From 0f75220c723a2cb137b6404d48653d44f845ed37 Mon Sep 17 00:00:00 2001
From: Zolfa
Date: Wed, 22 Apr 2020 03:46:17 +0200
Subject: [PATCH] Force TLSv1.3 when feasible
Affected roles:
- gitlab
- nginx
- ldap
---
 roles/gitlab/templates/gitlab.rb.j2 | 11 ++++++-----
 roles/ldap/tasks/4_setup_tls.yaml | 1 +
 roles/nginx/tasks/main.yaml | 6 ------
 roles/nginx/templates/base.j2 | 24 +++++++----------------
 4 files changed, 14 insertions(+), 28 deletions(-)
diff --git a/roles/gitlab/templates/gitlab.rb.j2 b/roles/gitlab/templates/gitlab.rb.j2
index 2de061e..86f4e5e 100644
--- a/roles/gitlab/templates/gitlab.rb.j2
+++ b/roles/gitlab/templates/gitlab.rb.j2
@@ -1134,18 +1134,19 @@ external_url 'http://{{ server_fqdn }}'
 # nginx['ssl_certificate'] = "/etc/gitlab/ssl/#{node['fqdn']}.crt"
 # nginx['ssl_certificate_key'] = "/etc/gitlab/ssl/#{node['fqdn']}.key"
-# nginx['ssl_ciphers'] = "ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256"
-# nginx['ssl_prefer_server_ciphers'] = "on"
+ nginx['ssl_ciphers'] = nil
+ nginx['ssl_prefer_server_ciphers'] = "off"
 ##! **Recommended by: https://raymii.org/s/tutorials/Strong_SSL_Security_On_nginx.html
 ##! https://cipherli.st/**
-# nginx['ssl_protocols'] = "TLSv1.2 TLSv1.3"
+ nginx['ssl_protocols'] = "TLSv1.3"
 ##! **Recommended in: https://nginx.org/en/docs/http/ngx_http_ssl_module.html**
-# nginx['ssl_session_cache'] = "builtin:1000 shared:SSL:10m"
+ nginx['ssl_session_cache'] = "builtin:1000 shared:MozSSL:10m"
 ##! **Default according to https://nginx.org/en/docs/http/ngx_http_ssl_module.html**
-# nginx['ssl_session_timeout'] = "5m"
+ nginx['ssl_session_timeout'] = "5m"
+ nginx['ssl_session_tickets'] = "off"
 # nginx['ssl_dhparam'] = nil # Path to dhparams.pem, eg. /etc/gitlab/ssl/dhparams.pem
 # nginx['listen_addresses'] = ['*', '[::]']
diff --git a/roles/ldap/tasks/4_setup_tls.yaml b/roles/ldap/tasks/4_setup_tls.yaml
index f217deb..d3e9b85 100644
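Review bot: `nginx['ssl_ciphers'] = nil` may not hand nginx its built-in default cipher list: if the omnibus nginx template renders the value unconditionally, the result is `ssl_ciphers '';`, which OpenSSL rejects at config test and keeps the bundled nginx from starting, so the safer way to get the default is to leave the key commented out rather than assigning nil. `nginx['ssl_protocols'] = "TLSv1.3"` also turns every git client or CI runner without TLS 1.3 support (OpenSSL older than 1.1.1) into a hard handshake failure with no downgrade, so the bundled OpenSSL of the deployed GitLab version and the expected client base should be confirmed before this is rolled out; a comment such as `# TLSv1.3 only: needs bundled nginx/OpenSSL 1.1.1+; clients without TLS 1.3 cannot connect` next to the line would record that decision. Whether `nginx['ssl_session_tickets']` is a key the omnibus template consumes cannot be confirmed from here, and an unknown key in gitlab.rb is not an error, so the rendered nginx config should be checked for `ssl_session_tickets off`.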
--- a/roles/ldap/tasks/4_setup_tls.yaml
+++ b/roles/ldap/tasks/4_setup_tls.yaml
@@ -120,6 +120,7 @@
 - { name: 'olcTLSCertificateKeyFile', value: '/etc/ldap/slapd.key' }
 - { name: 'olcTLSCACertificateFile', value: '/etc/ldap/ssl_ca.crt' }
 - { name: 'olcTLSVerifyClient', value: 'try' } # TLS Client Auth
+ - { name: 'olcTLSCipherSuite', value: 'SECURE:-VERS-ALL:+VERS-TLS1.3' } # TLSv1.3 Only
 tags:
 - 'tls_int'
diff --git a/roles/nginx/tasks/main.yaml b/roles/nginx/tasks/main.yaml
index 93e16b9..ed43bc0 100644
--- a/roles/nginx/tasks/main.yaml
+++ b/roles/nginx/tasks/main.yaml
@@ -31,12 +31,6 @@
 dest: '/etc/nginx/sites-available/{{ server_fqdn }}.conf'
 notify: 'restart nginx'
-- name: create Diffie Hellman exchange parameters
- command: openssl dhparam -out /etc/nginx/dhparam.pem 2048
- args:
- creates: /etc/nginx/dhparam.pem
- notify: restart nginx
-
 - name: 'enable nginx configurations'
 file:
 src: '/etc/nginx/sites-available/{{ server_fqdn }}.conf'
diff --git a/roles/nginx/templates/base.j2 b/roles/nginx/templates/base.j2
index 8412449..120eb5c 100644
--- a/roles/nginx/templates/base.j2
+++ b/roles/nginx/templates/base.j2
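Review bot: `SECURE:-VERS-ALL:+VERS-TLS1.3` is a GnuTLS priority string, so the new `olcTLSCipherSuite` entry only enforces TLS 1.3 when slapd is linked against GnuTLS (as the Debian/Ubuntu packages are); an OpenSSL-built slapd reads this attribute as an OpenSSL cipher list and would reject it, leaving the server unable to start TLS. The trailing comment should say so, e.g. `# TLSv1.3 only (GnuTLS priority string; an OpenSSL build needs a cipher list instead)`. If the installed OpenLDAP supports `olcTLSProtocolMin`, adding `- { name: 'olcTLSProtocolMin', value: '3.4' }` pins the minimum version independently of the TLS library behind slapd. Because `olcTLSVerifyClient` stays at `try`, it is also worth confirming that every LDAP client that presents a certificate (the gitlab role's LDAP integration is the obvious one) can negotiate TLS 1.3, since this leaves no fallback version.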
@@ -2,32 +2,22 @@ server {
 listen 443 ssl http2;
 listen [::]:443 ssl http2;
- # certs sent to the client in SERVER HELLO are concatenated in ssl_certificate
 ssl_certificate /etc/letsencrypt/live/{{ server_fqdn }}/fullchain.pem;
 ssl_certificate_key /etc/letsencrypt/live/{{ server_fqdn }}/privkey.pem;
- ssl_session_timeout 1d;
- ssl_session_cache shared:SSL:50m;
- ssl_session_tickets off;
-
- # Diffie-Hellman parameter for DHE ciphersuites, recommended 2048 bits
- ssl_dhparam /etc/nginx/dhparam.pem;
- # intermediate configuration. tweak to your needs.
- ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
- ssl_ciphers 'ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS';
- ssl_prefer_server_ciphers on;
+ ssl_session_timeout 5m;
+ ssl_session_cache shared:MozSSL:10m;
+ ssl_session_tickets off;
- # HSTS (ngx_http_headers_module is required) (15768000 seconds = 6 months)
- add_header Strict-Transport-Security max-age=15768000;
+ ssl_protocols TLSv1.3;
+ ssl_prefer_server_ciphers off;
- # OCSP Stapling ---
- # fetch OCSP records from URL in ssl_certificate and cache them
 ssl_stapling on;
 ssl_stapling_verify on;
- ## verify chain of trust of OCSP response using Root CA and Intermediate certs
+ add_header Strict-Transport-Security "max-age=63072000" always;
+
 ssl_trusted_certificate /etc/letsencrypt/live/{{ server_fqdn }}/chain.pem;
 include /etc/nginx/locations/{{ server_fqdn 
}}/*.conf;
-
 }
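Review bot: The `add_header Strict-Transport-Security "max-age=63072000" always;` line sits at server level, and nginx discards server-level `add_header` directives inside any location that declares an `add_header` of its own; the files pulled in by `include /etc/nginx/locations/{{ server_fqdn }}/*.conf` are outside this hunk, so each of them needs checking, or the header should move into a snippet those location files include. With `ssl_protocols TLSv1.3;` and a two-year `max-age`, any client limited to TLS 1.2 is locked out with no HTTP fallback, so a short `max-age` until the TLS 1.3-only decision has been validated against the real client base would be the more cautious rollout. `ssl_stapling on;` also depends on a `resolver` directive to look up the OCSP responder's hostname; none is set in this server block, so unless the enclosing http block provides one, nginx cannot fetch responses and stapling stays inactive. Dropping `ssl_dhparam` is consistent with TLS 1.3, whose DHE groups are fixed by the protocol, but the task removal in roles/nginx/tasks/main.yaml leaves any existing `/etc/nginx/dhparam.pem` on disk, which a cleanup task or a comment there could address.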