Add ssl_disabled_ciphers configuration option for 1.12

manifests/init.pp

@@ -67,6 +67,9 @@
 # $foreman_ssl_key::            Corresponding key to a foreman_ssl_cert certificate
 #                               When not specified, the ssl_key is used instead.
 #
+# $ssl_disabled_ciphers::       List of OpenSSL cipher suite names that will be disabled from the default
+#                               type:array
+#
 # $trusted_hosts::              Only hosts listed will be permitted, empty array to disable authorization
 #                               type:array
 #
@@ -309,6 +312,7 @@
   $foreman_ssl_cert           = $foreman_proxy::params::foreman_ssl_cert,
   $foreman_ssl_key            = $foreman_proxy::params::foreman_ssl_key,
   $trusted_hosts              = $foreman_proxy::params::trusted_hosts,
+  $ssl_disabled_ciphers       = $foreman_proxy::params::ssl_disabled_ciphers,
   $manage_sudoersd            = $foreman_proxy::params::manage_sudoersd,
   $use_sudoersd               = $foreman_proxy::params::use_sudoersd,
   $puppetca                   = $foreman_proxy::params::puppetca,
@@ -419,7 +423,7 @@
   # Validate misc params
   validate_string($bind_host)
   validate_bool($ssl, $manage_sudoersd, $use_sudoersd, $register_in_foreman)
-  validate_array($trusted_hosts)
+  validate_array($trusted_hosts, $ssl_disabled_ciphers)
   validate_re($log_level, '^(UNKNOWN|FATAL|ERROR|WARN|INFO|DEBUG)$')
   validate_re($plugin_version, '^(installed|present|latest|absent)$')
   validate_re($ensure_packages_version, '^(installed|present|latest|absent)$')

manifests/params.pp

@@ -132,6 +132,7 @@
   # Used to communicate to Foreman
   $ssl_cert = "${ssldir}/certs/${lower_fqdn}.pem"
   $ssl_key = "${ssldir}/private_keys/${lower_fqdn}.pem"
+  $ssl_disabled_ciphers = []
 
   $foreman_ssl_ca  = undef
   $foreman_ssl_cert = undef

spec/classes/foreman_proxy__config__spec.rb

@@ -941,6 +941,22 @@
           end
         end
       end
+
+      context 'with ssl_disabled_ciphers' do
+        let :pre_condition do
+          'class {"foreman_proxy":
+            ssl_disabled_ciphers => ["CIPHER-SUITE-1", "CIPHER-SUITE-2"],
+          }'
+        end
+
+        it 'should set ssl_disabled_ciphers to YAML array in setting.yml' do
+          verify_contents(catalogue, "#{etc_dir}/foreman-proxy/settings.yml", [
+            ':ssl_disabled_ciphers:',
+            '  - CIPHER-SUITE-1',
+            '  - CIPHER-SUITE-2',
+          ])
+        end
+      end
     end
   end
 end

templates/settings.yml.erb

@@ -27,6 +27,19 @@
 #:ssl_private_key: ssl/private_keys/fqdn.key
 <% end -%>
 
+# Use this option only if you need to disable certain cipher suites.
+# Note: we use the OpenSSL suite name, take a look at:
+# https://www.openssl.org/docs/manmaster/apps/ciphers.html#CIPHER-SUITE-NAMES
+# for more information.
+<% if ciphers = scope.lookupvar("foreman_proxy::ssl_disabled_ciphers") and ciphers.any? -%>
+:ssl_disabled_ciphers:
+<% ciphers.each do |c| -%>
+<%= "  - #{c}" %>
+<% end -%>
+<% else -%>
+#:ssl_disabled_ciphers: [CIPHER-SUITE-1, CIPHER-SUITE-2]
+<% end -%>
+
 # the hosts which the proxy accepts connections from
 # commenting the following lines would mean every verified SSL connection allowed
 <% if thosts = scope.lookupvar("foreman_proxy::trusted_hosts") and thosts.any? -%>