Puppet Function: ssl_ciphersuite

Defined in:

modules/wmflib/lib/puppet/parser/functions/ssl_ciphersuite.rb

Function type:

Ruby 3.x API

Overview

ssl_ciphersuite() ⇒ Any

Outputs the ssl configuration part of the webserver config. Function parameters are:

server - either nginx or apache
encryption_type - strong, mid, or compat
hsts - optional boolean, true emits our standard public HSTS

Examples:

ssl_ciphersuite('apache', 'compat', true) # Compatible config for apache
ssl_ciphersuite('apache', 'mid', true) # FS-only for apache
ssl_ciphersuite('nginx', 'strong', true) # FS-only, AEAD-only, TLSv1.2-only

Returns:

• (Any)

# File 'modules/wmflib/lib/puppet/parser/functions/ssl_ciphersuite.rb', line 118

newfunction(
            :ssl_ciphersuite,
            :type => :rvalue,
            :doc  => <<-END
Outputs the ssl configuration part of the webserver config.
Function parameters are:
 server - either nginx or apache
 encryption_type - strong, mid, or compat
 hsts - optional boolean, true emits our standard public HSTS

Examples:

 ssl_ciphersuite('apache', 'compat', true) # Compatible config for apache
 ssl_ciphersuite('apache', 'mid', true) # FS-only for apache
 ssl_ciphersuite('nginx', 'strong', true) # FS-only, AEAD-only, TLSv1.2-only
END
            ) do |args|

  Puppet::Parser::Functions.function(:notice)
  os_major_release = lookupvar('operatingsystemmajrelease').to_i

  if args.length < 2 || args.length > 3
    fail(ArgumentError, 'ssl_ciphersuite() requires at least 2 arguments')
  end

  server = args.shift
  if server != 'apache' && server != 'nginx'
    fail(ArgumentError, "ssl_ciphersuite(): unknown server string '#{server}'")
  end

  ciphersuite = args.shift
  unless ciphersuites.key?(ciphersuite)
    fail(ArgumentError, "ssl_ciphersuite(): unknown ciphersuite '#{ciphersuite}'")
  end

  do_hsts = false
  if args.length == 1
    do_hsts = args.shift
  end

  # OS / Server -dependant feature flags:
  tls1_3 = os_major_release > 9
  cipherlist = ciphersuites[ciphersuite].join(":")

  output = []

  if server == 'apache'
    if tls1_3
      cipherlist = ciphersuites[ciphersuite].reject{|x| x =~ /^TLS_/}.join(':')
      cipherlist_tls1_3 = ciphersuites[ciphersuite].reject{|x| x !~ /^TLS_/}.join(':')
    end
    if ciphersuite == 'compat'
      output.push('SSLProtocol all -SSLv2 -SSLv3')
    else
      output.push('SSLProtocol all -SSLv2 -SSLv3 -TLSv1 -TLSv1.1')
    end
    output.push("SSLCipherSuite #{cipherlist}")
    if tls1_3
      output.push("SSLCipherSuite TLSv1.3 #{cipherlist_tls1_3}")
    end
    # Note: missing config to restrict ECDH curves
    output.push('SSLHonorCipherOrder On')
    output.push('SSLOpenSSLConfCmd DHParameters "/etc/ssl/dhparam.pem"')
    if do_hsts
      output.push("Header always set Strict-Transport-Security \"#{hsts_val}\"")
    end
  else # nginx
    compat_protocols = 'TLSv1 TLSv1.1 TLSv1.2'
    protocols = 'TLSv1.2'
    if tls1_3
      compat_protocols += ' TLSv1.3'
      protocols += ' TLSv1.3'
    end
    if ciphersuite == 'compat'
      output.push("ssl_protocols #{compat_protocols};")
    else
      output.push("ssl_protocols #{protocols};")
    end
    output.push("ssl_ciphers #{cipherlist};")
    output.push("ssl_ecdh_curve X25519:prime256v1;")
    output.push('ssl_prefer_server_ciphers on;')
    output.push('ssl_dhparam /etc/ssl/dhparam.pem;')
    if do_hsts
      output.push("add_header Strict-Transport-Security \"#{hsts_val}\" always;")
    end
  end
  return output
end