(PUP-3467) Reject SSLv3 when initiating SSL connections
Previously, when puppet initiated SSL connections, e.g. puppet agent,
puppet module, etc, it could downgrade to SSLv3.
This commit ensures puppet will not downgrade to SSLv3 by setting the
OpenSSL::SSL::OP_NO_SSLv3 bit. However, unlike SSLv2, we cannot remove
SSLv3 ciphersuites, since they are the same ones used in TLSv1. From the
openssl ciphers man page, "The TLSv1.0 ciphers are flagged with SSLv3".
[1] https://www.openssl.org/docs/ssl/SSL_CIPHER_get_name.html