Force stunnel to use TLSv1.2
This allows us to force a TLS version for stunnel, which we set to TLSv1.2. This ensures that we're compliant with FedRamp, which requires a minimum version of TLSv1.1. Unfortunately, using the "option" key didn't work in the configuration as was tried in a previous commit. That option would only have disabled the versions we listed, instead of allowing a single one, as "sslVersion" does. This seems to be the only alternative we have at the moment. Related-Bug: #1754368 Change-Id: I353f893ee5dcc265269704e23f65aa0460724078
parent
c5131729e7
commit
a5561f0a1d
@ -42,6 +42,10 @@
# Host where the tunnel will be proxying to.
# Defaults to 'localhost'
#
# [*ssl_version*]
# (Optional) select the TLS protocol version
# Defaults to 'TLSv1.2'
#
define tripleo::stunnel::service_proxy (
$accept_host,
$accept_port,
@ -50,6 +54,7 @@ define tripleo::stunnel::service_proxy (
$key,
$client = 'no',
$connect_host = 'localhost',
$ssl_version = 'TLSv1.2'
) {
concat::fragment { "stunnel-service-${name}":
target => '/etc/stunnel/stunnel.conf',
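Review bot: `$ssl_version = 'TLSv1.2'` is written verbatim into the stunnel configuration (the template emits it as `sslVersion`), so a caller that passes `all`, `SSLv3` or a misspelling silently weakens or breaks the tunnel without any catalog-time error. Add a check next to the parameter list, e.g. `validate_re($ssl_version, '^TLSv1(\.[12])?$', "ssl_version must be TLSv1, TLSv1.1 or TLSv1.2, got '${ssl_version}'")` if puppetlabs-stdlib is available to this module, or a typed `Enum['TLSv1', 'TLSv1.1', 'TLSv1.2']` parameter where the Puppet 4 parser is in use. The `[*ssl_version*]` doc comment in the first hunk should also say that it selects exactly one protocol version (stunnel's `sslVersion` is a single value, not a minimum), so pinning `TLSv1.2` also excludes newer versions such as TLSv1.3 on stunnel builds that support them — worth stating so the default gets revisited. The body of `tripleo::stunnel::service_proxy` continues past the hunk.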
@ -4,3 +4,4 @@ accept=<%= @accept_host %>:<%= @accept_port %>
connect=<%= @connect_host %>:<%= @connect_port %>
cert=<%= @certificate %>
key=<%= @key %>
sslVersion = <%= @ssl_version %>
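Review bot: The added `sslVersion = <%= @ssl_version %>` is the only line in this fragment with spaces around `=`; the `accept`, `connect`, `cert` and `key` lines above all use the `key=value` form, so for consistency write `sslVersion=<%= @ssl_version %>`. stunnel's parser tolerates both spellings, so this is a point of style only. The template has no way to reject an unsafe value, so any validation of `@ssl_version` belongs in the manifest that sets it. The service section this fragment is part of begins above the hunk.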