authorGuilhem Moulin <guilhem@fripost.org>2020-05-18 04:34:00 +0200
committerGuilhem Moulin <guilhem@fripost.org>2020-05-18 04:34:17 +0200
commit61ba2a2fe12ffd5578429dfe1d354a1c5d16517a (patch)
treef6e37d60a9069672b2bc99a591dc34689f881346
parentb1808ed6a25beb9b2a746a1d1bed3dd9a459a619 (diff)
AEAD ciphers: Add EECDH+CHACHA20 macro.
This adds the following two ciphers (as listed by `openssl ciphers -v`):

ECDHE-ECDSA-CHACHA20-POLY1305 TLSv1.2 Kx=ECDH Au=ECDSA Enc=CHACHA20/POLY1305(256) Mac=AEAD
ECDHE-RSA-CHACHA20-POLY1305   TLSv1.2 Kx=ECDH Au=RSA   Enc=CHACHA20/POLY1305(256) Mac=AEAD
-rw-r--r--roles/IMAP/files/etc/dovecot/conf.d/10-ssl.conf2
-rw-r--r--roles/common/templates/etc/postfix/master.cf.j24
-rw-r--r--roles/lacme/files/etc/lacme/lacme.conf2
-rw-r--r--roles/webmail/files/etc/stunnel/ldap.conf2
4 files changed, 5 insertions, 5 deletions
diff --git a/roles/IMAP/files/etc/dovecot/conf.d/10-ssl.conf b/roles/IMAP/files/etc/dovecot/conf.d/10-ssl.conf
index 250eec5..209347f 100644
--- a/roles/IMAP/files/etc/dovecot/conf.d/10-ssl.conf
+++ b/roles/IMAP/files/etc/dovecot/conf.d/10-ssl.conf
@@ -32,31 +32,31 @@ ssl_key = </etc/dovecot/ssl/imap.fripost.org.key
# /etc/pki/tls/cert.pem in RedHat-based systems.
#ssl_client_ca_dir =
#ssl_client_ca_file =
# Request client to send a certificate. If you also want to require it, set
# auth_ssl_require_client_cert=yes in auth section.
#ssl_verify_client_cert = no
# Which field from certificate to use for username. commonName and
# x500UniqueIdentifier are the usual choices. You'll also need to set
# auth_ssl_username_from_cert=yes.
#ssl_cert_username_field = commonName
# DH parameters length to use.
ssl_dh_parameters_length = 2048
# SSL protocols to use
#ssl_protocols = !SSLv3
# SSL ciphers to use
-ssl_cipher_list = HIGH:!aNULL:!eNULL:!3DES:!MD5:@STRENGTH
+ssl_cipher_list = EECDH+AESGCM:EECDH+CHACHA20!MEDIUM!LOW!EXP!aNULL!eNULL
# Prefer the server's order of ciphers over client's.
#ssl_prefer_server_ciphers = no
# SSL crypto device to use, for valid values run "openssl engine"
#ssl_crypto_device =
# SSL extra options. Currently supported options are:
# no_compression - Disable compression.
ssl_options = no_compression
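Review bot: The new `ssl_cipher_list` value drops the `:` separators between `EECDH+CHACHA20` and the `!MEDIUM!LOW!EXP!aNULL!eNULL` exclusions; OpenSSL's rule parser appears to treat a `!` directly after a cipher name as the start of the next rule, so this most likely still yields the intended list, but the documented separators are `:`, `,` or space, and the undocumented form is easy to misread or break on the next edit. I'd write `ssl_cipher_list = EECDH+AESGCM:EECDH+CHACHA20:!MEDIUM:!LOW:!EXP:!aNULL:!eNULL` and confirm with `openssl ciphers -v '<list>'` on the host. Note also that for this file the change is broader than the commit message says: the removed `HIGH:!aNULL:!eNULL:!3DES:!MD5:@STRENGTH` still admitted RSA key exchange and CBC suites, whereas the new list is ECDHE+AEAD only, so IMAP clients without ECDHE support will no longer negotiate — worth a sentence in the commit message. Since `ssl_prefer_server_ciphers` is left at its commented default a few lines above, the relative order of the two macros is advisory unless the client defers to the server, and this list does not govern TLS 1.3 suites, which OpenSSL configures separately.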
diff --git a/roles/common/templates/etc/postfix/master.cf.j2 b/roles/common/templates/etc/postfix/master.cf.j2
index 2c00250..65ca2b6 100644
--- a/roles/common/templates/etc/postfix/master.cf.j2
+++ b/roles/common/templates/etc/postfix/master.cf.j2
@@ -2,44 +2,44 @@
# Postfix master process configuration file. For details on the format
# of the file, see the master(5) manual page (command: "man 5 master").
#
# {{ ansible_managed }}
# Do NOT edit this file directly!
#
# ==========================================================================
# service type private unpriv chroot wakeup maxproc command + args
# (yes) (yes) (yes) (never) (100)
# ==========================================================================
{% if inst is not defined %}
[127.0.0.1]:16132 inet n - y - - smtpd
{% elif inst == 'MX' %}
smtpd pass - - y - - smtpd
smtp inet n - y - 1 postscreen
tlsproxy unix - - y - 0 tlsproxy
dnsblog unix - - y - 0 dnsblog
{% elif inst == 'MSA' %}
submission inet n - y - - smtpd
- -o tls_high_cipherlist=EECDH+AESGCM:!MEDIUM:!LOW:!EXP:!aNULL:!eNULL
+ -o tls_high_cipherlist=EECDH+AESGCM:EECDH+CHACHA20!MEDIUM!LOW!EXP!aNULL!eNULL
submissions inet n - y - - smtpd
-o smtpd_tls_wrappermode=yes
- -o tls_high_cipherlist=EECDH+AESGCM:!MEDIUM:!LOW:!EXP:!aNULL:!eNULL
+ -o tls_high_cipherlist=EECDH+AESGCM:EECDH+CHACHA20!MEDIUM!LOW!EXP!aNULL!eNULL
{% if groups.webmail | difference([inventory_hostname]) | length > 0 %}
[{{ postfix_instance.MSA.addr }}]:{{ postfix_instance.MSA.port }} inet n - y - - smtpd
-o broken_sasl_auth_clients=no
-o smtpd_tls_security_level=none
-o smtpd_sasl_security_options=noanonymous
-o smtpd_sasl_exceptions_networks=
-o smtpd_authorized_xforward_hosts=127.0.0.0/8,[::1]/128{{ ipsec_subnet is defined | ternary(','+ipsec_subnet, '') }}
-o smtpd_peername_lookup=no
{% endif %}
{% elif inst in ['IMAP', 'out', 'lists'] %}
[{{ postfix_instance[inst].addr }}]:{{ postfix_instance[inst].port }} inet n - y - - smtpd
-o smtpd_authorized_xforward_hosts=127.0.0.0/8,[::1]/128{{ ipsec_subnet is defined | ternary(','+ipsec_subnet, '') }}
-o smtpd_peername_lookup=no
{% endif %}
pickup unix n - y 60 1 pickup
cleanup unix n - y - 0 cleanup
qmgr unix n - n 300 1 qmgr
tlsmgr unix - - y 1000? 1 tlsmgr
rewrite unix - - y - - trivial-rewrite
bounce unix - - y - 0 bounce
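Review bot: Both `tls_high_cipherlist` overrides, on the `submission` and `submissions` services, lose the `:` separators the removed lines had before each `!` exclusion; OpenSSL's rule parser appears to accept a `!` immediately after a cipher name as the beginning of the next rule, so the list probably still parses as intended, but only `:`, `,` and space are documented separators. I would restore them on both lines: `-o tls_high_cipherlist=EECDH+AESGCM:EECDH+CHACHA20:!MEDIUM:!LOW:!EXP:!aNULL:!eNULL`. As `tls_high_cipherlist` only defines Postfix's `high` grade, this override has effect only if the MSA's `smtpd_tls_mandatory_ciphers` or `smtpd_tls_ciphers` is set to `high` elsewhere (presumably main.cf, not visible here), and Postfix appends any `smtpd_tls_exclude_ciphers` after it. Running `openssl ciphers -v '<list>'` on the host would confirm the parsed result, and `postfix check` would catch a rejected string before the service restarts.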
diff --git a/roles/lacme/files/etc/lacme/lacme.conf b/roles/lacme/files/etc/lacme/lacme.conf
index 6f1ee4b..b49c87a 100644
--- a/roles/lacme/files/etc/lacme/lacme.conf
+++ b/roles/lacme/files/etc/lacme/lacme.conf
@@ -37,41 +37,41 @@ group = nogroup
# <https://acme-staging-v02.api.letsencrypt.org/directory> for testing
# as it has relaxed rate-limiting.
#
#server = https://acme-v02.api.letsencrypt.org/directory
# Timeout in seconds after which the client stops polling the ACME
# server and considers the request failed.
#
#timeout = 10
# Whether to verify the server certificate chain.
#
SSL_verify = yes
# Specify the version of the SSL protocol used to transmit data.
#
SSL_version = SSLv23:!TLSv1_1:!TLSv1:!SSLv3:!SSLv2
# Specify the cipher list for the connection.
#
-SSL_cipher_list = EECDH+AESGCM:!MEDIUM:!LOW:!EXP:!aNULL:!eNULL
+SSL_cipher_list = EECDH+AESGCM:EECDH+CHACHA20!MEDIUM!LOW!EXP!aNULL!eNULL
[webserver]
# Comma- or space-separated list of addresses to listen on, for instance
# "0.0.0.0:80 [::]:80".
#
#listen = /run/lacme-www.socket
# Non-existent directory under which an external HTTP daemon is
# configured to serve GET requests for challenge files under
# "/.well-known/acme-challenge/" (for each virtual host requiring
# authorization) as static files.
#
#challenge-directory =
# username to drop privileges to (setting both effective and real uid).
# Preserve root privileges if the value is empty (not recommended).
#
user = www-data
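Review bot: The new `SSL_cipher_list` drops the `:` separators before the `!` exclusions, while `SSL_version` a few lines above keeps the `:`-separated form, so the two adjacent keys now follow different conventions. lacme hands this string to IO::Socket::SSL, which passes it to OpenSSL's cipher-list parser; that parser appears to treat a `!` right after a name as the start of the next rule, so it likely still works, but the documented separators are `:`, `,` or space. I'd write `SSL_cipher_list = EECDH+AESGCM:EECDH+CHACHA20:!MEDIUM:!LOW:!EXP:!aNULL:!eNULL`. This is the client side of the ACME connection, so the list governs what lacme offers to the ACME server rather than what any server of ours accepts; a list the ACME endpoint cannot satisfy fails closed at renewal time, which argues for one test run against the staging directory mentioned in the comments above.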
diff --git a/roles/webmail/files/etc/stunnel/ldap.conf b/roles/webmail/files/etc/stunnel/ldap.conf
index b8c7787..1a60a4f 100644
--- a/roles/webmail/files/etc/stunnel/ldap.conf
+++ b/roles/webmail/files/etc/stunnel/ldap.conf
@@ -26,32 +26,32 @@ socket = a:SO_BINDTODEVICE=lo
; Some performance tunings
socket = l:TCP_NODELAY=1
socket = r:TCP_NODELAY=1
; Prevent MITM attacks
verify = 4
; Disable support for insecure protocols
;options = NO_SSLv2
options = NO_SSLv3
options = NO_TLSv1
options = NO_TLSv1.1
options = NO_COMPRESSION
; These options provide additional security at some performance degradation
;options = SINGLE_ECDH_USE
;options = SINGLE_DH_USE
; Select permitted SSL ciphers
-ciphers = EECDH+AESGCM:!MEDIUM:!LOW:!EXP:!aNULL:!eNULL
+ciphers = EECDH+AESGCM:EECDH+CHACHA20!MEDIUM!LOW!EXP!aNULL!eNULL
; **************************************************************************
; * Service definitions (remove all services for inetd mode) *
; **************************************************************************
[ldaps]
accept = localhost:389
connect = ldap.fripost.org:636
CAfile = /etc/stunnel/certs/ldap.pem
; vim:ft=dosini
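Review bot: The `ciphers` value loses the `:` separators that the removed line had between `EECDH+CHACHA20` and the `!MEDIUM!LOW!EXP!aNULL!eNULL` exclusions. stunnel passes this string straight to OpenSSL's cipher-list parser, which appears to treat a `!` immediately after a cipher name as the start of a new rule, so it most likely parses as intended; however the documented separators are `:`, `,` and space, and stunnel refuses to start if OpenSSL rejects the string, so this is worth confirming with `openssl ciphers -v '<list>'` before deploying. I'd write `ciphers = EECDH+AESGCM:EECDH+CHACHA20:!MEDIUM:!LOW:!EXP:!aNULL:!eNULL`. This setting covers TLS 1.2 and earlier only; with `NO_TLSv1.1` and older protocols disabled above, any TLS 1.3 negotiation (in stunnel/OpenSSL builds that support it) is governed by a separate `ciphersuites` option that this file does not set.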