From e765aae84c792b5ae24e84b79dd966f390f2439c Mon Sep 17 00:00:00 2001 From: Giovanni Pellerano Date: Fri, 11 Jun 2021 11:58:30 +0200 Subject: [PATCH 1/4] Add support for support TLSv1.3 ciphersuites as for #4769 --- install_files/ansible-base/roles/app/vars/Ubuntu_focal.yml | 3 +++ 1 file changed, 3 insertions(+) diff --git a/install_files/ansible-base/roles/app/vars/Ubuntu_focal.yml b/install_files/ansible-base/roles/app/vars/Ubuntu_focal.yml index e31697d0ef..ba5189c346 100644 --- a/install_files/ansible-base/roles/app/vars/Ubuntu_focal.yml +++ b/install_files/ansible-base/roles/app/vars/Ubuntu_focal.yml @@ -3,6 +3,9 @@ # The `SSLHonorCipherOrder` option is set to true, so ciphers below are # listed in order of preference. securedrop_app_https_ssl_ciphers: + - TLS13-AES-256-GCM-SHA384 + - TLS13-CHACHA20-POLY1305-SHA256 + - TLS13-AES-128-GCM-SHA256 - ECDHE-ECDSA-AES256-GCM-SHA384 - ECDHE-RSA-AES256-GCM-SHA384 - ECDHE-ECDSA-AES128-GCM-SHA256 From af515f9b8de1ca199fdc4fb691e6232fd50f8e58 Mon Sep 17 00:00:00 2001 From: Giovanni Pellerano Date: Tue, 20 Jul 2021 18:34:56 +0200 Subject: [PATCH 2/4] Drop TLSv1.2 support --- .../roles/app/templates/sites-available/focal/source.conf | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/install_files/ansible-base/roles/app/templates/sites-available/focal/source.conf b/install_files/ansible-base/roles/app/templates/sites-available/focal/source.conf index 647fb155e4..31e229d589 100644 --- a/install_files/ansible-base/roles/app/templates/sites-available/focal/source.conf +++ b/install_files/ansible-base/roles/app/templates/sites-available/focal/source.conf 
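Review bot: The three names prepended to `securedrop_app_https_ssl_ciphers` (`TLS13-AES-256-GCM-SHA384`, `TLS13-CHACHA20-POLY1305-SHA256`, `TLS13-AES-128-GCM-SHA256`) are, as far as I can tell, not the identifiers OpenSSL 1.1.1 uses for TLS 1.3 suites (`TLS_AES_256_GCM_SHA384`, `TLS_CHACHA20_POLY1305_SHA256`, `TLS_AES_128_GCM_SHA256`), and TLS 1.3 suites are not selected through the TLS ≤1.2 cipher string this list is joined into anyway. OpenSSL drops unrecognised names from a cipher list without error, so this hunk most likely leaves negotiation unchanged; since httpd 2.4.36 the TLS 1.3 set is pinned with a separate `SSLCipherSuite TLSv1.3 ...` directive. A later patch in this series deletes the file, but while the variable exists its header comment should say that it governs TLS 1.2 negotiation only, e.g. `# Cipher list for TLS 1.2; TLS 1.3 suites are configured separately.`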
@@ -18,9 +18,10 @@ SSLCertificateChainFile /var/lib/ssl/{{ securedrop_app_https_certificate_chain_s # Evaluate support for TLSv1.3 in Tor Browser for Onions, conservatively # we'll continue to support TLSv1.2 for now. -SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1 +SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1 -TLSv1.2 SSLCipherSuite {{ securedrop_app_https_ssl_ciphers|join(':') }} -SSLHonorCipherOrder on +SSLHonorCipherOrder off +SSLSessionTickets off SSLCompression off {% endif %} From fe893797a673e9f55915237c181ee22dedc15bec Mon Sep 17 00:00:00 2001 From: Kushal Das Date: Fri, 30 Jul 2021 20:01:03 +0530 Subject: [PATCH 3/4] Adds TLSv1.3 to apache source interface We now only provide TLSv1.3 on the source interface if there is TLS certificate is enabled. --- .../ansible-base/roles/app/tasks/main.yml | 2 -- .../templates/sites-available/focal/source.conf | 4 +--- .../ansible-base/roles/app/vars/Ubuntu_focal.yml | 12 ------------ install_files/securedrop-app-code/debian/postinst | 15 +++++++++++++++ 4 files changed, 16 insertions(+), 17 deletions(-) delete mode 100644 install_files/ansible-base/roles/app/vars/Ubuntu_focal.yml diff --git a/install_files/ansible-base/roles/app/tasks/main.yml b/install_files/ansible-base/roles/app/tasks/main.yml index fdebbd7024..baecf7b04a 100644 --- a/install_files/ansible-base/roles/app/tasks/main.yml +++ b/install_files/ansible-base/roles/app/tasks/main.yml @@ -1,6 +1,4 @@ --- -- include_vars: "{{ ansible_distribution }}_{{ ansible_distribution_release }}.yml" - - include: app_install_fpf_deb_pkgs.yml when: securedrop_app_install_from_repo diff --git a/install_files/ansible-base/roles/app/templates/sites-available/focal/source.conf b/install_files/ansible-base/roles/app/templates/sites-available/focal/source.conf index 31e229d589..2e01022f4f 100644 --- a/install_files/ansible-base/roles/app/templates/sites-available/focal/source.conf +++ b/install_files/ansible-base/roles/app/templates/sites-available/focal/source.conf 
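Review bot: `SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1 -TLSv1.2` leaves the enabled set implicit: on an httpd/OpenSSL build without TLS 1.3 the subtraction leaves no protocol at all and every handshake fails at runtime, whereas the explicit form `SSLProtocol TLSv1.3` (httpd ≥ 2.4.36 with OpenSSL 1.1.1, which I believe focal ships) is rejected by `configtest` on such a build and states the intent directly. The same subtractive string is written into existing instances by `update_to_tls13` in the postinst of the third patch, so whichever form is chosen the two should agree. `SSLSessionTickets off` is a sensible addition for an onion service, since it removes the ticket-key lifetime from the forward-secrecy picture. The comment above the directive still says TLS 1.2 is kept, which the third patch corrects.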
@@ -16,10 +16,8 @@ SSLCertificateFile /var/lib/ssl/{{ securedrop_app_https_certificate_cert_src|bas SSLCertificateKeyFile /var/lib/ssl/{{ securedrop_app_https_certificate_key_src|basename }} SSLCertificateChainFile /var/lib/ssl/{{ securedrop_app_https_certificate_chain_src|basename }} -# Evaluate support for TLSv1.3 in Tor Browser for Onions, conservatively -# we'll continue to support TLSv1.2 for now. +# Support only TLSv1.3, all older versions are prohibited. SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1 -TLSv1.2 -SSLCipherSuite {{ securedrop_app_https_ssl_ciphers|join(':') }} SSLHonorCipherOrder off SSLSessionTickets off SSLCompression off diff --git a/install_files/ansible-base/roles/app/vars/Ubuntu_focal.yml b/install_files/ansible-base/roles/app/vars/Ubuntu_focal.yml deleted file mode 100644 index ba5189c346..0000000000 --- a/install_files/ansible-base/roles/app/vars/Ubuntu_focal.yml +++ /dev/null @@ -1,12 +0,0 @@ ---- -# List of SSL ciphers honored by Source Interface vhost. Order matters! -# The `SSLHonorCipherOrder` option is set to true, so ciphers below are -# listed in order of preference. -securedrop_app_https_ssl_ciphers: - - TLS13-AES-256-GCM-SHA384 - - TLS13-CHACHA20-POLY1305-SHA256 - - TLS13-AES-128-GCM-SHA256 - - ECDHE-ECDSA-AES256-GCM-SHA384 - - ECDHE-RSA-AES256-GCM-SHA384 - - ECDHE-ECDSA-AES128-GCM-SHA256 - - ECDHE-RSA-AES128-GCM-SHA256 diff --git a/install_files/securedrop-app-code/debian/postinst b/install_files/securedrop-app-code/debian/postinst index dd68e9eed4..94b997be85 100644 --- a/install_files/securedrop-app-code/debian/postinst +++ b/install_files/securedrop-app-code/debian/postinst 
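Review bot: With `SSLCipherSuite` removed the vhost now negotiates from OpenSSL's built-in TLS 1.3 set, and the new comment should say so rather than leaving the next reader to wonder whether the directive was dropped by mistake; suggest `# Support only TLSv1.3. No SSLCipherSuite is needed: TLS 1.3 offers AEAD suites only and we accept OpenSSL's default set; pin them with "SSLCipherSuite TLSv1.3 ..." if that ever needs narrowing.` `SSLHonorCipherOrder off` on the line below no longer has a server-side list to order and could be dropped or explained in the same comment. The `{% if %}` that encloses this block starts outside the hunk, so I cannot see whether the non-certificate branch still carries its own protocol settings.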
@@ -104,6 +104,18 @@ remove_bytecode() { find "${SDVE}" -name '*.py[co]' -delete } +# +# Modify existing instance to use only TLS1.3 for the source. +update_to_tls13(){ + source_conf="/etc/apache2/sites-available/source.conf" + if grep -qP '^SSLProtocol all' "$source_conf"; then + sed -i '/^SSLProtocol all/c\SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1 -TLSv1.2' "$source_conf" + sed -i '/^SSLCipherSuite ECDHE-ECDSA-AES256-GCM-SHA384/d' "$source_conf" + sed -i '/^SSLHonorCipherOrder on/c\SSLHonorCipherOrder off' "$source_conf" + sed -i '/^SSLCompression off/ a \\SSLSessionTickets off' "$source_conf" + fi +} + case "$1" in configure) @@ -169,6 +181,9 @@ case "$1" in # Remove Python bytecode from virtualenv remove_bytecode + # Add TLS1.3 configruation to the source configruation if required + update_to_tls13 + # Restart apache so it loads with the apparmor profiles in enforce mode. service apache2 restart From 3163bf95df1cf126eebd9a1fe562d37b99b5ab77 Mon Sep 17 00:00:00 2001 From: Kushal Das Date: Mon, 2 Aug 2021 10:52:59 +0530 Subject: [PATCH 4/4] Ignores safety change 41002 coverage, installed 5.3, affected <6.0b1, id 41002 It is not released yet. --- Makefile | 1 + 1 file changed, 1 insertion(+) diff --git a/Makefile b/Makefile index e23745ad8a..b8e8d28206 100644 --- a/Makefile +++ b/Makefile @@ -136,6 +136,7 @@ safety: ## Run `safety check` to check python dependencies for vulnerabilities. --ignore 39606 \ --ignore 39611 \ --ignore 39621 \ + --ignore 41002 \ --full-report -r $$req_file \ && echo -e '\n' \ || exit 1; \
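Review bot: `update_to_tls13` is not idempotent: its guard `grep -qP '^SSLProtocol all'` also matches the line the function itself writes, so every later `postinst configure` run (each package upgrade) re-enters the `if` and the `a \\SSLSessionTickets off` command appends one more `SSLSessionTickets off` line after `SSLCompression off`; httpd tolerates the duplicates, but the file grows on every upgrade. Guard on the pre-migration state instead, e.g. `if grep -q '^SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1$' "$source_conf"; then` — the `c\` and `d` commands are already no-ops on a migrated file, and `-P` is not needed for a literal anchor. The `d` command only removes the cipher line when the list begins with `ECDHE-ECDSA-AES256-GCM-SHA384`; `/^SSLCipherSuite /d` would not depend on the list order. The `\\S` inside the single-quoted `a` text relies on GNU sed's escape handling in appended text; worth checking on a copy that the emitted line has no leading backslash.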
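Review bot: The call-site comment misspells "configuration" twice and does not say the edit is meant to be a one-time migration; suggest `# Switch an existing source.conf to TLS 1.3 only (no-op once migrated).` The call sits immediately before `service apache2 restart`, so a malformed edit to source.conf takes the Source Interface down with the restart; running `apache2ctl configtest` between the two, and aborting on failure, would surface that before the service stops. I cannot see from the hunk whether the script runs under `set -e`, so whether a failed sed is fatal is unclear.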
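Review bot: `--ignore 41002` joins three other bare ignore IDs with nothing in the file recording what each one suppresses or when it can be removed; the commit message carries that for this one (coverage 5.3, fixed in 6.0b1, unreleased), but the recipe is where the next maintainer looks, and an unexpiring ignore is how a real advisory gets silenced for good. A comment cannot go inside this backslash-continued command (inside a recipe `#` is passed to the shell and would swallow the trailing `\`), so place it above the `safety:` rule, e.g. `# 41002: coverage <6.0b1, fix unreleased as of 2021-08; drop once coverage>=6.0 is pinned`, or move the IDs into a `SAFETY_IGNORE_IDS` variable with one commented entry per line. The `safety:` recipe starts and ends outside this hunk.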