From a0e5cfd0f102aa2b678e19978861f21c861726e9 Mon Sep 17 00:00:00 2001 From: Alex Harvey Date: Thu, 6 Jul 2017 15:49:27 +1000 Subject: [PATCH 1/2] Fix support for no verify On RHEL 7, which has Stunnel version 4.56, we found that a different configuration was required. Instead of specifying verify = default, it is in fact necessary to simply not specify verify at all. Without this patch applied, an error message is seen: "verify = default": Bad verify level On RHEL 6, Stunnel version 4.29 is available and it behaves differently, but it also allows verify to simply be not specified. Therefore, this patch modifies templates/stunnel.conf.erb to simply not add the verify line if verify level default is specified. --- manifests/tun.pp | 5 ++++- spec/defines/tun_spec.rb | 2 +- templates/stunnel.conf.erb | 4 +--- 3 files changed, 6 insertions(+), 5 deletions(-) diff --git a/manifests/tun.pp b/manifests/tun.pp index 109f9ca..e3b8d93 100644 --- a/manifests/tun.pp +++ b/manifests/tun.pp @@ -33,10 +33,13 @@ # [*verify*] # Verify peer certificate. Default is 2 for backwards compatibility with # this Puppet module. -# Other values: 1 - verify peer certificate if present +# Other values: 0 - request and ignore peer certificate. +# 1 - verify peer certificate if present # 2 - verify peer certificate # 3 - verify peer with locally installed certificate +# 4 - ignore CA chain and only verify peer certificate # default - no verify +# Note that this module has only been tested using verify mode 2 and default. # See below for examples. # # [*ssl_version*] diff --git a/spec/defines/tun_spec.rb b/spec/defines/tun_spec.rb index b64a84b..0281ec3 100644 --- a/spec/defines/tun_spec.rb +++ b/spec/defines/tun_spec.rb @@ -17,7 +17,7 @@ end it { is_expected.to contain_file('/etc/stunnel/rsyncd.conf') - .with_content(/verify = default/) + .without_content(/verify/) } end diff --git a/templates/stunnel.conf.erb b/templates/stunnel.conf.erb index 173046e..e106c71 100644 
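Review bot: The `verify` documentation in manifests/tun.pp now lists `0` and `default` but does not say that neither of them authenticates the peer, which is the security-relevant difference from the module default of 2. Going by the template hunk in this patch, `default` also leaves out `cert`, `key` and `CAfile`, so the tunnel is encrypted but the other end is not identified. I would add a line after the list such as `# Levels 0 and default do not authenticate the peer; use 2 or higher where the peer must be trusted.` The comment block starts and ends outside the hunk.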
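Review bot: The new expectation `.without_content(/verify/)` is unanchored, so it fails on any occurrence of that substring, including a `;` comment or another option whose name happens to contain it. Anchoring it to the directive, `.without_content(/^verify\s*=/)`, keeps the example about the setting this commit removes. The same example could also assert that `cert`, `key` and `CAfile` are absent, since the template skips them in the same branch. The enclosing block starts outside the hunk.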
--- a/templates/stunnel.conf.erb +++ b/templates/stunnel.conf.erb @@ -1,8 +1,6 @@ ; This stunnel config is managed by Puppet. -<% if @verify == 'default' -%> -verify = default -<% else -%> +<% unless @verify == 'default' -%> cert = <%= @certificate %> key = <%= @private_key %> CAfile = <%= @ca_file %> From 79fae39ffddbcd3d8211b830f3a645d5a0a6e9c9 Mon Sep 17 00:00:00 2001 From: Alex Harvey Date: Thu, 6 Jul 2017 22:17:21 +1000 Subject: [PATCH 2/2] Remove Ruby 1.9.3 from Travis suites Before this, the Travis build was failing with: Using rake 12.0.0 Gem::InstallError: public_suffix requires Ruby version >= 2.0. An error occurred while installing public_suffix (2.0.5), and Bundler cannot Considering that Ruby 1.9.3 is very very old now, it seems to make sense to simply remove it from .travis.yml, which is what this patch does. --- .travis.yml | 3 --- 1 file changed, 3 deletions(-) diff --git a/.travis.yml b/.travis.yml index 3a846bb..3e9ae9a 100644 --- a/.travis.yml +++ b/.travis.yml @@ -28,8 +28,5 @@ matrix: - rvm: 2.1.5 bundler_args: --without system_tests env: PUPPET_GEM_VERSION="~> 3.0" - - rvm: 1.9.3 - bundler_args: --without system_tests - env: PUPPET_GEM_VERSION="~> 3.0" notifications: email: false
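Review bot: When `@verify == 'default'` the rendered stunnel config carries no trace of that choice: the certificate settings are simply missing, and someone auditing the host cannot tell a deliberate setting from a broken template. Keeping the original `<% if @verify == 'default' -%>` / `<% else -%>` shape and replacing the removed `verify = default` line with a comment such as `; peer certificate checking disabled (module parameter set to default)` would record it in the generated file. The block is closed outside the hunk, so I am assuming the line that writes the verify level sits inside it.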