Merge pull request #798 from rchicoli/ssl_verify_client

add ssl_verify_client parameter
voxpupuli · Apr 12, 2016 · b4946b7 · b4946b7
2 parents f13fdc0 + e43d8dc
commit b4946b7
Show file tree

Hide file tree

Showing 3 changed files with 8 additions and 2 deletions.
diff --git a/manifests/resource/vhost.pp b/manifests/resource/vhost.pp
@@ -53,6 +53,7 @@
 #     for SSL Support. This is not generated by this module.
 #   [*ssl_client_cert*]     - Pre-generated SSL Certificate file to reference
 #     for client verify SSL Support. This is not generated by this module.
+#   [*ssl_verify_client*]   - Enables verification of client certificates.
 #   [*ssl_crl*]             - String: Specifies CRL path in file system
 #   [*ssl_dhparam*]         - This directive specifies a file containing
 #     Diffie-Hellman key agreement protocol cryptographic parameters, in PEM
@@ -191,6 +192,7 @@
   $ssl_listen_option            = true,
   $ssl_cert                     = undef,
   $ssl_client_cert              = undef,
+  $ssl_verify_client            = 'on',
   $ssl_dhparam                  = undef,
   $ssl_key                      = undef,
   $ssl_port                     = 443,
@@ -322,6 +324,9 @@
   if ($ssl_client_cert != undef) {
     validate_string($ssl_client_cert)
   }
+  if ($ssl_verify_client != undef) {
+    validate_string($ssl_verify_client)
+  }
   if ($ssl_crl != undef) {
     validate_string($ssl_crl)
   }

diff --git a/spec/defines/resource_vhost_spec.rb b/spec/defines/resource_vhost_spec.rb
@@ -922,12 +922,13 @@
           :ssl_key            => 'dummy.key',
           :ssl_cert           => 'dummy.cert',
           :ssl_client_cert    => 'client.cert',
+          :ssl_verify_client  => 'optional',
         }) end
 
         it { is_expected.to contain_nginx__resource__location("#{title}-default").with_ssl_only(true) }
         it { is_expected.to contain_concat__fragment("#{title}-ssl-header").with_content(%r{access_log\s+/var/log/nginx/ssl-www\.rspec\.example\.com\.access\.log combined;}) }
         it { is_expected.to contain_concat__fragment("#{title}-ssl-header").with_content(%r{error_log\s+/var/log/nginx/ssl-www\.rspec\.example\.com\.error\.log}) }
-        it { is_expected.to contain_concat__fragment("#{title}-ssl-header").with_content(%r{ssl_verify_client on;}) }
+        it { is_expected.to contain_concat__fragment("#{title}-ssl-header").with_content(%r{ssl_verify_client\s+optional;}) }
       end
       context 'when passenger_cgi_param is set' do
         let :params do default_params.merge({

diff --git a/templates/vhost/vhost_ssl_settings.erb b/templates/vhost/vhost_ssl_settings.erb
@@ -4,7 +4,7 @@
   ssl_certificate_key       <%= @ssl_key %>;
 <% if defined? @ssl_client_cert -%>
   ssl_client_certificate    <%= @ssl_client_cert %>;
-  ssl_verify_client on;
+  ssl_verify_client         <%= @ssl_verify_client %>;
 <% end -%>
 <% if defined? @ssl_dhparam -%>
   ssl_dhparam               <%= @ssl_dhparam %>;