Use default ssl_protocols for ssl mailhosts

Based on voxpupuli#909. It also adds a test for the $ssl_ciphers parameter.
cegeka · Oct 17, 2016 · b8287f2 · b8287f2
1 parent 38d17eb
commit b8287f2
Show file tree

Hide file tree

Showing 3 changed files with 18 additions and 1 deletion.
diff --git a/manifests/resource/mailhost.pp b/manifests/resource/mailhost.pp
@@ -16,6 +16,7 @@
 #   [*index_files*]         - Default index files for NGINX to read when traversing a directory
 #   [*ssl*]                 - Indicates whether to setup SSL bindings for this mailhost.
 #   [*ssl_cert*]            - Pre-generated SSL Certificate file to reference for SSL Support. This is not generated by this module.
+#   [*ssl_protocols*]       - SSL protocols enabled. Defaults to nginx::config::ssl_protocols
 #   [*ssl_ciphers*]         - Override default SSL ciphers (defaults to nginx::config::ssl_ciphers)
 #   [*ssl_key*]             - Pre-generated SSL Key file to reference for SSL Support. This is not generated by this module.
 #   [*ssl_port*]            - Default IP Port for NGINX to listen with this SSL vHost on. Defaults to TCP 443
@@ -53,6 +54,7 @@
   $ipv6_listen_options = 'default ipv6only=on',
   $ssl                 = false,
   $ssl_cert            = undef,
+  $ssl_protocols       = $::nginx::config::ssl_protocols,
   $ssl_ciphers         = $::nginx::config::ssl_ciphers,
   $ssl_key             = undef,
   $ssl_port            = undef,
@@ -101,6 +103,7 @@
   if ($ssl_cert != undef) {
     validate_string($ssl_cert)
   }
+  validate_string($ssl_protocols)
   validate_string($ssl_ciphers)
   if ($ssl_key != undef) {
     validate_string($ssl_key)

diff --git a/spec/defines/resource_mailhost_spec.rb b/spec/defines/resource_mailhost_spec.rb
@@ -270,6 +270,18 @@
           value: 'X-Auth-Key "secret_string"',
           match: '  auth_http_header      X-Auth-Key "secret_string";'
         },
+        {
+          title: 'should set ssl_protocols',
+          attr: 'ssl_protocols',
+          value: 'test-ssl-protocol',
+          match: '  ssl_protocols test-ssl-protocol;'
+        },
+        {
+          title: 'should set ssl_ciphers',
+          attr: 'ssl_ciphers',
+          value: 'test-ssl-ciphers',
+          match: '  ssl_ciphers test-ssl-ciphers;'
+        },
         {
           title: 'should set ssl_certificate',
           attr: 'ssl_cert',
@@ -290,6 +302,8 @@
               ssl_port: 587,
               ipv6_enable: true,
               ssl: true,
+              ssl_protocols: 'default-protocols',
+              ssl_ciphers: 'default-ciphers',
               ssl_cert: 'dummy.crt',
               ssl_key: 'dummy.key'
             }

diff --git a/templates/mailhost/mailhost_ssl.erb b/templates/mailhost/mailhost_ssl.erb
@@ -30,7 +30,7 @@ server {
   ssl_certificate_key  <%= @ssl_key %>;
   ssl_session_timeout  5m;
 
-  ssl_protocols TLSv1;
+  ssl_protocols <%= @ssl_protocols %>;
   ssl_ciphers <%= @ssl_ciphers %>;
   ssl_prefer_server_ciphers   on;
 }