Improve SSL protocol and ciphersuite configuration (security).

As recommended my Mozilla security team as described on
https://wiki.mozilla.org/Security/Server_Side_TLS

Choosing options in "Non-Backward Compatible Ciphersuite":

* Disable both SSLv2 and SSLv3 protocols (leaving TLSv1 and up).
* Set stronger ciphersuites.
* Prefer server advertised ciphersuites over client.

Author: gertvdijk

manifests/passenger.pp

@@ -110,8 +110,9 @@
     ssl_chain         => "${puppet_ssldir}/ca/ca_crt.pem",
     ssl_ca            => "${puppet_ssldir}/ca/ca_crt.pem",
     ssl_crl           => "${puppet_ssldir}/ca/ca_crl.pem",
-    ssl_protocol      => '-ALL +SSLv3 +TLSv1',
-    ssl_cipher        => 'ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:-LOW:-SSLv2:-EXP',
+    ssl_protocol      => 'ALL -SSLv2 -SSLv3',
+    ssl_cipher        => 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!3DES:!MD5:!PSK',
+    ssl_honorcipherorder => 'On',
     ssl_verify_client => 'optional',
     ssl_verify_depth  => '1',
     ssl_options       => ['+StdEnvVars', '+ExportCertData'],