Skip to content

Commit

Permalink
Default SSL cipher changes (voxpupuli#859), have mailhost use default…
Browse files Browse the repository at this point in the history
  • Loading branch information
William Yardley committed Oct 12, 2016
1 parent 5501e88 commit a02cb9c
Show file tree
Hide file tree
Showing 4 changed files with 8 additions and 10 deletions.
2 changes: 1 addition & 1 deletion manifests/config.pp
Original file line number Diff line number Diff line change
Expand Up @@ -113,7 +113,7 @@
$worker_processes = '1',
$worker_rlimit_nofile = '1024',
$ssl_protocols = 'TLSv1 TLSv1.1 TLSv1.2',
$ssl_ciphers = 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA',
$ssl_ciphers = 'ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS',
### END Nginx Configuration ###
) inherits ::nginx::params {

Expand Down
7 changes: 5 additions & 2 deletions manifests/resource/mailhost.pp
Original file line number Diff line number Diff line change
Expand Up @@ -16,12 +16,13 @@
# [*index_files*] - Default index files for NGINX to read when traversing a directory
# [*ssl*] - Indicates whether to setup SSL bindings for this mailhost.
# [*ssl_cert*] - Pre-generated SSL Certificate file to reference for SSL Support. This is not generated by this module.
# [*ssl_ciphers*] - Override default SSL ciphers (defaults to nginx::config::ssl_ciphers)
# [*ssl_key*] - Pre-generated SSL Key file to reference for SSL Support. This is not generated by this module.
# [*ssl_port*] - Default IP Port for NGINX to listen with this SSL vHost on. Defaults to TCP 443
# [*starttls*] - enable STARTTLS support: (on|off|only)
# [*starttls*] - Enable STARTTLS support: (on|off|only)
# [*protocol*] - Mail protocol to use: (imap|pop3|smtp)
# [*auth_http*] - With this directive you can set the URL to the external HTTP-like server for authorization.
# [*xclient*] - wheter to use xclient for smtp (on|off)
# [*xclient*] - Whether to use xclient for smtp (on|off)
# [*server_name*] - List of mailhostnames for which this mailhost will respond. Default [$name].
#
# Actions:
Expand Down Expand Up @@ -52,6 +53,7 @@
$ipv6_listen_options = 'default ipv6only=on',
$ssl = false,
$ssl_cert = undef,
$ssl_ciphers = $::nginx::config::ssl_ciphers,
$ssl_key = undef,
$ssl_port = undef,
$starttls = 'off',
Expand Down Expand Up @@ -99,6 +101,7 @@
if ($ssl_cert != undef) {
validate_string($ssl_cert)
}
validate_string($ssl_ciphers)
if ($ssl_key != undef) {
validate_string($ssl_key)
}
Expand Down
2 changes: 1 addition & 1 deletion manifests/resource/vhost.pp
Original file line number Diff line number Diff line change
Expand Up @@ -68,7 +68,7 @@
# TLSv1.2'.
# [*ssl_buffer_size*] - Sets the size of the buffer used for sending data.
# [*ssl_ciphers*] - SSL ciphers enabled. Defaults to
# 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA'.
# nginx::config::ssl_ciphers
# [*ssl_stapling*] - Bool: Enables or disables stapling of OCSP
# responses by the server. Defaults to false.
# [*ssl_stapling_file*] - String: When set, the stapled OCSP response
Expand Down
7 changes: 1 addition & 6 deletions templates/mailhost/mailhost_ssl.erb
Original file line number Diff line number Diff line change
Expand Up @@ -28,14 +28,9 @@ server {
ssl on;
ssl_certificate <%= @ssl_cert %>;
ssl_certificate_key <%= @ssl_key %>;

ssl_session_timeout 5m;

ssl_protocols TLSv1;

# Suggested from https://wiki.mozilla.org/Security/Server_Side_TLS#Nginx
ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA';

ssl_ciphers <%= @ssl_ciphers %>;
ssl_prefer_server_ciphers on;

}

0 comments on commit a02cb9c

Please sign in to comment.