From d3110f93f63f43eed4e4bda27bec478b79a87213 Mon Sep 17 00:00:00 2001
From: Alexander Weidinger <aw@sz9i.net>
Date: Wed, 10 Jan 2018 01:24:17 +0100
Subject: [PATCH] Manage TLS defaults

---
 apache/files/FreeBSD/apache-2.4.config.jinja |  4 +++
 apache/files/Suse/apache-2.4.config.jinja    |  4 +++
 apache/files/tls-defaults.conf.jinja         | 18 +++++++++++
 apache/mod_ssl.sls                           | 32 ++++++++++++++++++++
 pillar.example                               | 17 ++++++++++-
 5 files changed, 74 insertions(+), 1 deletion(-)
 create mode 100644 apache/files/tls-defaults.conf.jinja

diff --git a/apache/files/FreeBSD/apache-2.4.config.jinja b/apache/files/FreeBSD/apache-2.4.config.jinja
index d9e1639..0d9d19a 100644
--- a/apache/files/FreeBSD/apache-2.4.config.jinja
+++ b/apache/files/FreeBSD/apache-2.4.config.jinja
@@ -526,5 +526,9 @@ TraceEnable Off
 # Well, IncludeOptional behaved lile Include
 IncludeOptional etc/apache24/extra/security.con[f]
 
+{% if salt['pillar.get']('apache:mod_ssl:manage_tls_defaults', False) -%}
+Include etc/apache24/extra/tls-defaults.conf
+{%- endif %}
+
 Include etc/apache24/Includes/*.conf
 
diff --git a/apache/files/Suse/apache-2.4.config.jinja b/apache/files/Suse/apache-2.4.config.jinja
index 4b2c40d..310ba7f 100644
--- a/apache/files/Suse/apache-2.4.config.jinja
+++ b/apache/files/Suse/apache-2.4.config.jinja
@@ -163,6 +163,10 @@ Include /etc/apache2/errors.conf
 # any virtual host
 Include /etc/apache2/ssl-global.conf
 
+{% if salt['pillar.get']('apache:mod_ssl:manage_tls_defaults', False) -%}
+Include /etc/apache24/conf.d/tls-defaults.conf
+{%- %}
+
 # global (server-wide) protocol configuration, that is not specific
 # to any virtual host
 Include /etc/apache2/protocols.conf
diff --git a/apache/files/tls-defaults.conf.jinja b/apache/files/tls-defaults.conf.jinja
new file mode 100644
index 0000000..9ee0a67
--- /dev/null
+++ b/apache/files/tls-defaults.conf.jinja
@@ -0,0 +1,18 @@
+# Managed by saltstack
+
+{% set data = {
+  'SSLCipherSuite': 'EDH+CAMELLIA:EDH+aRSA:EECDH+aRSA+AESGCM:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH:+CAMELLIA256:+AES256:+CAMELLIA128:+AES128:+SSLv3:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!DSS:!RC4:!SEED:!ECDSA:CAMELLIA256-SHA:AES256-SHA:CAMELLIA128-SHA:AES128-SHA',
+  'SSLCompression': 'Off',
+  'SSLProtocol': 'all -SSLv2 -SSLv3 -TLSv1',
+  'SSLHonorCipherOrder': 'On',
+  'SSLOptions': '+StrictRequire',
+} -%}
+{%- do data.update(salt['pillar.get']('apache:mod_ssl', {})) %}
+
+<IfModule mod_ssl.c>
+{%- for key, value in data.items() %}
+{%-   if not key == 'manage_tls_defaults' %}
+{{ key }} {{ value }}
+{%-   endif %}
+{%- endfor %}
+</IfModule>
diff --git a/apache/mod_ssl.sls b/apache/mod_ssl.sls
index 744115b..e11557d 100644
--- a/apache/mod_ssl.sls
+++ b/apache/mod_ssl.sls
@@ -42,3 +42,35 @@ include:
       - module: apache-restart
 
 {% endif %}
+
+{{ apache.confdir }}/tls-defaults.conf:
+{% if salt['pillar.get']('apache:mod_ssl:manage_tls_defaults', False) %}
+  file.managed:
+    - source: salt://apache/files/tls-defaults.conf.jinja
+    - mode: 644
+    - template: jinja
+{% else %}
+  file.absent:
+{% endif %}
+    - require:
+      - pkg: apache
+    - watch_in:
+      - module: apache-restart
+
+{% if grains['os_family']=="Debian" %}
+a2endisconf tls-defaults:
+  cmd.run:
+{%   if salt['pillar.get']('apache:mod_ssl:manage_tls_defaults', False) %}
+    - name: a2enconf tls-defaults
+    - unless: test -L /etc/apache2/conf-enabled/tls-defaults.conf
+{%   else %}
+    - name: a2disconf tls-defaults
+    - onlyif: test -L /etc/apache2/conf-enabled/tls-defaults.conf
+{%   endif %}
+    - order: 225
+    - require:
+      - pkg: apache
+      - file: {{ apache.confdir }}/tls-defaults.conf
+    - watch_in:
+      - module: apache-restart
+{% endif %}
diff --git a/pillar.example b/pillar.example
index 845a131..185a535 100644
--- a/pillar.example
+++ b/pillar.example
@@ -313,4 +313,19 @@ apache:
         file: 'my name'
         path: 'salt://path/to/modsecurity/custom/file'
         enabled: True
-  
+
+  mod_ssl:
+    # set this to True if you want to override your distributions default TLS configuration
+    manage_tls_defaults: False
+    # This stuff is deliberately not configured via map.jinja resp. apache:lookup.
+    # We're unable to know sane defaults for each release of every distribution.
+    # See https://github.com/saltstack-formulas/openssh-formula/issues/102 for a related discussion
+    # Have a look at bettercrypto.org for up-to-date settings.
+    # These are default values:
+    SSLCipherSuite: EDH+CAMELLIA:EDH+aRSA:EECDH+aRSA+AESGCM:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH:+CAMELLIA256:+AES256:+CAMELLIA128:+AES128:+SSLv3:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!DSS:!RC4:!SEED:!ECDSA:CAMELLIA256-SHA:AES256-SHA:CAMELLIA128-SHA:AES128-SHA
+    # Mitigate the CRIME attack
+    SSLCompression: Off
+    SSLProtocol: all -SSLv2 -SSLv3 -TLSv1
+    SSLHonorCipherOrder: On
+    SSLOptions: "+StrictRequire"
+