From df9c165383ade036946b769ae9314e8bea6dd8b1 Mon Sep 17 00:00:00 2001
From: Matt Martz
Date: Mon, 20 May 2024 14:52:25 -0500
Subject: [PATCH 1/3] Add new endpoint for cipher testing

---
 create_certs.sh | 1 +
 nginx.sites.conf | 21 +++++++++++++++++++++
 2 files changed, 22 insertions(+)

diff --git a/create_certs.sh b/create_certs.sh
index 739b1e7..622ec93 100755
--- a/create_certs.sh
+++ b/create_certs.sh
@@ -36,3 +36,4 @@ create_cert "${ca1}" "sni1.ansible.http.tests"
 create_cert "${ca1}" "sni2.ansible.http.tests"
 create_cert "${ca1}" "client.ansible.http.tests"
 create_cert "${ca2}" "self-signed.ansible.http.tests"
+create_cert "${ca1}" "insecure.ansible.http.tests"
diff --git a/nginx.sites.conf b/nginx.sites.conf
index 1543764..78014b8 100644
--- a/nginx.sites.conf
+++ b/nginx.sites.conf
@@ -74,6 +74,27 @@ server {
 }
 }
 
+server {
+ listen 80;
+ listen 445 ssl;
+
+ server_name insecure.ansible.http.tests;
+
+ ssl_certificate /root/ca/insecure.ansible.http.tests-cert.pem;
+ ssl_certificate_key /root/ca/private/insecure.ansible.http.tests-key.pem;
+
+ ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
+ ssl_ciphers ECDHE-RSA-AES128-SHA256:!ECDHE-ECDSA-AES128-SHA;
+
+ location / {
+ return 200 "insecure.ansible.http.tests";
+ }
+
+ location /redir {
+ rewrite .* https://insecure.ansible.http.tests:445/ permanent;
+ }
+}
+
 server {
 listen 80;
 listen 444 ssl;

From 3abb7094f362783b2a58080ab82efd8ef8c05a16 Mon Sep 17 00:00:00 2001
From: Matt Martz
Date: Tue, 21 May 2024 11:25:11 -0500
Subject: [PATCH 2/3] add 2 endpoints without tls1.3, one weak, the other strong

---
 create_certs.sh | 3 ++-
 nginx.sites.conf | 33 +++++++++++++++++++++++++++------
 2 files changed, 29 insertions(+), 7 deletions(-)

diff --git a/create_certs.sh b/create_certs.sh
index 622ec93..fa61541 100755
--- a/create_certs.sh
+++ b/create_certs.sh
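Review bot: In the `ssl_ciphers ECDHE-RSA-AES128-SHA256:!ECDHE-ECDSA-AES128-SHA;` line of the new `insecure.ansible.http.tests` server, the `!ECDHE-ECDSA-AES128-SHA` exclusion is a no-op: the list names only one positive suite, and with an RSA certificate no ECDSA suite could be offered anyway. Nothing in the block says what is meant to be insecure about it — ECDHE-RSA-AES128-SHA256 is an ordinary TLS 1.2 CBC suite, so the only weak property is `ssl_protocols TLSv1 TLSv1.1 TLSv1.2;`, and whether TLS 1.0/1.1 actually negotiate depends on the nginx host's OpenSSL (3.x refuses them above security level 0), which makes the test's expectation environment-dependent. Suggest `ssl_ciphers ECDHE-RSA-AES128-SHA256;` plus a comment naming the property under test, e.g. `# no TLS 1.3 and a single CBC suite; TLS 1.0/1.1 only negotiate if the host OpenSSL security level allows them`.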
@@ -35,5 +35,6 @@ create_cert "${ca1}" "ansible.http.tests"
 create_cert "${ca1}" "sni1.ansible.http.tests"
 create_cert "${ca1}" "sni2.ansible.http.tests"
 create_cert "${ca1}" "client.ansible.http.tests"
+create_cert "${ca1}" "no-tls13.ansible.http.tests"
+create_cert "${ca1}" "no-tls13-weak.ansible.http.tests"
 create_cert "${ca2}" "self-signed.ansible.http.tests"
-create_cert "${ca1}" "insecure.ansible.http.tests"
diff --git a/nginx.sites.conf b/nginx.sites.conf
index 78014b8..0320b27 100644
--- a/nginx.sites.conf
+++ b/nginx.sites.conf
@@ -78,20 +78,41 @@ server {
 listen 80;
 listen 445 ssl;
 
- server_name insecure.ansible.http.tests;
+ server_name no-tls13.ansible.http.tests;
 
- ssl_certificate /root/ca/insecure.ansible.http.tests-cert.pem;
- ssl_certificate_key /root/ca/private/insecure.ansible.http.tests-key.pem;
+ ssl_certificate /root/ca/no-tls13.ansible.http.tests-cert.pem;
+ ssl_certificate_key /root/ca/private/no-tls13.ansible.http.tests-key.pem;
 
 ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
- ssl_ciphers ECDHE-RSA-AES128-SHA256:!ECDHE-ECDSA-AES128-SHA;
+ ssl_ciphers @SECLEVEL=2:ECDH+AESGCM:ECDH+CHACHA20:ECDH+AES:DHE+AES:!aNULL:!eNULL:!aDSS:!SHA1:!AESCCM;
 
 location / {
- return 200 "insecure.ansible.http.tests";
+ return 200 "no-tls13.ansible.http.tests";
 }
 
 location /redir {
- rewrite .* https://insecure.ansible.http.tests:445/ permanent;
+ rewrite .* https://no-tls13.ansible.http.tests:445/ permanent;
+ }
+}
+
+server {
+ listen 80;
+ listen 445 ssl;
+
+ server_name no-tls13-weak.ansible.http.tests;
+
+ ssl_certificate /root/ca/no-tls13-weak.ansible.http.tests-cert.pem;
+ ssl_certificate_key /root/ca/private/no-tls13-weak.ansible.http.tests-key.pem;
+
+ ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
+ ssl_ciphers AES128-SHA;
+
+ location / {
+ return 200 "no-tls13-weak.ansible.http.tests";
+ }
+
+ location /redir {
+ rewrite .* https://no-tls13-weak.ansible.http.tests:445/ permanent;
 }
 }

From 15fde509ea0e81b39855db7da891bf24d8f6bd01 Mon Sep 17 00:00:00 2001
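Review bot: On the `no-tls13.ansible.http.tests` server the new `ssl_ciphers @SECLEVEL=2:…:!SHA1:!AESCCM;` string contradicts the unchanged `ssl_protocols TLSv1 TLSv1.1 TLSv1.2;` above it: OpenSSL 3.x only negotiates TLS 1.0/1.1 at security level 0 (their handshake signatures are SHA-1 based), so at level 2 this endpoint is in practice TLS 1.2-only while the config advertises older versions. If "strong, no TLS 1.3" is the intent, state it by trimming to `ssl_protocols TLSv1.2;` and adding `# TLS 1.2 only (no 1.3): exercises clients that must step down from TLS 1.3 without touching a weak suite`; if TLS 1.0/1.1 clients are meant to reach this block, it needs a lower security level and a comment saying so. The second block's `ssl_ciphers AES128-SHA;` (RSA key exchange, CBC, SHA-1) is appropriate only because the host is explicitly named weak, and a one-line comment stating that it is deliberate would keep a later cleanup from "fixing" it.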
From: Matt Martz
Date: Tue, 21 May 2024 15:20:38 -0500
Subject: [PATCH 3/3] Pick a different weak cipher, move weak endpoint to it's own port

---
 nginx.sites.conf | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/nginx.sites.conf b/nginx.sites.conf
index 0320b27..d091be6 100644
--- a/nginx.sites.conf
+++ b/nginx.sites.conf
@@ -97,7 +97,7 @@ server {
 
 server {
 listen 80;
- listen 445 ssl;
+ listen 446 ssl;
 
 server_name no-tls13-weak.ansible.http.tests;
 
@@ -105,14 +105,14 @@ server {
 ssl_certificate_key /root/ca/private/no-tls13-weak.ansible.http.tests-key.pem;
 
 ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
- ssl_ciphers AES128-SHA;
+ ssl_ciphers AES128-CCM8;
 
 location / {
 return 200 "no-tls13-weak.ansible.http.tests";
 }
 
 location /redir {
- rewrite .* https://no-tls13-weak.ansible.http.tests:445/ permanent;
+ rewrite .* https://no-tls13-weak.ansible.http.tests:446/ permanent;
 }
 }
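Review bot: The new `ssl_ciphers AES128-CCM8;` line carries no comment explaining why this particular suite is the "weak" one, and the commit message only says a different weak cipher was picked. Suggest `# deliberately weak: RSA key exchange (no forward secrecy) with a truncated 64-bit CCM tag; tests clients that must reject suites outside modern defaults` above it, so the next person does not "fix" it. Availability of this suite also depends on the nginx host's OpenSSL build and security level: if CCM suites are compiled out or the level is raised, the handshake fails with no shared cipher rather than producing the behaviour the test expects, which is worth noting in that comment. The `:446` in the `/redir` rewrite duplicates the `listen 446 ssl;` from the first hunk; any future port move has to change both.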