Unify all ssl cipher suite configurations

Signed-off-by: Patrick Uiterwijk <puiterwijk@redhat.com>

files/httpd/newvirtualhost.conf.j2

@@ -15,13 +15,12 @@
   #   SSL Protocol support:
   # List the enable protocol levels with which clients will be able to
   # connect.  Disable SSLv2 access by default:
-  SSLProtocol all -SSLv2
+  SSLProtocol {{ ssl_protocols }}
 
   #   SSL Cipher Suite:
   # List the ciphers that the client is permitted to negotiate.
   # See the mod_ssl documentation for a complete list.
-  #SSLCipherSuite ALL:!ADH:!EXPORT:!SSLv2:RC4+RSA:+HIGH:+MEDIUM:+LOW
+  SSLCipherSuite {{ ssl_ciphers }}
-  SSLCipherSuite HIGH:MEDIUM:!aNULL:!MD5
 
   #   Server Certificate:
   # Point SSLCertificateFile at a PEM encoded certificate.  If

files/lists-dev/apache.conf.j2

@@ -11,7 +11,7 @@
     SSLCertificateKeyFile /etc/pki/tls/private/localhost.key
     #SSLCertificateChainFile /etc/pki/tls/cert.pem
     SSLHonorCipherOrder On
-    SSLCipherSuite ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!3DES:!MD5:!PSK
+    SSLCipherSuite {{ ssl_ciphers }}
-    SSLProtocol -All +TLSv1 +TLSv1.1 +TLSv1.2
+    SSLProtocol {{ ssl_protocols }}
 </VirtualHost>
 

roles/batcave/tasks/main.yml

@@ -252,7 +252,7 @@
   - httpd
 
 - name: install web server config for batcave (main config)
-  copy: src=infrastructure.fedoraproject.org.conf dest=/etc/httpd/conf.d/infrastructure.fedoraproject.org.conf mode=0644
+  template: src=infrastructure.fedoraproject.org.conf.j2 dest=/etc/httpd/conf.d/infrastructure.fedoraproject.org.conf mode=0644
   tags:
   - batcave
   - config

roles/batcave/templates/infrastructure.fedoraproject.org.conf.j2

@@ -121,8 +121,8 @@ ScriptAlias /cgi-bin/ "/var/www/cgi-bin/"
   # https://fedorahosted.org/fedora-infrastructure/ticket/4101#comment:14
   # If you change the protocols or cipher suites, you should probably update
   # modules/squid/files/squid.conf-el6 too, to keep it in sync.
-  SSLProtocol -All +TLSv1 +TLSv1.1 +TLSv1.2
+  SSLProtocol {{ ssl_protocols }}
-  SSLCipherSuite ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!3DES:!MD5:!PSK
+  SSLCipherSuite {{ ssl_ciphers }}
 
 # robots location
 Alias /robots.txt /srv/web/robots.txt.lockbox01

roles/copr/frontend/tasks/main.yml

@@ -44,7 +44,7 @@
   - config
 
 - name: install copr-frontend ssl vhost for production
-  copy: src="httpd/coprs_ssl.conf" dest="/etc/httpd/conf.d/copr_ssl.conf"
+  template: src="httpd/coprs_ssl.conf.j2" dest="/etc/httpd/conf.d/copr_ssl.conf"
   when: not devel
   tags:
   - config

roles/copr/frontend/templates/httpd/coprs_ssl.conf

@@ -1,8 +1,8 @@
 <VirtualHost *:443>
     SSLEngine on
-    SSLProtocol all -SSLv2 -SSLv3
+    SSLProtocol {{ ssl_protocols }}
     # Use secure TLSv1.1 and TLSv1.2 ciphers
-    SSLCipherSuite ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-SHA256:RC4-SHA:AES128-SHA:HIGH:!aNULL:!MD5
+    SSLCipherSuite {{ ssl_ciphers }}
     SSLHonorCipherOrder on
     Header always add Strict-Transport-Security "max-age=15768000; preload"
 
@@ -44,9 +44,9 @@
 
 <VirtualHost *:443>
     SSLEngine on
-    SSLProtocol all -SSLv2 -SSLv3
+    SSLProtocol {{ ssl_protocols }}
     # Use secure TLSv1.1 and TLSv1.2 ciphers
-    SSLCipherSuite ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-SHA256:RC4-SHA:AES128-SHA:HIGH:!aNULL:!MD5
+    SSLCipherSuite {{ ssl_ciphers }}
     SSLHonorCipherOrder on
     Header always add Strict-Transport-Security "max-age=15768000; preload"
 

roles/distgit/tasks/main.yml

@@ -274,7 +274,7 @@
 # -- Lookaside Cache -------------------------------------
 # This is the annex to Dist Git, where we host source tarballs.
 - name: install the Lookaside Cache httpd configs
-  copy: src={{item}} dest=/etc/httpd/conf.d/pkgs.fedoraproject.org/{{item}}
+  template: src={{item}} dest=/etc/httpd/conf.d/pkgs.fedoraproject.org/{{item}}
   with_items:
   - lookaside.conf
   - lookaside-upload.conf

roles/distgit/templates/lookaside-upload.conf

@@ -28,7 +28,8 @@ SSLCryptoDevice builtin
     SSLCACertificateFile  conf/cacert.pem
     SSLCARevocationFile  /etc/pki/tls/crl.pem
 
-    SSLCipherSuite RSA:!EXPORT:!DH:!LOW:!NULL:+MEDIUM:+HIGH
+    SSLProtocol {{ ssl_protocols }}
+    SSLCipherSuite {{ ssl_ciphers }}
 
 # Must be 'optional' everywhere in order to have POST operations work to upload.cgi
     SSLVerifyClient optional

roles/download/tasks/main.yml

@@ -68,7 +68,7 @@
   copy: src="{{private}}/files/httpd/wildcard-2014.fedoraproject.org.intermediate.cert" dest=/etc/pki/tls/certs/wildcard-2014.fedoraproject.org.intermediate.cert owner=root group=root mode=0644
 
 - name: Configure httpd dl main conf
-  copy: src=httpd/dl.fedoraproject.org.conf dest=/etc/httpd/conf.d/dl.fedoraproject.org.conf
+  template: src=httpd/dl.fedoraproject.org.conf dest=/etc/httpd/conf.d/dl.fedoraproject.org.conf
   notify:
   - reload httpd
 

roles/download/templates/httpd/dl.fedoraproject.org.conf

@@ -24,8 +24,8 @@
   # If you change the protocols or cipher suites, you should probably update
   # modules/squid/files/squid.conf-el6 too, to keep it in sync.
 
-   SSLProtocol -All +TLSv1 +TLSv1.1 +TLSv1.2
+   SSLProtocol {{ ssl_protocols }}
-   SSLCipherSuite ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES256-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!3DES:!MD5:!PSK
+   SSLCipherSuite {{ ssl_ciphers }}
 
   Include "conf.d/dl.fedoraproject.org/*.conf"
 </VirtualHost>

roles/graphite/grafana/templates/grafana.conf

@@ -19,8 +19,8 @@
   SSLCertificateKeyFile /etc/letsencrypt/live/grafana.cloud.fedoraproject.org/privkey.pem
   SSLCertificateChainFile /etc/letsencrypt/live/grafana.cloud.fedoraproject.org/fullchain.pem
   SSLHonorCipherOrder On
-  SSLCipherSuite RC4-SHA:AES128-SHA:ALL:!ADH:!EXP:!LOW:!MD5:!SSLV2:!NULL
+  SSLCipherSuite {{ ssl_ciphers }}
-  SSLProtocol ALL -SSLv2
+  SSLProtocol {{ ssl_protocols }}
 
   ProxyPass / http://localhost:3000/
   ProxyPassReverse / http://localhost:3000/

roles/graphite/graphite/templates/graphite-web.conf

@@ -37,8 +37,8 @@
   SSLCertificateKeyFile /etc/letsencrypt/live/graphite.cloud.fedoraproject.org/privkey.pem
   SSLCertificateChainFile /etc/letsencrypt/live/graphite.cloud.fedoraproject.org/fullchain.pem
   SSLHonorCipherOrder On
-  SSLCipherSuite RC4-SHA:AES128-SHA:ALL:!ADH:!EXP:!LOW:!MD5:!SSLV2:!NULL
+  SSLCipherSuite {{ ssl_ciphers }}
-  SSLProtocol ALL -SSLv2
+  SSLProtocol {{ ssl_protocols }}
 
   ProxyPass / http://graphite.cloud.fedoraproject.org/
   ProxyPassReverse / http://graphite.cloud.fedoraproject.org/

roles/httpd/templates/website.conf.j2

@@ -42,8 +42,8 @@
   # https://fedorahosted.org/fedora-infrastructure/ticket/4101#comment:14
   # If you change the protocols or cipher suites, you should probably update
   # modules/squid/files/squid.conf-el6 too, to keep it in sync.
-  SSLProtocol -All +TLSv1 +TLSv1.1 +TLSv1.2
+  SSLProtocol {{ ssl_protocols }}
-  SSLCipherSuite ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!3DES:!MD5:!PSK
+  SSLCipherSuite {{ ssl_ciphers }}
 
   Include "conf.d/{{ name }}/*.conf"
 </VirtualHost>

roles/httpd/website/templates/website.conf

@@ -42,8 +42,8 @@
   # https://fedorahosted.org/fedora-infrastructure/ticket/4101#comment:14
   # If you change the protocols or cipher suites, you should probably update
   # modules/squid/files/squid.conf-el6 too, to keep it in sync.
-  SSLProtocol -All +TLSv1 +TLSv1.1 +TLSv1.2
+  SSLProtocol {{ ssl_protocols }}
-  SSLCipherSuite ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!3DES:!MD5:!PSK
+  SSLCipherSuite {{ ssl_ciphers }}
 
 {% if sslonly %}
   Header always add Strict-Transport-Security "max-age=15768000; includeSubDomains; preload"

roles/infinote/tasks/main.yml

@@ -21,7 +21,7 @@
   - config
 
 - name: Setup basic apache config
-  copy: src=infinote.fedoraproject.org.conf dest=/etc/httpd/conf.d/infinote.fedoraproject.org.conf
+  template: src=infinote.fedoraproject.org.conf dest=/etc/httpd/conf.d/infinote.fedoraproject.org.conf
   tags:
   - infinote
   - config

roles/infinote/templates/infinote.fedoraproject.org.conf

@@ -82,8 +82,8 @@ ScriptAlias /cgi-bin/ "/var/www/cgi-bin/"
   # https://fedorahosted.org/fedora-infrastructure/ticket/4101#comment:14
   # If you change the protocols or cipher suites, you should probably update
   # modules/squid/files/squid.conf-el6 too, to keep it in sync.
-  SSLProtocol -All +TLSv1 +TLSv1.1 +TLSv1.2
+  SSLProtocol {{ ssl_protocols }}
-  SSLCipherSuite ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!3DES:!MD5:!PSK
+  SSLCipherSuite {{ ssl_ciphers }}
 
 # robots location
 Alias /robots.txt /srv/web/robots.txt.lockbox01

roles/keyserver/tasks/main.yml

@@ -43,12 +43,12 @@
   - config
 
 - name: /etc/httpd/conf.d/sks.conf
-  copy: src="sks.conf" dest=/etc/httpd/conf.d/sks.conf owner=root group=root mode=0644
+  template: src="sks.conf" dest=/etc/httpd/conf.d/sks.conf owner=root group=root mode=0644
   tags:
   - config
 
 - name: /etc/httpd/conf.d/ssl.conf
-  copy: src="ssl.conf" dest=/etc/httpd/conf.d/ssl.conf owner=root group=root mode=0644
+  template: src="ssl.conf" dest=/etc/httpd/conf.d/ssl.conf owner=root group=root mode=0644
   tags:
   - config
 

roles/keyserver/templates/sks.conf

@@ -56,8 +56,8 @@ NameVirtualHost *:443
         SSLCertificateFile /etc/pki/tls/wildcard-2014.fedoraproject.org.cert
 	SSLCertificateChainFile /etc/pki/tls/wildcard-2014.fedoraproject.org.intermediate.cert
         SSLCertificateKeyFile /etc/pki/tls/wildcard-2014.fedoraproject.org.key
-        SSLProtocol -All +TLSv1 +TLSv1.1 +TLSv1.2
+        SSLProtocol {{ ssl_protocols }}
-	SSLCipherSuite ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!3DES:!MD5:!PSK
+	SSLCipherSuite {{ ssl_ciphers }}
 
 	ProxyPass / http://localhost:11371/
 	ProxyPassReverse / http://localhost:11371/
@@ -73,8 +73,8 @@ NameVirtualHost *:443
         SSLEngine on
         SSLCertificateFile /etc/pki/tls/keys_fedoraproject_org.crt.pem
         SSLCertificateKeyFile /etc/pki/tls/keys_fedoraproject_org.key
-	SSLProtocol -All +TLSv1 +TLSv1.1 +TLSv1.2
+	SSLProtocol {{ ssl_protocols }}
-	SSLCipherSuite ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!3DES:!MD5:!PSK
+	SSLCipherSuite {{ ssl_ciphers }}
 
         ProxyPass / http://localhost:11371/
         ProxyPassReverse / http://localhost:11371/

roles/keyserver/templates/ssl.conf

@@ -92,12 +92,12 @@ SSLEngine on
 #   SSL Protocol support:
 # List the enable protocol levels with which clients will be able to
 # connect.  Disable SSLv2 access by default:
-SSLProtocol -All +TLSv1 +TLSv1.1 +TLSv1.2
+SSLProtocol {{ ssl_protocols }}
 
 #   SSL Cipher Suite:
 # List the ciphers that the client is permitted to negotiate.
 # See the mod_ssl documentation for a complete list.
-SSLCipherSuite ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!3DES:!MD5:!PSK
+SSLCipherSuite {{ ssl_ciphers }}
 
 #   Server Certificate:
 # Point SSLCertificateFile at a PEM encoded certificate.  If

roles/koji_hub/tasks/main.yml

@@ -297,7 +297,7 @@
   when: env == "staging"
 
 - name: koji staging ssl config
-  copy: src=koji-ssl.conf.stg dest=/etc/httpd/conf.d/ssl.conf
+  template: src=koji-ssl.conf.stg dest=/etc/httpd/conf.d/ssl.conf
   tags:
   - config
   - koji_hub
@@ -305,7 +305,7 @@
   when: env == "staging"
 
 - name: koji ssl config
-  copy: src=koji-ssl.conf dest=/etc/httpd/conf.d/ssl.conf
+  template: src=koji-ssl.conf dest=/etc/httpd/conf.d/ssl.conf
   tags:
   - config
   - koji_hub

roles/koji_hub/templates/koji-ssl.conf

@@ -72,12 +72,12 @@ SSLEngine on
 #   SSL Protocol support:
 # List the enable protocol levels with which clients will be able to
 # connect.  Disable SSLv2 access by default:
-SSLProtocol all -SSLv2
+SSLProtocol {{ ssl_protocols }}
 
 #   SSL Cipher Suite:
 #   List the ciphers that the client is permitted to negotiate.
 #   See the mod_ssl documentation for a complete list.
-SSLCipherSuite HIGH:MEDIUM:!aNULL:!MD5
+SSLCipherSuite {{ ssl_ciphers }}
 
 #   Speed-optimized SSL Cipher configuration:
 #   If speed is your main concern (on busy HTTPS servers e.g.),

roles/koji_hub/templates/koji-ssl.conf.arm

@@ -72,12 +72,12 @@ SSLEngine on
 #   SSL Protocol support:
 # List the enable protocol levels with which clients will be able to
 # connect.  Disable SSLv2 access by default:
-SSLProtocol all -SSLv2
+SSLProtocol {{ ssl_protocols }}
 
 #   SSL Cipher Suite:
 #   List the ciphers that the client is permitted to negotiate.
 #   See the mod_ssl documentation for a complete list.
-SSLCipherSuite HIGH:MEDIUM:!aNULL:!MD5
+SSLCipherSuite {{ ssl_ciphers }}
 
 #   Speed-optimized SSL Cipher configuration:
 #   If speed is your main concern (on busy HTTPS servers e.g.),

roles/koji_hub/templates/koji-ssl.conf.ppc

@@ -72,12 +72,12 @@ SSLEngine on
 #   SSL Protocol support:
 # List the enable protocol levels with which clients will be able to
 # connect.  Disable SSLv2 access by default:
-SSLProtocol all -SSLv2
+SSLProtocol {{ ssl_protocols }}
 
 #   SSL Cipher Suite:
 #   List the ciphers that the client is permitted to negotiate.
 #   See the mod_ssl documentation for a complete list.
-SSLCipherSuite HIGH:MEDIUM:!aNULL:!MD5
+SSLCipherSuite {{ ssl_ciphers }}
 
 #   Speed-optimized SSL Cipher configuration:
 #   If speed is your main concern (on busy HTTPS servers e.g.),

roles/koji_hub/templates/koji-ssl.conf.s390

@@ -72,12 +72,12 @@ SSLEngine on
 #   SSL Protocol support:
 # List the enable protocol levels with which clients will be able to
 # connect.  Disable SSLv2 access by default:
-SSLProtocol all -SSLv2
+SSLProtocol {{ ssl_protocols }}
 
 #   SSL Cipher Suite:
 #   List the ciphers that the client is permitted to negotiate.
 #   See the mod_ssl documentation for a complete list.
-SSLCipherSuite HIGH:MEDIUM:!aNULL:!MD5
+SSLCipherSuite {{ ssl_ciphers }}
 
 #   Speed-optimized SSL Cipher configuration:
 #   If speed is your main concern (on busy HTTPS servers e.g.),

roles/koji_hub/templates/koji-ssl.conf.stg

@@ -72,12 +72,12 @@ SSLEngine on
 #   SSL Protocol support:
 # List the enable protocol levels with which clients will be able to
 # connect.  Disable SSLv2 access by default:
-SSLProtocol all -SSLv2
+SSLProtocol {{ ssl_protocols }}
 
 #   SSL Cipher Suite:
 #   List the ciphers that the client is permitted to negotiate.
 #   See the mod_ssl documentation for a complete list.
-SSLCipherSuite HIGH:MEDIUM:!aNULL:!MD5
+SSLCipherSuite {{ ssl_ciphers }}
 
 #   Speed-optimized SSL Cipher configuration:
 #   If speed is your main concern (on busy HTTPS servers e.g.),
@@ -89,8 +89,7 @@ SSLCipherSuite HIGH:MEDIUM:!aNULL:!MD5
 #   have perfect forward secrecy - if the server's key is
 #   compromised, captures of past or future traffic must be
 #   considered compromised, too.
-#SSLCipherSuite RC4-SHA:AES128-SHA:HIGH:MEDIUM:!aNULL:!MD5
+SSLHonorCipherOrder on 
-#SSLHonorCipherOrder on 
 
 #   Server Certificate:
 # Point SSLCertificateFile at a PEM encoded certificate.  If

roles/people/tasks/main.yml

@@ -20,11 +20,15 @@
   - packages
   - people
 
+- name: install main httpd config
+  template: src=people.conf dest=/etc/httpd/conf.d/people.conf
+  tags:
+  - people
+
 - name: install httpd config
   copy: src={{item}} dest=/etc/httpd/conf.d/{{item}}
   with_items:
   - cgit.conf
-  - people.conf
   - ssl.conf
   - userdir.conf
   tags:

roles/people/templates/people.conf

@@ -31,8 +31,8 @@ NameVirtualHost *:80
   SSLCertificateKeyFile /etc/pki/tls/private/wildcard-2014.fedorapeople.org.key
   SSLCertificateChainFile /etc/pki/tls/certs/wildcard-2014.fedorapeople.org.intermediate.cert
   SSLHonorCipherOrder On
-  SSLCipherSuite ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA:AES256-SHA:AES:CAMELLIA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA
+  SSLCipherSuite {{ ssl_ciphers }}
-  SSLProtocol -All +TLSv1 +TLSv1.1 +TLSv1.2
+  SSLProtocol {{ ssl_protocols }}
 
   Header always add Strict-Transport-Security "max-age=15768000; includeSubDomains; preload"
 

roles/phabricator/templates/phabricator.conf.j2

@@ -16,13 +16,12 @@
   #   SSL Protocol support:
   # List the enable protocol levels with which clients will be able to
   # connect.  Disable SSLv2 access by default:
-  SSLProtocol all -SSLv2
+  SSLProtocol {{ ssl_protocols }}
 
   #   SSL Cipher Suite:
   # List the ciphers that the client is permitted to negotiate.
   # See the mod_ssl documentation for a complete list.
-  #SSLCipherSuite ALL:!ADH:!EXPORT:!SSLv2:RC4+RSA:+HIGH:+MEDIUM:+LOW
+  SSLCipherSuite {{ ssl_ciphers }}
-  SSLCipherSuite HIGH:MEDIUM:!aNULL:!MD5
 
   #   Server Certificate:
   # Point SSLCertificateFile at a PEM encoded certificate.  If

roles/planet/tasks/main.yml

@@ -30,7 +30,7 @@
     - planet_server
 
 - name: copy the planet http config file
-  copy: src=planet.conf dest=/etc/httpd/conf.d/planet.conf
+  template: src=planet.conf dest=/etc/httpd/conf.d/planet.conf
   tags:
     - planet_server
 

roles/planet/templates/planet.conf

@@ -65,8 +65,8 @@
     SSLCertificateKeyFile /etc/pki/tls/private/planet.fedoraproject.org.key
     SSLCertificateChainFile /etc/pki/tls/certs/wildcard-2014.fedorapeople.org.intermediate.cert
     SSLHonorCipherOrder On
-    SSLCipherSuite ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!3DES:!MD5:!PSK
+    SSLProtocol {{ ssl_protocols }}
-    SSLProtocol -All +TLSv1 +TLSv1.1 +TLSv1.2
+    SSLCipherSuite {{ ssl_ciphers }}
 
     DocumentRoot "/srv/planet/site/"
 

roles/taskotron/ssl-taskotron/templates/ssl.conf.j2

@@ -76,12 +76,12 @@ SSLEngine on
 #   SSL Protocol support:
 # List the enable protocol levels with which clients will be able to
 # connect.  Disable SSLv2 access by default:
-SSLProtocol -All +TLSv1 +TLSv1.1 +TLSv1.2
+SSLProtocol {{ ssl_protocols }}
 
 #   SSL Cipher Suite:
 #   List the ciphers that the client is permitted to negotiate.
 #   See the mod_ssl documentation for a complete list.
-SSLCipherSuite HIGH:MEDIUM:!aNULL:!MD5
+SSLCipherSuite {{ ssl_ciphers }}
 
 #   Speed-optimized SSL Cipher configuration:
 #   If speed is your main concern (on busy HTTPS servers e.g.),

roles/taskotron/ssl-taskotron/templates/ssl.conf.rhel.j2

@@ -92,12 +92,12 @@ SSLEngine on
 #   SSL Protocol support:
 # List the enable protocol levels with which clients will be able to
 # connect.  Disable SSLv2 access by default:
-SSLProtocol -All +TLSv1 +TLSv1.1 +TLSv1.2
+SSLProtocol {{ ssl_protocols }}
 
 #   SSL Cipher Suite:
 # List the ciphers that the client is permitted to negotiate.
 # See the mod_ssl documentation for a complete list.
-SSLCipherSuite ALL:!ADH:!EXPORT:!SSLv2:RC4+RSA:+HIGH:+MEDIUM:+LOW
+SSLCipherSuite {{ ssl_ciphers }}
 
 #   Server Certificate:
 # Point SSLCertificateFile at a PEM encoded certificate.  If

vars/global.yml

@@ -46,6 +46,9 @@ centos66_x86_64: CentOS-6-x86_64-GenericCloud-20141129_01
 rhel70_x86_64: rhel-guest-image-7.0-20140930.0.x86_64
 rhel66_x86_64: rhel-guest-image-6.6-20141222.0.x86_64
 
+ssl_protocols: "-All +TLSv1 +TLSv1.1 +TLSv1.2"
+ssl_ciphers: "ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!3DES:!MD5:!PSK"
+
 # Set a default hostname base to transient. Override in host vars or command line.
 hostbase: transient
 global_pkgs_inst: ['bind-utils', 'mailx', 'nc', 'openssh-clients',