Configure Mozilla's Intermediate TLS profile for postfix, dovecot, nginx and ejabberd servers.
Use the standard Diffie-Hellman parameters from RFC 7919. Remove the possibility of configuring a DH parameter size of less than 2048.
Adapt the isync IMAP client configuration for TLS.
Factor the TLS parameters (ciphers, TLS versions, OCSP stapling, server preferred order) into a security.tls object in the default configuration.
The parameter for the DH parameter size could be moved to the security.tls object, but it might be nice to have a task linked to the load_defaults role that warns (fails) when someone is not using the new way of configuring it. Kept for later.
Mozilla's Intermediate profile recommends server_preferred_order: false, which is what is configured here. This is open for discussion.
Address the base part of #253.
Not tested on buster yet.
More details in each commit description.
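As an added example (not code from this pull request or from the project it targets), the script below models a factored security.tls object, renders it into nginx ssl_* directives while refusing a DH parameter size below 2048, and audits an arbitrary nginx TLS snippet against the Intermediate profile's requirements (TLS 1.2/1.3 only, AEAD ECDHE/DHE suites, client cipher preference, a DH parameter file, OCSP stapling). Apart from server_preferred_order, the object's key names, the sample snippets and the dhparam path are constructed for illustration; the protocol and cipher lists are the ones Mozilla publishes for its Intermediate profile.

```python
"""Model a security.tls object, render it for nginx, and audit nginx TLS
snippets against Mozilla's Intermediate profile.

Added example: not code from the pull request or its project. Key names
other than server_preferred_order, the sample snippets and the dhparam
path are constructed for illustration."""

# Mozilla Intermediate profile, TLS 1.2 suites (TLS 1.3 suites are fixed
# and not configured through ssl_ciphers in nginx).
INTERMEDIATE_CIPHERS = [
    "ECDHE-ECDSA-AES128-GCM-SHA256", "ECDHE-RSA-AES128-GCM-SHA256",
    "ECDHE-ECDSA-AES256-GCM-SHA384", "ECDHE-RSA-AES256-GCM-SHA384",
    "ECDHE-ECDSA-CHACHA20-POLY1305", "ECDHE-RSA-CHACHA20-POLY1305",
    "DHE-RSA-AES128-GCM-SHA256", "DHE-RSA-AES256-GCM-SHA384",
    "DHE-RSA-CHACHA20-POLY1305",
]
ALLOWED_PROTOCOLS = {"TLSv1.2", "TLSv1.3"}
MIN_DH_BITS = 2048  # the floor this pull request enforces

# Constructed example of the factored security.tls object.
SECURITY_TLS = {
    "protocols": ["TLSv1.2", "TLSv1.3"],
    "ciphers": INTERMEDIATE_CIPHERS,
    "server_preferred_order": False,  # value configured by the PR
    "ocsp_stapling": True,
    "dh_params_size": 2048,           # constructed key name
}


def render_nginx_tls(tls, dhparam_path="/etc/nginx/dhparam-ffdhe2048.pem"):
    """Render the object into nginx directives; reject weak DH sizes.
    The dhparam path is a constructed placeholder."""
    if tls["dh_params_size"] < MIN_DH_BITS:
        raise ValueError(f"dh_params_size must be at least {MIN_DH_BITS}")
    pref = "on" if tls["server_preferred_order"] else "off"
    lines = [
        "ssl_protocols " + " ".join(tls["protocols"]) + ";",
        "ssl_ciphers " + ":".join(tls["ciphers"]) + ";",
        f"ssl_prefer_server_ciphers {pref};",
        f"ssl_dhparam {dhparam_path};",
    ]
    if tls["ocsp_stapling"]:
        lines += ["ssl_stapling on;", "ssl_stapling_verify on;"]
    return "\n".join(lines)


def rejects_weak_dh(bits):
    """True if a security.tls object with this DH size is refused."""
    try:
        render_nginx_tls(dict(SECURITY_TLS, dh_params_size=bits))
        return False
    except ValueError:
        return True


def parse_directives(config_text):
    """Map one-line directives to their (unquoted) arguments; comments and
    block braces are skipped, which is enough for ssl_* directives."""
    directives = {}
    for raw in config_text.splitlines():
        line = raw.split("#", 1)[0].strip().rstrip(";").strip()
        if not line or line.endswith("{") or line == "}":
            continue
        parts = line.split()
        directives[parts[0]] = [p.strip("\"'") for p in parts[1:]]
    return directives


def audit_tls(config_text):
    """Return a list of findings; an empty list means the snippet matches
    the Intermediate profile's requirements."""
    d = parse_directives(config_text)
    findings = []
    protocols = set(d.get("ssl_protocols", []))
    legacy = protocols - ALLOWED_PROTOCOLS
    if not protocols:
        findings.append("ssl_protocols missing (nginx default allows TLSv1/TLSv1.1)")
    elif legacy:
        findings.append("legacy protocols enabled: " + ", ".join(sorted(legacy)))
    ciphers = [c for c in ":".join(d.get("ssl_ciphers", [])).split(":") if c]
    if not ciphers:
        findings.append("ssl_ciphers missing")
    else:
        extra = [c for c in ciphers if c not in INTERMEDIATE_CIPHERS]
        if extra:
            findings.append("ciphers outside the Intermediate list: " + ", ".join(extra))
    if d.get("ssl_prefer_server_ciphers", ["off"]) != ["off"]:
        findings.append("ssl_prefer_server_ciphers should be off (profile lets the client choose)")
    if "ssl_dhparam" not in d:
        findings.append("ssl_dhparam missing (DHE suites need the RFC 7919 ffdhe2048 group)")
    if d.get("ssl_stapling") != ["on"] or d.get("ssl_stapling_verify") != ["on"]:
        findings.append("OCSP stapling not fully enabled")
    return findings


# Constructed legacy snippet: old protocols, an OpenSSL macro cipher list,
# server-preferred order, no DH file and no stapling.
WEAK_CONFIG = """
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_ciphers "HIGH:!aNULL:!MD5";
ssl_prefer_server_ciphers on;
"""

if __name__ == "__main__":
    print("rendered profile findings:", audit_tls(render_nginx_tls(SECURITY_TLS)))
    for finding in audit_tls(WEAK_CONFIG):
        print("weak config:", finding)
```

The rendered profile audits clean, while the constructed legacy snippet produces five findings, one per requirement it misses; the same audit function can be pointed at the real nginx include once the role has rendered it.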