From e9989ed74bcde95bfadfb423c6a729c65b2ed297 Mon Sep 17 00:00:00 2001
From: Andrew Bonney <andrew.bonney@bbc.co.uk>
Date: Fri, 5 Aug 2022 10:42:59 +0100
Subject: [PATCH] tls1.2: update ciphers to latest recommendations

Based upon usual recommendations from:
https://hynek.me/articles/hardening-your-web-servers-ssl-ciphers/

Change-Id: Ia17660eb19cb2ad15f8d511cad2fce95f39b706b
---
 inventory/group_vars/all/ssl.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/inventory/group_vars/all/ssl.yml b/inventory/group_vars/all/ssl.yml
index 4b6952ea14..584b143c83 100644
--- a/inventory/group_vars/all/ssl.yml
+++ b/inventory/group_vars/all/ssl.yml
@@ -18,7 +18,7 @@
 # services running behind Apache (currently, Horizon and Keystone).
 ssl_protocol: "ALL -SSLv2 -SSLv3 -TLSv1 -TLSv1.1"
 # Cipher suite string from https://hynek.me/articles/hardening-your-web-servers-ssl-ciphers/
-ssl_cipher_suite_tls12: "{{ ssl_cipher_suite | default('ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:RSA+AESGCM:RSA+AES:!aNULL:!MD5:!DSS') }}"
+ssl_cipher_suite_tls12: "{{ ssl_cipher_suite | default('ECDH+AESGCM:ECDH+CHACHA20:ECDH+AES256:ECDH+AES128:!aNULL:!SHA1:!AESCCM') }}"
 ssl_cipher_suite_tls13: "TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256"
 
 #variables used in OSA roles which call the PKI role