Add ability to specify SSL protocols.

This is in response to CVE-2014-3566 - POODLE
2014-10-17 01:07:45 -04:00 · 2014-10-17 01:07:45 -04:00 · af10eedfc6
commit af10eedfc6
parent ed5e57ca89
3 changed files with 40 additions and 0 deletions
--- a/manifests/params.pp
+++ b/manifests/params.pp
@ -7,6 +7,7 @@ class puppetdb::params {
  $open_listen_port          = false
  $ssl_listen_address        = $::fqdn
  $ssl_listen_port           = '8081'
+  $ssl_protocols             = undef
  $disable_ssl               = false
  $open_ssl_listen_port      = undef
  $postgres_listen_addresses = 'localhost'
--- a/manifests/server/jetty_ini.pp
+++ b/manifests/server/jetty_ini.pp
@ -9,6 +9,7 @@ class puppetdb::server::jetty_ini (
  $ssl_cert_path      = $puppetdb::params::ssl_cert_path,
  $ssl_key_path       = $puppetdb::params::ssl_key_path,
  $ssl_ca_cert_path   = $puppetdb::params::ssl_ca_cert_path,
+  $ssl_protocols      = $puppetdb::params::ssl_protocols,
  $confdir            = $puppetdb::params::confdir,
  $max_threads        = $puppetdb::params::max_threads,
 ) inherits puppetdb::params {
@ -47,6 +48,17 @@ class puppetdb::server::jetty_ini (
    value   => $ssl_listen_port,
  }

+  if $ssl_protocols != undef {
+
+    validate_string($ssl_protocols)
+
+    ini_setting { 'puppetdb_sslprotocols':
+      ensure  => $ssl_setting_ensure,
+      setting => 'ssl-protocols',
+      value   => $ssl_protocols,
+    }
+  }
+
  if str2bool($ssl_set_cert_paths) == true {
    # assume paths have been validated in calling class
    ini_setting { 'puppetdb_ssl_key':
--- a/spec/unit/classes/server/jetty_ini_spec.rb
+++ b/spec/unit/classes/server/jetty_ini_spec.rb
@ -44,6 +44,7 @@ describe 'puppetdb::server::jetty_ini', :type => :class do
             'setting' => 'ssl-port',
             'value'   => 8081
             )}
+      it { should_not contain_ini_setting('puppetdb_sslprotocols') }
    end

    describe 'when disabling ssl' do
@ -99,5 +100,31 @@ describe 'puppetdb::server::jetty_ini', :type => :class do
             'value'   => '150'
             )}
    end
+
+    describe 'when setting ssl_protocols' do
+      context 'to a valid string' do
+        let(:params) { { 'ssl_protocols' => 'TLSv1, TLSv1.1, TLSv1.2' } }
+
+        it {
+          should contain_ini_setting('puppetdb_sslprotocols').with(
+            'ensure' => 'present',
+            'path' => '/etc/puppetdb/conf.d/jetty.ini',
+            'section' => 'jetty',
+            'setting' => 'ssl-protocols',
+            'value' => 'TLSv1, TLSv1.1, TLSv1.2'
+          )
+        }
+      end
+
+      context 'to an invalid type (non-string)' do
+        let(:params) { { 'ssl_protocols' => ['invalid','type'] } }
+
+        it 'should fail' do
+          expect {
+            should contain_class('puppetdb::server::jetty_ini')
+          }.to raise_error(Puppet::Error)
+        end
+      end
+    end
  end
 end