From 8acbad42d05ff050ccf9304aff2ccc974db574ff Mon Sep 17 00:00:00 2001 From: Ramesh Sencha Date: Thu, 10 Aug 2023 10:47:46 +0530 Subject: [PATCH 1/3] (CAT-1281) - Support to add cipher with respective ssl protocol --- README.md | 17 +++++++++++++++++ manifests/mod/ssl.pp | 2 +- manifests/vhost.pp | 2 +- spec/classes/mod/ssl_spec.rb | 14 ++++++++++++++ templates/mod/ssl.conf.erb | 6 ++++++ templates/vhost/_ssl.erb | 4 ++++ 6 files changed, 43 insertions(+), 2 deletions(-) diff --git a/README.md b/README.md index 3efeb02d8d..0df2fd1c6b 100644 --- a/README.md +++ b/README.md @@ -236,6 +236,7 @@ [`ssl`]: https://forge.puppet.com/modules/puppetlabs/apache/reference#ssl [`ssl_cert`]: https://forge.puppet.com/modules/puppetlabs/apache/reference#ssl_cert [`ssl_compression`]: https://forge.puppet.com/modules/puppetlabs/apache/reference#ssl_compression +[`ssl_cipher`]: https://forge.puppet.com/modules/puppetlabs/apache/reference#ssl_compression [`ssl_key`]: https://forge.puppet.com/modules/puppetlabs/apache/reference#ssl_key [`StartServers`]: https://httpd.apache.org/docs/current/mod/mpm_common.html#startservers [supported operating system]: https://forge.puppet.com/supported#puppet-supported-modules-compatibility-matrix @@ -657,6 +658,22 @@ class { 'apache::mod::ssl': } ``` +You can pass the SSL Ciphers to override the default ciphers. +```puppet +class { 'apache::mod::ssl': + ssl_cipher => 'PROFILE=SYSTEM', +} +``` + +You can also pass the different [`ssl_cipher`][] for different SSL protocols. This allows you to fine-tune the ciphers based on the specific SSL/TLS protocol version being used. +```puppet +class { 'apache::mod::ssl': + ssl_cipher => { + 'TLSv1.1' => 'RSA:!EXP:!NULL:+HIGH:+MEDIUM' + }, +} +``` + Note that some modules have prerequisites, which are documented in their references under [`apache::mod::`][]. #### Installing arbitrary modules diff --git a/manifests/mod/ssl.pp b/manifests/mod/ssl.pp index 83aca77834..1b8f1beca6 100644 --- a/manifests/mod/ssl.pp +++ b/manifests/mod/ssl.pp @@ -95,7 +95,7 @@ Optional[Stdlib::Absolutepath] $ssl_cert = undef, Optional[Stdlib::Absolutepath] $ssl_key = undef, Optional[Stdlib::Absolutepath] $ssl_ca = undef, - String $ssl_cipher = $apache::params::ssl_cipher, + Variant[String, Hash[String[1], String[1]]] $ssl_cipher = $apache::params::ssl_cipher, Variant[Boolean, Apache::OnOff] $ssl_honorcipherorder = true, Array[String] $ssl_protocol = $apache::params::ssl_protocol, Array $ssl_proxy_protocol = [], diff --git a/manifests/vhost.pp b/manifests/vhost.pp index ba11a68413..783bd925bb 100644 --- a/manifests/vhost.pp +++ b/manifests/vhost.pp @@ -1719,7 +1719,7 @@ Optional[Stdlib::Absolutepath] $ssl_certs_dir = $apache::params::ssl_certs_dir, Boolean $ssl_reload_on_change = $apache::default_ssl_reload_on_change, Optional[Variant[Array[String], String]] $ssl_protocol = undef, - Optional[Variant[Array[String], String]] $ssl_cipher = undef, + Optional[Variant[Array[String], String, Hash[String[1], String[1]]]] $ssl_cipher = undef, Variant[Boolean, Apache::OnOff, Undef] $ssl_honorcipherorder = undef, Optional[Enum['none', 'optional', 'require', 'optional_no_ca']] $ssl_verify_client = undef, Optional[Integer] $ssl_verify_depth = undef, diff --git a/spec/classes/mod/ssl_spec.rb b/spec/classes/mod/ssl_spec.rb index d54be82016..a424c3ee06 100644 --- a/spec/classes/mod/ssl_spec.rb +++ b/spec/classes/mod/ssl_spec.rb @@ -45,6 +45,20 @@ it { is_expected.to contain_file('ssl.conf').without_content(%r{SSLProtocol}) } end + + context 'ciphers with ssl_protocol' do + let(:params) do + { + ssl_cipher: { + 'TLSv1.1' => 'RSA:!EXP:!NULL:+HIGH:+MEDIUM', + 'TLSv1.2' => 'RSA:!EXP:!NULL:+HIGH:+MEDIUM:-LOW' + } + } + end + + it { is_expected.to contain_file('ssl.conf').without_content(%r{ SSLCipherSuite TLSv1.1 RSA:!EXP:!NULL:+HIGH:+MEDIUM}) } + it { is_expected.to contain_file('ssl.conf').without_content(%r{ SSLCipherSuite TLSv1.2 RSA:!EXP:!NULL:+HIGH:+MEDIUM:-LOW}) } + end end context '7 OS with custom directories for PR#1635' do diff --git a/templates/mod/ssl.conf.erb b/templates/mod/ssl.conf.erb index 33a4c6feda..6d021f331d 100644 --- a/templates/mod/ssl.conf.erb +++ b/templates/mod/ssl.conf.erb @@ -33,7 +33,13 @@ SSLStaplingReturnResponderErrors <%= scope.call_function('apache::bool2httpd', [@ssl_stapling_return_errors]) %> <%- end -%> SSLStaplingCache "shmcb:<%= @_stapling_cache %>" + <%- if @ssl_cipher.kind_of?(Hash) -%> + <%- @ssl_cipher.map do |protocol, cipher| -%> + SSLCipherSuite <%= protocol %> <%= cipher %> + <%- end -%> + <%- else -%> SSLCipherSuite <%= @ssl_cipher %> + <%- end -%> <% if not @ssl_protocol.empty? -%> SSLProtocol <%= @ssl_protocol.compact.join(' ') %> <% end -%> diff --git a/templates/vhost/_ssl.erb b/templates/vhost/_ssl.erb index 4fed7b9e19..11bcf6d0b6 100644 --- a/templates/vhost/_ssl.erb +++ b/templates/vhost/_ssl.erb @@ -15,6 +15,10 @@ <%- if @ssl_cipher -%> <%- if @ssl_cipher.kind_of?(String) -%> SSLCipherSuite <%= @ssl_cipher %> + <%- elsif @ssl_cipher.kind_of?(Hash) -%> + <%- @ssl_cipher.map do |protocol, cipher| -%> + SSLCipherSuite <%= protocol %> <%= cipher%> + <%- end -%> <%- else -%> SSLCipherSuite <%= @ssl_cipher.flatten.compact.join(':') %> <%- end -%> From 0ceeb04cad81a48233ae5ff62c505cb32403649b Mon Sep 17 00:00:00 2001 From: Ramesh Sencha Date: Fri, 11 Aug 2023 13:51:09 +0530 Subject: [PATCH 2/3] Addressing review comments --- manifests/mod/ssl.pp | 2 +- manifests/vhost.pp | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/manifests/mod/ssl.pp b/manifests/mod/ssl.pp index 1b8f1beca6..6dd52013ef 100644 --- a/manifests/mod/ssl.pp +++ b/manifests/mod/ssl.pp @@ -95,7 +95,7 @@ Optional[Stdlib::Absolutepath] $ssl_cert = undef, Optional[Stdlib::Absolutepath] $ssl_key = undef, Optional[Stdlib::Absolutepath] $ssl_ca = undef, - Variant[String, Hash[String[1], String[1]]] $ssl_cipher = $apache::params::ssl_cipher, + Variant[String[1], Hash[String[1], String[1]]] $ssl_cipher = $apache::params::ssl_cipher, Variant[Boolean, Apache::OnOff] $ssl_honorcipherorder = true, Array[String] $ssl_protocol = $apache::params::ssl_protocol, Array $ssl_proxy_protocol = [], diff --git a/manifests/vhost.pp b/manifests/vhost.pp index 783bd925bb..160d96f8be 100644 --- a/manifests/vhost.pp +++ b/manifests/vhost.pp @@ -1719,7 +1719,7 @@ Optional[Stdlib::Absolutepath] $ssl_certs_dir = $apache::params::ssl_certs_dir, Boolean $ssl_reload_on_change = $apache::default_ssl_reload_on_change, Optional[Variant[Array[String], String]] $ssl_protocol = undef, - Optional[Variant[Array[String], String, Hash[String[1], String[1]]]] $ssl_cipher = undef, + Optional[Variant[Array[String], String[1], Hash[String[1], String[1]]]] $ssl_cipher = undef, Variant[Boolean, Apache::OnOff, Undef] $ssl_honorcipherorder = undef, Optional[Enum['none', 'optional', 'require', 'optional_no_ca']] $ssl_verify_client = undef, Optional[Integer] $ssl_verify_depth = undef, From 12ffca650595bc88d94422e10787333bcdda28a3 Mon Sep 17 00:00:00 2001 From: Ramesh Sencha Date: Sat, 12 Aug 2023 18:31:00 +0530 Subject: [PATCH 3/3] Addressing review comments --- manifests/vhost.pp | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/manifests/vhost.pp b/manifests/vhost.pp index 160d96f8be..3b9bca577d 100644 --- a/manifests/vhost.pp +++ b/manifests/vhost.pp @@ -1719,7 +1719,7 @@ Optional[Stdlib::Absolutepath] $ssl_certs_dir = $apache::params::ssl_certs_dir, Boolean $ssl_reload_on_change = $apache::default_ssl_reload_on_change, Optional[Variant[Array[String], String]] $ssl_protocol = undef, - Optional[Variant[Array[String], String[1], Hash[String[1], String[1]]]] $ssl_cipher = undef, + Optional[Variant[Array[String[1]], String[1], Hash[String[1], String[1]]]] $ssl_cipher = undef, Variant[Boolean, Apache::OnOff, Undef] $ssl_honorcipherorder = undef, Optional[Enum['none', 'optional', 'require', 'optional_no_ca']] $ssl_verify_client = undef, Optional[Integer] $ssl_verify_depth = undef,