Merge pull request #1067 from wyardley/issues_1032

Make ssl_prefer_server_ciphers configurable in server / mailhost

manifests/config.pp

@@ -110,6 +110,7 @@
   $worker_connections             = $::nginx::worker_connections
   $worker_processes               = $::nginx::worker_processes
   $worker_rlimit_nofile           = $::nginx::worker_rlimit_nofile
+  $ssl_prefer_server_ciphers      = $::nginx::ssl_prefer_server_ciphers
   $ssl_protocols                  = $::nginx::ssl_protocols
   $ssl_ciphers                    = $::nginx::ssl_ciphers
 

manifests/init.pp

@@ -130,6 +130,7 @@
   Integer $worker_connections                                                                   = 1024,
   Variant[Integer, Enum['auto']] $worker_processes                                              = 1,
   Integer $worker_rlimit_nofile                                                                 = 1024,
+  Enum['on', 'off'] $ssl_prefer_server_ciphers                                                  = 'on',
   $ssl_protocols                                                                                = 'TLSv1 TLSv1.1 TLSv1.2',
   $ssl_ciphers                                                                                  = 'ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS',
 

manifests/resource/mailhost.pp

@@ -3,54 +3,56 @@
 # This definition creates a virtual host
 #
 # Parameters:
-#   [*ensure*]                   - Enables or disables the specified mailhost (present|absent)
-#   [*listen_ip*]                - Default IP Address for NGINX to listen with this server on. Defaults to all interfaces (*)
-#   [*listen_port*]              - Default IP Port for NGINX to listen with this server on. Defaults to TCP 80
-#   [*listen_options*]           - Extra options for listen directive like 'default' to catchall. Undef by default.
-#   [*ipv6_enable*]              - BOOL value to enable/disable IPv6 support (false|true). Module will check to see if IPv6
-#                                  support exists on your system before enabling.
-#   [*ipv6_listen_ip*]           - Default IPv6 Address for NGINX to listen with this server on. Defaults to all interfaces (::)
-#   [*ipv6_listen_port*]         - Default IPv6 Port for NGINX to listen with this server on. Defaults to TCP 80
-#   [*ipv6_listen_options*]      - Extra options for listen directive like 'default' to catchall. Template will allways add ipv6only=on.
-#                                  While issue jfryman/puppet-nginx#30 is discussed, default value is 'default'.
-#   [*index_files*]              - Default index files for NGINX to read when traversing a directory
-#   [*ssl*]                      - Indicates whether to setup SSL bindings for this mailhost.
-#   [*ssl_cert*]                 - Pre-generated SSL Certificate file to reference for SSL Support. This is not generated by this module.
-#   [*ssl_ciphers*]              - Override default SSL ciphers. Defaults to nginx::ssl_ciphers
-#   [*ssl_client_cert*]          - Pre-generated SSL Certificate file to reference for client verify SSL Support. This is not generated by this module.
-#   [*ssl_crl*]                  - String: Specifies CRL path in file system
-#   [*ssl_dhparam*]              - This directive specifies a file containing Diffie-Hellman key agreement protocol cryptographic parameters, in PEM
-#                                  format, utilized for exchanging session keys between server and client.
-#   [*ssl_ecdh_curve*]           - This directive specifies a curve for ECDHE ciphers.
-#   [*ssl_key*]                  - Pre-generated SSL Key file to reference for SSL Support. This is not generated by this module.
-#   [*ssl_password_file*]        - This directive specifies a file containing passphrases for secret keys.
-#   [*ssl_port*]                 - Default IP Port for NGINX to listen with this SSL server on. Defaults to TCP 443
-#   [*ssl_protocols*]            - SSL protocols enabled. Defaults to nginx::ssl_protocols
-#   [*ssl_session_cache*]        - Sets the type and size of the session cache.
-#   [*ssl_session_ticket_key*]   - This directive specifies a file containing secret key used to encrypt and decrypt TLS session tickets.
-#   [*ssl_session_tickets*]      - Whether to enable or disable session resumption through TLS session tickets.
-#   [*ssl_session_timeout*]      - String: Specifies a time during which a client may reuse the session parameters stored in a cache.
-#                                  Defaults to 5m.
-#   [*ssl_trusted_cert*]         - String: Specifies a file with trusted CA certificates in the PEM format used to verify client
-#                                  certificates and OCSP responses if ssl_stapling is enabled.
-#   [*ssl_verify_depth*]         - Sets the verification depth in the client certificates chain.
-#   [*starttls*]                 - Enable STARTTLS support: (on|off|only)
-#   [*protocol*]                 - Mail protocol to use: (imap|pop3|smtp)
-#   [*auth_http*]                - With this directive you can set the URL to the external HTTP-like server for authorization.
-#   [*xclient*]                  - Whether to use xclient for smtp (on|off)
-#   [*imap_auth*]                - Sets permitted methods of authentication for IMAP clients.
-#   [*imap_capabilities*]        - Sets the IMAP protocol extensions list that is passed to the client in response to the CAPABILITY command.
-#   [*imap_client_buffer*]       - Sets the IMAP commands read buffer size.
-#   [*pop3_auth*]                - Sets permitted methods of authentication for POP3 clients.
-#   [*pop3_capabilities*]        - Sets the POP3 protocol extensions list that is passed to the client in response to the CAPA command.
-#   [*smtp_auth*]                - Sets permitted methods of SASL authentication for SMTP clients.
-#   [*smtp_capabilities*]        - Sets the SMTP protocol extensions list that is passed to the client in response to the EHLO command.
-#   [*proxy_pass_error_message*] - Indicates whether to pass the error message obtained during the authentication on the backend to the client.
-#   [*server_name*]              - List of mailhostnames for which this mailhost will respond. Default [$name].
-#   [*raw_prepend*]              - A single string, or an array of strings to prepend to the server directive (after mailhost_cfg_prepend directive). NOTE: YOU are responsible for a semicolon on each line that requires one.
-#   [*raw_append*]               - A single string, or an array of strings to append to the server directive (after mailhost_cfg_append directive). NOTE: YOU are responsible for a semicolon on each line that requires one.
-#   [*mailhost_cfg_append*]      - It expects a hash with custom directives to put after everything else inside server
-#   [*mailhost_cfg_prepend*]     - It expects a hash with custom directives to put before everything else inside server
+#   [*ensure*]                    - Enables or disables the specified mailhost (present|absent)
+#   [*listen_ip*]                 - Default IP Address for NGINX to listen with this server on. Defaults to all interfaces (*)
+#   [*listen_port*]               - Default IP Port for NGINX to listen with this server on. Defaults to TCP 80
+#   [*listen_options*]            - Extra options for listen directive like 'default' to catchall. Undef by default.
+#   [*ipv6_enable*]               - BOOL value to enable/disable IPv6 support (false|true). Module will check to see if IPv6
+#                                   support exists on your system before enabling.
+#   [*ipv6_listen_ip*]            - Default IPv6 Address for NGINX to listen with this server on. Defaults to all interfaces (::)
+#   [*ipv6_listen_port*]          - Default IPv6 Port for NGINX to listen with this server on. Defaults to TCP 80
+#   [*ipv6_listen_options*]       - Extra options for listen directive like 'default' to catchall. Template will allways add ipv6only=on.
+#                                   While issue jfryman/puppet-nginx#30 is discussed, default value is 'default'.
+#   [*index_files*]               - Default index files for NGINX to read when traversing a directory
+#   [*ssl*]                       - Indicates whether to setup SSL bindings for this mailhost.
+#   [*ssl_cert*]                  - Pre-generated SSL Certificate file to reference for SSL Support. This is not generated by this module.
+#   [*ssl_ciphers*]               - Override default SSL ciphers. Defaults to nginx::ssl_ciphers
+#   [*ssl_client_cert*]           - Pre-generated SSL Certificate file to reference for client verify SSL Support. This is not generated by this module.
+#   [*ssl_crl*]                   - String: Specifies CRL path in file system
+#   [*ssl_dhparam*]               - This directive specifies a file containing Diffie-Hellman key agreement protocol cryptographic parameters, in PEM
+#                                   format, utilized for exchanging session keys between server and client.
+#   [*ssl_ecdh_curve*]            - This directive specifies a curve for ECDHE ciphers.
+#   [*ssl_key*]                   - Pre-generated SSL Key file to reference for SSL Support. This is not generated by this module.
+#   [*ssl_password_file*]         - This directive specifies a file containing passphrases for secret keys.
+#   [*ssl_port*]                  - Default IP Port for NGINX to listen with this SSL server on. Defaults to TCP 443
+#   [*ssl_prefer_server_ciphers*] - Specifies that server ciphers should be preferred over client ciphers when using the SSLv3 and TLS protocols. Defaults
+#                                   to $nginx::ssl_prefer_server_ciphers.
+#   [*ssl_protocols*]             - SSL protocols enabled. Defaults to nginx::ssl_protocols
+#   [*ssl_session_cache*]         - Sets the type and size of the session cache.
+#   [*ssl_session_ticket_key*]    - This directive specifies a file containing secret key used to encrypt and decrypt TLS session tickets.
+#   [*ssl_session_tickets*]       - Whether to enable or disable session resumption through TLS session tickets.
+#   [*ssl_session_timeout*]       - String: Specifies a time during which a client may reuse the session parameters stored in a cache.
+#                                   Defaults to 5m.
+#   [*ssl_trusted_cert*]          - String: Specifies a file with trusted CA certificates in the PEM format used to verify client
+#                                   certificates and OCSP responses if ssl_stapling is enabled.
+#   [*ssl_verify_depth*]          - Sets the verification depth in the client certificates chain.
+#   [*starttls*]                  - Enable STARTTLS support: (on|off|only)
+#   [*protocol*]                  - Mail protocol to use: (imap|pop3|smtp)
+#   [*auth_http*]                 - With this directive you can set the URL to the external HTTP-like server for authorization.
+#   [*xclient*]                   - Whether to use xclient for smtp (on|off)
+#   [*imap_auth*]                 - Sets permitted methods of authentication for IMAP clients.
+#   [*imap_capabilities*]         - Sets the IMAP protocol extensions list that is passed to the client in response to the CAPABILITY command.
+#   [*imap_client_buffer*]        - Sets the IMAP commands read buffer size.
+#   [*pop3_auth*]                 - Sets permitted methods of authentication for POP3 clients.
+#   [*pop3_capabilities*]         - Sets the POP3 protocol extensions list that is passed to the client in response to the CAPA command.
+#   [*smtp_auth*]                 - Sets permitted methods of SASL authentication for SMTP clients.
+#   [*smtp_capabilities*]         - Sets the SMTP protocol extensions list that is passed to the client in response to the EHLO command.
+#   [*proxy_pass_error_message*]  - Indicates whether to pass the error message obtained during the authentication on the backend to the client.
+#   [*server_name*]               - List of mailhostnames for which this mailhost will respond. Default [$name].
+#   [*raw_prepend*]               - A single string, or an array of strings to prepend to the server directive (after mailhost_cfg_prepend directive). NOTE: YOU are responsible for a semicolon on each line that requires one.
+#   [*raw_append*]                - A single string, or an array of strings to append to the server directive (after mailhost_cfg_append directive). NOTE: YOU are responsible for a semicolon on each line that requires one.
+#   [*mailhost_cfg_append*]       - It expects a hash with custom directives to put after everything else inside server
+#   [*mailhost_cfg_prepend*]      - It expects a hash with custom directives to put before everything else inside server
 #
 # Actions:
 #
@@ -88,6 +90,7 @@
   Optional[String] $ssl_key                      = undef,
   Optional[String] $ssl_password_file            = undef,
   Optional[Integer] $ssl_port                    = undef,
+  Enum['on', 'off'] $ssl_prefer_server_ciphers   = $::nginx::ssl_prefer_server_ciphers,
   String $ssl_protocols                          = $::nginx::ssl_protocols,
   Optional[String] $ssl_session_cache            = undef,
   Optional[String] $ssl_session_ticket_key       = undef,