review our ssl ciphers suite
We currently use magic incantation from the Mozilla SSL observatory in our Apache (and now nginx, see legacy/trac#32239 (moved)) installations. We should review it and see if it's still relevant. It seems we're using the suites as per the Mozilla observatory, but since we're upgrading to buster, it might be worth upgrading our suite a little.
The documentation in the file mentions those URLs:
https://mozilla.github.io/server-side-tls/ssl-config-generator/?server=apache-2.4.25&openssl=1.0.2l&hsts=yes&profile=intermediate https://mozilla.github.io/server-side-tls/ssl-config-generator/?server=apache-2.4.25&openssl=1.1.0&hsts=no&profile=intermediate
But that's two lists... maybe what we have is the merged one?
In any case, this probably needs a kick. The list was created in 2014 and last touched in 2018, according to the comments in the apache config.
Unless we have per openssl-version configs, this will have to wait until legacy/trac#29399 (moved) is done at least.
List of places we need to fix this:
-
apache (watch out for WKD and GnuPG on windows, see #33751 (closed)) -
nginx ( modules/profile/manifests/nginx.pp
,modules/profile/files/gitlab/gitlab.torproject.org.conf
, see #40481 (closed)) -
postfix (watch out for #33413) -
haproxy (configured in modules/roles/templates/onionoo/haproxy.cfg.erb
but maybe other places) -
ipsec?
Todo list:
-
review https://cipherli.st/ -
test with https://www.ssllabs.com/ssltest/ -
test mail servers with swaks -
set a baseline of supported clients -
update https://help.torproject.org/tsa/howto/tls/ with changes -
compliance monitoring, maybe with zlint