Added ssl_protocol parameter to apache::mod::ssl

ticklejw · igalic · commit 8f2df799b242 · 2014-10-28T15:13:00.000+01:00
makes it easier to fix things like POODLE
diff --git a/README.md b/README.md
@@ -710,6 +710,7 @@ Installs Apache SSL capabilities and uses the ssl.conf.erb template. These are t
     class { 'apache::mod::ssl':
       ssl_compression => false,
       ssl_options     => [ 'StdEnvVars' ],
+      ssl_protocol    => 'all -SSLv2 -SSLv3',
   }
 ```
 
diff --git a/manifests/mod/ssl.pp b/manifests/mod/ssl.pp
@@ -2,6 +2,7 @@
   $ssl_compression = false,
   $ssl_options     = [ 'StdEnvVars' ],
   $ssl_cipher      = 'HIGH:MEDIUM:!aNULL:!MD5',
+  $ssl_protocol    = [ 'all', '-SSLv2', '-SSLv3' ],
   $apache_version  = $::apache::apache_version,
   $package_name    = undef,
 ) {
diff --git a/templates/mod/ssl.conf.erb b/templates/mod/ssl.conf.erb
@@ -21,7 +21,7 @@
   SSLCryptoDevice builtin
   SSLHonorCipherOrder On
   SSLCipherSuite <%= @ssl_cipher %>
-  SSLProtocol all -SSLv2 -SSLv3
+  SSLProtocol <%= @ssl_protocol.compact.join(' ') %>
 <% if @ssl_options -%>
   SSLOptions <%= @ssl_options.compact.join(' ') %>
 <% end -%>

Original file line number	Diff line number	Diff line change
`@@ -710,6 +710,7 @@ Installs Apache SSL capabilities and uses the ssl.conf.erb template. These are t`
`710`	`710`	`class { 'apache::mod::ssl':`
`711`	`711`	`ssl_compression => false,`
`712`	`712`	`ssl_options => [ 'StdEnvVars' ],`
	`713`	`+ ssl_protocol => 'all -SSLv2 -SSLv3',`
`713`	`714`	`}`
`714`	`715`	```
`715`	`716`