Add client_renegotiation ssl option, use more ssl options in manageme…

…nt plugin (#1024)

Add ssl options for client renegotiation to rabbitmq-server

---------

Co-authored-by: kperronne <[email protected]>

REFERENCE.md

@@ -264,6 +264,7 @@ The following parameters are available in the `rabbitmq` class:
 * [`ssl_cacert`](#-rabbitmq--ssl_cacert)
 * [`ssl_cert`](#-rabbitmq--ssl_cert)
 * [`ssl_cert_password`](#-rabbitmq--ssl_cert_password)
+* [`ssl_client_renegotiation`](#-rabbitmq--ssl_client_renegotiation)
 * [`ssl_depth`](#-rabbitmq--ssl_depth)
 * [`ssl_dhfile`](#-rabbitmq--ssl_dhfile)
 * [`ssl_erl_dist`](#-rabbitmq--ssl_erl_dist)
@@ -882,6 +883,14 @@ Password used when generating CSR.
 
 Default value: `undef`
 
+##### <a name="-rabbitmq--ssl_client_renegotiation"></a>`ssl_client_renegotiation`
+
+Data type: `Optional[Boolean]`
+
+Allow ssl client renegotiation
+
+Default value: `undef`
+
 ##### <a name="-rabbitmq--ssl_depth"></a>`ssl_depth`
 
 Data type: `Optional[Integer]`

manifests/config.pp

@@ -56,6 +56,7 @@
   $ssl_stomp_port                      = $rabbitmq::ssl_stomp_port
   $ssl_verify                          = $rabbitmq::ssl_verify
   $ssl_fail_if_no_peer_cert            = $rabbitmq::ssl_fail_if_no_peer_cert
+  $ssl_client_renegotiation            = $rabbitmq::ssl_client_renegotiation
   $ssl_secure_renegotiate              = $rabbitmq::ssl_secure_renegotiate
   $ssl_reuse_sessions                  = $rabbitmq::ssl_reuse_sessions
   $ssl_honor_cipher_order              = $rabbitmq::ssl_honor_cipher_order

manifests/init.pp

@@ -263,6 +263,8 @@
 #   Cert to use for SSL.
 # @param ssl_cert_password
 #   Password used when generating CSR.
+# @param ssl_client_renegotiation
+#   Allow ssl client renegotiation
 # @param ssl_depth
 #   SSL verification depth.
 # @param ssl_dhfile
@@ -419,13 +421,14 @@
   Enum['verify_none','verify_peer'] $ssl_management_verify                                         = 'verify_none',
   Boolean $ssl_management_fail_if_no_peer_cert                                                     = false,
   Optional[Array] $ssl_versions                                                                    = undef,
+  Optional[Boolean] $ssl_client_renegotiation                                                      = undef,
   Boolean $ssl_secure_renegotiate                                                                  = true,
   Boolean $ssl_reuse_sessions                                                                      = true,
   Boolean $ssl_honor_cipher_order                                                                  = true,
   Optional[Stdlib::Absolutepath] $ssl_dhfile                                                       = undef,
   Array $ssl_ciphers                                                                               = [],
   Enum['true','false','peer','best_effort'] $ssl_crl_check                                         = 'false',
-  Optional[Stdlib::Absolutepath] $ssl_crl_cache_hash_dir                                                         = undef,
+  Optional[Stdlib::Absolutepath] $ssl_crl_cache_hash_dir                                           = undef,
   Optional[Integer] $ssl_crl_cache_http_timeout                                                    = undef,
   Boolean $stomp_ensure                                                                            = false,
   Boolean $ldap_auth                                                                               = false,

spec/classes/rabbitmq_spec.rb

@@ -1194,6 +1194,34 @@
         end
       end
 
+      # tlsv1.3 not supported on older RMQ/Erlang with this distro
+      describe 'ssl options with ssl version tlsv1.3' do
+        let(:params) do
+          { ssl: true,
+            ssl_port: 3141,
+            ssl_cacert: '/path/to/cacert',
+            ssl_cert: '/path/to/cert',
+            ssl_key: '/path/to/key',
+            ssl_versions: ['tlsv1.3'] }
+        end
+
+        it 'sets ssl options to specified values' do
+          is_expected.to contain_file('rabbitmq.config').with_content(%r{ssl_listeners, \[3141\]})
+          is_expected.to contain_file('rabbitmq.config').with_content(%r{ssl_options, \[})
+          is_expected.to contain_file('rabbitmq.config').with_content(%r{cacertfile,"/path/to/cacert"})
+          is_expected.to contain_file('rabbitmq.config').with_content(%r{certfile,"/path/to/cert"})
+          is_expected.to contain_file('rabbitmq.config').with_content(%r{keyfile,"/path/to/key})
+          is_expected.to contain_file('rabbitmq.config').with_content(%r{ssl, \[\{versions, \['tlsv1.3'\]\}\]})
+          is_expected.to contain_file('rabbitmq.config').with_content(%r{versions, \['tlsv1.3'\]})
+        end
+
+        it 'does not set ssl negotiation options with tlsv1.3' do
+          is_expected.to contain_file('rabbitmq.config'). \
+            without_content(%r{client_renegotiation}). \
+            without_content(%r{secure_renegotiate})
+        end
+      end
+
       describe 'ssl options with ssl_versions and not ssl' do
         let(:params) do
           { ssl: false,
@@ -1379,6 +1407,16 @@
         it { is_expected.to contain_file('rabbitmq.config').without_content(%r{dhfile,}) }
       end
 
+      describe 'ssl with ssl_client_renegotiation false' do
+        let(:params) do
+          { ssl: true,
+            ssl_interface: '0.0.0.0',
+            ssl_client_renegotiation: false }
+        end
+
+        it { is_expected.to contain_file('rabbitmq.config').with_content(%r{client_renegotiation,false}) }
+      end
+
       describe 'ssl with ssl_secure_renegotiate false' do
         let(:params) do
           { ssl: true,

templates/rabbitmq.config.epp

@@ -77,7 +77,12 @@
                    <%- if $rabbitmq::config::ssl_dhfile {-%>
                    {dhfile, "<%= $rabbitmq::config::ssl_dhfile %>"},
                    <%- } -%>
+                   <%- if !$rabbitmq::config::ssl_versions or !('tlsv1.3' in $rabbitmq::config::ssl_versions) {-%>
+                     <%- if $rabbitmq::config::ssl_client_renegotiation != undef {-%>
+                   {client_renegotiation,<%= $rabbitmq::config::ssl_client_renegotiation %>},
+                     <%- } -%>
                    {secure_renegotiate,<%= $rabbitmq::config::ssl_secure_renegotiate %>},
+                   <%- } -%>
                    {reuse_sessions,<%= $rabbitmq::config::ssl_reuse_sessions %>},
                    {honor_cipher_order,<%= $rabbitmq::config::ssl_honor_cipher_order %>},
                    {verify,<%= $rabbitmq::config::ssl_verify %>},
@@ -150,6 +155,14 @@
                   <%- } -%>
                   {certfile, "<%= $rabbitmq::config::ssl_management_cert %>"},
                   {keyfile, "<%= $rabbitmq::config::ssl_management_key %>"},
+                  <%- if !$rabbitmq::config::ssl_versions or !('tlsv1.3' in $rabbitmq::config::ssl_versions) {-%>
+                    <%- if $rabbitmq::config::ssl_client_renegotiation != undef {-%>
+                  {client_renegotiation,<%= $rabbitmq::config::ssl_client_renegotiation %>},
+                    <%- } -%>
+                  {secure_renegotiate,<%= $rabbitmq::config::ssl_secure_renegotiate %>},
+                  <%- } -%>
+                  {reuse_sessions,<%= $rabbitmq::config::ssl_reuse_sessions %>},
+                  {honor_cipher_order,<%= $rabbitmq::config::ssl_honor_cipher_order %>},
                   {verify,<%= $rabbitmq::config::ssl_management_verify %>},
                   {fail_if_no_peer_cert,<%= $rabbitmq::config::ssl_management_fail_if_no_peer_cert %>}
                    <%- if $rabbitmq::config::ssl_versions {-%>