refs #21350 - allow only enabling specific tls versions

theforeman · Feb 2, 2018 · d749ba5 · d749ba5
1 parent 27b6d62
commit d749ba5
Show file tree

Hide file tree

Showing 4 changed files with 23 additions and 1 deletion.
diff --git a/manifests/init.pp b/manifests/init.pp
@@ -68,6 +68,8 @@
 #
 # $ciphers::                      Allowed ciphers for ssl connection. Array of strings
 #
+# $tls_versions::                 Allowed versions of TLS, for example 1.1, 1.2, etc
+#
 # $version::                      Version of Candlepin to install
 #
 # $wget_version::                 Version of wget to install
@@ -166,6 +168,7 @@
   Optional[Stdlib::Absolutepath] $qpid_ssl_cert = $::candlepin::params::qpid_ssl_cert,
   Optional[Stdlib::Absolutepath] $qpid_ssl_key = $::candlepin::params::qpid_ssl_key,
   Array[String] $ciphers = $::candlepin::params::ciphers,
+  Array[String] $tls_versions = $::candlepin::params::tls_versions,
   String $version = $::candlepin::params::version,
   String $wget_version = $::candlepin::params::wget_version,
   Boolean $run_init = $::candlepin::params::run_init,

diff --git a/manifests/params.pp b/manifests/params.pp
@@ -63,6 +63,11 @@
     'TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA',
   ]
 
+  $tls_versions = [
+    '1.1',
+    '1.2',
+  ]
+
   $version = 'present'
   $wget_version = 'present'
   $run_init = true

diff --git a/spec/classes/candlepin_config_spec.rb b/spec/classes/candlepin_config_spec.rb
@@ -119,6 +119,20 @@
             with({})
         end
       end
+
+      describe 'with tls_versions' do
+        let :pre_condition do
+          "class {'candlepin':
+            tls_versions => ['1.2', '1.3'],
+          }"
+        end
+
+        it "should setup the tomcat config file" do
+          should contain_file("/etc/tomcat/server.xml").
+            with_content(/sslProtocols="TLSv1.2,TLSv1.3"/).
+            with({})
+        end
+      end
     end
   end
 end
diff --git a/templates/tomcat/server.xml.erb b/templates/tomcat/server.xml.erb
@@ -87,7 +87,7 @@
     <Connector port="<%= scope['::candlepin::ssl_port'] %>" protocol="HTTP/1.1" SSLEnabled="true"
                maxThreads="150" scheme="https" secure="true"
                clientAuth="want"
-               sslProtocols="TLSv1.2,TLSv1.1,TLSv1"
+               sslProtocols="<%= scope['::candlepin::tls_versions'].map { |version| "TLSv#{version}"}.join(",") %>"
                keystoreFile="<%= scope['::candlepin::keystore_file'] %>"
                truststoreFile="<%= scope['::candlepin::truststore_file'] %>"
                keystorePass="<%= scope['::candlepin::keystore_password'] %>"