From 17be56bc19014e579418a52fa9aee38a39c17c33 Mon Sep 17 00:00:00 2001
From: Juan Antonio Osorio Robles <jaosorior@redhat.com>
Date: Thu, 19 Apr 2018 09:51:20 +0300
Subject: [PATCH] Disallow SSLv2, SSLv3 and TLS1.0 in httpd for FedRAMP
 compliance.

We now enforce TLS1.1 or higher for httpd connections, to meet the
requirements for FedRAMP.

Change-Id: If875822f1cb705d17405621e64fea2536edc142a
Related-Bug: #1754368
(cherry picked from commit 1b54e4b5a72446cd92042485a48cb82cc451a475)
---
 puppet/services/apache.j2.yaml | 1 +
 1 file changed, 1 insertion(+)

diff --git a/puppet/services/apache.j2.yaml b/puppet/services/apache.j2.yaml
index b8c04e71f8..24287ae128 100644
--- a/puppet/services/apache.j2.yaml
+++ b/puppet/services/apache.j2.yaml
@@ -98,6 +98,7 @@ outputs:
             -
               generate_service_certificates: true
               apache::mod::ssl::ssl_ca: {get_param: InternalTLSCAFile}
+              apache::mod::ssl::ssl_protocol: ['all', '-SSLv2', '-SSLv3', '-TLSv1']
               tripleo::certmonger::apache_dirs::certificate_dir: '/etc/pki/tls/certs/httpd'
               tripleo::certmonger::apache_dirs::key_dir: '/etc/pki/tls/private/httpd'
               apache_certificates_specs: