Merge pull request #215 from camptocamp/allow_vuln_ssl

improvment: add a new parameter to allow the use of vulnerable SSL/TLS
djjudas21 · Apr 25, 2024 · 90109c9 · 90109c9
2 parents 0ddb4d1 + 3b91c4d
commit 90109c9
Show file tree

Hide file tree

Showing 3 changed files with 5 additions and 1 deletion.
diff --git a/README.md b/README.md
@@ -138,6 +138,9 @@ Add a syslog rule (using the `saz/rsyslog` module). Default: `false`.
 ##### `log_auth`
 Log authentication requests (yes/no). Default: `no`.
 
+##### `allow_vulnerable_openssl`
+Allow the server to start with versions of OpenSSL known to have critical vulnerabilities. (yes/no). Default: `yes`.
+
 ##### `package_ensure`
 Choose whether the package is just installed and left (`installed`), or updated every Puppet run (`latest`). Default: `installed`
 

diff --git a/manifests/init.pp b/manifests/init.pp
@@ -17,6 +17,7 @@
   Boolean $syslog                                              = false,
   String $syslog_facility                                      = 'daemon',
   Freeradius::Boolean $log_auth                                = 'no',
+  Freeradius::Boolean $allow_vulnerable_ssl                    = 'yes',
   Boolean $preserve_mods                                       = true,
   Boolean $correct_escapes                                     = true,
   Boolean $manage_logpath                                      = true,

diff --git a/templates/radiusd.conf.erb b/templates/radiusd.conf.erb
@@ -574,7 +574,7 @@ security {
 	#  and may not reflect patches applied to libssl by
 	#  distribution maintainers.
 	#
-	allow_vulnerable_openssl = yes
+  allow_vulnerable_openssl = <%= @allow_vulnerable_openssl%>
 }
 
 # PROXY CONFIGURATION