vhost: add ssl_crl parameter

2015-04-14 14:28:19 -04:00 · 2015-04-14 14:28:19 -04:00 · 678a361106
commit 678a361106
parent be4decdb78
3 changed files with 14 additions and 0 deletions
--- a/manifests/resource/vhost.pp
+++ b/manifests/resource/vhost.pp
@ -46,6 +46,7 @@
 #     for SSL Support. This is not generated by this module.
 #   [*ssl_client_cert*]     - Pre-generated SSL Certificate file to reference
 #     for client verify SSL Support. This is not generated by this module.
+#   [*ssl_crl*]             - String: Specifies CRL path in file system
 #   [*ssl_dhparam*]         - This directive specifies a file containing
 #     Diffie-Hellman key agreement protocol cryptographic parameters, in PEM
 #     format, utilized for exchanging session keys between server and client.
@ -178,6 +179,7 @@ define nginx::resource::vhost (
  $ssl_protocols                = 'TLSv1 TLSv1.1 TLSv1.2',
  $ssl_ciphers                  = 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA',
  $ssl_cache                    = 'shared:SSL:10m',
+  $ssl_crl                      = undef,
  $ssl_stapling                 = false,
  $ssl_stapling_file            = undef,
  $ssl_stapling_responder       = undef,
@ -280,6 +282,9 @@ define nginx::resource::vhost (
  if ($ssl_client_cert != undef) {
    validate_string($ssl_client_cert)
  }
+  if ($ssl_crl != undef) {
+    validate_string($ssl_crl)
+  }
  validate_bool($ssl_listen_option)
  if ($ssl_dhparam != undef) {
    validate_string($ssl_dhparam)
--- a/spec/defines/resource_vhost_spec.rb
+++ b/spec/defines/resource_vhost_spec.rb
@ -434,6 +434,12 @@ describe 'nginx::resource::vhost' do
          :value => '/tmp/client_certificate',
          :match => %r'\s+ssl_client_certificate\s+/tmp/client_certificate;',
        },
+        {
+          :title => 'should set the SSL CRL file',
+          :attr  => 'ssl_crl',
+          :value => '/tmp/crl',
+          :match => %r'\s+ssl_crl\s+/tmp/crl;',
+        },
        {
          :title => 'should set the SSL DH parameters file',
          :attr  => 'ssl_dhparam',
--- a/templates/vhost/vhost_ssl_settings.erb
+++ b/templates/vhost/vhost_ssl_settings.erb
@ -14,6 +14,9 @@
  ssl_protocols             <%= @ssl_protocols %>;
  ssl_ciphers               <%= @ssl_ciphers %>;
  ssl_prefer_server_ciphers on;
+<% if @ssl_crl -%>
+  ssl_crl                   <%= @ssl_crl %>;
+<% end -%>
 <%- if instance_variables.any? { |iv| iv.to_s.include? 'ssl_' } -%>
  <%- if @ssl_stapling -%>
  ssl_stapling              on;