apache: Use only TLS1.3 where available

2021-09-03 14:56:15 +00:00 · 2021-09-03 14:56:15 +00:00 · e571d171da
commit e571d171da
parent baf0b53d97
2 changed files with 7 additions and 3 deletions
--- a/roles/apache/tasks/main.yml
+++ b/roles/apache/tasks/main.yml
@ -50,8 +50,8 @@
    - "/etc/httpd/conf.local.d"
 - name: create ssl config
-  copy:
+  template:
-    src: ssl.conf
+    src: ssl.conf.j2
    dest: /etc/httpd/conf.local.d/ssl.conf
    mode: 0644
    owner: root
--- a/roles/apache/templates/ssl.conf.j2
+++ b/roles/apache/templates/ssl.conf.j2
@ -7,9 +7,13 @@
 Listen 443
-# Use Mozilla recommended intermediate settings
+# Use Mozilla recommended settings
 {% if ansible_os_family == "RedHat" and ansible_distribution_major_version|int >= 8 %}
 SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1 -TLSv1.2
 {% else %}
 SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1
 SSLCipherSuite ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384
 {% endif %}
 SSLHonorCipherOrder off
 SSLSessionTickets off