ipatests: add test to check that only TLS 1.2 is enabled in Apache

Related to: https://pagure.io/freeipa/issue/7995

Reviewed-By: Rob Crittenden <rcritten@redhat.com>

ipatests/test_integration/test_commands.py

@@ -679,3 +679,23 @@ class TestIPACommand(IntegrationTest):
         assert 'Modified user "%s"' % (ipauser) in cmd.stdout_text
         assert 'First name: %s' % (modfirst) in cmd.stdout_text
         assert 'Last name: %s' % (modlast) in cmd.stdout_text
+
+    def test_enabled_tls_protocols(self):
+        """Check that only TLS 1.2 is enabled in Apache.
+
+        This is the regression test for issue
+        https://pagure.io/freeipa/issue/7995.
+        """
+        def is_tls_version_enabled(tls_version):
+            res = self.master.run_command(
+                ['openssl', 's_client',
+                 '-connect', '{}:443'.format(self.master.hostname),
+                 '-{}'.format(tls_version)],
+                stdin_text='\n',
+                ok_returncode=[0, 1]
+            )
+            return res.returncode == 0
+
+        assert not is_tls_version_enabled('tls1')
+        assert not is_tls_version_enabled('tls1_1')
+        assert is_tls_version_enabled('tls1_2')