From 9cdadc08028b527f2a85a281915b881308e6541d Mon Sep 17 00:00:00 2001
From: Olivier Le Monnier <olm@unicaen.fr>
Date: Fri, 29 Mar 2019 15:41:30 +0100
Subject: [PATCH] Freeradius 3.0.16 introduces two new EAP options
---
 manifests/module/eap.pp | 2 ++
 templates/eap.erb | 20 ++++++++++++++++++++
 2 files changed, 22 insertions(+)
diff --git a/manifests/module/eap.pp b/manifests/module/eap.pp
index 86f514d..b1343a8 100644
--- a/manifests/module/eap.pp
+++ b/manifests/module/eap.pp
@@ -36,6 +36,8 @@ define freeradius::module::eap (
 Optional[String] $tls_check_cert_cn = undef,
 String $tls_cipher_list = 'DEFAULT',
 Optional[Freeradius::Boolean] $tls_disable_tlsv1_2 = undef,
+ Optional[String] $tls_min_version = undef,
+ Optional[String] $tls_max_version = undef,
 String $tls_ecdh_curve = 'prime256v1',
 Freeradius::Boolean $tls_cache_enable = 'yes',
 Integer $tls_cache_lifetime = 24,
diff --git a/templates/eap.erb b/templates/eap.erb
index 4aedc9b..6e909c8 100644
--- a/templates/eap.erb
+++ b/templates/eap.erb
@@ -381,7 +381,27 @@ eap {
 disable_tlsv1_2 = <%= @tls_disable_tlsv1_2 %>
 <%- end -%>
+<%- if @tls_min_version or @tls_max_version -%>
+ # Set min / max TLS version. Mainly for Debian
+ # "trusty", which disables older versions of TLS, and
+ # requires the application to manually enable them.
 #
+ # If you are running Debian trusty, you should set
+ # these options, otherwise older clients will not be
+ # able to connect.
+ #
+ # Allowed values are "1.0", "1.1", and "1.2".
+ #
+ # The values must be in quotes.
+ #
+<%- end -%>
+
+<%- if @tls_min_version -%>
+ tls_min_version = "<%= @tls_min_version -%>"
+<%- end -%>
+<%- if @tls_max_version -%>
+ tls_max_version = "<%= @tls_max_version -%>"
+<%- end -%>
 #
 # Elliptical cryptography configuration
--
GitLab
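Review bot: `$tls_min_version` and `$tls_max_version` in manifests/module/eap.pp are typed `Optional[String]`, so any string is accepted even though the template comment added in this same patch lists only "1.0", "1.1" and "1.2" as allowed values. The two new lines in templates/eap.erb write the value verbatim between double quotes, so a typo, or a value containing a quote or a newline, ends up in the generated EAP configuration and is only noticed when FreeRADIUS reloads it. Constraining the type would reject such values at catalog compile time: `Optional[Enum['1.0', '1.1', '1.2']] $tls_min_version = undef,` and the same for `$tls_max_version`. Nothing visible checks that the minimum is not above the maximum, or that `tls_disable_tlsv1_2` is not set together with a maximum of "1.2". The parameter list of the define continues outside the hunk.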
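Review bot: The comment emitted by templates/eap.erb explains only how to let older clients back in and does not mention the cost, which is that a `tls_min_version` of "1.0" or "1.1" allows the TLS-based EAP methods to negotiate deprecated protocol versions. I would add a line to the generated comment such as `# TLS 1.0 and 1.1 are deprecated; keep tls_min_version at "1.2" unless legacy supplicants require otherwise.` Separately, the `-%>` in `"<%= @tls_min_version -%>"` and in the max line appears to have no effect, because the tag is followed by a quote rather than a line end; `<%= @tls_min_version %>` would match the `disable_tlsv1_2` line just above. The `eap { }` block continues outside the hunk.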