Force stunnel to use TLSv1.2

This allows us to force a TLS version for stunnel, which we
set to TLSv1.2. This ensures that we're compliant with FedRamp,
which requires a minimum version of TLSv1.1.

Unfortunately, using the "option" key didn't work in the configuration
as was tried in a previous commit. This option would have only only
disabled the versions we set, instead of only allowing one, like
"sslVersions" does. This seems to be the only alternative we have at
the moment.

Related-Bug: #1754368
Change-Id: I353f893ee5dcc265269704e23f65aa0460724078
(cherry picked from commit a5561f0a1d)

manifests/stunnel/service_proxy.pp

@@ -42,6 +42,10 @@
 #   Host where the tunnel will be proxying to.
 #   Defaults to 'localhost'
 #
+# [*ssl_version*]
+#   (Optional) select the TLS protocol version
+#   Defaults to 'TLSv1.2'
+#
 define tripleo::stunnel::service_proxy (
   $accept_host,
   $accept_port,
@@ -50,6 +54,7 @@ define tripleo::stunnel::service_proxy (
   $key,
   $client = 'no',
   $connect_host = 'localhost',
+  $ssl_version = 'TLSv1.2'
 ) {
   concat::fragment { "stunnel-service-${name}":
     target  => '/etc/stunnel/stunnel.conf',

templates/stunnel/service.erb

@@ -4,3 +4,4 @@ accept=<%= @accept_host %>:<%= @accept_port %>
 connect=<%= @connect_host %>:<%= @connect_port %>
 cert=<%= @certificate %>
 key=<%= @key %>
+sslVersion = <%= @ssl_version %>