
Support Modern SSLFlags #344

Open

Description

@rick-bennett

Currently, if we manage IIS site bindings via the puppetlabs-iis module, but then want to Enable/Disable the more modern SSLFlags, such as disabling OCSP stapling, we're unable to do so at the server level. If we go into IIS and manually check the box within the MMC console to "Disable OCSP Stapling", that works, but during the next Puppet run, the change is reverted due to site binding management.

It would be great if the existing "SSLFlags" parameter could get retooled to support strings such as:
None, Sni, CentralCertStore, DisableHTTP2, DisableOCSPStp, DisableQUIC, DisableTLS13, DisableLegacyTLS

Or, even have it get a sibling parameter of "SSLFlag". Yeah, just using singular version of the name gets a little confusing, but the equivalent PowerShell argument is singular so I'm just tossing it out there (https://docs.microsoft.com/en-us/powershell/module/iisadministration/new-iissitebinding?view=windowsserver2022-ps).

We've thought about trying to feed in additional "SSLFlags" integers (for example, 9), but even if that worked, after a while it gets a little confusing as we began to think about scaling that out to the various configurations we'd need to support all our web servers (we have a lot of snowflakes).

While not a high priority item, not being able to drop back to managing the setting manually (while still being able to manage the bindings via Puppet) is the main pain point.

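To make the integer-versus-names problem concrete, here is a small added helper (not code from puppetlabs-iis or from the issue author) that translates between the raw `sslflags` integer the module accepts today and the flag names listed above, and audits a set of bindings for disabled OCSP stapling. The bit values (Sni=1, CentralCertStore=2, DisableHTTP2=4, DisableOCSPStp=8, DisableQUIC=16, DisableTLS13=32, DisableLegacyTLS=64) are the IIS `SslFlags` enumeration as understood by the author of this example and are an assumption; the "9" mentioned in the issue decodes to Sni plus DisableOCSPStp under that mapping. The binding hash keys (`bindinginformation`, `protocol`, `sslflags`) and the sample bindings are constructed for the example.

```python
"""Translate IIS binding sslFlags between the integer bitmask and flag names.

Added example, not code from the puppetlabs-iis module. The bit values below
are the IIS SslFlags enumeration as assumed by this example's author.
"""
from typing import Iterable

# Assumed bit values of the IIS SslFlags flags enumeration.
SSL_FLAG_BITS = {
    "Sni": 1,
    "CentralCertStore": 2,
    "DisableHTTP2": 4,
    "DisableOCSPStp": 8,
    "DisableQUIC": 16,
    "DisableTLS13": 32,
    "DisableLegacyTLS": 64,
}
_KNOWN_MASK = sum(SSL_FLAG_BITS.values())


def encode_ssl_flags(names: Iterable[str]) -> int:
    """Combine flag names into the integer value IIS stores for a binding."""
    mask = 0
    for name in names:
        if name == "None":
            continue
        if name not in SSL_FLAG_BITS:
            raise ValueError(f"unknown SslFlags name: {name!r}")
        mask |= SSL_FLAG_BITS[name]
    return mask


def decode_ssl_flags(mask: int) -> list[str]:
    """Expand an integer sslFlags value into flag names; reject undefined bits."""
    if mask < 0 or mask & ~_KNOWN_MASK:
        raise ValueError(f"sslFlags value {mask} contains undefined bits")
    if mask == 0:
        return ["None"]
    return [name for name, bit in SSL_FLAG_BITS.items() if mask & bit]


def audit_bindings(bindings: list[dict]) -> list[dict]:
    """Per https binding, list the named flags and whether OCSP stapling is disabled.

    Each binding dict mirrors an iis_site 'bindings' entry; the hash keys
    (bindinginformation, protocol, sslflags) are assumed for this example.
    """
    report = []
    for b in bindings:
        if b.get("protocol") != "https":
            continue
        names = decode_ssl_flags(int(b.get("sslflags", 0)))
        report.append({
            "binding": b["bindinginformation"],
            "flags": names,
            "ocsp_stapling_disabled": "DisableOCSPStp" in names,
        })
    return report


# Constructed sample bindings in the shape of an iis_site bindings array.
SAMPLE_BINDINGS = [
    {"bindinginformation": "*:80:", "protocol": "http"},
    {"bindinginformation": "*:443:www.example.test", "protocol": "https", "sslflags": 1},
    {"bindinginformation": "*:443:legacy.example.test", "protocol": "https", "sslflags": 9},
]

if __name__ == "__main__":
    for row in audit_bindings(SAMPLE_BINDINGS):
        print(row)
```

Running the script prints one row per https binding; the second sample binding (sslflags 9) reports `ocsp_stapling_disabled: True`, which is the state the issue describes wanting to manage from Puppet rather than by hand. Any value with bits outside the known set is rejected rather than silently decoded.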
