Changeset - a9700f6fe020
Branko Majic (branko) - 10 months ago 2025-01-20 19:14:04
branko@majic.rs
MAR-230: Drop support for older TLS versions from the xmpp_server role:

- Update documentation.
- Include TLSv1.3 ciphers in default configuration for documentation
purposes - although ciphers are not configurable.
- Update the tests. Drop the workarounds for enabling the older
versions via OpenSSL policies.
6 files changed with 33 insertions and 37 deletions:
0 comments (0 inline, 0 general)
docs/releasenotes.rst
 
@@ -29,12 +29,17 @@ Upgraded to Ansible 10.4.x. Dropped support for Debian 11
 

	
 
* ``web_server`` role
 

	
 
  * The role no longer officially supports older versions of TLS
 
    (TLSv1.1 and lower).
 

	
 
* ``xmpp_server`` role
 

	
 
  * The role no longer officially supports older versions of TLS
 
    (TLSv1.1 and lower).
 

	
 
**New features/improvements**
 

	
 
* ``backup_client`` role
 

	
 
  * Switched to using Paramiko + SFTP backend (instead of pexpect +
 
    SFTP), which should improve the backup performance.
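Review bot: The new ``xmpp_server`` release note says TLSv1.1 and lower are no longer officially supported but does not tell users what happens to an existing ``xmpp_server_tls_protocol: "tlsv1+"`` setting after the upgrade; since the default stays ``tlsv1_2+`` (roles/xmpp_server/defaults/main.yml in this changeset), one sentence pointing at the ``xmpp_server_tls_protocol`` reference entry, which now explains that additional OpenSSL policy changes are needed, would make the upgrade impact clear.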
 
@@ -51,12 +56,18 @@ Upgraded to Ansible 10.4.x. Dropped support for Debian 11
 

	
 
* ``web_server`` role
 

	
 
  * TLSv1.3 is now enabled by default (in addition to TLSv1.2),
 
    alongside the mandatory ciphers.
 

	
 
* ``xmpp_server`` role
 

	
 
  * TLSv1.3 is now enabled by default (in addition to TLSv1.2),
 
    alongside the mandatory ciphers, for client-to-server
 
    communications.
 

	
 
**Bug fixes:**
 

	
 
* ``common`` role
 

	
 
  * Fixed permission errors with Python cache directories in the pip
 
    requirements upgrade checks virtual environment that can happen if
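Review bot: The claim that TLSv1.3 "is now enabled by default" is not backed by this changeset: the default ``xmpp_server_tls_protocol`` stays ``tlsv1_2+``, and the commit message itself says the added ``TLS_*`` cipher entries are for documentation purposes only and are not configurable, so the note should say what actually changed (the documented default cipher list now lists the TLSv1.3 suites) or describe what else enables TLSv1.3. Since the old test expectation in test_optional.py already listed "TLSv1.3" among the negotiated versions, this reads as a documentation change rather than a new feature and may belong in the other section.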
docs/rolereference.rst
 
@@ -961,28 +961,34 @@ Parameters
 
  Message Archive Management
 
  <https://xmpp.org/extensions/xep-0313.html>`_. The value should be
 
  compatible with `Prosody mod_mam
 
  <https://prosody.im/doc/modules/mod_mam>`_ configuration option
 
  ``archive_expires_after``.
 

	
 
**xmpp_server_tls_ciphers** (string, optional ``DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-CHACHA20-POLY1305:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-CHACHA20-POLY1305:!aNULL:!MD5:!EXPORT``)
 
**xmpp_server_tls_ciphers** (string, optional ``DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-CHACHA20-POLY1305:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-CHACHA20-POLY1305:TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:!aNULL:!MD5:!EXPORT``)
 
  TLS ciphers to enable on the XMPP server. This should be an
 
  OpenSSL-compatible cipher specification. Value should be compatible
 
  with Prosody's option ``ciphers`` normally defined within the
 
  ``ssl`` section of configuration file (see `official documentation
 
  <https://prosody.im/doc/advanced_ssl_config#ciphers>`_ for details).
 
  Default value allows only TLSv1.2 and strong PFS ciphers with RSA
 
  private keys.
 
  Default value allows TLSv1.2 with strong PFS ciphers and RSA
 
  private keys. Ciphers listed for use with TLSv1.3 (``TLS_*`` ones)
 
  are mandated by relevant standards, and cannot be disabled if
 
  TLSv1.3 is enabled. The TLSv1.3 ciphers are included in this list
 
  for completeness' sake.
 

	
 
**xmpp_server_tls_protocol** (string, optional, ``tlsv1_2+``)
 
  Protocol version the XMPP server should support for client
 
  TLS protocol versions the XMPP server should support for client
 
  connections. The value specified should be compatible with Prosody's
 
  ``protocol`` option normally defined within the ``ssl`` section of
 
  configuration file (see `official documentation
 
  <https://prosody.im/doc/advanced_ssl_config#protocol>`__ for
 
  details).
 
  details). Older versions of TLS protocol (TLSv1.1 and lower) are not
 
  fully supported by the role, and additional configuration is
 
  required on the server to weaken the OpenSSL security policies to
 
  make them usable.
 

	
 
**xmpp_tls_certificate** (string, mandatory)
 
  X.509 certificate used for TLS for XMPP service. The file will be stored in
 
  directory ``/etc/ssl/certs/`` under name ``{{ ansible_fqdn }}_xmpp.pem``.
 

	
 
**xmpp_tls_key** (string, mandatory)
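Review bot: "cannot be disabled if TLSv1.3 is enabled" is too strong as written: OpenSSL does allow the TLSv1.3 suites to be restricted, just not through the cipher-list string that Prosody's ``ciphers`` option maps to, so the sentence should say they cannot be changed through this parameter. The parameter heading is also missing the comma after "optional" that the ``xmpp_server_tls_protocol`` entry has (``(string, optional, ...)``), and "TLS protocol versions the XMPP server should support" would read better as "TLS protocol versions that the XMPP server should accept", since the option sets a minimum rather than a list.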
roles/xmpp_server/defaults/main.yml
 
---
 

	
 
enable_backup: false
 
xmpp_server_archive_expiration: "never"
 
xmpp_server_tls_protocol: "tlsv1_2+"
 

	
 
# TLS_* ciphers are mandated by the TLSv1.3-related standards and
 
# cannot be disabled when TLSv1.3 is enabled on the server.
 
xmpp_server_tls_ciphers: "\
 
DHE-RSA-AES128-GCM-SHA256:\
 
DHE-RSA-AES256-GCM-SHA384:\
 
DHE-RSA-CHACHA20-POLY1305:\
 
ECDHE-RSA-AES128-GCM-SHA256:\
 
ECDHE-RSA-AES256-GCM-SHA384:\
 
ECDHE-RSA-CHACHA20-POLY1305:\
 
TLS_AES_128_GCM_SHA256:\
 
TLS_AES_256_GCM_SHA384:\
 
TLS_CHACHA20_POLY1305_SHA256:\
 
!aNULL:!MD5:!EXPORT"
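Review bot: The comment should also warn that the ``TLS_*`` entries contribute nothing at runtime, because the cipher-list string this value is passed through does not govern TLSv1.3 suites (OpenSSL configures those separately), and that they must not become the only entries left: as the molecule parameters file in this changeset notes ("At least one non-TLSv1.3 cipher has to be included"), a value made up solely of them breaks TLSv1.3 initialisation. Stating that here keeps the next person from trimming the legacy suites and silently breaking the server.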
roles/xmpp_server/molecule/default/group_vars/parameters-optional.yml
 
@@ -9,16 +9,16 @@ xmpp_domains:
 
xmpp_ldap_base_dn: dc=local
 
xmpp_ldap_password: prosodypassword
 
xmpp_ldap_server: ldap-server
 
xmpp_server_archive_expiration: "1w"
 
xmpp_tls_certificate: "{{ lookup('file', 'tests/data/x509/server/{{ inventory_hostname }}_xmpp.cert.pem') }}"
 
xmpp_tls_key: "{{ lookup('file', 'tests/data/x509/server/{{ inventory_hostname }}_xmpp.key.pem') }}"
 
xmpp_server_tls_protocol: "tlsv1+"
 
xmpp_server_tls_ciphers: "DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-GCM-SHA384:\
 
DHE-RSA-AES256-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-GCM-SHA384:\
 
ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:!aNULL:!MD5:!EXPORT"
 
xmpp_server_tls_protocol: "tlsv1_3+"
 
# At least one non-TLSv1.3 cipher has to be included in order to
 
# ensure TLSv1.3 gets initialised.
 
xmpp_server_tls_ciphers: "ECDHE-RSA-CHACHA20-POLY1305:!aNULL:!MD5:!EXPORT"
 

	
 
# common
 
ca_certificates:
 
  testca: "{{ lookup('file', 'tests/data/x509/ca/level1.cert.pem') }}"
 

	
 
# backup_client
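Review bot: The comment explaining why ``ECDHE-RSA-CHACHA20-POLY1305`` is kept should say what goes wrong without it (the error the test run hits), otherwise the next edit will "clean up" this apparently dead entry, since with ``tlsv1_3+`` a TLSv1.2 suite can never be negotiated. With this fixture the scenario also no longer checks that ``xmpp_server_tls_ciphers`` is honoured at all; a second host or scenario with ``tlsv1_2+`` and a restricted TLSv1.2 list would keep that covered.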
roles/xmpp_server/molecule/default/prepare.yml
 
@@ -76,30 +76,12 @@
 

	
 
- name: Prepare, test fixtures
 
  hosts: bookworm
 
  become: true
 
  tasks:
 

	
 
    - name: Enable TLSv1.0+ in global OpenSSL configuration file in order to be able to test the web_server_tls_protocols parameter
 
      ansible.builtin.blockinfile:
 
        path: "/etc/ssl/openssl.cnf"
 
        block: |
 
          [openssl_init]
 
          ssl_conf = ssl_sect
 

	
 
          [ssl_sect]
 
          system_default = system_default_sect
 

	
 
          [system_default_sect]
 
          MinProtocol = TLSv1.1
 
          CipherString = DEFAULT@SECLEVEL=0
 
        owner: root
 
        group: root
 
        mode: "0644"
 
        state: present
 

	
 
    - name: Set-up the hosts file
 
      ansible.builtin.lineinfile:
 
        path: /etc/hosts
 
        regexp: "^{{ item.key }}"
 
        line: "{{ item.key }} {{ item.value }}"
 
        owner: root
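Review bot: Dropping the ``MinProtocol = TLSv1.1`` / ``CipherString = DEFAULT@SECLEVEL=0`` override is the right call now that the role does not support those versions, but it also restores the distribution's default security level for the remaining TLSv1.2 suite and for the test certificates under tests/data/x509, so confirm those fixtures meet that level rather than having relied on the old override. The removed task's name referred to ``web_server_tls_protocols``, so it is worth checking that the ``web_server`` role's prepare playbook does not still carry the same workaround, given its release note in this changeset makes the same support change.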
roles/xmpp_server/molecule/default/tests/test_optional.py
 
@@ -52,26 +52,17 @@ Component "proxy.domain3" "proxy65"
 
def test_xmpp_c2s_tls_version_and_ciphers(host, port):
 
    """
 
    Tests if the correct TLS version and ciphers have been enabled for
 
    XMPP C2S ports.
 
    """
 

	
 
    expected_tls_versions = ["TLSv1.0", "TLSv1.1", "TLSv1.2", "TLSv1.3"]
 
    expected_tls_versions = ["TLSv1.3"]
 
    expected_tls_ciphers = [
 
        "TLS_AKE_WITH_AES_128_GCM_SHA256",
 
        "TLS_AKE_WITH_AES_256_GCM_SHA384",
 
        "TLS_AKE_WITH_CHACHA20_POLY1305_SHA256",
 
        "TLS_DHE_RSA_WITH_AES_128_CBC_SHA256",
 
        "TLS_DHE_RSA_WITH_AES_128_GCM_SHA256",
 
        "TLS_DHE_RSA_WITH_AES_256_CBC_SHA256",
 
        "TLS_DHE_RSA_WITH_AES_256_GCM_SHA384",
 
        "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA",
 
        "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256",
 
        "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
 
        "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384",
 
        "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
 
    ]
 

	
 
    # Run the nmap scanner against the server, and fetch the results.
 
    nmap = host.run("nmap -sV --script ssl-enum-ciphers -p %s domain2 -oX /tmp/report.xml", str(port))
 
    assert nmap.rc == 0
 
    report_content = host.file('/tmp/report.xml').content_string
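Review bot: With ``expected_tls_versions = ["TLSv1.3"]`` and only the three ``TLS_AKE_*`` suites, the test no longer verifies the cipher half of its own docstring, because nothing put into ``xmpp_server_tls_ciphers`` can change the TLSv1.3 suite set; an assertion that the configured TLSv1.2 suite is absent, or a ``tlsv1_2+`` variant of the test, would make this a real check of the parameter. If the comparison against the ``ssl-enum-ciphers`` output is an exact match, it will also break as soon as a newer OpenSSL enables an additional TLSv1.3 suite by default, so consider asserting on the required subset instead.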