Updates

1) Generate ssl_dhparam using openssl_dhparam resource
2) Update CRL only if its older than specified

Signed-off-by: Rony Xavier <[email protected]>

Author: rx294

.kitchen.yml

@@ -12,8 +12,8 @@ provisioner:
 verifier:
   name: inspec
   sudo: true
-  #format: json
-  #output: "%{platform}_%{suite}-<%= Time.now.iso8601 %>.json"
+  # reporter: json
+  # output: "%{platform}_%{suite}-<%= Time.now.iso8601 %>.json"
 
 platforms:
 - name: debian-7

attributes/hardening.rb

@@ -94,3 +94,4 @@
 default['nginx-hardening']['options']['ssl_prefer_server_ciphers'] = 'on'
 default['nginx-hardening']['options']['ssl_session_tickets'] = 'off'
 default['nginx-hardening']['dh-size'] = 2048
+default['nginx-hardening']['crl_udpate_frequency_days'] = 7

recipes/default.rb

@@ -63,8 +63,8 @@
   action :delete
 end
 
-execute 'generate_dh_group' do
-  command "openssl dhparam -out #{node['nginx-hardening']['options']['ssl_dhparam']} #{node['nginx-hardening']['dh-size']}"
+openssl_dhparam node['nginx-hardening']['options']['ssl_dhparam'] do
+  key_length node['nginx-hardening']['dh-size']
   not_if { File.exist?(node['nginx-hardening']['options']['ssl_dhparam']) }
 end
 
@@ -106,6 +106,8 @@
       mv DOD_CRL-bundle.crl ../ 
       cd ../; rm -rf crl_temp # Remove temp dir to make bundle
     EOH
+  # Run if CRL was updated more than specified days ago
+  not_if { File.exist?(node['nginx-hardening']['options']['ssl_crl']) and File.ctime(node['nginx-hardening']['options']['ssl_crl']) >  Time.now - node['nginx-hardening']['crl_udpate_frequency_days'] * 86400 }
 end
 
 file File.join((node['nginx-hardening']['certificates_dir'] || '/etc/nginx/'), 'DOD_CRL-bundle.crl') do
@@ -153,5 +155,3 @@
 end
 
 
-
-