Harden Keystone's Apache config

Previously the keystone-httpd.conf was only blacklisting SSLv2 and was
allowing suboptimal (and in some cases, prohibited) cipher suites (e.g.,
RC4).

Change-Id: I4456bc1a0056da051947977a26dd6d57c549e421
Closes-bug: 1437481

playbooks/roles/os_keystone/defaults/main.yml

@@ -111,6 +111,9 @@ keystone_ssl_enabled: false
 keystone_ssl_cert: /etc/ssl/certs/apache.cert
 keystone_ssl_key: /etc/ssl/private/apache.key
 keystone_ssl_cert_path: /etc/ssl/certs
+keystone_ssl_protocol: "ALL -SSLv2 -SSLv3"
+# Cipher suite string from https://hynek.me/articles/hardening-your-web-servers-ssl-ciphers/
+keystone_ssl_cipher_suite: "ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:!aNULL:!MD5:!DSS"
 
 ## Caching
 # If set this will enable dog pile cache for keystone.

playbooks/roles/os_keystone/templates/keystone-httpd.conf.j2

@@ -18,8 +18,9 @@ WSGIDaemonProcess keystone user={{ keystone_system_user_name }} group=nogroup pr
     SSLCARevocationPath   {{ keystone_ssl_cert_path }}
     SSLVerifyClient optional
     SSLVerifyDepth 10
-    SSLProtocol all -SSLv2
-    SSLCipherSuite ALL:!ADH:!EXPORT:!SSLv2:RC4+RSA:+HIGH:+MEDIUM:+LOW
+    SSLProtocol {{ keystone_ssl_protocol }}
+    SSLHonorCipherOrder On
+    SSLCipherSuite {{ keystone_ssl_cipher_suite }}
     SSLOptions +StdEnvVars +ExportCertData
     {% endif %}
 
@@ -41,8 +42,9 @@ WSGIDaemonProcess keystone user={{ keystone_system_user_name }} group=nogroup pr
     SSLCARevocationPath   {{ keystone_ssl_cert_path }}
     SSLVerifyClient optional
     SSLVerifyDepth 10
-    SSLProtocol all -SSLv2
-    SSLCipherSuite ALL:!ADH:!EXPORT:!SSLv2:RC4+RSA:+HIGH:+MEDIUM:+LOW
+    SSLProtocol {{ keystone_ssl_protocol }}
+    SSLHonorCipherOrder On
+    SSLCipherSuite {{ keystone_ssl_cipher_suite }}
     SSLOptions +StdEnvVars +ExportCertData
     {% endif %}