Force stunnel to use TLSv1.2

This allows us to force a TLS version for stunnel, which we
set to TLSv1.2. This ensures that we're compliant with FedRAMP,
which requires a minimum version of TLSv1.1.

Unfortunately, using the "option" key didn't work in the configuration
as was tried in a previous commit. This option would have only
disabled the versions we set, instead of only allowing one, like
"sslVersions" does. This seems to be the only alternative we have at
the moment.

Related-Bug: #1754368
Change-Id: I353f893ee5dcc265269704e23f65aa0460724078
Juan Antonio Osorio Robles 2018-04-19 07:53:01 +00:00
parent c5131729e7
commit a5561f0a1d
2 changed files with 6 additions and 0 deletions


@ -42,6 +42,10 @@
# Host where the tunnel will be proxying to.
# Defaults to 'localhost'
#
# [*ssl_version*]
# (Optional) select the TLS protocol version
# Defaults to 'TLSv1.2'
#
define tripleo::stunnel::service_proxy (
$accept_host,
$accept_port,
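Review bot: the new `[*ssl_version*]` doc comment says what the parameter selects but not which values are valid; since the string is written verbatim into stunnel.conf and stunnel only understands its own sslVersion keywords, listing the accepted protocol names next to "Defaults to 'TLSv1.2'" would save a user a failed stunnel start after a typo. It is also worth stating here that the value pins a single protocol version rather than setting a minimum, which is the behaviour the commit message describes and the reason `options` was rejected.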
@ -50,6 +54,7 @@ define tripleo::stunnel::service_proxy (
$key,
$client = 'no',
$connect_host = 'localhost',
$ssl_version = 'TLSv1.2'
) {
concat::fragment { "stunnel-service-${name}":
target => '/etc/stunnel/stunnel.conf',
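Review bot: `$ssl_version = 'TLSv1.2'` is added as an untyped parameter, so any string is accepted and passed straight through to the template. Constraining it, for example with `Enum['TLSv1', 'TLSv1.1', 'TLSv1.2'] $ssl_version = 'TLSv1.2'`, or with a validation check in the define body, would turn a mistyped value into a catalog compile error instead of an stunnel service that fails to start on the host.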


@ -4,3 +4,4 @@ accept=<%= @accept_host %>:<%= @accept_port %>
connect=<%= @connect_host %>:<%= @connect_port %>
cert=<%= @certificate %>
key=<%= @key %>
sslVersion = <%= @ssl_version %>
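Review bot: `sslVersion = <%= @ssl_version %>` puts spaces around `=` while every other directive in this template (`accept=`, `connect=`, `cert=`, `key=`) is written without them; stunnel accepts both spellings, but `sslVersion=<%= @ssl_version %>` keeps the generated file consistent. Since the value is interpolated unquoted and unchecked, the template relies entirely on the define's parameter for validation, which is another reason to constrain `$ssl_version` in the manifest.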