From 04fab9ec858ace1286083be3dcb90d7cfbb7843e Mon Sep 17 00:00:00 2001
From: Ewoud Kohl van Wijngaarden
Date: Mon, 17 Oct 2016 15:41:07 +0200
Subject: [PATCH] Use default ssl_protocols for ssl mailhosts

Based on https://github.com/voxpupuli/puppet-nginx/pull/909. It also adds a test for the $ssl_ciphers parameter.
---
 manifests/resource/mailhost.pp | 3 +++
 spec/defines/resource_mailhost_spec.rb | 14 ++++++++++++++
 templates/mailhost/mailhost_ssl.erb | 2 +-
 3 files changed, 18 insertions(+), 1 deletion(-)

diff --git a/manifests/resource/mailhost.pp b/manifests/resource/mailhost.pp
index 7b14812bd..01744673f 100644
--- a/manifests/resource/mailhost.pp
+++ b/manifests/resource/mailhost.pp
@@ -16,6 +16,7 @@
 # [*index_files*] - Default index files for NGINX to read when traversing a directory
 # [*ssl*] - Indicates whether to setup SSL bindings for this mailhost.
 # [*ssl_cert*] - Pre-generated SSL Certificate file to reference for SSL Support. This is not generated by this module.
+# [*ssl_protocols*] - SSL protocols enabled. Defaults to nginx::config::ssl_protocols
 # [*ssl_ciphers*] - Override default SSL ciphers (defaults to nginx::config::ssl_ciphers)
 # [*ssl_key*] - Pre-generated SSL Key file to reference for SSL Support. This is not generated by this module.
 # [*ssl_port*] - Default IP Port for NGINX to listen with this SSL vHost on. Defaults to TCP 443
@@ -53,6 +54,7 @@
 $ipv6_listen_options = 'default ipv6only=on',
 $ssl = false,
 $ssl_cert = undef,
+ $ssl_protocols = $::nginx::config::ssl_protocols,
 $ssl_ciphers = $::nginx::config::ssl_ciphers,
 $ssl_key = undef,
 $ssl_port = undef,
@@ -101,6 +103,7 @@
 if ($ssl_cert != undef) {
 validate_string($ssl_cert)
 }
+ validate_string($ssl_protocols)
 validate_string($ssl_ciphers)
 if ($ssl_key != undef) {
 validate_string($ssl_key)
diff --git a/spec/defines/resource_mailhost_spec.rb b/spec/defines/resource_mailhost_spec.rb
index 2db7a42d7..5a8521c5e 100644
--- a/spec/defines/resource_mailhost_spec.rb
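Review bot: The new `validate_string($ssl_protocols)` in the @@ -101,6 +103,7 @@ hunk accepts an empty string, and the template in this patch emits the value verbatim, so an empty or malformed override yields an `ssl_protocols ;` directive that nginx rejects at config load instead of a catalog failure that names the parameter. Because the value is a space-separated list of nginx protocol tokens, a shape check catches that earlier: `validate_re($ssl_protocols, '^\S+( \S+)*$', 'ssl_protocols must be a non-empty space-separated list of protocols')`. The enclosing define starts and ends outside the hunk. The parameter doc added in the @@ -16,6 +16,7 @@ hunk could also state that the value is written unchanged into the generated config, e.g. `# [*ssl_protocols*] - SSL protocols enabled; written verbatim as the ssl_protocols directive. Defaults to nginx::config::ssl_protocols`.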
+++ b/spec/defines/resource_mailhost_spec.rb
@@ -270,6 +270,18 @@
 value: 'X-Auth-Key "secret_string"',
 match: ' auth_http_header X-Auth-Key "secret_string";'
 },
+ {
+ title: 'should set ssl_protocols',
+ attr: 'ssl_protocols',
+ value: 'test-ssl-protocol',
+ match: ' ssl_protocols test-ssl-protocol;'
+ },
+ {
+ title: 'should set ssl_ciphers',
+ attr: 'ssl_ciphers',
+ value: 'test-ssl-ciphers',
+ match: ' ssl_ciphers test-ssl-ciphers;'
+ },
 {
 title: 'should set ssl_certificate',
 attr: 'ssl_cert',
@@ -290,6 +302,8 @@
 ssl_port: 587,
 ipv6_enable: true,
 ssl: true,
+ ssl_protocols: 'default-protocols',
+ ssl_ciphers: 'default-ciphers',
 ssl_cert: 'dummy.crt',
 ssl_key: 'dummy.key'
 }
diff --git a/templates/mailhost/mailhost_ssl.erb b/templates/mailhost/mailhost_ssl.erb
index f308d0580..603ec69d2 100644
--- a/templates/mailhost/mailhost_ssl.erb
+++ b/templates/mailhost/mailhost_ssl.erb
@@ -30,7 +30,7 @@
 server {
 ssl_certificate_key <%= @ssl_key %>;
 ssl_session_timeout 5m;
- ssl_protocols TLSv1;
+ ssl_protocols <%= @ssl_protocols %>;
 ssl_ciphers <%= @ssl_ciphers %>;
 ssl_prefer_server_ciphers on;
 }
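Review bot: The new `ssl_protocols <%= @ssl_protocols %>;` line changes the negotiated protocol set for every existing SSL mailhost, which the removed line had pinned to TLSv1 only; whether the module default widens or narrows that set depends on nginx::config::ssl_protocols, which is not part of this patch, and nothing in the template or commit text records that existing deployments are affected. A one-line ERB comment above the directive would make the source of the value visible to anyone reading the template, e.g. `<%# protocol list comes from $ssl_protocols, defaulting to nginx::config::ssl_protocols; previously fixed to TLSv1 %>`. The value is inserted unescaped, as `@ssl_ciphers` already is on the next line, so the per-mailhost parameter remains the only place that can constrain it.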