TLS versions

tasks/checks.yml

@@ -2,8 +2,6 @@
 # TODO Check that the supplied variables are sane, for example we can't have no
 # mpm or we can't have mpm_event and mpm_prefork
 
-  
-
 - name: Check the Apache version, modules and conf, loaded and enabled
   block:
 
@@ -24,7 +22,7 @@
 
     - name: Debug Apache version
       debug:
-        var: apache_version 
+        var: apache_version
         verbosity: 1
 
     - name: TLS versions
@@ -32,7 +30,7 @@
 
         - name: Set facts for TLS versions
           set_fact:
-            apache_tls1_3: True
+            apache_tls1_3: true
           when: apache_version is version('2.4.41', '>=')
 
         - name: Debug TLS 1.3 variable

templates/ssl.conf.j2

@@ -59,7 +59,7 @@
 	#   options.
 	#   Enable only secure ciphers:
 	# https://wiki.mozilla.org/Security/Server_Side_TLS#Modern_compatibility
-	SSLCipherSuite {{ apache_ssl_cipher_suite }}
+	SSLCipherSuite {% if apache_tls1_3 == True %}{{ apache_tls1_3_cipher_suites }}:{% endif %}{{ apache_tls1_2_cipher_suites }}
 
 	# SSL server cipher order preference:
 	# Use server priorities for cipher algorithm choice.
@@ -73,7 +73,7 @@
 	#   The protocols to enable.
 	#   Available values: all, SSLv3, TLSv1, TLSv1.1, TLSv1.2
 	#   SSL v2  is no longer supported
-	SSLProtocol {{ apache_ssl_protocol }}
+	SSLProtocol TLSv1.2 {% if apache_tls1_3 == True %}TLSv1.3{% endif %}
 
 	#   Allow insecure renegotiation with clients which do not yet support the
 	#   secure renegotiation protocol. Default: Off