From 15d537029af67b9cec13d7b6cc553364578c7ef3 Mon Sep 17 00:00:00 2001
From: Giovanni Pellerano
Date: Mon, 2 Sep 2019 10:12:29 +0200
Subject: [PATCH 1/2] Enable TLSv1.3 ciphers
---
 install_files/ansible-base/roles/app/defaults/main.yml | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/install_files/ansible-base/roles/app/defaults/main.yml b/install_files/ansible-base/roles/app/defaults/main.yml
index f6953d364d..5496e925f1 100644
--- a/install_files/ansible-base/roles/app/defaults/main.yml
+++ b/install_files/ansible-base/roles/app/defaults/main.yml
@@ -34,6 +34,9 @@ securedrop_app_https_certificate_chain_src: DigiCertCA.crt
 # The `SSLHonorCipherOrder` option is set to true, so ciphers below are
 # listed in order of preference.
 securedrop_app_https_ssl_ciphers:
+ - TLS13-AES-256-GCM-SHA384
+ - TLS13-CHACHA20-POLY1305-SHA256
+ - TLS13-AES-128-GCM-SHA256
 - ECDHE-ECDSA-AES256-GCM-SHA384
 - ECDHE-RSA-AES256-GCM-SHA384
 - ECDHE-ECDSA-CHACHA20-POLY1305

From 766d52163475a92a32e3fed7671ca845dcc64af7 Mon Sep 17 00:00:00 2001
From: Giovanni Pellerano
Date: Wed, 4 Sep 2019 22:50:22 +0200
Subject: [PATCH 2/2] Revise order of ciphers for TLSv1.3
---
 install_files/ansible-base/roles/app/defaults/main.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/install_files/ansible-base/roles/app/defaults/main.yml b/install_files/ansible-base/roles/app/defaults/main.yml
index 5496e925f1..9fef7a65f6 100644
--- a/install_files/ansible-base/roles/app/defaults/main.yml
+++ b/install_files/ansible-base/roles/app/defaults/main.yml
@@ -34,9 +34,9 @@ securedrop_app_https_certificate_chain_src: DigiCertCA.crt
 # The `SSLHonorCipherOrder` option is set to true, so ciphers below are
 # listed in order of preference.
 securedrop_app_https_ssl_ciphers:
+ - TLS13-AES-128-GCM-SHA256
 - TLS13-AES-256-GCM-SHA384
 - TLS13-CHACHA20-POLY1305-SHA256
- - TLS13-AES-128-GCM-SHA256
 - ECDHE-ECDSA-AES256-GCM-SHA384
 - ECDHE-RSA-AES256-GCM-SHA384
 - ECDHE-ECDSA-CHACHA20-POLY1305
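Review bot: The three `TLS13-*` entries added in [PATCH 1/2] (and reordered in [PATCH 2/2]) use the suite names from OpenSSL 1.1.1 pre-releases; the released library names them `TLS_AES_256_GCM_SHA384`, `TLS_CHACHA20_POLY1305_SHA256` and `TLS_AES_128_GCM_SHA256` and takes them through a separate TLS 1.3 suite list, not the TLS 1.2 cipher string. The template that renders `securedrop_app_https_ssl_ciphers` is outside the hunk, but if it joins the list into one `SSLCipherSuite` value these entries are likely to be skipped as unknown names, in which case the stated preference order would not govern TLS 1.3 handshakes. Running `openssl ciphers -v '<rendered list>'` on the target host would show what is actually accepted; if TLS 1.3 is intended, a separate variable rendered as `SSLCipherSuite TLSv1.3 ...` keeps the two lists apart.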
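Review bot: After the reorder in [PATCH 2/2] the TLS 1.3 group prefers AES-128-GCM, while the TLS 1.2 entries that follow still list the AES-256 suites first, and neither the commit message nor the comment above the list explains why the two groups follow different policies. Because that comment says the order is the preference order, a line such as `# TLS 1.3 suites first (AES-128-GCM preferred: <rationale>), then TLS 1.2 suites.` above the list would record the intent for the next editor. The list continues past the end of the hunk, so the rest of the TLS 1.2 order is not visible here.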