summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorGuilhem Moulin <guilhem@fripost.org>2020-05-18 04:34:00 +0200
committerGuilhem Moulin <guilhem@fripost.org>2020-05-18 04:34:17 +0200
commit61ba2a2fe12ffd5578429dfe1d354a1c5d16517a (patch)
treef6e37d60a9069672b2bc99a591dc34689f881346
parentb1808ed6a25beb9b2a746a1d1bed3dd9a459a619 (diff)
AEAD ciphers: Add EECDH+CHACHA20 macro.
This adds the following two ciphers: ECDHE-ECDSA-CHACHA20-POLY1305 TLSv1.2 Kx=ECDH Au=ECDSA Enc=CHACHA20/POLY1305(256) Mac=AEAD ECDHE-RSA-CHACHA20-POLY1305 TLSv1.2 Kx=ECDH Au=RSA Enc=CHACHA20/POLY1305(256) Mac=AEAD
-rw-r--r--roles/IMAP/files/etc/dovecot/conf.d/10-ssl.conf2
-rw-r--r--roles/common/templates/etc/postfix/master.cf.j24
-rw-r--r--roles/lacme/files/etc/lacme/lacme.conf2
-rw-r--r--roles/webmail/files/etc/stunnel/ldap.conf2
4 files changed, 5 insertions, 5 deletions
diff --git a/roles/IMAP/files/etc/dovecot/conf.d/10-ssl.conf b/roles/IMAP/files/etc/dovecot/conf.d/10-ssl.conf
index 250eec5..209347f 100644
--- a/roles/IMAP/files/etc/dovecot/conf.d/10-ssl.conf
+++ b/roles/IMAP/files/etc/dovecot/conf.d/10-ssl.conf
@@ -49,7 +49,7 @@ ssl_dh_parameters_length = 2048
#ssl_protocols = !SSLv3
# SSL ciphers to use
-ssl_cipher_list = HIGH:!aNULL:!eNULL:!3DES:!MD5:@STRENGTH
+ssl_cipher_list = EECDH+AESGCM:EECDH+CHACHA20!MEDIUM!LOW!EXP!aNULL!eNULL
# Prefer the server's order of ciphers over client's.
#ssl_prefer_server_ciphers = no
diff --git a/roles/common/templates/etc/postfix/master.cf.j2 b/roles/common/templates/etc/postfix/master.cf.j2
index 2c00250..65ca2b6 100644
--- a/roles/common/templates/etc/postfix/master.cf.j2
+++ b/roles/common/templates/etc/postfix/master.cf.j2
@@ -19,10 +19,10 @@ tlsproxy unix - - y - 0 tlsproxy
dnsblog unix - - y - 0 dnsblog
{% elif inst == 'MSA' %}
submission inet n - y - - smtpd
- -o tls_high_cipherlist=EECDH+AESGCM:!MEDIUM:!LOW:!EXP:!aNULL:!eNULL
+ -o tls_high_cipherlist=EECDH+AESGCM:EECDH+CHACHA20!MEDIUM!LOW!EXP!aNULL!eNULL
submissions inet n - y - - smtpd
-o smtpd_tls_wrappermode=yes
- -o tls_high_cipherlist=EECDH+AESGCM:!MEDIUM:!LOW:!EXP:!aNULL:!eNULL
+ -o tls_high_cipherlist=EECDH+AESGCM:EECDH+CHACHA20!MEDIUM!LOW!EXP!aNULL!eNULL
{% if groups.webmail | difference([inventory_hostname]) | length > 0 %}
[{{ postfix_instance.MSA.addr }}]:{{ postfix_instance.MSA.port }} inet n - y - - smtpd
-o broken_sasl_auth_clients=no
diff --git a/roles/lacme/files/etc/lacme/lacme.conf b/roles/lacme/files/etc/lacme/lacme.conf
index 6f1ee4b..b49c87a 100644
--- a/roles/lacme/files/etc/lacme/lacme.conf
+++ b/roles/lacme/files/etc/lacme/lacme.conf
@@ -54,7 +54,7 @@ SSL_version = SSLv23:!TLSv1_1:!TLSv1:!SSLv3:!SSLv2
# Specify the cipher list for the connection.
#
-SSL_cipher_list = EECDH+AESGCM:!MEDIUM:!LOW:!EXP:!aNULL:!eNULL
+SSL_cipher_list = EECDH+AESGCM:EECDH+CHACHA20!MEDIUM!LOW!EXP!aNULL!eNULL
[webserver]
diff --git a/roles/webmail/files/etc/stunnel/ldap.conf b/roles/webmail/files/etc/stunnel/ldap.conf
index b8c7787..1a60a4f 100644
--- a/roles/webmail/files/etc/stunnel/ldap.conf
+++ b/roles/webmail/files/etc/stunnel/ldap.conf
@@ -43,7 +43,7 @@ options = NO_COMPRESSION
;options = SINGLE_DH_USE
; Select permitted SSL ciphers
-ciphers = EECDH+AESGCM:!MEDIUM:!LOW:!EXP:!aNULL:!eNULL
+ciphers = EECDH+AESGCM:EECDH+CHACHA20!MEDIUM!LOW!EXP!aNULL!eNULL
; **************************************************************************
; * Service definitions (remove all services for inetd mode) *