From a02cb9c4e4e48fc5df3526f56765d94627e1293b Mon Sep 17 00:00:00 2001
From: William Yardley
Date: Sat, 8 Oct 2016 00:13:02 -0700
Subject: [PATCH] Default SSL cipher changes (#859), have mailhost use defaults too.

Take defaults from https://mozilla.github.io/server-side-tls/ssl-config-generator/

---
 manifests/config.pp | 2 +-
 manifests/resource/mailhost.pp | 7 +++++--
 manifests/resource/vhost.pp | 2 +-
 templates/mailhost/mailhost_ssl.erb | 7 +------
 4 files changed, 8 insertions(+), 10 deletions(-)

diff --git a/manifests/config.pp b/manifests/config.pp
index 9d5801ec6..58f3a5a04 100644
--- a/manifests/config.pp
+++ b/manifests/config.pp
@@ -113,7 +113,7 @@
 $worker_processes = '1',
 $worker_rlimit_nofile = '1024',
 $ssl_protocols = 'TLSv1 TLSv1.1 TLSv1.2',
- $ssl_ciphers = 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA',
+ $ssl_ciphers = 'ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS',
 ### END Nginx Configuration ###
 ) inherits ::nginx::params {
diff --git a/manifests/resource/mailhost.pp b/manifests/resource/mailhost.pp
index 85ff885db..7b14812bd 100644
--- a/manifests/resource/mailhost.pp
+++ b/manifests/resource/mailhost.pp
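Review bot: The new `$ssl_ciphers` default still carries four 3DES suites near its tail (`ECDHE-ECDSA-DES-CBC3-SHA`, `ECDHE-RSA-DES-CBC3-SHA`, `EDH-RSA-DES-CBC3-SHA`, `DES-CBC3-SHA`); 3DES is a 64-bit block cipher and the Sweet32 birthday attack (CVE-2016-2183) makes plaintext recovery practical on long-lived sessions, so these belong in the default only if pre-TLS1.2 clients such as IE8 on XP are a confirmed requirement. This default is now also consumed by the mail listener, where IMAP sessions are exactly the long-lived kind. Removing the four entries keeps the list a pure whitelist of named suites, so nothing beyond the existing `!DSS` is needed. If compatibility forces them to stay, record the trade-off on the line above the default, e.g. `# 3DES suites kept for IE8/XP only; remove once those clients are gone (Sweet32)`. The `nginx::config` parameter list this line belongs to opens before the hunk.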
@@ -16,12 +16,13 @@
 # [*index_files*] - Default index files for NGINX to read when traversing a directory
 # [*ssl*] - Indicates whether to setup SSL bindings for this mailhost.
 # [*ssl_cert*] - Pre-generated SSL Certificate file to reference for SSL Support. This is not generated by this module.
+# [*ssl_ciphers*] - Override default SSL ciphers (defaults to nginx::config::ssl_ciphers)
 # [*ssl_key*] - Pre-generated SSL Key file to reference for SSL Support. This is not generated by this module.
 # [*ssl_port*] - Default IP Port for NGINX to listen with this SSL vHost on. Defaults to TCP 443
-# [*starttls*] - enable STARTTLS support: (on|off|only)
+# [*starttls*] - Enable STARTTLS support: (on|off|only)
 # [*protocol*] - Mail protocol to use: (imap|pop3|smtp)
 # [*auth_http*] - With this directive you can set the URL to the external HTTP-like server for authorization.
-# [*xclient*] - wheter to use xclient for smtp (on|off)
+# [*xclient*] - Whether to use xclient for smtp (on|off)
 # [*server_name*] - List of mailhostnames for which this mailhost will respond. Default [$name].
 #
 # Actions:
@@ -52,6 +53,7 @@
 $ipv6_listen_options = 'default ipv6only=on',
 $ssl = false,
 $ssl_cert = undef,
+ $ssl_ciphers = $::nginx::config::ssl_ciphers,
 $ssl_key = undef,
 $ssl_port = undef,
 $starttls = 'off',
@@ -99,6 +101,7 @@
 if ($ssl_cert != undef) {
 validate_string($ssl_cert)
 }
+ validate_string($ssl_ciphers)
 if ($ssl_key != undef) {
 validate_string($ssl_key)
 }
diff --git a/manifests/resource/vhost.pp b/manifests/resource/vhost.pp
index 3e17d581b..30318e85e 100644
--- a/manifests/resource/vhost.pp
+++ b/manifests/resource/vhost.pp
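Review bot: The added `validate_string($ssl_ciphers)` accepts the empty string (and stdlib documents that `validate_string(undef)` does not fail), yet the value is rendered unquoted into the mail `server {}` block by the template in this same commit, so an empty override produces `ssl_ciphers ;` and a value containing `;`, whitespace or `}` is parsed by nginx as further directives. An OpenSSL cipher string only ever needs characters from `[A-Za-z0-9+!:@=_-]`, so tighten the check to `validate_re($ssl_ciphers, '^[A-Za-z0-9+!:@=_-]+$', 'ssl_ciphers must be a non-empty OpenSSL cipher string')`. The default `$::nginx::config::ssl_ciphers` only resolves once `nginx::config` has been evaluated; presumably the define's other defaults rely on the same ordering, in which case this is consistent. The `nginx::resource::mailhost` define these hunks belong to opens before the first hunk and continues after the last.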
@@ -68,7 +68,7 @@
 # TLSv1.2'.
 # [*ssl_buffer_size*] - Sets the size of the buffer used for sending data.
 # [*ssl_ciphers*] - SSL ciphers enabled. Defaults to
-# 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA'.
+# nginx::config::ssl_ciphers
 # [*ssl_stapling*] - Bool: Enables or disables stapling of OCSP
 # responses by the server. Defaults to false.
 # [*ssl_stapling_file*] - String: When set, the stapled OCSP response
diff --git a/templates/mailhost/mailhost_ssl.erb b/templates/mailhost/mailhost_ssl.erb
index 28975a125..f308d0580 100644
--- a/templates/mailhost/mailhost_ssl.erb
+++ b/templates/mailhost/mailhost_ssl.erb
@@ -28,14 +28,9 @@ server {
 ssl on;
 ssl_certificate <%= @ssl_cert %>;
 ssl_certificate_key <%= @ssl_key %>;
- ssl_session_timeout 5m;
 ssl_protocols TLSv1;
-
- # Suggested from https://wiki.mozilla.org/Security/Server_Side_TLS#Nginx
- ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA';
-
+ ssl_ciphers <%= @ssl_ciphers %>;
 ssl_prefer_server_ciphers on;
-
 }
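Review bot: The unchanged `ssl_protocols TLSv1;` two lines above the new `ssl_ciphers <%= @ssl_ciphers %>;` pins the mail listener to TLS 1.0, so every ChaCha20-Poly1305, AES-GCM and SHA-256/384 suite that the new `nginx::config::ssl_ciphers` default leads with can never be negotiated here (they require TLS 1.2), and clients end up on the CBC-SHA1 and 3DES suites at the tail of the list while the http vhosts get `TLSv1 TLSv1.1 TLSv1.2`. Since the commit is already wiring the mailhost to the module defaults, do the same for protocols: `ssl_protocols <%= @ssl_protocols %>;` backed by a `$ssl_protocols = $::nginx::config::ssl_protocols` parameter (with the same string validation as `ssl_ciphers`) on `nginx::resource::mailhost`. Dropping `ssl_session_timeout 5m;` is harmless on its own, as 5m is nginx's built-in default, but `ssl_prefer_server_ciphers on;` only helps once the server actually has a strong suite it is allowed to prefer. The `server {` block opens before the hunk and closes on its last line.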