From e4568fb3c993ce0d169f69a4f7378044d7af76ef Mon Sep 17 00:00:00 2001
From: Evgeni Golov
Date: Fri, 14 Jun 2024 16:47:34 +0200
Subject: [PATCH] enable TLSv1.3 by default

We have new enough Tomcat by now ;)
---
 manifests/init.pp | 2 +-
 spec/acceptance/basic_candlepin_spec.rb | 7 +++----
 spec/classes/candlepin_spec.rb | 6 +++---
 3 files changed, 7 insertions(+), 8 deletions(-)

diff --git a/manifests/init.pp b/manifests/init.pp
index d59efba..2819401 100644
--- a/manifests/init.pp
+++ b/manifests/init.pp
@@ -209,7 +209,7 @@
 Stdlib::Absolutepath $ca_cert = '/etc/candlepin/certs/candlepin-ca.crt',
 Optional[Variant[Sensitive[String], String]] $ca_key_password = undef,
 Array[String] $ciphers = $candlepin::params::ciphers,
- Array[String] $tls_versions = ['1.2'],
+ Array[String] $tls_versions = ['1.2', '1.3'],
 Optional[String[1]] $java_package = undef,
 String $version = 'present',
 Optional[String] $adapter_module = undef,
diff --git a/spec/acceptance/basic_candlepin_spec.rb b/spec/acceptance/basic_candlepin_spec.rb
index 329e3eb..a1b849d 100644
--- a/spec/acceptance/basic_candlepin_spec.rb
+++ b/spec/acceptance/basic_candlepin_spec.rb
@@ -14,13 +14,12 @@
 end
 describe command('nmap --script +ssl-enum-ciphers localhost -p 8443') do
- # We don't enable TLSv1.3 by default yet. TLSv1.3 support was added in tomcat 7.0.92
- # But tomcat 7.0.76 is the latest version available on EL7
- its(:stdout) { should_not match(/TLSv1\.3/) }
-
 # Test that TLSv1.2 is enabled
 its(:stdout) { should match(/TLSv1\.2/) }
+ # Test that TLSv1.3 is enabled
+ its(:stdout) { should match(/TLSv1\.3/) }
+
 # Test that older TLS versions are disabled
 its(:stdout) { should_not match(/TLSv1\.1/) }
 its(:stdout) { should_not match(/TLSv1\.0/) }
diff --git a/spec/classes/candlepin_spec.rb b/spec/classes/candlepin_spec.rb
index 52b45b0..cfab38a 100644
--- a/spec/classes/candlepin_spec.rb
+++ b/spec/classes/candlepin_spec.rb
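Review bot: The new default `['1.2', '1.3']` only produces a TLSv1.3-capable listener if the `$ciphers` default on the line above it (`$candlepin::params::ciphers`, defined outside this hunk) contains at least one TLS 1.3 suite; with a 1.2-only suite list JSSE is likely to leave TLSv1.3 unusable even though the protocol is enabled, and only the acceptance test would notice. Worth confirming that params.pp carries the 1.3 suites and recording that coupling in the `tls_versions` parameter documentation, which also still needs the new default. The element type stays `Array[String]`, so a malformed entry such as `'1,3'` is only rejected when Tomcat fails to start rather than at catalog compile time; a `Pattern`-constrained element type would reject it at compile time while still accepting the existing values. The `candlepin` class parameter list and its doc comments begin and end outside this hunk.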
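Review bot: The removed comment was the only place recording why TLSv1.3 had been off (support arrived in Tomcat 7.0.92 per the deleted lines), and the new `# Test that TLSv1.3 is enabled` comment drops that, so a failure on an older Tomcat gives no hint about the cause. Suggest extending it to `# Test that TLSv1.3 is enabled (needs Tomcat >= 7.0.92 and a TLS 1.3 cipher suite in $ciphers)`. The positive `should match` assertions are also what stop the `should_not match` checks on TLSv1.1/1.0 from passing vacuously when nmap produces no output, so they should stay alongside the negative ones. The enclosing `describe` block's outer context starts outside this hunk.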
@@ -313,14 +313,14 @@
 describe 'with tls_versions' do
 let :params do
- {tls_versions: ['1.2', '1.3']}
+ {tls_versions: ['1.3']}
 end
 it { is_expected.to compile.with_all_deps }
 it do
 is_expected.to contain_file("/etc/tomcat/server.xml").
- with_content(/sslProtocol="TLSv1.2,TLSv1.3"/).
- with_content(/sslEnabledProtocols="TLSv1.2,TLSv1.3"/)
+ with_content(/sslProtocol="TLSv1.3"/).
+ with_content(/sslEnabledProtocols="TLSv1.3"/)
 end
 end