From 32e332b32949c738c98466e5cc64c78b6efbfe52 Mon Sep 17 00:00:00 2001
From: Andrew Bonney
Date: Mon, 10 Jan 2022 09:06:49 +0000
Subject: [PATCH] Adjust default configuration to support TLS v1.3

This adds a new variable to manage TLS v1.3 cipher suites. The old variable for TLS v1.2 and below ciphers is renamed for consistency, but is still supported as a default where overridden by deployments.

Depends-On: https://review.opendev.org/c/openstack/openstack-ansible/+/823943
Change-Id: Ib43d465c8fa24ec7d14174ecc17bce0b3e8bd7a4
---
 defaults/main.yml | 7 +++++--
 releasenotes/notes/tls_variables-ab6684a5a5505068.yaml | 6 ++++++
 templates/openstack_dashboard.conf.j2 | 7 ++++++-
 3 files changed, 17 insertions(+), 3 deletions(-)
 create mode 100644 releasenotes/notes/tls_variables-ab6684a5a5505068.yaml

diff --git a/defaults/main.yml b/defaults/main.yml
index 2d874381..d2d9dd86 100644
--- a/defaults/main.yml
+++ b/defaults/main.yml
@@ -211,8 +211,11 @@ horizon_wsgi_threads: "{{ [[ansible_facts['processor_vcpus']|default(2) // 2, 1]
 horizon_ssl_cert: /etc/ssl/certs/horizon.pem
 horizon_ssl_key: /etc/ssl/private/horizon.key
 horizon_ssl_ca_cert: /etc/ssl/certs/horizon-ca.pem
-horizon_ssl_protocol: "{{ ssl_protocol | default('ALL -SSLv2 -SSLv3 -TLSv1.1') }}"
-horizon_ssl_cipher_suite: "{{ ssl_cipher_suite | default('ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:RSA+AESGCM:RSA+AES:!aNULL:!MD5:!DSS') }}"
+horizon_ssl_protocol: "{{ ssl_protocol | default('ALL -SSLv2 -SSLv3 -TLSv1 -TLSv1.1') }}"
+# TLS v1.2 and below
+horizon_ssl_cipher_suite_tls12: "{{ horizon_ssl_cipher_suite | default(ssl_cipher_suite | default('ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:RSA+AESGCM:RSA+AES:!aNULL:!MD5:!DSS')) }}"
+# TLS v1.3
+horizon_ssl_cipher_suite_tls13: "{{ ssl_cipher_suite_tls13 | default('TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256') }}"
 # if using a self-signed certificate, set this to true to regenerate it
 horizon_ssl_self_signed_regen: false
 horizon_ssl_self_signed_subject: "/C=US/ST=Texas/L=San Antonio/O=IT/CN={{ horizon_server_name }}/subjectAltName=IP.1={{ external_lb_vip_address }}"
diff --git a/releasenotes/notes/tls_variables-ab6684a5a5505068.yaml b/releasenotes/notes/tls_variables-ab6684a5a5505068.yaml
new file mode 100644
index 00000000..1a42d71e
--- /dev/null
+++ b/releasenotes/notes/tls_variables-ab6684a5a5505068.yaml
@@ -0,0 +1,6 @@
+---
+deprecations:
+  - |
+    The variable 'horizon_ssl_cipher_suite' is deprecated in favour of
+    'horizon_ssl_cipher_suite_tls12' which will continue to manage
+    configuration of ciphers for TLS v1.2 and earlier.
diff --git a/templates/openstack_dashboard.conf.j2 b/templates/openstack_dashboard.conf.j2
index ca20eeab..194de591 100644
--- a/templates/openstack_dashboard.conf.j2
+++ b/templates/openstack_dashboard.conf.j2
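Review bot: The new `horizon_ssl_protocol` default also carries `-TLSv1`, so TLS 1.0 clients are refused by default after this change, yet neither the commit message nor the new release note mentions it; a short `upgrade` entry such as `The default horizon_ssl_protocol now disables TLSv1.0 as well as SSLv2, SSLv3 and TLSv1.1; override the variable if older clients must still be served.` would avoid an upgrade surprise. The comments above the two cipher variables could also say that an empty string is a supported value, since the template only emits each `SSLCipherSuite` line when the variable is `!= ""`, e.g. `# TLS v1.2 and below; set to "" to omit the directive and fall back to the OpenSSL defaults`. As the TLS 1.2 list is being carried into the renamed variable anyway, it is worth confirming that the `RSA+AESGCM:RSA+AES` entries are still wanted: they are the only suites in the list without (EC)DHE key exchange and therefore without forward secrecy.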
@@ -30,7 +30,12 @@
     SSLCompression Off
     SSLProtocol {{ horizon_ssl_protocol }}
     SSLHonorCipherOrder On
-    SSLCipherSuite {{ horizon_ssl_cipher_suite }}
+    {% if horizon_ssl_cipher_suite_tls12 != "" -%}
+    SSLCipherSuite {{ horizon_ssl_cipher_suite_tls12 }}
+    {% endif -%}
+    {% if horizon_ssl_cipher_suite_tls13 != "" -%}
+    SSLCipherSuite TLSv1.3 {{ horizon_ssl_cipher_suite_tls13 }}
+    {% endif -%}
     SetEnvIf User-Agent ".*MSIE.*" nokeepalive ssl-unclean-shutdown
 {% endif %}
 {% if (horizon_enable_ssl | bool) and (horizon_external_ssl | bool) %}
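Review bot: `SSLCipherSuite TLSv1.3 {{ horizon_ssl_cipher_suite_tls13 }}` uses the protocol-qualified two-argument form of the directive, which to my knowledge httpd only accepts from 2.4.36 onwards (the release that added TLS 1.3 support against OpenSSL 1.1.1); on an older httpd the line is a configuration error and the service fails to start rather than falling back, so the role should either document that minimum version next to `horizon_ssl_cipher_suite_tls13` in the defaults or render the block only when the installed httpd supports it. The `!= ""` guards mean an empty variable silently leaves cipher selection to the OpenSSL built-in defaults instead of the curated list, which deserves a comment in the template, e.g. `{# an empty value omits the matching SSLCipherSuite directive entirely #}`. The enclosing `{% if %}` block, closed by the `{% endif %}` at the end of this hunk, opens before the hunk.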