Add ssl_ecdh_curve to server resource

voxpupuli · Mar 17, 2018 · 0850b07 · 0850b07
1 parent 65b7c74
commit 0850b07
Show file tree

Hide file tree

Showing 3 changed files with 11 additions and 0 deletions.
diff --git a/manifests/resource/server.pp b/manifests/resource/server.pp
@@ -44,6 +44,7 @@
 #   [*ssl_crl*]                    - String: Specifies CRL path in file system
 #   [*ssl_dhparam*]                - This directive specifies a file containing Diffie-Hellman key agreement protocol cryptographic
 #     parameters, in PEM format, utilized for exchanging session keys between server and client. Defaults to nginx::ssl_dhparam
+#   [*ssl_ecdh_curve*]             - This directive specifies a curve for ECDHE ciphers.
 #   [*ssl_prefer_server_ciphers*]  - String: Specifies that server ciphers should be preferred over client ciphers when using the SSLv3 and
 #     TLS protocols. Defaults to nginx::ssl_prefer_server_ciphers.
 #   [*ssl_redirect*]               - Adds a server directive and return statement to force ssl redirect. Will honor ssl_port if it's set.
@@ -159,6 +160,7 @@
   Optional[String] $ssl_client_cert                                              = undef,
   String $ssl_verify_client                                                      = 'on',
   Optional[String] $ssl_dhparam                                                  = $::nginx::ssl_dhparam,
+  Optional[String] $ssl_ecdh_curve                                               = undef,
   Boolean $ssl_redirect                                                          = false,
   Optional[Integer] $ssl_redirect_port                                           = undef,
   Optional[Variant[String, Boolean]] $ssl_key                                    = undef,

diff --git a/spec/defines/resource_server_spec.rb b/spec/defines/resource_server_spec.rb
@@ -560,6 +560,12 @@
               value: '/tmp/dhparam',
               match: %r{\s+ssl_dhparam\s+/tmp/dhparam;}
             },
+            {
+              title: 'should set ssl_ecdh_curve',
+              attr: 'ssl_ecdh_curve',
+              value: 'secp521r1',
+              match: %r{\s+ssl_ecdh_curve\s+secp521r1;}
+            },
             {
               title: 'should set the SSL stapling file',
               attr: 'ssl_stapling_file',

diff --git a/templates/server/server_ssl_settings.erb b/templates/server/server_ssl_settings.erb
@@ -13,6 +13,9 @@
 <% if defined? @ssl_dhparam -%>
   ssl_dhparam               <%= @ssl_dhparam %>;
 <% end -%>
+<%- if defined? @ssl_ecdh_curve -%>
+  ssl_ecdh_curve            <%= @ssl_ecdh_curve %>;
+<%- end -%>
   ssl_session_cache         <%= @ssl_cache %>;
   ssl_session_timeout       <%= @ssl_session_timeout %>;
 <% if @ssl_session_tickets -%>