Type: Epic
Summary: foreman-proxy crypto-policies
Status: To Do
Resolution: Unresolved
sat-endeavour
Goal:
The Satellite stack has been migrating to have all cryptographic configuration done through the RHEL system-wide cryptographic policies (see https://docs.redhat.com/en/documentation/red_hat_enterprise_linux/9/html/security_hardening/using-the-system-wide-cryptographic-policies_security-hardening). Today the foreman-proxy process does not follow those policies even though it is exposed to client systems, so changing the host's policy (for example with update-crypto-policies --set) has no effect on the TLS protocol versions and ciphers that foreman-proxy accepts.
Acceptance Criteria:
- Users can use RHEL's crypto-policies to change the security profile for the foreman-proxy process
Context:
Currently a hardcoded cipher list is used (https://github.com/theforeman/smart-proxy/blob/5a2e3da93dbb924ac9cf2ae60c1e4b3ba9f937db/lib/launcher.rb#L7-L9). In addition, the launcher disables some SSL/TLS protocol versions (everything below TLS 1.2, see https://github.com/theforeman/smart-proxy/blob/5a2e3da93dbb924ac9cf2ae60c1e4b3ba9f937db/lib/launcher.rb#L72-L75). Users can disable individual entries from those lists through settings.yml (https://github.com/theforeman/smart-proxy/blob/5a2e3da93dbb924ac9cf2ae60c1e4b3ba9f937db/config/settings.yml.example#L10-L19), but they cannot add ciphers or protocol versions, nor replace the list altogether, so the system-wide policy is never consulted.
On Red Hat's OpenSSL build the cipher string PROFILE=SYSTEM resolves to the cipher list of the active system-wide policy, and the policy's protocol settings come from the crypto-policies back-end configuration that the system openssl.cnf includes. These are Red Hat patches and configuration, not upstream OpenSSL: on an upstream build PROFILE=SYSTEM matches no cipher and setting it fails, so care must be taken to maintain compatibility with other systems, for example by detecting support at startup and falling back to an explicit list.
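As an added illustration of the compatibility concern above (example code written for this ticket, not smart-proxy's own launcher code), the following Ruby probes whether the OpenSSL that Ruby is linked against understands Red Hat's PROFILE=SYSTEM cipher string and builds an SSLContext accordingly. The fallback cipher list, the helper names and the :system_policy/:hardcoded labels are assumptions made for the example; they are not taken from smart-proxy.

```ruby
require 'openssl'

# Added example (not smart-proxy code): build an SSLContext that follows the
# system-wide crypto policy where the OpenSSL build supports Red Hat's
# "PROFILE=SYSTEM" cipher string, and otherwise falls back to an explicit
# cipher list so the same code keeps working on upstream OpenSSL.

# Fallback list used only where PROFILE=SYSTEM is unavailable. This is an
# assumption for the example, not the list smart-proxy ships.
FALLBACK_CIPHERS = 'ECDHE+AESGCM:ECDHE+CHACHA20:DHE+AESGCM:!aNULL:!eNULL:!MD5:!RC4'.freeze

# True when this OpenSSL understands PROFILE=SYSTEM. Upstream OpenSSL treats
# the token as an unknown cipher name, ends up with no TLS 1.2 ciphers and
# SSL_CTX_set_cipher_list fails, which Ruby surfaces as OpenSSL::SSL::SSLError.
def system_profile_supported?
  probe = OpenSSL::SSL::SSLContext.new
  probe.ciphers = 'PROFILE=SYSTEM'
  !probe.ciphers.empty?
rescue OpenSSL::SSL::SSLError
  false
end

# Returns [context, source] where source is :system_policy or :hardcoded,
# so callers (or a startup log line) can tell which one is in effect.
def build_ssl_context(fallback: FALLBACK_CIPHERS)
  ctx = OpenSSL::SSL::SSLContext.new
  if system_profile_supported?
    # Ciphers follow the active policy. On RHEL the policy's protocol bounds
    # (MinProtocol/MaxProtocol) are already applied through openssl.cnf when
    # the context is created, so nothing is pinned here and
    # update-crypto-policies changes both protocols and ciphers.
    ctx.ciphers = 'PROFILE=SYSTEM'
    [ctx, :system_policy]
  else
    # No system policy available: keep an explicit floor of TLS 1.2 and the
    # explicit cipher list, mirroring what a hardcoded configuration does.
    ctx.min_version = OpenSSL::SSL::TLS1_2_VERSION
    ctx.ciphers = fallback
    [ctx, :hardcoded]
  end
end

# Names of the ciphers the context will offer, handy to compare against
# `openssl ciphers -v 'PROFILE=SYSTEM'` on a RHEL host.
def offered_cipher_names(ctx)
  ctx.ciphers.map(&:first)
end

if $PROGRAM_NAME == __FILE__
  ctx, source = build_ssl_context
  puts "cipher source: #{source}"
  puts offered_cipher_names(ctx).join(', ')
end
```

Run on a RHEL host, the source is :system_policy and the offered names change when the administrator switches policies with update-crypto-policies; on a distribution with upstream OpenSSL the probe fails closed and the explicit list is used, which is exactly the compatibility behaviour this epic needs to preserve.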