Force stunnel to use TLSv1.2

This allows us to force a TLS version for stunnel, which we
set to TLSv1.2. This ensures that we're compliant with FedRAMP,
which requires a minimum version of TLSv1.1.

Unfortunately, using the "option" key didn't work in the configuration
as was tried in a previous commit. This option would have only
disabled the versions we set, instead of only allowing one, like
"sslVersions" does. This seems to be the only alternative we have at
the moment.

Related-Bug: #1754368
Change-Id: I353f893ee5dcc265269704e23f65aa0460724078
(cherry picked from commit a5561f0a1d)
This commit is contained in:
Juan Antonio Osorio Robles 2018-04-19 07:53:01 +00:00
parent f47888f70c
commit c94340b812
2 changed files with 6 additions and 0 deletions


@ -42,6 +42,10 @@
# Host where the tunnel will be proxying to.
# Defaults to 'localhost'
#
# [*ssl_version*]
# (Optional) select the TLS protocol version
# Defaults to 'TLSv1.2'
#
define tripleo::stunnel::service_proxy (
$accept_host,
$accept_port,
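Review bot: the new `[*ssl_version*]` doc block says "select the TLS protocol version" but does not tell the reader that this pins a single version rather than a minimum; the commit message explains that stunnel's `sslVersion` only allows one version, so state that here (e.g. "Defaults to 'TLSv1.2'; stunnel negotiates only the single version named") so operators do not assume newer versions such as TLSv1.3 are also accepted.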
@ -50,6 +54,7 @@ define tripleo::stunnel::service_proxy (
$key,
$client = 'no',
$connect_host = 'localhost',
$ssl_version = 'TLSv1.2'
) {
concat::fragment { "stunnel-service-${name}":
target => '/etc/stunnel/stunnel.conf',
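Review bot: `$ssl_version = 'TLSv1.2'` is accepted without any type or value check and, per the template hunk, is written straight into stunnel.conf, so a mistyped or downgraded value (the commit message notes FedRAMP's floor is TLSv1.1) would only surface when stunnel fails to start or, worse, quietly negotiates the weaker protocol. Consider constraining the parameter with a data type such as Puppet's `Enum`, or a validation that rejects anything below the required minimum.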


@ -4,3 +4,4 @@ accept=<%= @accept_host %>:<%= @accept_port %>
connect=<%= @connect_host %>:<%= @connect_port %>
cert=<%= @certificate %>
key=<%= @key %>
sslVersion = <%= @ssl_version %>
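Review bot: `sslVersion = <%= @ssl_version %>` breaks the `key=value` style of the surrounding lines (`accept=`, `connect=`, `cert=`, `key=`); write it as `sslVersion=<%= @ssl_version %>` for consistency. Since the value is interpolated into the config unquoted and unchecked here, any validation of `@ssl_version` has to happen in the defined type that sets it.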