Skip to content
Open
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
6 changes: 6 additions & 0 deletions CHANGELOG.md
Original file line number Diff line number Diff line change
@@ -1,5 +1,11 @@
# Changelog

## [31.0.0](https://github.com/theforeman/puppet-foreman_proxy/tree/31.0.0) (unreleased)

**Breaking changes:**

- Replace `ssl_disabled_ciphers` and `tls_disabled_versions` with `tls_ciphers` and `tls_min_version`. [\#901](https://github.com/theforeman/puppet-foreman_proxy/pull/901) ([adamruzicka](https://github.com/adamruzicka))

## [30.2.0](https://github.com/theforeman/puppet-foreman_proxy/tree/30.2.0) (2026-05-25)

[Full Changelog](https://github.com/theforeman/puppet-foreman_proxy/compare/30.1.0...30.2.0)
Expand Down
10 changes: 6 additions & 4 deletions manifests/init.pp
Original file line number Diff line number Diff line change
Expand Up @@ -42,9 +42,11 @@
# $foreman_ssl_key:: Corresponding key to a foreman_ssl_cert certificate
# When not specified, the ssl_key is used instead.
#
# $ssl_disabled_ciphers:: List of OpenSSL cipher suite names that will be disabled from the default
# $tls_ciphers:: TLS cipher string passed directly to OpenSSL. When unset, auto-detects:
# 'PROFILE=SYSTEM' if crypto-policies are present, otherwise 'HIGH'.
#
# $tls_disabled_versions:: List of TLS versions that will be disabled from the default
# $tls_min_version:: Minimum TLS version to accept. When unset, determined by system OpenSSL
# configuration. Valid values: '1.0', '1.1', '1.2', '1.3'.
#
# $trusted_hosts:: Only hosts listed will be permitted, empty array to disable authorization
#
Expand Down Expand Up @@ -305,8 +307,8 @@
Optional[Stdlib::Absolutepath] $foreman_ssl_cert = undef,
Optional[Stdlib::Absolutepath] $foreman_ssl_key = undef,
Array[String] $trusted_hosts = $foreman_proxy::params::trusted_hosts,
Array[String] $ssl_disabled_ciphers = [],
Array[String] $tls_disabled_versions = [],
Optional[String] $tls_ciphers = undef,

Copy link
Copy Markdown
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Just out of curiosity: how do we deal with this during upgrades?..

Copy link
Copy Markdown
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I added a changelog entry marking this as a breaking change. A bit heavy handed, but better than nothing.

I could also open a PR against the installer to add a migration to remove the old value from the stored answers, but I'm not sure if that's necessary.

Copy link
Copy Markdown
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I added a changelog entry marking this as a breaking change. A bit heavy handed, but better than nothing.

I'd also suggest a changelog entry in https://github.com/theforeman/foreman-documentation/blob/master/guides/doc-Release_Notes/topics/foreman.adoc. Those are a bit more visible to users.

I could also open a PR against the installer to add a migration to remove the old value from the stored answers, but I'm not sure if that's necessary.

IIRC the installer (or really, Kafo) automatically removes keys that no longer exist. The only reason you'd need a migration is to convert the old value to the new. I don't think it's really feasible to do so and an explicit release note is IMHO good enough.

Optional[Enum['1.0', '1.1', '1.2', '1.3']] $tls_min_version = undef,
Boolean $puppetca = true,
Foreman_proxy::ListenOn $puppetca_listen_on = 'https',
Stdlib::Absolutepath $ssldir = $foreman_proxy::params::ssldir,
Expand Down
19 changes: 8 additions & 11 deletions spec/classes/foreman_proxy__spec.rb
Original file line number Diff line number Diff line change
Expand Up @@ -951,25 +951,22 @@
end
end

context 'with ssl_disabled_ciphers' do
let(:params) { super().merge(ssl_disabled_ciphers: ['CIPHER-SUITE-1', 'CIPHER-SUITE-2']) }
context 'with tls_ciphers' do
let(:params) { super().merge(tls_ciphers: 'HIGH:!aNULL') }

it 'should set ssl_disabled_ciphers to YAML array in settings.yml' do
it 'should set tls_ciphers in settings.yml' do
verify_contents(catalogue, "#{etc_dir}/foreman-proxy/settings.yml", [
':ssl_disabled_ciphers:',
' - CIPHER-SUITE-1',
' - CIPHER-SUITE-2',
':tls_ciphers: HIGH:!aNULL',
])
end
end

context 'with tls_disabled_versions' do
let(:params) { super().merge(tls_disabled_versions: ['1.1']) }
context 'with tls_min_version' do
let(:params) { super().merge(tls_min_version: '1.2') }

it 'should set tls_disabled_versions to YAML array in settings.yml' do
it 'should set tls_min_version in settings.yml' do
verify_contents(catalogue, "#{etc_dir}/foreman-proxy/settings.yml", [
':tls_disabled_versions:',
' - 1.1'
":tls_min_version: '1.2'",
])
end
end
Expand Down
32 changes: 13 additions & 19 deletions templates/settings.yml.erb
Original file line number Diff line number Diff line change
Expand Up @@ -28,29 +28,23 @@
#:ssl_private_key: ssl/private_keys/fqdn.key
<% end -%>

# Use this option only if you need to disable certain cipher suites.
# Note: we use the OpenSSL suite name, such as "RC4-MD5".
# The complete list of cipher suite names can be found at:
# https://www.openssl.org/docs/manmaster/man1/ciphers.html#CIPHER-SUITE-NAMES
<% if ciphers = scope.lookupvar("foreman_proxy::ssl_disabled_ciphers") and ciphers.any? -%>
:ssl_disabled_ciphers:
<% ciphers.each do |c| -%>
<%= " - #{c}" %>
<% end -%>
# TLS cipher string passed directly to OpenSSL. Accepts any valid OpenSSL cipher
# string. When unset, foreman-proxy auto-detects: 'PROFILE=SYSTEM' is used if
# /etc/crypto-policies/back-ends/opensslcnf.config, otherwise 'HIGH' is used
# as a secure default.
<% if (tls_ciphers = scope.lookupvar("foreman_proxy::tls_ciphers")) -%>
:tls_ciphers: <%= tls_ciphers %>
<% else -%>
#:ssl_disabled_ciphers: [CIPHER-SUITE-1, CIPHER-SUITE-2]
#:tls_ciphers: PROFILE=SYSTEM
<% end -%>

# Use this option only if you need to strictly specify TLS versions to be
# disabled. SSLv3 and TLS v1.0 are always disabled and cannot be configured.
# Specify versions like: '1.1', or '1.2'
<% if versions = scope.lookupvar("foreman_proxy::tls_disabled_versions") and versions.any? -%>
:tls_disabled_versions:
<% versions.each do |v| -%>
<%= " - #{v}" %>
<% end -%>
# Minimum TLS protocol version to accept. When unset, the minimum version is
# determined by the system's OpenSSL configuration (crypto-policies).
# Valid values: '1.0', '1.1', '1.2', '1.3'.
<% if (tls_min_version = scope.lookupvar("foreman_proxy::tls_min_version")) -%>
:tls_min_version: '<%= tls_min_version %>'
<% else -%>
#:tls_disabled_versions: []
#:tls_min_version: '1.2'
<% end -%>

# Hosts which the proxy accepts connections from
Expand Down
Loading