Merge pull request #917 from igalic/poodle

Poodle: make ssl_protocol better configurable
xbezdick · Oct 28, 2014 · f774198 · f774198
2 parents a31f00e + 2799c4e
commit f774198
Show file tree

Hide file tree

Showing 3 changed files with 3 additions and 1 deletion.
diff --git a/README.md b/README.md
@@ -710,6 +710,7 @@ Installs Apache SSL capabilities and uses the ssl.conf.erb template. These are t
     class { 'apache::mod::ssl':
       ssl_compression => false,
       ssl_options     => [ 'StdEnvVars' ],
+      ssl_protocol    => [ 'all', '-SSLv2', '-SSLv3'],
   }
 ```
 

diff --git a/manifests/mod/ssl.pp b/manifests/mod/ssl.pp
@@ -2,6 +2,7 @@
   $ssl_compression = false,
   $ssl_options     = [ 'StdEnvVars' ],
   $ssl_cipher      = 'HIGH:MEDIUM:!aNULL:!MD5',
+  $ssl_protocol    = [ 'all', '-SSLv2', '-SSLv3' ],
   $apache_version  = $::apache::apache_version,
   $package_name    = undef,
 ) {

diff --git a/templates/mod/ssl.conf.erb b/templates/mod/ssl.conf.erb
@@ -21,7 +21,7 @@
   SSLCryptoDevice builtin
   SSLHonorCipherOrder On
   SSLCipherSuite <%= @ssl_cipher %>
-  SSLProtocol all -SSLv2 -SSLv3
+  SSLProtocol <%= @ssl_protocol.compact.join(' ') %>
 <% if @ssl_options -%>
   SSLOptions <%= @ssl_options.compact.join(' ') %>
 <% end -%>