From 298b0bac42cb187bc4a72c7e2cc58bd4b4e9586b Mon Sep 17 00:00:00 2001
From: Ewoud Kohl van Wijngaarden
Date: Thu, 13 Oct 2022 19:26:22 +0200
Subject: [PATCH] Update Debian SSL protocols and ciphers to match defaults

Debian 10 and Ubuntu 18.04 (oldest of supported Debian-based distros) default to these values. This gives a safer out-of-the-box experience.

---
 manifests/params.pp | 4 ++++
 spec/acceptance/apache_ssl_spec.rb | 2 ++
 spec/classes/mod/ssl_spec.rb | 2 +-
 3 files changed, 7 insertions(+), 1 deletion(-)
diff --git a/manifests/params.pp b/manifests/params.pp
index 47599b9020..7d6bcea08e 100644
--- a/manifests/params.pp
+++ b/manifests/params.pp
@@ -727,6 +727,10 @@
 $ssl_protocol = []
 $ssl_cipher = 'PROFILE=system'
 $ssl_proxy_cipher_suite = 'PROFILE=system'
+ } elsif $facts['os']['family'] == 'Debian' {
+ $ssl_protocol = ['all', '-SSLv3']
+ $ssl_cipher = 'HIGH:!aNULL'
+ $ssl_proxy_cipher_suite = undef
 } else {
 $ssl_protocol = ['all', '-SSLv2', '-SSLv3']
 $ssl_cipher = 'HIGH:MEDIUM:!aNULL:!MD5:!RC4:!3DES'
diff --git a/spec/acceptance/apache_ssl_spec.rb b/spec/acceptance/apache_ssl_spec.rb
index ff2507e25c..5e1c5909b6 100644
--- a/spec/acceptance/apache_ssl_spec.rb
+++ b/spec/acceptance/apache_ssl_spec.rb
@@ -25,6 +25,8 @@ class { 'apache':
 it { is_expected.to be_file }
 if os[:family].include?('redhat') && os[:release].to_i >= 8
 it { is_expected.not_to contain 'SSLProtocol' }
+ elsif ['debian', 'ubuntu'].include?(os[:family])
+ it { is_expected.to contain 'SSLProtocol all -SSLv3' }
 else
 it { is_expected.to contain 'SSLProtocol all -SSLv2 -SSLv3' }
 end
diff --git a/spec/classes/mod/ssl_spec.rb b/spec/classes/mod/ssl_spec.rb
index 8019abac06..3a9ff6ab25 100644
--- a/spec/classes/mod/ssl_spec.rb
+++ b/spec/classes/mod/ssl_spec.rb
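Review bot: The new Debian branch carries no comment saying why its values differ from the generic `else` branch, and `$ssl_proxy_cipher_suite = undef` is a silent behaviour change for Debian-family hosts, which previously fell through to the `else` branch (its proxy-cipher line lies outside the hunk, so what they got before cannot be confirmed here). `HIGH:!aNULL` also drops the explicit `!MD5:!RC4:!3DES` exclusions the `else` branch keeps, so the effective cipher set now depends on how the platform OpenSSL defines HIGH; that is presumably fine for the OpenSSL 1.1 builds Debian 10 and Ubuntu 18.04 ship, but it is an assumption worth recording. Suggest a comment above the `elsif`: `# Mirror the stock Debian/Ubuntu mod_ssl defaults (SSLProtocol all -SSLv3, SSLCipherSuite HIGH:!aNULL). Assumes the platform OpenSSL (>= 1.1) already excludes RC4/3DES from HIGH; the proxy cipher suite is deliberately left unset.` The enclosing conditional starts and ends outside the hunk.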
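Review bot: The added `elsif` tests the family as `['debian', 'ubuntu'].include?(os[:family])` while the `if` directly above uses `os[:family].include?('redhat')`; the two shapes read as different kinds of check, and the literal would conventionally be `%w[debian ubuntu].include?(os[:family])`. The `contain 'SSLProtocol all -SSLv3'` expectation is a substring match; it does discriminate from the generic `SSLProtocol all -SSLv2 -SSLv3` line, but any option appended later would still pass unnoticed. The enclosing describe block starts outside the hunk.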
@@ -69,7 +69,7 @@
 it { is_expected.to contain_class('apache::params') }
 it { is_expected.to contain_apache__mod('ssl') }
 it { is_expected.not_to contain_package('libapache2-mod-ssl') }
- it { is_expected.to contain_file('ssl.conf').with_content(%r{SSLProtocol all -SSLv2 -SSLv3}) }
+ it { is_expected.to contain_file('ssl.conf').with_content(%r{SSLProtocol all -SSLv3}) }
 end
 context 'on a FreeBSD OS' do
 include_examples 'FreeBSD 9'
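Review bot: The new regexp `%r{SSLProtocol all -SSLv3}` is unanchored, so the rendered `ssl.conf` passes as long as that substring appears anywhere, including a longer directive such as `SSLProtocol all -SSLv3 -TLSv1` or a commented-out line. Because `with_content` receives the whole file and Ruby's `^`/`$` anchor per line, `with_content(%r{^\s*SSLProtocol all -SSLv3$})` pins the exact directive without changing the intent of the commit. The Debian context block this example sits in starts outside the hunk.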