Add config option to set ciphers for TLS 1.3 (#14)

openssl has a different way to set ciphers for TLS 1.3. If you use ssl_ciphers while only having the TLS 1.3 protocol enabled, nginx will fail to start. This commit uses the "ssl_conf_command Ciphersuites" command in nginx instead. References: - https://forum.nginx.org/read.php?11,287698 - mozilla/ssl-config-generator#124 - https://wiki.openssl.org/index.php/TLS1.3
chr4 · Jan 31, 2023 · a32bcfe · a32bcfe
1 parent 5a60749
commit a32bcfe
Show file tree

Hide file tree

Showing 4 changed files with 11 additions and 0 deletions.
diff --git a/init.sls b/init.sls
@@ -5,6 +5,7 @@
 # See: https://wiki.mozilla.org/Security/Server_Side_TLS#Intermediate_compatibility_.28recommended.29
 {% set ssl_protocols = salt['pillar.get']('nginx:ssl_protocols', 'TLSv1.2 TLSv1.3') %}
 {% set ssl_ciphers = salt['pillar.get']('nginx:ssl_ciphers', 'ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256' ) %} # noqa: 204
+{% set ssl_conf_command = salt['pillar.get']('nginx:ssl_conf_command', []) %}
 {% set ssl_session_cache = salt['pillar.get']('nginx:ssl_session_cache', 'shared:SSL:10m' ) %}
 {% set ssl_prefer_server_ciphers = salt['pillar.get']('nginx:ssl_prefer_server_ciphers', 'on') %}
 {% set ssl_stapling = salt['pillar.get']('nginx:ssl_stapling', 'off') %}
@@ -49,6 +50,7 @@ validate-nginx-config:
     - defaults:
         ssl_protocols: {{ ssl_protocols }}
         ssl_ciphers: {{ ssl_ciphers }}
+        ssl_conf_command: {{ ssl_conf_command }}
         ssl_session_cache: {{ ssl_session_cache }}
         # Quotes are needed, as YAML will interpret on/off as boolean
         ssl_prefer_server_ciphers: '{{ ssl_prefer_server_ciphers }}'

diff --git a/nginx.conf.jinja b/nginx.conf.jinja
@@ -27,6 +27,9 @@ http {
     # Global TLS settings
     ssl_protocols {{ ssl_protocols }};
     ssl_ciphers {{ ssl_ciphers }};
+    {% for item in ssl_conf_command|sort -%}
+    ssl_conf_command {{ item }};
+    {% endfor -%}
     ssl_session_cache {{ ssl_session_cache }};
     ssl_prefer_server_ciphers {{ ssl_prefer_server_ciphers }};
     ssl_stapling {{ ssl_stapling }};

diff --git a/pillar.example b/pillar.example
@@ -7,6 +7,10 @@ nginx:
   ssl_protocols: 'TLSv1.2 TLSv1.3'
   ssl_ciphers: 'ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256' # noqa: 204
 
+  # ssl_conf_command can be specified multiple times, therefore it needs to be a list.
+  # Each string needs to hold all arguments for ssl_conf_command, like in the example below.
+  # An empty list ([], the default) results in no entries added to nginx.conf
+  ssl_conf_command: [ 'Options PrioritizeChaCha', 'Ciphersuites TLS_CHACHA20_POLY1305_SHA256:TLS_AES_256_GCM_SHA384']
   ssl_session_cache: 'shared:SSL:10m'
   ssl_prefer_server_ciphers: 'on'
 

diff --git a/tests/integration/nginx/nginx_spec.rb b/tests/integration/nginx/nginx_spec.rb
@@ -14,6 +14,8 @@
     its('mode') { should cmp '0644' }
     its('content') { should match /^\s*worker_processes/ }
     its('content') { should match /^\s*ssl_prefer_server_ciphers\s*on;$/ }
+    its('content') { should match /^\s*ssl_conf_command Ciphersuites TLS_CHACHA20_POLY1305_SHA256:TLS_AES_256_GCM_SHA384;$/ }
+    its('content') { should match /^\s*ssl_conf_command Options PrioritizeChaCha;$/ }
   end
 
   describe file('/etc/nginx/conf.d/default.conf') do