ncm-metaconfig: Update tests with new SSL defaults

Author: gregcorbett

ncm-metaconfig/src/main/metaconfig/httpd/2.2/tests/profiles/struct/basic_ssl.pan

@@ -2,7 +2,17 @@ structure template struct/basic_ssl;
 
 "options" = list("-OptRenegotiate", "+StrictRequire", "+StdEnvVars");
 "engine" = true;
-"ciphersuite" = list("TLSv1");
+"ciphersuite" = list(
+    "ECDHE-ECDSA-AES128-GCM-SHA256",
+    "ECDHE-RSA-AES128-GCM-SHA256",
+    "ECDHE-ECDSA-AES256-GCM-SHA384",
+    "ECDHE-RSA-AES256-GCM-SHA384",
+    "ECDHE-ECDSA-CHACHA20-POLY1305",
+    "ECDHE-RSA-CHACHA20-POLY1305",
+    "DHE-RSA-AES128-GCM-SHA256",
+    "DHE-RSA-AES256-GCM-SHA384",
+    "DHE-RSA-CHACHA20-POLY1305"
+);
 "certificatefile" = "/etc/cert_file";
 "certificatekeyfile" = "/etc/key_file";
 "cacertificatefile" = "/etc/ca_file";

ncm-metaconfig/src/main/metaconfig/httpd/2.2/tests/profiles/struct/ssl_conf_el6.pan

@@ -41,9 +41,19 @@ structure template struct/ssl_conf_el6;
 
 "vhosts/base/ssl/engine" = true;
 # list("all", "-SSLv2") not allowed
-"vhosts/base/ssl/protocol" =  list("TLSv1");
+"vhosts/base/ssl/protocol" =  list("-all", "+TLSv1.2", "+TLSv1.3");
 # list("ALL", "!ADH", "!EXPORT", "!SSLv2", "RC4", "RSA", "+HIGH", "+MEDIUM", "+LOW")
-"vhosts/base/ssl/ciphersuite" = list("TLSv1");
+"vhosts/base/ssl/ciphersuite" = list(
+    "ECDHE-ECDSA-AES128-GCM-SHA256",
+    "ECDHE-RSA-AES128-GCM-SHA256",
+    "ECDHE-ECDSA-AES256-GCM-SHA384",
+    "ECDHE-RSA-AES256-GCM-SHA384",
+    "ECDHE-ECDSA-CHACHA20-POLY1305",
+    "ECDHE-RSA-CHACHA20-POLY1305",
+    "DHE-RSA-AES128-GCM-SHA256",
+    "DHE-RSA-AES256-GCM-SHA384",
+    "DHE-RSA-CHACHA20-POLY1305"
+);
 "vhosts/base/ssl/certificatefile" = "/etc/pki/tls/certs/localhost.crt";
 "vhosts/base/ssl/certificatekeyfile" = "/etc/pki/tls/private/localhost.key";
 

ncm-metaconfig/src/main/metaconfig/httpd/2.2/tests/regexps/graphite-web/base

@@ -11,10 +11,10 @@ multiline
 ^\s{4}sslcacertificatefile /etc/pki/CA/certs/cachain.pem$
 ^\s{4}sslcertificatefile /etc/pki/tls/certs/cert.pem$
 ^\s{4}sslcertificatekeyfile /etc/pki/tls/private/key.pem$
-^\s{4}sslciphersuite TLSv1$
+^\s{4}sslciphersuite ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-CHACHA20-POLY1305$
 ^\s{4}sslengine on$
 ^\s{4}ssloptions -OptRenegotiate \+StrictRequire \+StdEnvVars$
-^\s{4}sslprotocol TLSv1$
+^\s{4}sslprotocol -all \+TLSv1\.2 \+TLSv1\.3$
 ^\s{4}setenvif User-Agent ".\*MSIE.\*" nokeepalive ssl-unclean-shutdown downgrade-1.0 force-response-1.0$
 ^\s{4}alias /media/ /usr/lib/python2.6/site-packages/django/contrib/admin/media/$
 ^\s{4}wsgiscriptalias / /usr/share/graphite/graphite-web.wsgi$

ncm-metaconfig/src/main/metaconfig/httpd/2.2/tests/regexps/ssl/value

@@ -1,4 +1,4 @@
-Base test for ssl.conf EL6 config 
+Base test for ssl.conf EL6 config
 ---
 multiline
 /etc/httpd/conf.d/ssl.conf
@@ -19,10 +19,10 @@ multiline
 ^\s{4}sslcacertificatefile /etc/ca_file$
 ^\s{4}sslcertificatefile /etc/pki/tls/certs/localhost.crt$
 ^\s{4}sslcertificatekeyfile /etc/pki/tls/private/localhost.key$
-^\s{4}sslciphersuite TLSv1$
+^\s{4}sslciphersuite ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-CHACHA20-POLY1305$
 ^\s{4}sslengine on$
 ^\s{4}ssloptions \-OptRenegotiate \+StrictRequire \+StdEnvVars$
-^\s{4}sslprotocol TLSv1$
+^\s{4}sslprotocol -all \+TLSv1\.2 \+TLSv1\.3$
 ^\s{4}setenvif User-Agent "\.\*MSIE\.\*" nokeepalive ssl-unclean-shutdown downgrade-1.0 force-response-1.0$
 ^\s{4}loglevel warn$
 ^\s{4}errorlog logs/ssl_error_log$

ncm-metaconfig/src/main/metaconfig/httpd/2.2/tests/regexps/wsgi_conf/base

@@ -12,10 +12,10 @@ multiline
 ^\s{4}sslcacertificatefile /etc/ca_file$
 ^\s{4}sslcertificatefile /etc/cert_file$
 ^\s{4}sslcertificatekeyfile /etc/key_file$
-^\s{4}sslciphersuite TLSv1$
+^\s{4}sslciphersuite ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-CHACHA20-POLY1305$
 ^\s{4}sslengine on$
 ^\s{4}ssloptions -OptRenegotiate \+StrictRequire \+StdEnvVars$
-^\s{4}sslprotocol TLSv1$
+^\s{4}sslprotocol -all \+TLSv1\.2 \+TLSv1\.3$
 ^\s{4}alias /django/static/ /var/www/django/static/$
 ^\s{4}wsgiscriptalias /django /var/www/django/wsgi.py$
 ^\s{4}wsgipassauthorization on$

ncm-metaconfig/src/main/metaconfig/httpd/2.4/tests/profiles/struct/basic_ssl.pan

@@ -2,7 +2,17 @@ structure template struct/basic_ssl;
 
 "options" = list("-OptRenegotiate", "+StrictRequire", "+StdEnvVars");
 "engine" = true;
-"ciphersuite" = list("TLSv1");
+"ciphersuite" = list(
+    "ECDHE-ECDSA-AES128-GCM-SHA256",
+    "ECDHE-RSA-AES128-GCM-SHA256",
+    "ECDHE-ECDSA-AES256-GCM-SHA384",
+    "ECDHE-RSA-AES256-GCM-SHA384",
+    "ECDHE-ECDSA-CHACHA20-POLY1305",
+    "ECDHE-RSA-CHACHA20-POLY1305",
+    "DHE-RSA-AES128-GCM-SHA256",
+    "DHE-RSA-AES256-GCM-SHA384",
+    "DHE-RSA-CHACHA20-POLY1305"
+);
 "certificatefile" = "/etc/cert_file";
 "certificatekeyfile" = "/etc/key_file";
 "cacertificatefile" = "/etc/ca_file";

ncm-metaconfig/src/main/metaconfig/httpd/2.4/tests/profiles/struct/ssl_conf_el7.pan

@@ -36,9 +36,19 @@ structure template struct/ssl_conf_el7;
 
 "vhosts/base/ssl/engine" = true;
 # list("all", "-SSLv2") not allowed
-"vhosts/base/ssl/protocol" =  list("TLSv1");
+"vhosts/base/ssl/protocol" =  list("-all", "+TLSv1.2", "+TLSv1.3");
 # list("ALL", "!ADH", "!EXPORT", "!SSLv2", "RC4", "RSA", "+HIGH", "+MEDIUM", "+LOW")
-"vhosts/base/ssl/ciphersuite" = list("TLSv1");
+"vhosts/base/ssl/ciphersuite" = list(
+    "ECDHE-ECDSA-AES128-GCM-SHA256",
+    "ECDHE-RSA-AES128-GCM-SHA256",
+    "ECDHE-ECDSA-AES256-GCM-SHA384",
+    "ECDHE-RSA-AES256-GCM-SHA384",
+    "ECDHE-ECDSA-CHACHA20-POLY1305",
+    "ECDHE-RSA-CHACHA20-POLY1305",
+    "DHE-RSA-AES128-GCM-SHA256",
+    "DHE-RSA-AES256-GCM-SHA384",
+    "DHE-RSA-CHACHA20-POLY1305"
+);
 "vhosts/base/ssl/certificatefile" = "/etc/pki/tls/certs/localhost.crt";
 "vhosts/base/ssl/certificatekeyfile" = "/etc/pki/tls/private/localhost.key";
 

ncm-metaconfig/src/main/metaconfig/httpd/2.4/tests/regexps/davrods/base

@@ -8,10 +8,10 @@ Base test for davrods.conf config
 ^\s{4}sslcacertificatefile /etc/pki/CA/certs/cachain.pem$
 ^\s{4}sslcertificatefile /etc/pki/tls/certs/cert.pem$
 ^\s{4}sslcertificatekeyfile /etc/pki/tls/private/key.pem$
-^\s{4}sslciphersuite TLSv1$
+^\s{4}sslciphersuite ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-CHACHA20-POLY1305$
 ^\s{4}sslengine on$
 ^\s{4}ssloptions -OptRenegotiate \+StrictRequire \+StdEnvVars$
-^\s{4}sslprotocol TLSv1$
+^\s{4}sslprotocol -all \+TLSv1\.2 \+TLSv1\.3$
 ^\s{4}loglevel warn$
 ^\s{4}errorlog logs/ssl_error_log$
 ^\s{4}transferlog logs/ssl_access_log$
@@ -32,4 +32,3 @@ Base test for davrods.conf config
 ^\s{8}directoryindex disabled$
 ^\s{4}</location>$
 ^</virtualhost>$
-

ncm-metaconfig/src/main/metaconfig/httpd/2.4/tests/regexps/graphite-web/base

@@ -11,10 +11,10 @@ multiline
 ^\s{4}sslcacertificatefile /etc/pki/CA/certs/cachain.pem$
 ^\s{4}sslcertificatefile /etc/pki/tls/certs/cert.pem$
 ^\s{4}sslcertificatekeyfile /etc/pki/tls/private/key.pem$
-^\s{4}sslciphersuite TLSv1$
+^\s{4}sslciphersuite ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-CHACHA20-POLY1305$
 ^\s{4}sslengine on$
 ^\s{4}ssloptions -OptRenegotiate \+StrictRequire \+StdEnvVars$
-^\s{4}sslprotocol TLSv1$
+^\s{4}sslprotocol -all \+TLSv1\.2 \+TLSv1\.3$
 ^\s{4}alias /media/ /usr/lib/python2.6/site-packages/django/contrib/admin/media/$
 ^\s{4}wsgiscriptalias / /usr/share/graphite/graphite-web.wsgi$
 ^\s{4}wsgiimportscript /usr/share/graphite/graphite-web.wsgi process-group=%\{GLOBAL\} application-group=%\{GLOBAL\}$

ncm-metaconfig/src/main/metaconfig/httpd/2.4/tests/regexps/ssl/value

@@ -1,4 +1,4 @@
-Base test for ssl.conf EL6 config 
+Base test for ssl.conf EL6 config
 ---
 multiline
 /etc/httpd/conf.d/ssl.conf
@@ -19,10 +19,10 @@ multiline
 ^\s{4}sslcacertificatefile /etc/ca_file$
 ^\s{4}sslcertificatefile /etc/pki/tls/certs/localhost.crt$
 ^\s{4}sslcertificatekeyfile /etc/pki/tls/private/localhost.key$
-^\s{4}sslciphersuite TLSv1$
+^\s{4}sslciphersuite ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-CHACHA20-POLY1305$
 ^\s{4}sslengine on$
 ^\s{4}ssloptions \-OptRenegotiate \+StrictRequire \+StdEnvVars$
-^\s{4}sslprotocol TLSv1$
+^\s{4}sslprotocol -all \+TLSv1\.2 \+TLSv1\.3$
 ^\s{4}loglevel warn$
 ^\s{4}errorlog logs/ssl_error_log$
 ^\s{4}transferlog logs/ssl_access_log$