Merge pull request puppetlabs#1571 from AntagonistHQ/server_ssl_stapling_return_errors

Add ability to set SSLStaplingReturnResponderErrors on server level

Author: bmjen

README.md

@@ -1185,6 +1185,12 @@ Specifies whether or not to use [SSLUseStapling](http://httpd.apache.org/docs/cu
 
 This parameter only applies to Apache 2.4 or higher and is ignored on older versions.
 
+##### `ssl_stapling_return_errors`
+
+Can be used to set the [SSLStaplingReturnResponderErrors](http://httpd.apache.org/docs/current/mod/mod_ssl.html#sslstaplingreturnrespondererrors) directive. No default. It is possible to override this on a vhost level.
+
+This parameter only applies to Apache 2.4 or higher and is ignored on older versions.
+
 ##### `timeout`
 
 Sets Apache's [`TimeOut`][] directive, which defines the number of seconds Apache waits for certain events before failing a request. Default: 120.

manifests/mod/ssl.pp

@@ -1,18 +1,19 @@
 class apache::mod::ssl (
-  $ssl_compression         = false,
-  $ssl_cryptodevice        = 'builtin',
-  $ssl_options             = [ 'StdEnvVars' ],
-  $ssl_openssl_conf_cmd    = undef,
-  $ssl_cipher              = 'HIGH:MEDIUM:!aNULL:!MD5:!RC4',
-  $ssl_honorcipherorder    = true,
-  $ssl_protocol            = [ 'all', '-SSLv2', '-SSLv3' ],
-  $ssl_pass_phrase_dialog  = 'builtin',
-  $ssl_random_seed_bytes   = '512',
-  $ssl_sessioncachetimeout = '300',
-  $ssl_stapling            = false,
-  $ssl_mutex               = undef,
-  $apache_version          = undef,
-  $package_name            = undef,
+  $ssl_compression            = false,
+  $ssl_cryptodevice           = 'builtin',
+  $ssl_options                = [ 'StdEnvVars' ],
+  $ssl_openssl_conf_cmd       = undef,
+  $ssl_cipher                 = 'HIGH:MEDIUM:!aNULL:!MD5:!RC4',
+  $ssl_honorcipherorder       = true,
+  $ssl_protocol               = [ 'all', '-SSLv2', '-SSLv3' ],
+  $ssl_pass_phrase_dialog     = 'builtin',
+  $ssl_random_seed_bytes      = '512',
+  $ssl_sessioncachetimeout    = '300',
+  $ssl_stapling               = false,
+  $ssl_stapling_return_errors = undef,
+  $ssl_mutex                  = undef,
+  $apache_version             = undef,
+  $package_name               = undef,
 ) {
   include ::apache
   include ::apache::mod::mime
@@ -70,6 +71,10 @@
 
   validate_bool($ssl_stapling)
 
+  if $ssl_stapling_return_errors != undef {
+    validate_bool($ssl_stapling_return_errors)
+  }
+
   $stapling_cache = $::osfamily ? {
     'debian'  => "\${APACHE_RUN_DIR}/ocsp(32768)",
     'redhat'  => '/run/httpd/ssl_stapling(32768)',

spec/classes/mod/ssl_spec.rb

@@ -188,6 +188,15 @@
         end
         it { is_expected.to contain_file('ssl.conf').with_content(/^  SSLUseStapling On$/)}
       end
+      context 'setting ssl_stapling_return_errors to true' do
+        let :params do
+          {
+            :apache_version => '2.4',
+            :ssl_stapling_return_errors => true,
+          }
+        end
+        it { is_expected.to contain_file('ssl.conf').with_content(/^  SSLStaplingReturnResponderErrors On$/)}
+      end
     end
 
     context 'setting ssl_pass_phrase_dialog' do

templates/mod/ssl.conf.erb

@@ -22,6 +22,9 @@
   SSLHonorCipherOrder <%= scope.function_bool2httpd([@_ssl_honorcipherorder]) %>
 <% if scope.function_versioncmp([@_apache_version, '2.4']) >= 0 -%>
   SSLUseStapling <%= scope.function_bool2httpd([@ssl_stapling]) %>
+  <%- if not @ssl_stapling_return_errors.nil? -%>
+  SSLStaplingReturnResponderErrors <%= scope.function_bool2httpd([@ssl_stapling_return_errors]) %>
+  <%- end -%>
   SSLStaplingCache "shmcb:<%= @stapling_cache %>"
 <% end -%>
   SSLCipherSuite <%= @ssl_cipher %>

templates/vhost/_ssl.erb

@@ -49,7 +49,7 @@
   <%- if @ssl_stapling_timeout && scope.function_versioncmp([@apache_version, '2.4']) >= 0 -%>
   SSLStaplingResponderTimeout <%= @ssl_stapling_timeout %>
   <%- end -%>
-  <%- if @ssl_stapling_return_errors && scope.function_versioncmp([@apache_version, '2.4']) >= 0 -%>
-  SSLStaplingReturnResponderErrors <%= @ssl_stapling_return_errors %>
+  <%- if not @ssl_stapling_return_errors.nil? && scope.function_versioncmp([@apache_version, '2.4']) >= 0 -%>
+  SSLStaplingReturnResponderErrors <%= scope.function_bool2httpd([@ssl_stapling_return_errors]) %>
   <%- end -%>
 <% end -%>