

Merge pull request #866 from domcleal/ssl-crl-check
Add support to set SSLCARevocationCheck on Apache 2.4
Morgan Haskel committed Sep 29, 2014
2 parents 7953700 + acc7980 commit 81b9541
Showing 5 changed files with 85 additions and 57 deletions.
8 changes: 8 additions & 0 deletions README.md
Expand Up @@ -276,6 +276,10 @@ The default certificate revocation list to use, which is automatically set to 'u

The default certificate revocation list path, which is automatically set to 'undef'. This default will work out of the box but must be updated with your specific certificate information before being used in production.

#####`default_ssl_crl_check`

Sets the default certificate revocation check level via the [SSLCARevocationCheck directive](http://httpd.apache.org/docs/current/mod/mod_ssl.html#sslcarevocationcheck), which is automatically set to 'undef'. This default will work out of the box but must be specified when using CRLs in production. Only applicable to Apache 2.4 or higher, the value will be ignored on older versions.

#####`default_ssl_key`

The default SSL key, which is automatically set based on your operating system ('/etc/pki/tls/private/localhost.key' for RedHat, '/etc/ssl/private/ssl-cert-snakeoil.key' for Debian, and '/usr/local/etc/apache22/server.key' for FreeBSD). This default will work out of the box but must be updated with your specific certificate information before being used in production.
Expand Down Expand Up @@ -1776,6 +1780,10 @@ Specifies the certificate revocation list to use. Defaults to 'undef'. (This def

Specifies the location of the certificate revocation list. Defaults to 'undef'. (This default will work out of the box but must be updated in the base `apache` class with your specific certificate information before being used in production.)

#####`ssl_crl_check`

Sets the certificate revocation check level via the [SSLCARevocationCheck directive](http://httpd.apache.org/docs/current/mod/mod_ssl.html#sslcarevocationcheck), defaults to 'undef'. This default will work out of the box but must be specified when using CRLs in production. Only applicable to Apache 2.4 or higher, the value will be ignored on older versions.

#####`ssl_key`

Specifies the SSL key. Defaults are based on your operating system: '/etc/pki/tls/private/localhost.key' for RedHat, '/etc/ssl/private/ssl-cert-snakeoil.key' for Debian, and '/usr/local/etc/apache22/server.key' for FreeBSD. (This default will work out of the box but must be updated in the base `apache` class with your specific certificate information before being used in production.)
99 changes: 50 additions & 49 deletions manifests/init.pp
Expand Up @@ -13,56 +13,57 @@
# Sample Usage:
#
class apache (
$apache_name = $::apache::params::apache_name,
$service_name = $::apache::params::service_name,
$default_mods = true,
$default_vhost = true,
$default_confd_files = true,
$default_ssl_vhost = false,
$default_ssl_cert = $::apache::params::default_ssl_cert,
$default_ssl_key = $::apache::params::default_ssl_key,
$default_ssl_chain = undef,
$default_ssl_ca = undef,
$default_ssl_crl_path = undef,
$default_ssl_crl = undef,
$ip = undef,
$service_enable = true,
$service_ensure = 'running',
$purge_configs = true,
$purge_vhost_dir = undef,
$purge_vdir = false,
$serveradmin = 'root@localhost',
$sendfile = 'On',
$error_documents = false,
$timeout = '120',
$httpd_dir = $::apache::params::httpd_dir,
$server_root = $::apache::params::server_root,
$conf_dir = $::apache::params::conf_dir,
$confd_dir = $::apache::params::confd_dir,
$vhost_dir = $::apache::params::vhost_dir,
$vhost_enable_dir = $::apache::params::vhost_enable_dir,
$mod_dir = $::apache::params::mod_dir,
$mod_enable_dir = $::apache::params::mod_enable_dir,
$mpm_module = $::apache::params::mpm_module,
$conf_template = $::apache::params::conf_template,
$servername = $::apache::params::servername,
$manage_user = true,
$manage_group = true,
$user = $::apache::params::user,
$group = $::apache::params::group,
$keepalive = $::apache::params::keepalive,
$keepalive_timeout = $::apache::params::keepalive_timeout,
$apache_name = $::apache::params::apache_name,
$service_name = $::apache::params::service_name,
$default_mods = true,
$default_vhost = true,
$default_confd_files = true,
$default_ssl_vhost = false,
$default_ssl_cert = $::apache::params::default_ssl_cert,
$default_ssl_key = $::apache::params::default_ssl_key,
$default_ssl_chain = undef,
$default_ssl_ca = undef,
$default_ssl_crl_path = undef,
$default_ssl_crl = undef,
$default_ssl_crl_check = undef,
$ip = undef,
$service_enable = true,
$service_ensure = 'running',
$purge_configs = true,
$purge_vhost_dir = undef,
$purge_vdir = false,
$serveradmin = 'root@localhost',
$sendfile = 'On',
$error_documents = false,
$timeout = '120',
$httpd_dir = $::apache::params::httpd_dir,
$server_root = $::apache::params::server_root,
$conf_dir = $::apache::params::conf_dir,
$confd_dir = $::apache::params::confd_dir,
$vhost_dir = $::apache::params::vhost_dir,
$vhost_enable_dir = $::apache::params::vhost_enable_dir,
$mod_dir = $::apache::params::mod_dir,
$mod_enable_dir = $::apache::params::mod_enable_dir,
$mpm_module = $::apache::params::mpm_module,
$conf_template = $::apache::params::conf_template,
$servername = $::apache::params::servername,
$manage_user = true,
$manage_group = true,
$user = $::apache::params::user,
$group = $::apache::params::group,
$keepalive = $::apache::params::keepalive,
$keepalive_timeout = $::apache::params::keepalive_timeout,
$max_keepalive_requests = $apache::params::max_keepalive_requests,
$logroot = $::apache::params::logroot,
$logroot_mode = $::apache::params::logroot_mode,
$log_level = $::apache::params::log_level,
$log_formats = {},
$ports_file = $::apache::params::ports_file,
$apache_version = $::apache::version::default,
$server_tokens = 'OS',
$server_signature = 'On',
$trace_enable = 'On',
$package_ensure = 'installed',
$logroot = $::apache::params::logroot,
$logroot_mode = $::apache::params::logroot_mode,
$log_level = $::apache::params::log_level,
$log_formats = {},
$ports_file = $::apache::params::ports_file,
$apache_version = $::apache::version::default,
$server_tokens = 'OS',
$server_signature = 'On',
$trace_enable = 'On',
$package_ensure = 'installed',
) inherits ::apache::params {
validate_bool($default_vhost)
validate_bool($default_ssl_vhost)
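Review bot: The new `$default_ssl_crl_check` parameter is accepted without any value check, although the parameters right below it are validated (`validate_bool($default_vhost)`, `validate_bool($default_ssl_vhost)`); the same gap applies to `$ssl_crl_check` in manifests/vhost.pp. The values mod_ssl documents for SSLCARevocationCheck are `none`, `leaf` and `chain`, and a typo only surfaces later when httpd refuses the generated vhost config. After the existing validate_bool calls add `if $default_ssl_crl_check { validate_re($default_ssl_crl_check, '^(none|leaf|chain)$', 'default_ssl_crl_check must be none, leaf or chain') }`. The class body continues past this hunk, so check that no such validation already exists further down. As a matter of style, realigning the whole parameter list turns a one-line addition into a 99-line diff, which hides the actual change in review.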
3 changes: 3 additions & 0 deletions manifests/vhost.pp
Expand Up @@ -18,6 +18,7 @@
$ssl_ca = $::apache::default_ssl_ca,
$ssl_crl_path = $::apache::default_ssl_crl_path,
$ssl_crl = $::apache::default_ssl_crl,
$ssl_crl_check = $::apache::default_ssl_crl_check,
$ssl_certs_dir = $::apache::params::ssl_certs_dir,
$ssl_protocol = undef,
$ssl_cipher = undef,
Expand Down Expand Up @@ -651,13 +652,15 @@
# - $ssl_ca
# - $ssl_crl_path
# - $ssl_crl
# - $ssl_crl_check
# - $ssl_proxyengine
# - $ssl_protocol
# - $ssl_cipher
# - $ssl_honorcipherorder
# - $ssl_verify_client
# - $ssl_verify_depth
# - $ssl_options
# - $apache_version
if $ssl {
concat::fragment { "${name}-ssl":
target => "${priority_real}-$(unknown).conf",
29 changes: 21 additions & 8 deletions spec/acceptance/apache_ssl_spec.rb
@@ -1,4 +1,5 @@
require 'spec_helper_acceptance'
require_relative './version.rb'

case fact('osfamily')
when 'RedHat'
Expand All @@ -13,14 +14,15 @@
it 'runs without error' do
pp = <<-EOS
class { 'apache':
service_ensure => stopped,
default_ssl_vhost => true,
default_ssl_cert => '/tmp/ssl_cert',
default_ssl_key => '/tmp/ssl_key',
default_ssl_chain => '/tmp/ssl_chain',
default_ssl_ca => '/tmp/ssl_ca',
default_ssl_crl_path => '/tmp/ssl_crl_path',
default_ssl_crl => '/tmp/ssl_crl',
service_ensure => stopped,
default_ssl_vhost => true,
default_ssl_cert => '/tmp/ssl_cert',
default_ssl_key => '/tmp/ssl_key',
default_ssl_chain => '/tmp/ssl_chain',
default_ssl_ca => '/tmp/ssl_ca',
default_ssl_crl_path => '/tmp/ssl_crl_path',
default_ssl_crl => '/tmp/ssl_crl',
default_ssl_crl_check => 'chain',
}
EOS
apply_manifest(pp, :catch_failures => true)
Expand All @@ -34,6 +36,11 @@ class { 'apache':
it { is_expected.to contain 'SSLCACertificateFile "/tmp/ssl_ca"' }
it { is_expected.to contain 'SSLCARevocationPath "/tmp/ssl_crl_path"' }
it { is_expected.to contain 'SSLCARevocationFile "/tmp/ssl_crl"' }
if $apache_version == '2.4'
it { is_expected.to contain 'SSLCARevocationCheck "chain"' }
else
it { is_expected.not_to contain 'SSLCARevocationCheck' }
end
end
end

Expand All @@ -53,6 +60,7 @@ class { 'apache':
ssl_ca => '/tmp/ssl_ca',
ssl_crl_path => '/tmp/ssl_crl_path',
ssl_crl => '/tmp/ssl_crl',
ssl_crl_check => 'chain',
ssl_certs_dir => '/tmp',
ssl_protocol => 'test',
ssl_cipher => 'test',
Expand Down Expand Up @@ -81,6 +89,11 @@ class { 'apache':
it { is_expected.to contain 'SSLVerifyClient test' }
it { is_expected.to contain 'SSLVerifyDepth test' }
it { is_expected.to contain 'SSLOptions test test1' }
if $apache_version == '2.4'
it { is_expected.to contain 'SSLCARevocationCheck "chain"' }
else
it { is_expected.not_to contain 'SSLCARevocationCheck' }
end
end
end

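Review bot: The version guard `if $apache_version == '2.4'` in both new expectation blocks tests exact string equality, whereas the template emits the directive whenever `versioncmp(apache_version, '2.4') >= 0`, so on any newer Apache release the spec would assert the directive is absent while the template emits it. Presumably `$apache_version` (set by the new `require_relative './version.rb'`) only holds '2.2' or '2.4' today, but the guard should mirror the template's comparison: `if Gem::Version.new($apache_version) >= Gem::Version.new('2.4')`. The `describe` blocks enclosing both expectations begin outside the hunks.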
3 changes: 3 additions & 0 deletions templates/vhost/_ssl.erb
Expand Up @@ -19,6 +19,9 @@
<%- if @ssl_crl -%>
SSLCARevocationFile "<%= @ssl_crl %>"
<%- end -%>
<%- if @ssl_crl_check && scope.function_versioncmp([@apache_version, '2.4']) >= 0 -%>
SSLCARevocationCheck "<%= @ssl_crl_check %>"
<%- end -%>
<%- if @ssl_proxyengine -%>
SSLProxyEngine On
<%- end -%>
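Review bot: With the new guard, a vhost on Apache 2.4 that sets `ssl_crl` or `ssl_crl_path` but leaves `ssl_crl_check` unset gets no SSLCARevocationCheck line, and mod_ssl 2.4 defaults that directive to `none`, so the CRL configured a few lines above is loaded but never consulted. That silent no-revocation state deserves a note where the operator reads the template; add before the new `<%- if @ssl_crl_check ... -%>` line: `<%# Apache 2.4 defaults SSLCARevocationCheck to none: a CRL configured above is not consulted unless @ssl_crl_check is set -%>`. The guard also relies on `@apache_version` being in scope for every caller of this template; the vhost.pp hunk lists `$apache_version` among the template variables, so that appears to be handled, but the variable's definition is not visible here.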

0 comments on commit 81b9541
