Add support for support TLSv1.3 ciphersuites as for #4769

Makefile

@@ -136,6 +136,7 @@ safety:  ## Run `safety check` to check python dependencies for vulnerabilities.
 		--ignore 39606 \
 		--ignore 39611 \
 		--ignore 39621 \
+		--ignore 41002 \
 		--full-report -r $$req_file \
 		&& echo -e '\n' \
 		|| exit 1; \

install_files/ansible-base/roles/app/tasks/main.yml

@@ -1,6 +1,4 @@
 ---
-- include_vars: "{{ ansible_distribution }}_{{ ansible_distribution_release }}.yml"
-
 - include: app_install_fpf_deb_pkgs.yml
   when: securedrop_app_install_from_repo
 

install_files/ansible-base/roles/app/templates/sites-available/focal/source.conf

@@ -16,11 +16,10 @@ SSLCertificateFile /var/lib/ssl/{{ securedrop_app_https_certificate_cert_src|bas
 SSLCertificateKeyFile /var/lib/ssl/{{ securedrop_app_https_certificate_key_src|basename }}
 SSLCertificateChainFile /var/lib/ssl/{{ securedrop_app_https_certificate_chain_src|basename }}
 
-# Evaluate support for TLSv1.3 in Tor Browser for Onions, conservatively
-# we'll continue to support TLSv1.2 for now.
-SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1
-SSLCipherSuite {{ securedrop_app_https_ssl_ciphers|join(':') }}
-SSLHonorCipherOrder on
+# Support only TLSv1.3, all older versions are prohibited.
+SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1 -TLSv1.2
+SSLHonorCipherOrder off
+SSLSessionTickets off
 SSLCompression off
 {% endif %}
 

install_files/securedrop-app-code/debian/postinst

@@ -104,6 +104,18 @@ remove_bytecode() {
     find "${SDVE}" -name '*.py[co]' -delete
 }
 
+#
+# Modify existing instance to use only TLS1.3 for the source.
+update_to_tls13(){
+    source_conf="/etc/apache2/sites-available/source.conf"
+    if grep -qP '^SSLProtocol all' "$source_conf"; then
+        sed -i '/^SSLProtocol all/c\SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1 -TLSv1.2' "$source_conf"
+        sed -i '/^SSLCipherSuite ECDHE-ECDSA-AES256-GCM-SHA384/d' "$source_conf"
+        sed -i '/^SSLHonorCipherOrder on/c\SSLHonorCipherOrder off' "$source_conf"
+        sed -i '/^SSLCompression off/ a \\SSLSessionTickets off' "$source_conf"
+    fi
+}
+
 case "$1" in
     configure)
 
@@ -169,6 +181,9 @@ case "$1" in
     # Remove Python bytecode from virtualenv
     remove_bytecode
 
+    # Add TLS1.3 configruation to the source configruation if required
+    update_to_tls13
+
     # Restart apache so it loads with the apparmor profiles in enforce mode.
     service apache2 restart