diff --git a/README.md b/README.md
index 92edc7464..2d6e8ce23 100644
--- a/README.md
+++ b/README.md
@@ -276,6 +276,10 @@ The default certificate revocation list to use, which is automatically set to 'u
 The default certificate revocation list path, which is automatically set to 'undef'. This default will work out of the box but must be updated with your specific certificate information before being used in production.
+#####`default_ssl_crl_check`
+
+Sets the default certificate revocation check level via the [SSLCARevocationCheck directive](http://httpd.apache.org/docs/current/mod/mod_ssl.html#sslcarevocationcheck), which is automatically set to 'undef'. This default will work out of the box but must be specified when using CRLs in production. Only applicable to Apache 2.4 or higher, the value will be ignored on older versions.
+
 #####`default_ssl_key`
 The default SSL key, which is automatically set based on your operating system ('/etc/pki/tls/private/localhost.key' for RedHat, '/etc/ssl/private/ssl-cert-snakeoil.key' for Debian, and '/usr/local/etc/apache22/server.key' for FreeBSD). This default will work out of the box but must be updated with your specific certificate information before being used in production.
@@ -1776,6 +1780,10 @@ Specifies the certificate revocation list to use. Defaults to 'undef'. (This def
 Specifies the location of the certificate revocation list. Defaults to 'undef'. (This default will work out of the box but must be updated in the base `apache` class with your specific certificate information before being used in production.)
+#####`ssl_crl_check`
+
+Sets the certificate revocation check level via the [SSLCARevocationCheck directive](http://httpd.apache.org/docs/current/mod/mod_ssl.html#sslcarevocationcheck), defaults to 'undef'. This default will work out of the box but must be specified when using CRLs in production. Only applicable to Apache 2.4 or higher, the value will be ignored on older versions.
+
 #####`ssl_key`
 Specifies the SSL key. Defaults are based on your operating system: '/etc/pki/tls/private/localhost.key' for RedHat, '/etc/ssl/private/ssl-cert-snakeoil.key' for Debian, and '/usr/local/etc/apache22/server.key' for FreeBSD. (This default will work out of the box but must be updated in the base `apache` class with your specific certificate information before being used in production.)
diff --git a/manifests/init.pp b/manifests/init.pp
index ed0fb099b..74e3d6a05 100644
--- a/manifests/init.pp
+++ b/manifests/init.pp
@@ -13,56 +13,57 @@
 # Sample Usage:
 #
 class apache (
- $apache_name = $::apache::params::apache_name,
- $service_name = $::apache::params::service_name,
- $default_mods = true,
- $default_vhost = true,
- $default_confd_files = true,
- $default_ssl_vhost = false,
- $default_ssl_cert = $::apache::params::default_ssl_cert,
- $default_ssl_key = $::apache::params::default_ssl_key,
- $default_ssl_chain = undef,
- $default_ssl_ca = undef,
- $default_ssl_crl_path = undef,
- $default_ssl_crl = undef,
- $ip = undef,
- $service_enable = true,
- $service_ensure = 'running',
- $purge_configs = true,
- $purge_vhost_dir = undef,
- $purge_vdir = false,
- $serveradmin = 'root@localhost',
- $sendfile = 'On',
- $error_documents = false,
- $timeout = '120',
- $httpd_dir = $::apache::params::httpd_dir,
- $server_root = $::apache::params::server_root,
- $conf_dir = $::apache::params::conf_dir,
- $confd_dir = $::apache::params::confd_dir,
- $vhost_dir = $::apache::params::vhost_dir,
- $vhost_enable_dir = $::apache::params::vhost_enable_dir,
- $mod_dir = $::apache::params::mod_dir,
- $mod_enable_dir = $::apache::params::mod_enable_dir,
- $mpm_module = $::apache::params::mpm_module,
- $conf_template = $::apache::params::conf_template,
- $servername = $::apache::params::servername,
- $manage_user = true,
- $manage_group = true,
- $user = $::apache::params::user,
- $group = $::apache::params::group,
- $keepalive = $::apache::params::keepalive,
- $keepalive_timeout = $::apache::params::keepalive_timeout,
+ $apache_name = $::apache::params::apache_name,
+ $service_name = $::apache::params::service_name,
+ $default_mods = true,
+ $default_vhost = true,
+ $default_confd_files = true,
+ $default_ssl_vhost = false,
+ $default_ssl_cert = $::apache::params::default_ssl_cert,
+ $default_ssl_key = $::apache::params::default_ssl_key,
+ $default_ssl_chain = undef,
+ $default_ssl_ca = undef,
+ $default_ssl_crl_path = undef,
+ $default_ssl_crl = undef,
+ $default_ssl_crl_check = undef,
+ $ip = undef,
+ $service_enable = true,
+ $service_ensure = 'running',
+ $purge_configs = true,
+ $purge_vhost_dir = undef,
+ $purge_vdir = false,
+ $serveradmin = 'root@localhost',
+ $sendfile = 'On',
+ $error_documents = false,
+ $timeout = '120',
+ $httpd_dir = $::apache::params::httpd_dir,
+ $server_root = $::apache::params::server_root,
+ $conf_dir = $::apache::params::conf_dir,
+ $confd_dir = $::apache::params::confd_dir,
+ $vhost_dir = $::apache::params::vhost_dir,
+ $vhost_enable_dir = $::apache::params::vhost_enable_dir,
+ $mod_dir = $::apache::params::mod_dir,
+ $mod_enable_dir = $::apache::params::mod_enable_dir,
+ $mpm_module = $::apache::params::mpm_module,
+ $conf_template = $::apache::params::conf_template,
+ $servername = $::apache::params::servername,
+ $manage_user = true,
+ $manage_group = true,
+ $user = $::apache::params::user,
+ $group = $::apache::params::group,
+ $keepalive = $::apache::params::keepalive,
+ $keepalive_timeout = $::apache::params::keepalive_timeout,
 $max_keepalive_requests = $apache::params::max_keepalive_requests,
- $logroot = $::apache::params::logroot,
- $logroot_mode = $::apache::params::logroot_mode,
- $log_level = $::apache::params::log_level,
- $log_formats = {},
- $ports_file = $::apache::params::ports_file,
- $apache_version = $::apache::version::default,
- $server_tokens = 'OS',
- $server_signature = 'On',
- $trace_enable = 'On',
- $package_ensure = 'installed',
+ $logroot = $::apache::params::logroot,
+ $logroot_mode = $::apache::params::logroot_mode,
+ $log_level = $::apache::params::log_level,
+ $log_formats = {},
+ $ports_file = $::apache::params::ports_file,
+ $apache_version = $::apache::version::default,
+ $server_tokens = 'OS',
+ $server_signature = 'On',
+ $trace_enable = 'On',
+ $package_ensure = 'installed',
 ) inherits ::apache::params {
 validate_bool($default_vhost)
 validate_bool($default_ssl_vhost)
diff --git a/manifests/vhost.pp b/manifests/vhost.pp
index 7fcfd3df1..1586f34a3 100644
--- a/manifests/vhost.pp
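Review bot: `$default_ssl_crl_check` is accepted without any validation, while the parameters checked right below the hunk go through `validate_bool`; SSLCARevocationCheck takes a level of `none`, `leaf` or `chain`, so a typo here is only noticed when httpd rejects the generated vhost. A guard next to the existing checks, e.g. `if $default_ssl_crl_check { validate_re($default_ssl_crl_check, '^(none|leaf|chain)') }` (anchored at the start only, so any trailing directive flags still pass), would catch it at catalog compile time; the `$ssl_crl_check` parameter added in the manifests/vhost.pp hunk deserves the same check. The parameter also warrants a comment along the lines of `# On Apache 2.4 the directive defaults to 'none', so leaving this undef while default_ssl_crl/default_ssl_crl_path are set loads the CRL without enforcing it` — the README wording hints at this, the manifest does not. The class body continues past the end of the hunk.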
+++ b/manifests/vhost.pp
@@ -18,6 +18,7 @@
 $ssl_ca = $::apache::default_ssl_ca,
 $ssl_crl_path = $::apache::default_ssl_crl_path,
 $ssl_crl = $::apache::default_ssl_crl,
+ $ssl_crl_check = $::apache::default_ssl_crl_check,
 $ssl_certs_dir = $::apache::params::ssl_certs_dir,
 $ssl_protocol = undef,
 $ssl_cipher = undef,
@@ -651,6 +652,7 @@
 # - $ssl_ca
 # - $ssl_crl_path
 # - $ssl_crl
+ # - $ssl_crl_check
 # - $ssl_proxyengine
 # - $ssl_protocol
 # - $ssl_cipher
@@ -658,6 +660,7 @@
 # - $ssl_verify_client
 # - $ssl_verify_depth
 # - $ssl_options
+ # - $apache_version
 if $ssl {
 concat::fragment { "${name}-ssl":
 target => "${priority_real}-$(unknown).conf",
diff --git a/spec/acceptance/apache_ssl_spec.rb b/spec/acceptance/apache_ssl_spec.rb
index 3cfe59348..f8023fa24 100644
--- a/spec/acceptance/apache_ssl_spec.rb
+++ b/spec/acceptance/apache_ssl_spec.rb
@@ -1,4 +1,5 @@
 require 'spec_helper_acceptance'
+require_relative './version.rb'
 case fact('osfamily')
 when 'RedHat'
@@ -13,14 +14,15 @@
 it 'runs without error' do
 pp = <<-EOS
 class { 'apache':
- service_ensure => stopped,
- default_ssl_vhost => true,
- default_ssl_cert => '/tmp/ssl_cert',
- default_ssl_key => '/tmp/ssl_key',
- default_ssl_chain => '/tmp/ssl_chain',
- default_ssl_ca => '/tmp/ssl_ca',
- default_ssl_crl_path => '/tmp/ssl_crl_path',
- default_ssl_crl => '/tmp/ssl_crl',
+ service_ensure => stopped,
+ default_ssl_vhost => true,
+ default_ssl_cert => '/tmp/ssl_cert',
+ default_ssl_key => '/tmp/ssl_key',
+ default_ssl_chain => '/tmp/ssl_chain',
+ default_ssl_ca => '/tmp/ssl_ca',
+ default_ssl_crl_path => '/tmp/ssl_crl_path',
+ default_ssl_crl => '/tmp/ssl_crl',
+ default_ssl_crl_check => 'chain',
 }
 EOS
 apply_manifest(pp, :catch_failures => true)
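Review bot: `require_relative './version.rb'` in the first spec hunk pulls in a file that is not part of this diff and, judging by the later hunks, relies on it defining the Ruby global `$apache_version` that the examples read at describe time; if version.rb is not already in the tree, every example in this file fails at load rather than with a clear assertion. The `./` prefix and `.rb` suffix are also redundant for require_relative — `require_relative 'version'` is the conventional form.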
@@ -34,6 +36,11 @@ class { 'apache':
 it { is_expected.to contain 'SSLCACertificateFile "/tmp/ssl_ca"' }
 it { is_expected.to contain 'SSLCARevocationPath "/tmp/ssl_crl_path"' }
 it { is_expected.to contain 'SSLCARevocationFile "/tmp/ssl_crl"' }
+ if $apache_version == '2.4'
+ it { is_expected.to contain 'SSLCARevocationCheck "chain"' }
+ else
+ it { is_expected.not_to contain 'SSLCARevocationCheck' }
+ end
 end
 end
@@ -53,6 +60,7 @@ class { 'apache':
 ssl_ca => '/tmp/ssl_ca',
 ssl_crl_path => '/tmp/ssl_crl_path',
 ssl_crl => '/tmp/ssl_crl',
+ ssl_crl_check => 'chain',
 ssl_certs_dir => '/tmp',
 ssl_protocol => 'test',
 ssl_cipher => 'test',
@@ -81,6 +89,11 @@ class { 'apache':
 it { is_expected.to contain 'SSLVerifyClient test' }
 it { is_expected.to contain 'SSLVerifyDepth test' }
 it { is_expected.to contain 'SSLOptions test test1' }
+ if $apache_version == '2.4'
+ it { is_expected.to contain 'SSLCARevocationCheck "chain"' }
+ else
+ it { is_expected.not_to contain 'SSLCARevocationCheck' }
+ end
 end
 end
diff --git a/templates/vhost/_ssl.erb b/templates/vhost/_ssl.erb
index 55289ae7e..70213f48c 100644
--- a/templates/vhost/_ssl.erb
+++ b/templates/vhost/_ssl.erb
@@ -19,6 +19,9 @@
 <%- if @ssl_crl -%>
 SSLCARevocationFile "<%= @ssl_crl %>"
 <%- end -%>
+ <%- if @ssl_crl_check && scope.function_versioncmp([@apache_version, '2.4']) >= 0 -%>
+ SSLCARevocationCheck "<%= @ssl_crl_check %>"
+ <%- end -%>
 <%- if @ssl_proxyengine -%>
 SSLProxyEngine On
 <%- end -%>
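Review bot: The gate `if $apache_version == '2.4'` in this hunk (and the identical one in the @@ -81 hunk) only matches the exact string '2.4', whereas the template emits the directive whenever `versioncmp` against '2.4' is `>= 0`; on any newer Apache the spec would assert that SSLCARevocationCheck is absent and fail for the wrong reason, hiding whether CRL checking is actually configured. Mirror the template's comparison, e.g. `if Gem::Version.new($apache_version) >= Gem::Version.new('2.4')`. What `$apache_version` holds comes from version.rb, which is not in this diff, so confirm it is a plain 'major.minor' string before relying on that comparison.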