From 688348a5fd991fcbe1a535e51056c420a81c9ae7 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?L=C3=A9o=20Colombaro?=
Date: Mon, 14 Jun 2021 12:43:22 +0200
Subject: [PATCH] Modernize TLS configuration
---
 conf.d/.default.conf | 6 ++--
 conf.d/templates/example.com.conf | 12 ++++----
 h5bp/ssl/policy_deprecated.conf | 30 -------------------
 h5bp/{ssl => tls}/certificate_files.conf | 0
 h5bp/{ssl => tls}/ocsp_stapling.conf | 0
 .../policy_balanced.conf} | 10 ++-----
 .../policy_strict.conf} | 10 +++++--
 h5bp/{ssl => tls}/ssl_engine.conf | 0
 test/vhosts/default.conf | 6 ++--
 test/vhosts/secure.server.localhost.conf | 12 ++++----
 10 files changed, 28 insertions(+), 58 deletions(-)
 delete mode 100644 h5bp/ssl/policy_deprecated.conf
 rename h5bp/{ssl => tls}/certificate_files.conf (100%)
 rename h5bp/{ssl => tls}/ocsp_stapling.conf (100%)
 rename h5bp/{ssl/policy_intermediate.conf => tls/policy_balanced.conf} (63%)
 rename h5bp/{ssl/policy_modern.conf => tls/policy_strict.conf} (79%)
 rename h5bp/{ssl => tls}/ssl_engine.conf (100%)
diff --git a/conf.d/.default.conf b/conf.d/.default.conf
index 2059bbd..9c50994 100644
--- a/conf.d/.default.conf
+++ b/conf.d/.default.conf
@@ -15,9 +15,9 @@ server {
 server_name _;
- include h5bp/ssl/ssl_engine.conf;
- include h5bp/ssl/certificate_files.conf;
- include h5bp/ssl/policy_intermediate.conf;
+ include h5bp/tls/ssl_engine.conf;
+ include h5bp/tls/certificate_files.conf;
+ include h5bp/tls/policy_balanced.conf;
 return 444;
 }
diff --git a/conf.d/templates/example.com.conf b/conf.d/templates/example.com.conf
index fe987d3..1b55bab 100644
--- a/conf.d/templates/example.com.conf
+++ b/conf.d/templates/example.com.conf
@@ -15,9 +15,9 @@ server {
 server_name www.example.com;
- include h5bp/ssl/ssl_engine.conf;
- include h5bp/ssl/certificate_files.conf;
- include h5bp/ssl/policy_intermediate.conf;
+ include h5bp/tls/ssl_engine.conf;
+ include h5bp/tls/certificate_files.conf;
+ include h5bp/tls/policy_balanced.conf;
 return 301 $scheme://example.com$request_uri;
 }
@@ -32,9 +32,9 @@ server {
 # The host name to respond to
 server_name example.com;
- include h5bp/ssl/ssl_engine.conf;
- include h5bp/ssl/certificate_files.conf;
- include h5bp/ssl/policy_intermediate.conf;
+ include h5bp/tls/ssl_engine.conf;
+ include h5bp/tls/certificate_files.conf;
+ include h5bp/tls/policy_balanced.conf;
 # Path for static files
 root /var/www/example.com/public;
diff --git a/h5bp/ssl/policy_deprecated.conf b/h5bp/ssl/policy_deprecated.conf
deleted file mode 100644
index 2155c34..0000000
--- a/h5bp/ssl/policy_deprecated.conf
+++ /dev/null
@@ -1,30 +0,0 @@
-# ----------------------------------------------------------------------
-# | SSL policy - Deprecated |
-# ----------------------------------------------------------------------
-
-# For services that don't need compatibility with legacy clients (mostly WinXP),
-# but still need to support a wide range of clients, this configuration is
-# recommended.
-#
-# Protect against the BEAST and POODLE attacks by not using SSLv3 at all.
-# If you need to support older browsers (IE6) you may need to add SSLv3 to the
-# list of protocols.
-#
-# Based on intermediate profile recommended by Mozilla.
-# https://mozilla.github.io/server-side-tls/ssl-config-generator/
-#
-# (1) Diffie-Hellman parameter for DHE cipher suites
-# A 4096 bits or more DH parameter is recommended.
-# (!) A DH parameter generation is required to enable this directive.
-# openssl dhparam -out /etc/nginx/dhparam.pem 4096
-# https://nginx.org/en/docs/http/ngx_http_ssl_module.html#ssl_dhparam
-#
-# https://wiki.mozilla.org/Security/Server_Side_TLS#Recommended_configurations
-# https://nginx.org/en/docs/http/ngx_http_ssl_module.html
-
-ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
-ssl_ciphers ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA256:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA:AES256-SHA:AES128-SHA256:AES256-SHA256:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:DES-CBC3-SHA;
-ssl_ecdh_curve X25519:prime256v1:secp521r1:secp384r1;
-
-# (1)
-# ssl_dhparam /etc/nginx/dhparam.pem;
diff --git a/h5bp/ssl/certificate_files.conf b/h5bp/tls/certificate_files.conf
similarity index 100%
rename from h5bp/ssl/certificate_files.conf
rename to h5bp/tls/certificate_files.conf
diff --git a/h5bp/ssl/ocsp_stapling.conf b/h5bp/tls/ocsp_stapling.conf
similarity index 100%
rename from h5bp/ssl/ocsp_stapling.conf
rename to h5bp/tls/ocsp_stapling.conf
diff --git a/h5bp/ssl/policy_intermediate.conf b/h5bp/tls/policy_balanced.conf
similarity index 63%
rename from h5bp/ssl/policy_intermediate.conf
rename to h5bp/tls/policy_balanced.conf
index af3ca46..0b89a5a 100644
--- a/h5bp/ssl/policy_intermediate.conf
+++ b/h5bp/tls/policy_balanced.conf
@@ -1,13 +1,9 @@
 # ----------------------------------------------------------------------
-# | SSL policy - Intermediate |
+# | SSL policy - Balanced |
 # ----------------------------------------------------------------------
-# For services that don't need backward compatibility, the parameters below
-# provide a higher level of security.
-#
-# (!) This policy enforces a mildly strong SSL configuration, which may raise
-# errors with old clients.
-# If a more compatible profile is required, use the "deprecated" policy.
+# For services that need to support a wide range of clients, this configuration
+# is raisonnably balanced.
 #
 # (1) The NIST curves (prime256v1, secp384r1, secp521r1) are known to be weak
 # and potentially vulnerable but are required to support Microsoft Edge
diff --git a/h5bp/ssl/policy_modern.conf b/h5bp/tls/policy_strict.conf
similarity index 79%
rename from h5bp/ssl/policy_modern.conf
rename to h5bp/tls/policy_strict.conf
index 399fa83..8d0a70b 100644
--- a/h5bp/ssl/policy_modern.conf
+++ b/h5bp/tls/policy_strict.conf
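Review bot: The new description in the policy_balanced.conf hunk misspells "reasonably" (`+# is raisonnably balanced.`); it should read `# is reasonably balanced.`. The banner on the same hunk still says `# | SSL policy - Balanced |` even though the directory and the commit title move to "TLS" wording, and the policy_strict.conf hunk keeps the same `SSL policy - Strict` banner, so both could read `TLS policy` for consistency. Because this commit also deletes policy_deprecated.conf, which was the only policy whose visible `ssl_protocols` line offered TLSv1 and TLSv1.1, the balanced policy presumably becomes the most compatible profile shipped; stating that in this header would help operators who previously followed the "use the deprecated policy" pointer, e.g. `# This is the most compatible policy shipped; clients limited to TLSv1/TLSv1.1 are intentionally unsupported.`. The ssl_protocols and ssl_ciphers directives of policy_balanced.conf lie outside the hunk, so what it actually offers is not verified here.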
@@ -1,9 +1,13 @@
 # ----------------------------------------------------------------------
-# | SSL policy - Modern |
+# | SSL policy - Strict |
 # ----------------------------------------------------------------------
-# For services that want to be on the bleeding edge, the parameters below
-# sacrifice compatibility for the highest level of security and performance.
+# For services that don't need backward compatibility, the parameters below
+# provide the highest level of security and performance.
+#
+# (!) This policy enforces a strong TLS configuration, which may raise
+# errors with old clients.
+# If a more compatible profile is required, use the "balanced" policy.
 #
 # (!) TLSv1.3 and its 0-RTT feature require NGINX >=1.15.4 and OpenSSL >=1.1.1
 # to be installed.
diff --git a/h5bp/ssl/ssl_engine.conf b/h5bp/tls/ssl_engine.conf
similarity index 100%
rename from h5bp/ssl/ssl_engine.conf
rename to h5bp/tls/ssl_engine.conf
diff --git a/test/vhosts/default.conf b/test/vhosts/default.conf
index 3aabb07..782c88e 100644
--- a/test/vhosts/default.conf
+++ b/test/vhosts/default.conf
@@ -14,9 +14,9 @@ server {
 server_name _;
- include h5bp/ssl/ssl_engine.conf;
- include h5bp/ssl/certificate_files.conf;
- include h5bp/ssl/policy_intermediate.conf;
+ include h5bp/tls/ssl_engine.conf;
+ include h5bp/tls/certificate_files.conf;
+ include h5bp/tls/policy_balanced.conf;
 return 444;
 }
diff --git a/test/vhosts/secure.server.localhost.conf b/test/vhosts/secure.server.localhost.conf
index c14058f..9faa833 100644
--- a/test/vhosts/secure.server.localhost.conf
+++ b/test/vhosts/secure.server.localhost.conf
@@ -4,9 +4,9 @@ server {
 server_name www.secure.server.localhost;
- include h5bp/ssl/ssl_engine.conf;
- include h5bp/ssl/certificate_files.conf;
- include h5bp/ssl/policy_intermediate.conf;
+ include h5bp/tls/ssl_engine.conf;
+ include h5bp/tls/certificate_files.conf;
+ include h5bp/tls/policy_balanced.conf;
 return 301 $scheme://secure.server.localhost$request_uri;
 }
@@ -17,9 +17,9 @@ server {
 server_name secure.server.localhost;
- include h5bp/ssl/ssl_engine.conf;
- include h5bp/ssl/certificate_files.conf;
- include h5bp/ssl/policy_intermediate.conf;
+ include h5bp/tls/ssl_engine.conf;
+ include h5bp/tls/certificate_files.conf;
+ include h5bp/tls/policy_balanced.conf;
 root /var/www/server.localhost;