* Upgraded to Ansible 10.4.x.

  * Dropped support for Debian 11 (Bullseye).

  * ``passlib`` Python package is now (explicitly) required for using

    the roles.

* ``web_server`` role

  * The role no longer officially supports older versions of TLS

**New features/improvements**

* ``backup_client`` role

  * Switched to using Paramiko + SFTP backend (instead of pexpect +

    SFTP), which should improve the backup performance.

* ``web_server`` role

  * TLSv1.3 is now enabled by default (in addition to TLSv1.2),

    alongside the mandatory ciphers.

**Bug fixes:**

  directory ``/etc/ssl/private/`` under name ``{{ ansible_fqdn }}_ldap.key``.

**ldap_server_ssf** (number, optional, ``128``)

  Minimum *Security Strength Factor* to require from all incoming

  connections. This applies for both remote and local connections.

  .. warning::

     Under Debian Bullseye and upwards, slapd does not use the DH

     parameters generated by the role, but instead uses them to pick

     one of the recommended DH parameters from `RFC-7919

     <https://www.ietf.org/rfc/rfc7919.txt>`_. This is based on the

     size of role-generated parameters.

Distribution compatibility

~~~~~~~~~~~~~~~~~~~~~~~~~~

Role is compatible with the following distributions:

    by dn="cn=admin,{{ ldap_server_int_basedn }}" write

    by users read

    by * none

ldap_tls_ciphers: "NONE:\

+VERS-TLS1.2:\

+CTYPE-X509:\

+COMP-NULL:\

+SIGN-RSA-SHA256:\

+SIGN-RSA-SHA384:\

+SIGN-RSA-SHA512:\

+DHE-RSA:\

+ECDHE-RSA:\

+SHA256:\

+SHA384:\

+SHA512:\

+AEAD:\

    state: absent

ldap_server_domain: "local"

ldap_server_organization: "Example"

ldap_server_log_level: 0

ldap_server_ssf: 0

+SIGN-RSA-SHA512:+DHE-RSA:+ECDHE-RSA:+SHA1:+SHA256:+SHA384:+AEAD:+AES-128-GCM:+AES-128-CBC:+AES-256-GCM:+AES-256-CBC:+CURVE-ALL"

# ldap_client

ldap_client_config:

  - comment: CA truststore

    option: TLS_CACERT

def test_tls_version_and_ciphers(host):

    """

    Tests if the correct TLS version and ciphers have been enabled.

    """

    expected_tls_ciphers = [

        "TLS_DHE_RSA_WITH_AES_128_GCM_SHA256",

        "TLS_DHE_RSA_WITH_AES_256_GCM_SHA384",

        "TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256",

        "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",

        "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",

        "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256",

def test_tls_version_and_ciphers(host):

    """

    Tests if the correct TLS version and ciphers have been enabled.

    """

    expected_tls_ciphers = [

        "TLS_DHE_RSA_WITH_AES_128_CBC_SHA",

        "TLS_DHE_RSA_WITH_AES_128_CBC_SHA256",

        "TLS_DHE_RSA_WITH_AES_128_GCM_SHA256",

        "TLS_DHE_RSA_WITH_AES_256_CBC_SHA",