification that should also include what TLS protocol versions
 
  should be used. Value should be compatible with OpenLDAP server option
 
  ``olcTLSCipherSuite``. Default value allows only TLSv1.2 and strong PFS
 
  ciphers.
 
  TLS ciphers to enable on the LDAP server. This should be a
 
  GnuTLS-compatible cipher specification that should also include what
 
  TLS protocol versions should be used. Value should be compatible
 
  with OpenLDAP server option ``olcTLSCipherSuite``. Default value
 
  allows TLSv1.2/TLSv1.3 with strong PFS ciphers and RSA private keys.
 

	
 

	
 
Distribution compatibility
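Review bot: the rewrite of the description paragraph mixes one content change (the last sentence) with a whitespace re-wrap of the sentences before it, which makes the actual change hard to spot; keep the wording edit as a one-line diff or move the reflow into its own commit. The new last sentence is also the only place the RSA limitation is stated, so phrase it as a limitation ("the default value requires an RSA private key; ECDSA certificates are not covered") rather than as a feature.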
roles/ldap_server/defaults/main.yml
 
@@ -32,11 +32,15 @@ ldap_permissions:
 

	
 
ldap_tls_ciphers: "NONE:\
 
+VERS-TLS1.2:\
 
+VERS-TLS1.3:\
 
+CTYPE-X509:\
 
+COMP-NULL:\
 
+SIGN-RSA-SHA256:\
 
+SIGN-RSA-SHA384:\
 
+SIGN-RSA-SHA512:\
 
+SIGN-RSA-PSS-RSAE-SHA256:\
 
+SIGN-RSA-PSS-RSAE-SHA384:\
 
+SIGN-RSA-PSS-RSAE-SHA512:\
 
+DHE-RSA:\
 
+ECDHE-RSA:\
 
+SHA256:\
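Review bot: the three new ``+SIGN-RSA-PSS-RSAE-*`` lines carry no comment in the file, and nothing in the YAML ties them to ``+VERS-TLS1.3``; add a comment above ``ldap_tls_ciphers`` stating that they are required for TLSv1.3 with RSA keys, so a later cleanup that trims "unused" signature algorithms does not silently leave ``+VERS-TLS1.3`` in place while making TLSv1.3 unnegotiable. The hunk is cut off at ``+SHA256:\``, so the remaining suite entries could not be reviewed here.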
roles/ldap_server/molecule/default/group_vars/parameters-optional.yml
 
@@ -55,7 +55,7 @@ ldap_server_domain: "local"
 
ldap_server_organization: "Example"
 
ldap_server_log_level: 0
 
ldap_server_ssf: 0
 
ldap_tls_ciphers: "NONE:+VERS-TLS1.1:+VERS-TLS1.2:+CTYPE-X509:+COMP-NULL:+SIGN-RSA-SHA256:+SIGN-RSA-SHA384:\
 
ldap_tls_ciphers: "NONE:+VERS-TLS1.2:+CTYPE-X509:+COMP-NULL:+SIGN-RSA-SHA256:+SIGN-RSA-SHA384:\
 
+SIGN-RSA-SHA512:+DHE-RSA:+ECDHE-RSA:+SHA1:+SHA256:+SHA384:+AEAD:+AES-128-GCM:+AES-128-CBC:+AES-256-GCM:+AES-256-CBC:+CURVE-ALL"
 

	
 
# ldap_client
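Review bot: after dropping ``+VERS-TLS1.1`` the fixture still enables ``+SHA1``, ``+AES-128-CBC`` and ``+AES-256-CBC``, and it is the only example of a custom ``ldap_tls_ciphers`` value in the tree; add a comment marking it as a deliberately weak value used only to verify that overrides are honoured, so it is not copied into a production ``group_vars`` file. If the intent is just "an override different from the default", a GCM-only subset of the default would exercise the same code path without the legacy suites.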
roles/ldap_server/molecule/default/tests/test_mandatory.py
 
@@ -73,9 +73,12 @@ def test_tls_version_and_ciphers(host):
 
    Tests if the correct TLS version and ciphers have been enabled.
 
    """
 

	
 
    expected_tls_versions = ["TLSv1.2"]
 
    expected_tls_versions = ["TLSv1.2", "TLSv1.3"]
 

	
 
    expected_tls_ciphers = [
 
        "TLS_AKE_WITH_AES_128_GCM_SHA256",
 
        "TLS_AKE_WITH_AES_256_GCM_SHA384",
 
        "TLS_AKE_WITH_CHACHA20_POLY1305_SHA256",
 
        "TLS_DHE_RSA_WITH_AES_128_GCM_SHA256",
 
        "TLS_DHE_RSA_WITH_AES_256_GCM_SHA384",
 
        "TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256",
roles/ldap_server/molecule/default/tests/test_optional.py
 
@@ -75,7 +75,7 @@ def test_tls_version_and_ciphers(host):
 
    Tests if the correct TLS version and ciphers have been enabled.
 
    """
 

	
 
    expected_tls_versions = ["TLSv1.1", "TLSv1.2"]
 
    expected_tls_versions = ["TLSv1.2"]
 

	
 
    expected_tls_ciphers = [
 
        "TLS_DHE_RSA_WITH_AES_128_CBC_SHA",