Merge pull request #1001 from jpds/ssl_random_seed_options

ssl.pp: Allow setting of SSLRandomSeed option.
strider · Feb 17, 2015 · 8b7710c · 8b7710c
2 parents 7467efc + d431fce
commit 8b7710c
Show file tree

Hide file tree

Showing 4 changed files with 26 additions and 10 deletions.
diff --git a/README.md b/README.md
@@ -750,7 +750,12 @@ Installs Apache SSL capabilities and uses the ssl.conf.erb template. These are t
       ssl_cipher             => 'HIGH:MEDIUM:!aNULL:!MD5',
       ssl_protocol           => 'all -SSLv2 -SSLv3',
       ssl_pass_phrase_dialog => 'builtin',
-      ssl_random_seed_bytes  => '512',
+      ssl_random_seeds       => [
+        'startup builtin',
+        'startup file:/dev/urandom 512',
+        'connect builtin',
+        'connect file:/dev/urandom 512',
+      ],
     }
 ```
 

diff --git a/manifests/mod/ssl.pp b/manifests/mod/ssl.pp
@@ -4,7 +4,12 @@
   $ssl_cipher             = 'HIGH:MEDIUM:!aNULL:!MD5',
   $ssl_protocol           = [ 'all', '-SSLv2', '-SSLv3' ],
   $ssl_pass_phrase_dialog = 'builtin',
-  $ssl_random_seed_bytes  = '512',
+  $ssl_random_seeds = [
+    'startup builtin',
+    'startup file:/dev/urandom 512',
+    'connect builtin',
+    'connect file:/dev/urandom 512',
+  ],
   $apache_version         = $::apache::apache_version,
   $package_name           = undef,
 ) {
@@ -49,6 +54,7 @@
   # $ssl_options
   # $session_cache,
   # $ssl_mutex
+  # $ssl_random_seeds
   # $apache_version
   #
   file { 'ssl.conf':

diff --git a/spec/classes/mod/ssl_spec.rb b/spec/classes/mod/ssl_spec.rb
@@ -111,13 +111,17 @@
       it { is_expected.to contain_file('ssl.conf').with_content(/^  SSLPassPhraseDialog exec:\/path\/to\/program$/)}
     end
 
-    context 'setting ssl_random_seed_bytes' do
+    context 'setting ssl_random_seeds' do
       let :params do
         {
-          :ssl_random_seed_bytes => '1024',
-        }
+          :ssl_random_seeds => ['startup builtin',
+                                'startup file:/dev/random 256',
+                                'connect file:/dev/urandom 1024' ],
+         }
       end
-      it { is_expected.to contain_file('ssl.conf').with_content(%r{^  SSLRandomSeed startup file:/dev/urandom 1024$})}
+      it { is_expected.to contain_file('ssl.conf').with_content(/^  SSLRandomSeed startup builtin$/)}
+      it { is_expected.to contain_file('ssl.conf').with_content(/^  SSLRandomSeed startup file:\/dev\/random 256$/)}
+      it { is_expected.to contain_file('ssl.conf').with_content(/^  SSLRandomSeed connect file:\/dev\/urandom 1024$/)}
     end
 
   end

diff --git a/templates/mod/ssl.conf.erb b/templates/mod/ssl.conf.erb
@@ -1,8 +1,9 @@
 <IfModule mod_ssl.c>
-  SSLRandomSeed startup builtin
-  SSLRandomSeed startup file:/dev/urandom <%= @ssl_random_seed_bytes %>
-  SSLRandomSeed connect builtin
-  SSLRandomSeed connect file:/dev/urandom <%= @ssl_random_seed_bytes %>
+  <%- Array(@ssl_random_seeds).each do |ssl_random_seed| -%>
+    <%- if ssl_random_seed != '' -%>
+  SSLRandomSeed <%= ssl_random_seed %>
+    <%- end -%>
+  <%- end -%>
 
   AddType application/x-x509-ca-cert .crt
   AddType application/x-pkcs7-crl    .crl