Merge pull request #5988 from evilaliv3/feature/add-tls1.3-ciphers
Add support for TLSv1.3 ciphersuites as for #4769
conorsch authored Aug 2, 2021
2 parents a0ce3e7 + 3163bf9 commit c6cd624
Showing 5 changed files with 20 additions and 16 deletions.
1 change: 1 addition & 0 deletions Makefile
Expand Up @@ -136,6 +136,7 @@ safety: ## Run `safety check` to check python dependencies for vulnerabilities.
--ignore 39606 \
--ignore 39611 \
--ignore 39621 \
--ignore 41002 \
--full-report -r $$req_file \
&& echo -e '\n' \
|| exit 1; \
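Review bot: The added `--ignore 41002` records no reason for accepting that advisory, and the neighbouring ignores carry none either, so a reader of the `safety` target cannot tell whether any of them is still justified. A `#` comment cannot sit inside the backslash-continued recipe line, so the place for it is above the `safety:` target, which begins outside the hunk, e.g. `# safety ignores: 41002 - <reason, e.g. vulnerable code path not reachable>; revisit when the pinned package is bumped`. A short note like that per ID keeps the ignore list reviewable instead of permanent.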
2 changes: 0 additions & 2 deletions install_files/ansible-base/roles/app/tasks/main.yml
@@ -1,6 +1,4 @@
---
- include_vars: "{{ ansible_distribution }}_{{ ansible_distribution_release }}.yml"

- include: app_install_fpf_deb_pkgs.yml
when: securedrop_app_install_from_repo

Expand Up @@ -16,11 +16,10 @@ SSLCertificateFile /var/lib/ssl/{{ securedrop_app_https_certificate_cert_src|bas
SSLCertificateKeyFile /var/lib/ssl/{{ securedrop_app_https_certificate_key_src|basename }}
SSLCertificateChainFile /var/lib/ssl/{{ securedrop_app_https_certificate_chain_src|basename }}

# Evaluate support for TLSv1.3 in Tor Browser for Onions, conservatively
# we'll continue to support TLSv1.2 for now.
SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1
SSLCipherSuite {{ securedrop_app_https_ssl_ciphers|join(':') }}
SSLHonorCipherOrder on
# Support only TLSv1.3, all older versions are prohibited.
SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1 -TLSv1.2
SSLHonorCipherOrder off
SSLSessionTickets off
SSLCompression off
{% endif %}

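Review bot: The new `SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1 -TLSv1.2` line leaves TLSv1.3 as the only enabled protocol, but nothing in the template records what that depends on: on a mod_ssl/OpenSSL build without TLSv1.3 support the subtractive list leaves no negotiable protocol at all and every source handshake fails, and with the `SSLCipherSuite` line gone the TLSv1.3 ciphersuites are now OpenSSL's defaults rather than the `securedrop_app_https_ssl_ciphers` list. The replaced comment only says "Support only TLSv1.3"; I would extend it to `# TLSv1.3 only: requires mod_ssl built with TLSv1.3 support; ciphersuites are OpenSSL's TLSv1.3 defaults, the former SSLCipherSuite list does not govern them.` That also explains to the next reader why `SSLHonorCipherOrder` was switched to `off`. The surrounding `{% if %}` block opens outside the hunk.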
9 changes: 0 additions & 9 deletions install_files/ansible-base/roles/app/vars/Ubuntu_focal.yml

This file was deleted.

15 changes: 15 additions & 0 deletions install_files/securedrop-app-code/debian/postinst
Expand Up @@ -104,6 +104,18 @@ remove_bytecode() {
find "${SDVE}" -name '*.py[co]' -delete
}

#
# Modify existing instance to use only TLS1.3 for the source.
update_to_tls13(){
source_conf="/etc/apache2/sites-available/source.conf"
if grep -qP '^SSLProtocol all' "$source_conf"; then
sed -i '/^SSLProtocol all/c\SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1 -TLSv1.2' "$source_conf"
sed -i '/^SSLCipherSuite ECDHE-ECDSA-AES256-GCM-SHA384/d' "$source_conf"
sed -i '/^SSLHonorCipherOrder on/c\SSLHonorCipherOrder off' "$source_conf"
sed -i '/^SSLCompression off/ a \\SSLSessionTickets off' "$source_conf"
fi
}

case "$1" in
configure)

Expand Down Expand Up @@ -169,6 +181,9 @@ case "$1" in
# Remove Python bytecode from virtualenv
remove_bytecode

# Add TLS1.3 configruation to the source configruation if required
update_to_tls13

# Restart apache so it loads with the apparmor profiles in enforce mode.
service apache2 restart

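Review bot: `update_to_tls13` is not idempotent: its guard `grep -qP '^SSLProtocol all'` still matches after the migration, because the replacement line also begins with `SSLProtocol all`, and the function is called unconditionally from the `configure)` branch in the second hunk, so every later package upgrade re-runs the four `sed -i` edits and the `a \\SSLSessionTickets off` one appends another duplicate line after `SSLCompression off` each time. Narrowing the guard to the pre-migration value, `if grep -q '^SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1$' "$source_conf"; then`, makes the whole block run exactly once (and drops the unneeded `-P`, since no PCRE syntax is used). The `SSLCipherSuite` deletion is keyed on the list starting with `ECDHE-ECDSA-AES256-GCM-SHA384`, so an instance that customised `securedrop_app_https_ssl_ciphers` keeps its old directive; that is probably harmless under TLSv1.3-only negotiation but deserves a comment. `source_conf` should also be declared `local` if the script runs under bash, which the hunk does not show, and the comment `# Add TLS1.3 configruation to the source configruation if required` in the second hunk misspells "configuration" twice.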
