improvment: add a new parameter to allow the use of vulnerable SSL/TL…

…S versions Signed-off-by: Julien Godin <julien.godin@camptocamp.com>
djjudas21 · Apr 25, 2024 · 3b91c4d · 3b91c4d
1 parent 0ddb4d1
commit 3b91c4d
Show file tree

Hide file tree

Showing 3 changed files with 5 additions and 1 deletion.
diff --git a/README.md b/README.md
@@ -138,6 +138,9 @@ Add a syslog rule (using the `saz/rsyslog` module). Default: `false`.
 ##### `log_auth`
 Log authentication requests (yes/no). Default: `no`.
 
+##### `allow_vulnerable_openssl`
+Allow the server to start with versions of OpenSSL known to have critical vulnerabilities. (yes/no). Default: `yes`.
+
 ##### `package_ensure`
 Choose whether the package is just installed and left (`installed`), or updated every Puppet run (`latest`). Default: `installed`
 

diff --git a/manifests/init.pp b/manifests/init.pp
@@ -17,6 +17,7 @@
  Boolean $syslog = false,
  String $syslog_facility = 'daemon',
  Freeradius::Boolean $log_auth = 'no',
+ Freeradius::Boolean $allow_vulnerable_ssl = 'yes',
  Boolean $preserve_mods = true,
  Boolean $correct_escapes = true,
  Boolean $manage_logpath = true,

diff --git a/templates/radiusd.conf.erb b/templates/radiusd.conf.erb
@@ -574,7 +574,7 @@ security {
  # and may not reflect patches applied to libssl by
  # distribution maintainers.
  #
- allow_vulnerable_openssl = yes
+ allow_vulnerable_openssl = <%= @allow_vulnerable_openssl%>
 }
 
 # PROXY CONFIGURATION