Merge pull request #2336 from ekohl/update-ssl-defaults

Update EL8+ and Debian SSL defaults

Author: david22swan

manifests/mod/ssl.pp

@@ -98,11 +98,11 @@
   Optional[Stdlib::Absolutepath] $ssl_cert                  = undef,
   Optional[Stdlib::Absolutepath] $ssl_key                   = undef,
   Optional[Stdlib::Absolutepath] $ssl_ca                    = undef,
-  String $ssl_cipher                                        = 'HIGH:MEDIUM:!aNULL:!MD5:!RC4:!3DES',
+  String $ssl_cipher                                        = $apache::params::ssl_cipher,
   Variant[Boolean, Enum['on', 'off']] $ssl_honorcipherorder = true,
   Array[String] $ssl_protocol                               = $apache::params::ssl_protocol,
   Array $ssl_proxy_protocol                                 = [],
-  Optional[String[1]] $ssl_proxy_cipher_suite               = undef,
+  Optional[String[1]] $ssl_proxy_cipher_suite               = $apache::params::ssl_proxy_cipher_suite,
   String $ssl_pass_phrase_dialog                            = 'builtin',
   Integer $ssl_random_seed_bytes                            = 512,
   String $ssl_sessioncache                                  = $apache::params::ssl_sessioncache,

manifests/params.pp

@@ -723,8 +723,17 @@
   }
 
   if $facts['os']['family'] == 'RedHat' and versioncmp($facts['os']['release']['major'], '8') >= 0 {
-    $ssl_protocol = ['all'] # Implementations of the SSLv2 and SSLv3 protocol versions have been removed from OpenSSL (and hence mod_ssl) because these are no longer considered secure. For additional documentation https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html/deploying_different_types_of_servers/setting-apache-web-server_deploying-different-types-of-servers
+    # Use OpenSSL system profile. See update-crypto-policies(8) for more details
+    $ssl_protocol = []
+    $ssl_cipher = 'PROFILE=SYSTEM'
+    $ssl_proxy_cipher_suite = 'PROFILE=SYSTEM'
+  } elsif $facts['os']['family'] == 'Debian' {
+    $ssl_protocol = ['all', '-SSLv3']
+    $ssl_cipher = 'HIGH:!aNULL'
+    $ssl_proxy_cipher_suite = undef
   } else {
     $ssl_protocol = ['all', '-SSLv2', '-SSLv3']
+    $ssl_cipher = 'HIGH:MEDIUM:!aNULL:!MD5:!RC4:!3DES'
+    $ssl_proxy_cipher_suite = undef
   }
 }

spec/acceptance/apache_ssl_spec.rb

@@ -24,7 +24,9 @@ class { 'apache':
     describe file("#{apache_hash['mod_ssl_dir']}/ssl.conf") do
       it { is_expected.to be_file }
       if os[:family].include?('redhat') && os[:release].to_i >= 8
-        it { is_expected.to contain 'SSLProtocol all' }
+        it { is_expected.not_to contain 'SSLProtocol' }
+      elsif ['debian', 'ubuntu'].include?(os[:family])
+        it { is_expected.to contain 'SSLProtocol all -SSLv3' }
       else
         it { is_expected.to contain 'SSLProtocol all -SSLv2 -SSLv3' }
       end

spec/classes/mod/ssl_spec.rb

@@ -20,18 +20,29 @@
       it {
         is_expected.to contain_file('ssl.conf')
           .with_path('/etc/httpd/conf.modules.d/ssl.conf')
-          .with_content(%r{SSLProtocol all})
-          .without_content(%r{SSLProxyCipherSuite})
+          .without_content(%r{SSLProtocol})
+          .with_content(%r{^  SSLCipherSuite PROFILE=SYSTEM$})
+          .with_content(%r{^  SSLProxyCipherSuite PROFILE=SYSTEM$})
       }
 
       context 'with ssl_proxy_cipher_suite' do
         let(:params) do
           {
-            ssl_proxy_cipher_suite: 'PROFILE=system',
+            ssl_proxy_cipher_suite: 'HIGH',
           }
         end
 
-        it { is_expected.to contain_file('ssl.conf').with_content(%r{SSLProxyCipherSuite PROFILE=system}) }
+        it { is_expected.to contain_file('ssl.conf').with_content(%r{SSLProxyCipherSuite HIGH}) }
+      end
+
+      context 'with empty ssl_protocol' do
+        let(:params) do
+          {
+            ssl_protocol: [],
+          }
+        end
+
+        it { is_expected.to contain_file('ssl.conf').without_content(%r{SSLProtocol}) }
       end
     end
 
@@ -58,7 +69,7 @@
     it { is_expected.to contain_class('apache::params') }
     it { is_expected.to contain_apache__mod('ssl') }
     it { is_expected.not_to contain_package('libapache2-mod-ssl') }
-    it { is_expected.to contain_file('ssl.conf').with_content(%r{SSLProtocol all -SSLv2 -SSLv3}) }
+    it { is_expected.to contain_file('ssl.conf').with_content(%r{SSLProtocol all -SSLv3}) }
   end
   context 'on a FreeBSD OS' do
     include_examples 'FreeBSD 9'

templates/mod/ssl.conf.erb

@@ -40,7 +40,9 @@
   SSLStaplingCache "shmcb:<%= @_stapling_cache %>"
 <% end -%>
   SSLCipherSuite <%= @ssl_cipher %>
+<% if not @ssl_protocol.empty? -%>
   SSLProtocol <%= @ssl_protocol.compact.join(' ') %>
+<% end -%>
 <% if not @ssl_proxy_protocol.empty? -%>
   SSLProxyProtocol <%= @ssl_proxy_protocol.compact.join(' ') %>
 <% end -%>