From ec9a24bf81c4cead7c9faeded45387bf0f440014 Mon Sep 17 00:00:00 2001 From: Will Yardley Date: Sat, 16 Nov 2024 09:42:05 -0800 Subject: [PATCH] Add client_renegotiation ssl option, use more ssl options in management plugin (#1024) Add ssl options for client renegotiation to rabbitmq-server --------- Co-authored-by: kperronne --- REFERENCE.md | 9 +++++++++ manifests/config.pp | 1 + manifests/init.pp | 5 ++++- spec/classes/rabbitmq_spec.rb | 38 +++++++++++++++++++++++++++++++++++ templates/rabbitmq.config.epp | 13 ++++++++++++ 5 files changed, 65 insertions(+), 1 deletion(-) diff --git a/REFERENCE.md b/REFERENCE.md index 8ac74408f..ccb0f54d9 100644 --- a/REFERENCE.md +++ b/REFERENCE.md @@ -264,6 +264,7 @@ The following parameters are available in the `rabbitmq` class: * [`ssl_cacert`](#-rabbitmq--ssl_cacert) * [`ssl_cert`](#-rabbitmq--ssl_cert) * [`ssl_cert_password`](#-rabbitmq--ssl_cert_password) +* [`ssl_client_renegotiation`](#-rabbitmq--ssl_client_renegotiation) * [`ssl_depth`](#-rabbitmq--ssl_depth) * [`ssl_dhfile`](#-rabbitmq--ssl_dhfile) * [`ssl_erl_dist`](#-rabbitmq--ssl_erl_dist) @@ -882,6 +883,14 @@ Password used when generating CSR. Default value: `undef` +##### `ssl_client_renegotiation` + +Data type: `Optional[Boolean]` + +Allow ssl client renegotiation + +Default value: `undef` + ##### `ssl_depth` Data type: `Optional[Integer]` diff --git a/manifests/config.pp b/manifests/config.pp index 3eef82ef7..5f7062900 100644 --- a/manifests/config.pp +++ b/manifests/config.pp @@ -56,6 +56,7 @@ $ssl_stomp_port = $rabbitmq::ssl_stomp_port $ssl_verify = $rabbitmq::ssl_verify $ssl_fail_if_no_peer_cert = $rabbitmq::ssl_fail_if_no_peer_cert + $ssl_client_renegotiation = $rabbitmq::ssl_client_renegotiation $ssl_secure_renegotiate = $rabbitmq::ssl_secure_renegotiate $ssl_reuse_sessions = $rabbitmq::ssl_reuse_sessions $ssl_honor_cipher_order = $rabbitmq::ssl_honor_cipher_order diff --git a/manifests/init.pp b/manifests/init.pp index 671214f41..0e9790ed2 100644 
--- a/manifests/init.pp
+++ b/manifests/init.pp
@@ -263,6 +263,8 @@
 # Cert to use for SSL.
 # @param ssl_cert_password
 # Password used when generating CSR.
+# @param ssl_client_renegotiation
+# Allow ssl client renegotiation
 # @param ssl_depth
 # SSL verification depth.
 # @param ssl_dhfile
@@ -419,13 +421,14 @@
 Enum['verify_none','verify_peer'] $ssl_management_verify = 'verify_none',
 Boolean $ssl_management_fail_if_no_peer_cert = false,
 Optional[Array] $ssl_versions = undef,
+ Optional[Boolean] $ssl_client_renegotiation = undef,
 Boolean $ssl_secure_renegotiate = true,
 Boolean $ssl_reuse_sessions = true,
 Boolean $ssl_honor_cipher_order = true,
 Optional[Stdlib::Absolutepath] $ssl_dhfile = undef,
 Array $ssl_ciphers = [],
 Enum['true','false','peer','best_effort'] $ssl_crl_check = 'false',
- Optional[Stdlib::Absolutepath] $ssl_crl_cache_hash_dir = undef,
+ Optional[Stdlib::Absolutepath] $ssl_crl_cache_hash_dir = undef,
 Optional[Integer] $ssl_crl_cache_http_timeout = undef,
 Boolean $stomp_ensure = false,
 Boolean $ldap_auth = false,
diff --git a/spec/classes/rabbitmq_spec.rb b/spec/classes/rabbitmq_spec.rb
index c52ebf8da..2af8a0524 100644
--- a/spec/classes/rabbitmq_spec.rb
+++ b/spec/classes/rabbitmq_spec.rb
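Review bot: The new `# @param ssl_client_renegotiation` entry, `Allow ssl client renegotiation`, does not tell the reader what the three possible values do: left `undef` the option is not written and the Erlang ssl default applies, `false` refuses client-initiated renegotiation (commonly disabled to limit client-driven handshake load), and any value is ignored when `tlsv1.3` is in `ssl_versions` because the template skips the option there. I would expand the doc to `# Whether clients may initiate TLS renegotiation. Leave undef to omit the option (Erlang ssl default applies); set false to refuse client-initiated renegotiation. Not emitted when tlsv1.3 is in ssl_versions, as the option only applies to TLS <= 1.2.` The `ssl_crl_cache_hash_dir` line pair in the second hunk is a whitespace-only realignment unrelated to this feature and could be left out of the change. The `class rabbitmq (` parameter list containing the second hunk starts and ends outside it.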
@@ -1194,6 +1194,34 @@ end end + # tlsv1.3 not supported on older RMQ/Erlang with this distro + describe 'ssl options with ssl version tlsv1.3' do + let(:params) do + { ssl: true, + ssl_port: 3141, + ssl_cacert: '/path/to/cacert', + ssl_cert: '/path/to/cert', + ssl_key: '/path/to/key', + ssl_versions: ['tlsv1.3'] } + end + + it 'sets ssl options to specified values' do + is_expected.to contain_file('rabbitmq.config').with_content(%r{ssl_listeners, \[3141\]}) + is_expected.to contain_file('rabbitmq.config').with_content(%r{ssl_options, \[}) + is_expected.to contain_file('rabbitmq.config').with_content(%r{cacertfile,"/path/to/cacert"}) + is_expected.to contain_file('rabbitmq.config').with_content(%r{certfile,"/path/to/cert"}) + is_expected.to contain_file('rabbitmq.config').with_content(%r{keyfile,"/path/to/key}) + is_expected.to contain_file('rabbitmq.config').with_content(%r{ssl, \[\{versions, \['tlsv1.3'\]\}\]}) + is_expected.to contain_file('rabbitmq.config').with_content(%r{versions, \['tlsv1.3'\]}) + end + + it 'does not set ssl negotiation options with tlsv1.3' do + is_expected.to contain_file('rabbitmq.config'). \ + without_content(%r{client_renegotiation}). \ + without_content(%r{secure_renegotiate}) + end + end + describe 'ssl options with ssl_versions and not ssl' do let(:params) do { ssl: false, @@ -1379,6 +1407,16 @@ it { is_expected.to contain_file('rabbitmq.config').without_content(%r{dhfile,}) } end + describe 'ssl with ssl_client_renegotiation false' do + let(:params) do + { ssl: true, + ssl_interface: '0.0.0.0', + ssl_client_renegotiation: false } + end + + it { is_expected.to contain_file('rabbitmq.config').with_content(%r{client_renegotiation,false}) } + end + describe 'ssl with ssl_secure_renegotiate false' do let(:params) do { ssl: true, diff --git a/templates/rabbitmq.config.epp b/templates/rabbitmq.config.epp index c70c6b865..be71d1187 100644 --- a/templates/rabbitmq.config.epp +++ b/templates/rabbitmq.config.epp 
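Review bot: The comment `# tlsv1.3 not supported on older RMQ/Erlang with this distro` above the new describe reads like a skip condition, but the examples run unconditionally; it should state what the block verifies, e.g. `# TLS 1.3-only listeners must not get the TLS <= 1.2 renegotiation options`. The new cases cover only an exact `['tlsv1.3']` version list and a plain `ssl_client_renegotiation: false`; nothing pins the mixed-version case, where TLS 1.2 connections are still accepted and the renegotiation options should remain in the config. A case like the one below, placed after the tlsv1.3 describe, would catch the template guard dropping them whenever tlsv1.3 is merely present in the list. The outer describe this hunk belongs to starts and ends outside the hunk.
```ruby
  describe 'ssl options with mixed ssl versions' do
    let(:params) do
      { ssl: true,
        ssl_interface: '0.0.0.0',
        ssl_versions: ['tlsv1.2', 'tlsv1.3'],
        ssl_client_renegotiation: false }
    end

    it { is_expected.to contain_file('rabbitmq.config').with_content(%r{client_renegotiation,false}) }
    it { is_expected.to contain_file('rabbitmq.config').with_content(%r{secure_renegotiate,true}) }
  end
```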
@@ -77,7 +77,12 @@
 <%- if $rabbitmq::config::ssl_dhfile {-%>
 {dhfile, "<%= $rabbitmq::config::ssl_dhfile %>"},
 <%- } -%>
+ <%- if !$rabbitmq::config::ssl_versions or !('tlsv1.3' in $rabbitmq::config::ssl_versions) {-%>
+ <%- if $rabbitmq::config::ssl_client_renegotiation != undef {-%>
+ {client_renegotiation,<%= $rabbitmq::config::ssl_client_renegotiation %>},
+ <%- } -%>
 {secure_renegotiate,<%= $rabbitmq::config::ssl_secure_renegotiate %>},
+ <%- } -%>
 {reuse_sessions,<%= $rabbitmq::config::ssl_reuse_sessions %>},
 {honor_cipher_order,<%= $rabbitmq::config::ssl_honor_cipher_order %>},
 {verify,<%= $rabbitmq::config::ssl_verify %>},
@@ -150,6 +155,14 @@
 <%- } -%>
 {certfile, "<%= $rabbitmq::config::ssl_management_cert %>"},
 {keyfile, "<%= $rabbitmq::config::ssl_management_key %>"},
+ <%- if !$rabbitmq::config::ssl_versions or !('tlsv1.3' in $rabbitmq::config::ssl_versions) {-%>
+ <%- if $rabbitmq::config::ssl_client_renegotiation != undef {-%>
+ {client_renegotiation,<%= $rabbitmq::config::ssl_client_renegotiation %>},
+ <%- } -%>
+ {secure_renegotiate,<%= $rabbitmq::config::ssl_secure_renegotiate %>},
+ <%- } -%>
+ {reuse_sessions,<%= $rabbitmq::config::ssl_reuse_sessions %>},
+ {honor_cipher_order,<%= $rabbitmq::config::ssl_honor_cipher_order %>},
 {verify,<%= $rabbitmq::config::ssl_management_verify %>},
 {fail_if_no_peer_cert,<%= $rabbitmq::config::ssl_management_fail_if_no_peer_cert %>}
 <%- if $rabbitmq::config::ssl_versions {-%>
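Review bot: The guard `!$rabbitmq::config::ssl_versions or !('tlsv1.3' in $rabbitmq::config::ssl_versions)` drops `client_renegotiation` and `secure_renegotiate` as soon as tlsv1.3 appears anywhere in `ssl_versions`, so a listener configured with `['tlsv1.2', 'tlsv1.3']` silently loses both settings for the TLS 1.2 connections it still accepts, and `secure_renegotiate`, which the template previously always wrote, falls back to whatever the Erlang ssl default happens to be. Presumably the intent is only to keep these TLS <= 1.2 options out of a TLS 1.3-only configuration, which is narrower than the current test; guarding on the presence of a pre-1.3 version instead, e.g. `<%- if !$rabbitmq::config::ssl_versions or $rabbitmq::config::ssl_versions.any |$v| { $v != 'tlsv1.3' } {-%>`, would preserve the operator's explicit choice for mixed listeners. The same condition is repeated verbatim in the management listener hunk (`@@ -150,6 +155,14 @@`); evaluating it once in `manifests/config.pp` (say as `$ssl_renegotiation_options_applicable`, a constructed name) would keep both blocks in step. A short template comment above the guard, such as `<%# renegotiation options apply to TLS <= 1.2 only; omitted for TLS 1.3-only listeners -%>`, would record why the block is conditional.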