diff options
author | Guilhem Moulin <guilhem@fripost.org> | 2020-05-18 04:34:00 +0200 |
---|---|---|
committer | Guilhem Moulin <guilhem@fripost.org> | 2020-05-18 04:34:17 +0200 |
commit | 61ba2a2fe12ffd5578429dfe1d354a1c5d16517a (patch) | |
tree | f6e37d60a9069672b2bc99a591dc34689f881346 /roles | |
parent | b1808ed6a25beb9b2a746a1d1bed3dd9a459a619 (diff) |
AEAD ciphers: Add EECDH+CHACHA20 macro.
This adds the following two ciphers:
ECDHE-ECDSA-CHACHA20-POLY1305 TLSv1.2 Kx=ECDH Au=ECDSA Enc=CHACHA20/POLY1305(256) Mac=AEAD
ECDHE-RSA-CHACHA20-POLY1305 TLSv1.2 Kx=ECDH Au=RSA Enc=CHACHA20/POLY1305(256) Mac=AEAD
Diffstat (limited to 'roles')
-rw-r--r-- | roles/IMAP/files/etc/dovecot/conf.d/10-ssl.conf | 2 | ||||
-rw-r--r-- | roles/common/templates/etc/postfix/master.cf.j2 | 4 | ||||
-rw-r--r-- | roles/lacme/files/etc/lacme/lacme.conf | 2 | ||||
-rw-r--r-- | roles/webmail/files/etc/stunnel/ldap.conf | 2 |
4 files changed, 5 insertions, 5 deletions
diff --git a/roles/IMAP/files/etc/dovecot/conf.d/10-ssl.conf b/roles/IMAP/files/etc/dovecot/conf.d/10-ssl.conf index 250eec5..209347f 100644 --- a/roles/IMAP/files/etc/dovecot/conf.d/10-ssl.conf +++ b/roles/IMAP/files/etc/dovecot/conf.d/10-ssl.conf @@ -49,7 +49,7 @@ ssl_dh_parameters_length = 2048 #ssl_protocols = !SSLv3 # SSL ciphers to use -ssl_cipher_list = HIGH:!aNULL:!eNULL:!3DES:!MD5:@STRENGTH +ssl_cipher_list = EECDH+AESGCM:EECDH+CHACHA20!MEDIUM!LOW!EXP!aNULL!eNULL # Prefer the server's order of ciphers over client's. #ssl_prefer_server_ciphers = no diff --git a/roles/common/templates/etc/postfix/master.cf.j2 b/roles/common/templates/etc/postfix/master.cf.j2 index 2c00250..65ca2b6 100644 --- a/roles/common/templates/etc/postfix/master.cf.j2 +++ b/roles/common/templates/etc/postfix/master.cf.j2 @@ -19,10 +19,10 @@ tlsproxy unix - - y - 0 tlsproxy dnsblog unix - - y - 0 dnsblog {% elif inst == 'MSA' %} submission inet n - y - - smtpd - -o tls_high_cipherlist=EECDH+AESGCM:!MEDIUM:!LOW:!EXP:!aNULL:!eNULL + -o tls_high_cipherlist=EECDH+AESGCM:EECDH+CHACHA20!MEDIUM!LOW!EXP!aNULL!eNULL submissions inet n - y - - smtpd -o smtpd_tls_wrappermode=yes - -o tls_high_cipherlist=EECDH+AESGCM:!MEDIUM:!LOW:!EXP:!aNULL:!eNULL + -o tls_high_cipherlist=EECDH+AESGCM:EECDH+CHACHA20!MEDIUM!LOW!EXP!aNULL!eNULL {% if groups.webmail | difference([inventory_hostname]) | length > 0 %} [{{ postfix_instance.MSA.addr }}]:{{ postfix_instance.MSA.port }} inet n - y - - smtpd -o broken_sasl_auth_clients=no diff --git a/roles/lacme/files/etc/lacme/lacme.conf b/roles/lacme/files/etc/lacme/lacme.conf index 6f1ee4b..b49c87a 100644 --- a/roles/lacme/files/etc/lacme/lacme.conf +++ b/roles/lacme/files/etc/lacme/lacme.conf @@ -54,7 +54,7 @@ SSL_version = SSLv23:!TLSv1_1:!TLSv1:!SSLv3:!SSLv2 # Specify the cipher list for the connection. # -SSL_cipher_list = EECDH+AESGCM:!MEDIUM:!LOW:!EXP:!aNULL:!eNULL +SSL_cipher_list = EECDH+AESGCM:EECDH+CHACHA20!MEDIUM!LOW!EXP!aNULL!eNULL [webserver] diff --git a/roles/webmail/files/etc/stunnel/ldap.conf b/roles/webmail/files/etc/stunnel/ldap.conf index b8c7787..1a60a4f 100644 --- a/roles/webmail/files/etc/stunnel/ldap.conf +++ b/roles/webmail/files/etc/stunnel/ldap.conf @@ -43,7 +43,7 @@ options = NO_COMPRESSION ;options = SINGLE_DH_USE ; Select permitted SSL ciphers -ciphers = EECDH+AESGCM:!MEDIUM:!LOW:!EXP:!aNULL:!eNULL +ciphers = EECDH+AESGCM:EECDH+CHACHA20!MEDIUM!LOW!EXP!aNULL!eNULL ; ************************************************************************** ; * Service definitions (remove all services for inetd mode) * |