From a5561f0a1d48ff3364f6e1785000dd454bd57057 Mon Sep 17 00:00:00 2001
From: Juan Antonio Osorio Robles
Date: Thu, 19 Apr 2018 07:53:01 +0000
Subject: [PATCH] Force stunnel to use TLSv1.2

This allows us to force a TLS version for stunnel, which we set to TLSv1.2. This ensures that we're compliant with FedRamp, which requires a minimum version of TLSv1.1. Unfortunately, using the "option" key didn't work in the configuration as was tried in a previous commit. This option would have only only disabled the versions we set, instead of only allowing one, like "sslVersions" does. This seems to be the only alternative we have at the moment.

Related-Bug: #1754368
Change-Id: I353f893ee5dcc265269704e23f65aa0460724078
---
 manifests/stunnel/service_proxy.pp | 5 +++++
 templates/stunnel/service.erb | 1 +
 2 files changed, 6 insertions(+)
diff --git a/manifests/stunnel/service_proxy.pp b/manifests/stunnel/service_proxy.pp
index 2c9519a83..591210056 100644
--- a/manifests/stunnel/service_proxy.pp
+++ b/manifests/stunnel/service_proxy.pp
@@ -42,6 +42,10 @@
 # Host where the tunnel will be proxying to.
 # Defaults to 'localhost'
 #
+# [*ssl_version*]
+# (Optional) select the TLS protocol version
+# Defaults to 'TLSv1.2'
+#
 define tripleo::stunnel::service_proxy (
 $accept_host,
 $accept_port,
@@ -50,6 +54,7 @@ define tripleo::stunnel::service_proxy (
 $key,
 $client = 'no',
 $connect_host = 'localhost',
+ $ssl_version = 'TLSv1.2'
 ) {
 concat::fragment { "stunnel-service-${name}":
 target => '/etc/stunnel/stunnel.conf',
diff --git a/templates/stunnel/service.erb b/templates/stunnel/service.erb
index b707444a3..63f298c50 100644
--- a/templates/stunnel/service.erb
+++ b/templates/stunnel/service.erb
@@ -4,3 +4,4 @@ accept=<%= @accept_host %>:<%= @accept_port %>
 connect=<%= @connect_host %>:<%= @connect_port %>
 cert=<%= @certificate %>
 key=<%= @key %>
+sslVersion = <%= @ssl_version %>
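Review bot: The new `$ssl_version` parameter in the second hunk of service_proxy.pp is accepted as a free-form string and written verbatim into stunnel.conf by the template, so an unsupported or malformed value (including one containing a newline, which would become an extra config directive) is only caught when stunnel fails to start, and a deployer can set a protocol weaker than the TLSv1.1 floor this change exists to enforce. Since the whole point is to restrict the protocol, constraining the parameter is cheap: with Puppet 4 typed parameters `Enum['TLSv1.1', 'TLSv1.2'] $ssl_version = 'TLSv1.2'`, or, if the define must stay untyped and the module already depends on puppetlabs-stdlib, `validate_re($ssl_version, '^TLSv1\.[12]$')` as the first statement of the body. The parameter doc block added in the first hunk should then name the accepted values, e.g. `#   (Optional) TLS protocol version passed to stunnel's sslVersion option; one of 'TLSv1.1' or 'TLSv1.2'`. The body of tripleo::stunnel::service_proxy continues outside the hunk, so I cannot see whether any validation already happens there.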
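Review bot: `sslVersion = <%= @ssl_version %>` pins stunnel to exactly one protocol version rather than a floor, so while the commit message states the requirement as a minimum of TLSv1.1, this line will also refuse TLSv1.3 once the underlying OpenSSL and stunnel support it, and every future raise of the floor needs a config change. Newer stunnel releases (5.50 and later, as far as I recall) provide `sslVersionMin`, which expresses the minimum directly; if the packaged stunnel predates it, a short template comment saying so would stop the next maintainer from "fixing" this, e.g. `<%# sslVersion rather than sslVersionMin: the packaged stunnel does not provide the latter yet %>`. Separately, the other keys in this template are written without spaces around `=` (`key=<%= @key %>`), so `sslVersion=<%= @ssl_version %>` keeps the file consistent. Lines 1-3 of the template are outside the hunk.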