From 81a98596e339e1a8f036c5312e1ffac54ceea046 Mon Sep 17 00:00:00 2001
From: Alan Orth
Date: Thu, 9 Oct 2014 21:09:18 +0300
Subject: [PATCH] Downgrade TLS configuration to Mozilla's "intermediate" spec

From looking at the list of clients who would be allowed to connect when using the "modern" spec, I think I'd be doing more harm than good to use that config right now...

https://www.ssllabs.com/ssltest/analyze.html?d=alaninkenya.org
https://wiki.mozilla.org/Security/Server_Side_TLS

Signed-off-by: Alan Orth
---
 group_vars/all | 2 +-
 roles/nginx/defaults/main.yml | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/group_vars/all b/group_vars/all
index c049a97..d811f0a 100644
--- a/group_vars/all
+++ b/group_vars/all
@@ -1,6 +1,6 @@
 ---
 # file: group_vars/all
-tls_cipher_suite: "ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!3DES:!MD5:!PSK"
+tls_cipher_suite: "ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128:AES256:AES:CAMELLIA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA"
 # vim: set ts=2 sw=2:
diff --git a/roles/nginx/defaults/main.yml b/roles/nginx/defaults/main.yml
index 64b9732..1104f14 100644
--- a/roles/nginx/defaults/main.yml
+++ b/roles/nginx/defaults/main.yml
@@ -8,7 +8,7 @@ nginx_confd_path: /etc/nginx/conf.d
 nginx_root_prefix: /var/www
 # TLS protocol versions to support
-nginx_tls_protocols: TLSv1.1 TLSv1.2
+nginx_tls_protocols: TLSv1 TLSv1.1 TLSv1.2
 # TLS key directory
 tls_key_dir: /etc/ssl/private
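Review bot: The new `tls_cipher_suite` value in group_vars/all records neither its source nor the trade-off it makes, so the next maintainer cannot tell whether it is still current or why `AES128:AES256:AES:CAMELLIA` were appended; those four selectors admit static-RSA key-exchange suites, which have no forward secrecy, and that is the deliberate compatibility cost of the "intermediate" profile. A comment above the line would capture this, e.g. `# Mozilla "intermediate" profile (2014-10); AES128:AES256:AES:CAMELLIA admit non-forward-secret static-RSA suites for older clients — revisit once they are gone`. Note also that `!3DES` was dropped from the exclusions: as far as I can tell none of the positive selectors matches a 3DES suite, so nothing is enabled by that removal today, but the three explicit `!EDH-*-DES-CBC3-SHA`/`!KRB5-DES-CBC3-SHA` entries would not cover `DES-CBC3-SHA` if it is later added for legacy clients, so a blanket `!3DES` is the safer form to keep until that is wanted.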
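Review bot: Adding `TLSv1` to `nginx_tls_protocols` lowers the protocol floor in the same commit that broadens the cipher list, and nothing in roles/nginx/defaults/main.yml records that this is a temporary compatibility choice; the comment above the line should say so, e.g. `# TLSv1 kept for legacy clients (Mozilla "intermediate", 2014-10); drop it once they are gone`. TLS 1.0 cannot negotiate the GCM suites, so its presence is exactly what exposes the SHA1/CBC entries of the new list to clients that pick it, and the server's own cipher preference order is what keeps ECDHE/GCM first for clients that can do better; the directive that consumes `nginx_tls_protocols` and `tls_cipher_suite` is outside this hunk, so I cannot confirm server preference is enforced there.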