Add ability to specify SSL protocols.

ghoneycutt · ghoneycutt · commit af10eedfc67f · 2014-10-29T19:29:15.000-04:00
This is in response to CVE-2014-3566 - POODLE
diff --git a/manifests/params.pp b/manifests/params.pp
@@ -7,6 +7,7 @@
   $open_listen_port          = false
   $ssl_listen_address        = $::fqdn
   $ssl_listen_port           = '8081'
+  $ssl_protocols             = undef
   $disable_ssl               = false
   $open_ssl_listen_port      = undef
   $postgres_listen_addresses = 'localhost'
diff --git a/manifests/server/jetty_ini.pp b/manifests/server/jetty_ini.pp
@@ -9,6 +9,7 @@
   $ssl_cert_path      = $puppetdb::params::ssl_cert_path,
   $ssl_key_path       = $puppetdb::params::ssl_key_path,
   $ssl_ca_cert_path   = $puppetdb::params::ssl_ca_cert_path,
+  $ssl_protocols      = $puppetdb::params::ssl_protocols,
   $confdir            = $puppetdb::params::confdir,
   $max_threads        = $puppetdb::params::max_threads,
 ) inherits puppetdb::params {
@@ -47,6 +48,17 @@
     value   => $ssl_listen_port,
   }
 
+  if $ssl_protocols != undef {
+
+    validate_string($ssl_protocols)
+
+    ini_setting { 'puppetdb_sslprotocols':
+      ensure  => $ssl_setting_ensure,
+      setting => 'ssl-protocols',
+      value   => $ssl_protocols,
+    }
+  }
+
   if str2bool($ssl_set_cert_paths) == true {
     # assume paths have been validated in calling class
     ini_setting { 'puppetdb_ssl_key':
diff --git a/spec/unit/classes/server/jetty_ini_spec.rb b/spec/unit/classes/server/jetty_ini_spec.rb
@@ -44,6 +44,7 @@
              'setting' => 'ssl-port',
              'value'   => 8081
              )}
+      it { should_not contain_ini_setting('puppetdb_sslprotocols') }
     end
 
     describe 'when disabling ssl' do
@@ -99,5 +100,31 @@
              'value'   => '150'
              )}
     end
+
+    describe 'when setting ssl_protocols' do
+      context 'to a valid string' do
+        let(:params) { { 'ssl_protocols' => 'TLSv1, TLSv1.1, TLSv1.2' } }
+
+        it {
+          should contain_ini_setting('puppetdb_sslprotocols').with(
+            'ensure' => 'present',
+            'path' => '/etc/puppetdb/conf.d/jetty.ini',
+            'section' => 'jetty',
+            'setting' => 'ssl-protocols',
+            'value' => 'TLSv1, TLSv1.1, TLSv1.2'
+          )
+        }
+      end
+
+      context 'to an invalid type (non-string)' do
+        let(:params) { { 'ssl_protocols' => ['invalid','type'] } }
+
+        it 'should fail' do
+          expect {
+            should contain_class('puppetdb::server::jetty_ini')
+          }.to raise_error(Puppet::Error)
+        end
+      end
+    end
   end
 end
