Majic Ansible Roles / Closed Feature request MAR-49 TLS hardening
This issue has been closed with status "Closed" and resolution "RESOLVED".
Issue basics
  • Type of issue
    Feature request
  • Category
    Security
  • Targeted for
    1.0.0
  • Status
    Closed
  • Progress
  • Priority
    Normal
User pain
  • Type of bug
    Not triaged
  • Likelihood
    Not triaged
  • Effect
    Not triaged
Times and dates
  • Posted at
  • Last updated
  • Estimated time
    8 hours
  • Time spent
    No time spent
Issue details
  • Resolution
    RESOLVED
Description
Currently all of the services deployed with TLS use the default TLS configuration, whatever the underlying software configures as such.

It would be beneficial if some additional TLS hardening were applied to all such roles. In particular, the following would be good to implement:
* Enable only TLS 1.2.
* Explicitly specify the list of allowed ciphers, limiting them to ciphers that support perfect forward secrecy.
* Validate that the deployments are not vulnerable to the multitude of TLS attacks from the last couple of years.

At least the following roles would need updates:
* web_server (nginx)
* ldap_server (slapd)
* xmpp_server (Prosody)
* mail_server (Dovecot, Postfix)
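
The first two requirements above (TLS 1.2 only, forward-secret ciphers only) can be checked offline against a candidate cipher string before it is templated into a role. The following is an added example, not part of the original issue or of the roles' code; the cipher string and the function names are assumptions chosen for illustration.

```python
import ssl

# Assumed policy in OpenSSL cipher-list syntax (not taken from the issue):
# only authenticated ephemeral (EC)DH key exchange with AEAD ciphers.
PFS_CIPHERS = "ECDHE+AESGCM:ECDHE+CHACHA20:DHE+AESGCM"


def hardened_context(ciphers=PFS_CIPHERS):
    """Build a server-side context pinned to TLS 1.2 with the given cipher list."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.maximum_version = ssl.TLSVersion.TLSv1_2
    ctx.set_ciphers(ciphers)  # raises ssl.SSLError if nothing matches
    return ctx


def is_pfs(name):
    """True if an OpenSSL TLS 1.2 suite name uses authenticated ephemeral DH."""
    return name.startswith(("ECDHE-", "DHE-"))


def non_pfs_ciphers(ctx):
    """Names of enabled suites that do not provide forward secrecy."""
    names = [c["name"] for c in ctx.get_ciphers()]
    # TLS 1.3 suites (TLS_*) may still be listed by OpenSSL, but cannot be
    # negotiated because maximum_version is TLS 1.2, so they are skipped.
    return [n for n in names if not n.startswith("TLS_") and not is_pfs(n)]


if __name__ == "__main__":
    good = hardened_context()
    print("policy OK, leftovers:", non_pfs_ciphers(good))
    # Constructed bad policy: a static-RSA suite slipped into the list.
    bad = hardened_context("AES256-GCM-SHA384:ECDHE+AESGCM")
    print("flagged:", non_pfs_ciphers(bad))
```

The same cipher-list syntax is accepted by the OpenSSL-based services named above, so a string that passes this check locally still has to be verified against each deployed service.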