Match EL8 crypto defaults

On EL8+ OpenSSL is patched to support a unified crypto policy. This is
also the default when installing mod_ssl. Users of RHEL Insights will
also receive warnings when the defaults differ.

Author: ekohl

manifests/mod/ssl.pp

@@ -98,11 +98,11 @@
   Optional[Stdlib::Absolutepath] $ssl_cert                  = undef,
   Optional[Stdlib::Absolutepath] $ssl_key                   = undef,
   Optional[Stdlib::Absolutepath] $ssl_ca                    = undef,
-  String $ssl_cipher                                        = 'HIGH:MEDIUM:!aNULL:!MD5:!RC4:!3DES',
+  String $ssl_cipher                                        = $apache::params::ssl_cipher,
   Variant[Boolean, Enum['on', 'off']] $ssl_honorcipherorder = true,
   Array[String] $ssl_protocol                               = $apache::params::ssl_protocol,
   Array $ssl_proxy_protocol                                 = [],
-  Optional[String[1]] $ssl_proxy_cipher_suite               = undef,
+  Optional[String[1]] $ssl_proxy_cipher_suite               = $apache::params::ssl_proxy_cipher_suite,
   String $ssl_pass_phrase_dialog                            = 'builtin',
   Integer $ssl_random_seed_bytes                            = 512,
   String $ssl_sessioncache                                  = $apache::params::ssl_sessioncache,

manifests/params.pp

@@ -723,8 +723,13 @@
   }
 
   if $facts['os']['family'] == 'RedHat' and versioncmp($facts['os']['release']['major'], '8') >= 0 {
-    $ssl_protocol = ['all'] # Implementations of the SSLv2 and SSLv3 protocol versions have been removed from OpenSSL (and hence mod_ssl) because these are no longer considered secure. For additional documentation https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html/deploying_different_types_of_servers/setting-apache-web-server_deploying-different-types-of-servers
+    # Use OpenSSL system profile. See update-crypto-policies(8) for more details
+    $ssl_protocol = []
+    $ssl_cipher = 'PROFILE=SYSTEM'
+    $ssl_proxy_cipher_suite = 'PROFILE=SYSTEM'
   } else {
     $ssl_protocol = ['all', '-SSLv2', '-SSLv3']
+    $ssl_cipher = 'HIGH:MEDIUM:!aNULL:!MD5:!RC4:!3DES'
+    $ssl_proxy_cipher_suite = undef
   }
 }

spec/acceptance/apache_ssl_spec.rb

@@ -24,7 +24,7 @@ class { 'apache':
     describe file("#{apache_hash['mod_ssl_dir']}/ssl.conf") do
       it { is_expected.to be_file }
       if os[:family].include?('redhat') && os[:release].to_i >= 8
-        it { is_expected.to contain 'SSLProtocol all' }
+        it { is_expected.not_to contain 'SSLProtocol' }
       else
         it { is_expected.to contain 'SSLProtocol all -SSLv2 -SSLv3' }
       end

spec/classes/mod/ssl_spec.rb

@@ -20,18 +20,19 @@
       it {
         is_expected.to contain_file('ssl.conf')
           .with_path('/etc/httpd/conf.modules.d/ssl.conf')
-          .with_content(%r{SSLProtocol all})
-          .without_content(%r{SSLProxyCipherSuite})
+          .without_content(%r{SSLProtocol})
+          .with_content(%r{^  SSLCipherSuite PROFILE=SYSTEM$})
+          .with_content(%r{^  SSLProxyCipherSuite PROFILE=SYSTEM$})
       }
 
       context 'with ssl_proxy_cipher_suite' do
         let(:params) do
           {
-            ssl_proxy_cipher_suite: 'PROFILE=system',
+            ssl_proxy_cipher_suite: 'HIGH',
           }
         end
 
-        it { is_expected.to contain_file('ssl.conf').with_content(%r{SSLProxyCipherSuite PROFILE=system}) }
+        it { is_expected.to contain_file('ssl.conf').with_content(%r{SSLProxyCipherSuite HIGH}) }
       end
 
       context 'with empty ssl_protocol' do