Allow ssl_protocol to be empty

ekohl · ekohl · commit b3b9a82f5044 · 2022-10-25T15:14:06.000+02:00
On EL8+ the default ssl.conf file doesn't specify SSLProtocol at all,
which implies using the system profile where it can be changed. This
changes the template to deal with ssl_protocol set to an empty array,
which was previously generating invalid syntax anyway.
diff --git a/spec/classes/mod/ssl_spec.rb b/spec/classes/mod/ssl_spec.rb
@@ -33,6 +33,16 @@
 
         it { is_expected.to contain_file('ssl.conf').with_content(%r{SSLProxyCipherSuite PROFILE=system}) }
       end
+
+      context 'with empty ssl_protocol' do
+        let(:params) do
+          {
+            ssl_protocol: [],
+          }
+        end
+
+        it { is_expected.to contain_file('ssl.conf').without_content(%r{SSLProtocol}) }
+      end
     end
 
     context '7 OS with custom directories for PR#1635' do
diff --git a/templates/mod/ssl.conf.erb b/templates/mod/ssl.conf.erb
@@ -40,7 +40,9 @@
   SSLStaplingCache "shmcb:<%= @_stapling_cache %>"
 <% end -%>
   SSLCipherSuite <%= @ssl_cipher %>
+<% if not @ssl_protocol.empty? -%>
   SSLProtocol <%= @ssl_protocol.compact.join(' ') %>
+<% end -%>
 <% if not @ssl_proxy_protocol.empty? -%>
   SSLProxyProtocol <%= @ssl_proxy_protocol.compact.join(' ') %>
 <% end -%>
