From c7ce06cac84c2c57c5fb25852f2e8573555607d0 Mon Sep 17 00:00:00 2001
From: Tobias Muellerleile
Date: Thu, 21 May 2015 14:04:40 +0200
Subject: [PATCH] Add ssl_openssl_conf_cmd param (apache::mod::ssl and apache::vhost)
---
 README.md | 5 +++++
 manifests/mod/ssl.pp | 2 ++
 manifests/vhost.pp | 2 ++
 spec/classes/mod/ssl_spec.rb | 9 +++++++++
 spec/defines/vhost_spec.rb | 3 +++
 templates/mod/ssl.conf.erb | 3 +++
 templates/vhost/_ssl.erb | 3 +++
 7 files changed, 27 insertions(+)
diff --git a/README.md b/README.md
index 087bbc869..f954533e1 100644
--- a/README.md
+++ b/README.md
@@ -823,6 +823,7 @@ Installs Apache SSL capabilities and uses the ssl.conf.erb template. These are t
 ssl_compression => false,
 ssl_cryptodevice => 'builtin',
 ssl_options => [ 'StdEnvVars' ],
+ ssl_openssl_conf_cmd => undef,
 ssl_cipher => 'HIGH:MEDIUM:!aNULL:!MD5',
 ssl_honorcipherorder => 'On',
 ssl_protocol => [ 'all', '-SSLv2', '-SSLv3' ],
@@ -2251,6 +2252,10 @@ An array:
 }
 ```
+#####`ssl_openssl_conf_cmd`
+
+Sets the [SSLOpenSSLConfCmd](http://httpd.apache.org/docs/current/mod/mod_ssl.html#sslopensslconfcmd) directive, which provides direct configuration of OpenSSL parameters. Defaults to 'undef'.
+
 #####`ssl_proxyengine`
 Specifies whether or not to use [SSLProxyEngine](http://httpd.apache.org/docs/current/mod/mod_ssl.html#sslproxyengine). Valid values are 'true' and 'false'. Defaults to 'false'.
diff --git a/manifests/mod/ssl.pp b/manifests/mod/ssl.pp
index 4a6b82334..9e68d21b7 100644
--- a/manifests/mod/ssl.pp
+++ b/manifests/mod/ssl.pp
@@ -2,6 +2,7 @@
 $ssl_compression = false,
 $ssl_cryptodevice = 'builtin',
 $ssl_options = [ 'StdEnvVars' ],
+ $ssl_openssl_conf_cmd = undef,
 $ssl_cipher = 'HIGH:MEDIUM:!aNULL:!MD5',
 $ssl_honorcipherorder = 'On',
 $ssl_protocol = [ 'all', '-SSLv2', '-SSLv3' ],
@@ -57,6 +58,7 @@
 # $ssl_cipher
 # $ssl_honorcipherorder
 # $ssl_options
+ # $ssl_openssl_conf_cmd
 # $session_cache
 # $ssl_mutex
 # $ssl_random_seed_bytes 
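Review bot: The new `$ssl_openssl_conf_cmd` parameter in the `@@ -2,6 +2,7 @@` hunk is accepted with no validation, yet its value is copied verbatim into ssl.conf by the template hunk later in this patch; the part of the class body where the other parameters are checked is outside this hunk, so I cannot see which helper is used there, but an array or hash passed here would be rendered with Ruby's `to_s` and yield a directive line httpd rejects at its next restart rather than at catalog compile time. A check beside the existing ones, `validate_string($ssl_openssl_conf_cmd)` if that is the module's convention, closes that gap. Independently of validation, the README entry added in this patch should state that `SSLOpenSSLConfCmd` exists only in httpd 2.4.8 and later built against OpenSSL 1.0.2 or later; on an older build the unknown directive is a startup error, so something like `Requires Apache 2.4.8+ with OpenSSL 1.0.2+; older builds will fail to start if this is set.` belongs next to "Defaults to 'undef'".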
diff --git a/manifests/vhost.pp b/manifests/vhost.pp
index 17f61e313..60b5124e1 100644
--- a/manifests/vhost.pp
+++ b/manifests/vhost.pp
@@ -26,6 +26,7 @@
 $ssl_verify_client = undef,
 $ssl_verify_depth = undef,
 $ssl_options = undef,
+ $ssl_openssl_conf_cmd = undef,
 $ssl_proxyengine = false,
 $priority = undef,
 $default_vhost = false,
@@ -729,6 +730,7 @@
 # - $ssl_verify_client
 # - $ssl_verify_depth
 # - $ssl_options
+ # - $ssl_openssl_conf_cmd
 # - $apache_version
 if $ssl {
 concat::fragment { "${name}-ssl":
diff --git a/spec/classes/mod/ssl_spec.rb b/spec/classes/mod/ssl_spec.rb
index 50aa8292f..1e8b94edc 100644
--- a/spec/classes/mod/ssl_spec.rb
+++ b/spec/classes/mod/ssl_spec.rb
@@ -136,5 +136,14 @@
 end
 it { is_expected.to contain_file('ssl.conf').with_content(%r{^ SSLRandomSeed startup file:/dev/urandom 1024$})}
 end
+
+ context 'setting ssl_openssl_conf_cmd' do
+ let :params do
+ {
+ :ssl_openssl_conf_cmd => 'DHParameters "foo.pem"',
+ }
+ end
+ it { is_expected.to contain_file('ssl.conf').with_content(/^\s+SSLOpenSSLConfCmd DHParameters "foo.pem"$/)}
+ end
 end
 end
diff --git a/spec/defines/vhost_spec.rb b/spec/defines/vhost_spec.rb
index 47c1b1f45..489c9b43f 100644
--- a/spec/defines/vhost_spec.rb
+++ b/spec/defines/vhost_spec.rb
@@ -153,6 +153,7 @@
 'ssl_verify_client' => 'optional',
 'ssl_verify_depth' => '3',
 'ssl_options' => '+ExportCertData',
+ 'ssl_openssl_conf_cmd' => 'DHParameters "foo.pem"',
 'ssl_proxyengine' => true,
 'priority' => '30',
 'default_vhost' => true, 
@@ -398,6 +399,8 @@
 it { is_expected.to contain_concat__fragment('rspec.example.com-serveralias') }
 it { is_expected.to contain_concat__fragment('rspec.example.com-setenv') }
 it { is_expected.to contain_concat__fragment('rspec.example.com-ssl') }
+ it { is_expected.to contain_concat__fragment('rspec.example.com-ssl').with(
+ :content => /^\s+SSLOpenSSLConfCmd\s+DHParameters "foo.pem"$/ ) }
 it { is_expected.to contain_concat__fragment('rspec.example.com-suphp') }
 it { is_expected.to contain_concat__fragment('rspec.example.com-php_admin') }
 it { is_expected.to contain_concat__fragment('rspec.example.com-header') }
diff --git a/templates/mod/ssl.conf.erb b/templates/mod/ssl.conf.erb
index 933aa1fcc..96b80b003 100644
--- a/templates/mod/ssl.conf.erb
+++ b/templates/mod/ssl.conf.erb
@@ -25,4 +25,7 @@
 <% if @ssl_options -%>
 SSLOptions <%= @ssl_options.compact.join(' ') %>
 <% end -%>
+<%- if @ssl_openssl_conf_cmd -%>
+ SSLOpenSSLConfCmd <%= @ssl_openssl_conf_cmd %>
+<%- end -%>
diff --git a/templates/vhost/_ssl.erb b/templates/vhost/_ssl.erb
index 516992558..c2d941350 100644
--- a/templates/vhost/_ssl.erb
+++ b/templates/vhost/_ssl.erb
@@ -43,4 +43,7 @@
 <%- if @ssl_options -%>
 SSLOptions <%= Array(@ssl_options).join(' ') %>
 <%- end -%>
+ <%- if @ssl_openssl_conf_cmd -%>
+ SSLOpenSSLConfCmd <%= @ssl_openssl_conf_cmd %>
+ <%- end -%>
 <% end -%>
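Review bot: The ssl.conf.erb hunk can emit exactly one `SSLOpenSSLConfCmd` line, but the directive is meant to be repeated: a hardened deployment typically needs `DHParameters` and `Curves`/`ECDHParameters` (and possibly `Protocol` or `Options`) together, and there is no way to express that through a single string without breaking the `Name value` syntax. Iterating over the parameter instead accepts both the string the spec tests and an array, and `Array(nil)` is empty so the `if` guard becomes unnecessary: `<%- Array(@ssl_openssl_conf_cmd).each do |cmd| -%>` / `  SSLOpenSSLConfCmd <%= cmd %>` / `<%- end -%>`. The same three-line shape applies to the vhost fragment, which already uses `Array(@ssl_options)` on the line just above its new block. As a point of style, the new lines use `<%-` while the neighbouring `SSLOptions` block in this file uses `<%`; picking one avoids a visible inconsistency in the trailing-newline handling.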
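Review bot: The _ssl.erb hunk writes `SSLOpenSSLConfCmd` into every SSL vhost whenever the parameter is set, with no check on the Apache version, even though the vhost.pp hunk in this patch lists `$apache_version` among the variables handed to this fragment. The directive is only known to httpd 2.4.8 and later built against OpenSSL 1.0.2 or later; on an older server an unknown directive inside `<VirtualHost>` is a configtest failure, so the next Puppet-triggered restart takes the whole server down rather than just skipping the option. If the module already compares `@apache_version` in its other 2.4-only template blocks (I believe it does, but cannot see it from this hunk), guard this block the same way, for example `<%- if @ssl_openssl_conf_cmd && scope.function_versioncmp([@apache_version, '2.4.8']) >= 0 -%>`; otherwise at least add a `# Requires Apache >= 2.4.8 with OpenSSL >= 1.0.2` comment above the block and the same sentence in the README entry.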