From bef7b09f2ea9e5410cfcd467d6fba78966237336 Mon Sep 17 00:00:00 2001 From: Iain Buclaw Date: Thu, 16 Jun 2016 18:26:50 +0200 Subject: [PATCH] Add ssl_session_tickets and ssl_session_ticket_key parameters --- manifests/resource/vhost.pp | 12 ++++++++++++ templates/vhost/vhost_ssl_settings.erb | 6 ++++++ 2 files changed, 18 insertions(+) diff --git a/manifests/resource/vhost.pp b/manifests/resource/vhost.pp index ad37a095b..14add6666 100644 --- a/manifests/resource/vhost.pp +++ b/manifests/resource/vhost.pp @@ -79,6 +79,10 @@ # OCSP responses by the server. Defaults to false. # [*ssl_session_timeout*] - String: Specifies a time during which a client # may reuse the session parameters stored in a cache. Defaults to 5m. +# [*ssl_session_tickets*] - String: Enables or disables session resumption +# through TLS session tickets. +# [*ssl_session_ticket_key*] - String: Sets a file with the secret key used +# to encrypt and decrypt TLS session tickets. # [*ssl_trusted_cert*] - String: Specifies a file with trusted CA # certificates in the PEM format used to verify client certificates and # OCSP responses if ssl_stapling is enabled. @@ -206,6 +210,8 @@ $ssl_stapling_responder = undef, $ssl_stapling_verify = false, $ssl_session_timeout = '5m', + $ssl_session_tickets = undef, + $ssl_session_ticket_key = undef, $ssl_trusted_cert = undef, $spdy = $::nginx::config::spdy, $http2 = $::nginx::config::http2, @@ -355,6 +361,12 @@ } validate_bool($ssl_stapling_verify) validate_string($ssl_session_timeout) + if ($ssl_session_tickets) { + validate_string($ssl_session_tickets) + } + if ($ssl_session_ticket_key) { + validate_string($ssl_session_ticket_key) + } if ($ssl_trusted_cert != undef) { validate_string($ssl_trusted_cert) } diff --git a/templates/vhost/vhost_ssl_settings.erb b/templates/vhost/vhost_ssl_settings.erb index a5d1863d6..9c621c056 100644 --- a/templates/vhost/vhost_ssl_settings.erb +++ b/templates/vhost/vhost_ssl_settings.erb @@ -11,6 +11,12 @@ <% end -%> ssl_session_cache <%= @ssl_cache %>; ssl_session_timeout <%= @ssl_session_timeout %>; +<% if @ssl_session_tickets -%> + ssl_session_tickets <%= @ssl_session_tickets %>; +<% end -%> +<% if @ssl_session_ticket_key -%> + ssl_session_ticket_key <%= @ssl_session_ticket_key %>; +<% end -%> <% if @ssl_buffer_size -%> ssl_buffer_size <%= @ssl_buffer_size %>; <% end -%>