Skip to content

Commit

Permalink
Merge pull request voxpupuli#930 from ekohl/mail-ssl-ciphers
Browse files Browse the repository at this point in the history
Use default ssl_protocols for ssl mailhosts
  • Loading branch information
jyaworski authored Oct 17, 2016
2 parents 7a8a412 + 475512e commit bcf1061
Show file tree
Hide file tree
Showing 3 changed files with 18 additions and 1 deletion.
3 changes: 3 additions & 0 deletions manifests/resource/mailhost.pp
Original file line number Diff line number Diff line change
Expand Up @@ -16,6 +16,7 @@
# [*index_files*] - Default index files for NGINX to read when traversing a directory
# [*ssl*] - Indicates whether to setup SSL bindings for this mailhost.
# [*ssl_cert*] - Pre-generated SSL Certificate file to reference for SSL Support. This is not generated by this module.
# [*ssl_protocols*] - SSL protocols enabled. Defaults to nginx::config::ssl_protocols
# [*ssl_ciphers*] - Override default SSL ciphers (defaults to nginx::config::ssl_ciphers)
# [*ssl_key*] - Pre-generated SSL Key file to reference for SSL Support. This is not generated by this module.
# [*ssl_port*] - Default IP Port for NGINX to listen with this SSL vHost on. Defaults to TCP 443
Expand Down Expand Up @@ -53,6 +54,7 @@
$ipv6_listen_options = 'default ipv6only=on',
$ssl = false,
$ssl_cert = undef,
$ssl_protocols = $::nginx::config::ssl_protocols,
$ssl_ciphers = $::nginx::config::ssl_ciphers,
$ssl_key = undef,
$ssl_port = undef,
Expand Down Expand Up @@ -101,6 +103,7 @@
if ($ssl_cert != undef) {
validate_string($ssl_cert)
}
validate_string($ssl_protocols)
validate_string($ssl_ciphers)
if ($ssl_key != undef) {
validate_string($ssl_key)
Expand Down
14 changes: 14 additions & 0 deletions spec/defines/resource_mailhost_spec.rb
Original file line number Diff line number Diff line change
Expand Up @@ -270,6 +270,18 @@
value: 'X-Auth-Key "secret_string"',
match: ' auth_http_header X-Auth-Key "secret_string";'
},
{
title: 'should set ssl_protocols',
attr: 'ssl_protocols',
value: 'test-ssl-protocol',
match: ' ssl_protocols test-ssl-protocol;'
},
{
title: 'should set ssl_ciphers',
attr: 'ssl_ciphers',
value: 'test-ssl-ciphers',
match: ' ssl_ciphers test-ssl-ciphers;'
},
{
title: 'should set ssl_certificate',
attr: 'ssl_cert',
Expand All @@ -290,6 +302,8 @@
ssl_port: 587,
ipv6_enable: true,
ssl: true,
ssl_protocols: 'default-protocols',
ssl_ciphers: 'default-ciphers',
ssl_cert: 'dummy.crt',
ssl_key: 'dummy.key'
}
Expand Down
2 changes: 1 addition & 1 deletion templates/mailhost/mailhost_ssl.erb
Original file line number Diff line number Diff line change
Expand Up @@ -30,7 +30,7 @@ server {
ssl_certificate_key <%= @ssl_key %>;
ssl_session_timeout 5m;

ssl_protocols TLSv1;
ssl_protocols <%= @ssl_protocols %>;
ssl_ciphers <%= @ssl_ciphers %>;
ssl_prefer_server_ciphers on;
}

0 comments on commit bcf1061

Please sign in to comment.