diff --git a/REFERENCE.md b/REFERENCE.md
index 5415c0acc..aeb2f03de 100644
--- a/REFERENCE.md
+++ b/REFERENCE.md
@@ -810,6 +810,14 @@ Reuse ssl sessions
 
 Default value: `true`
 
+##### `ssl_client_renegotiation`
+
+Data type: `Optional[Boolean]`
+
+Allow ssl client renegotiation
+
+Default value: `undef`
+
 ##### `ssl_secure_renegotiate`
 
 Data type: `Boolean`
diff --git a/data/common.yaml b/data/common.yaml
index f130e56a4..de36aa884 100644
--- a/data/common.yaml
+++ b/data/common.yaml
@@ -61,6 +61,7 @@ rabbitmq::ssl_fail_if_no_peer_cert: false
 rabbitmq::ssl_management_verify: 'verify_none'
 rabbitmq::ssl_management_fail_if_no_peer_cert: false
 rabbitmq::ssl_versions: ~
+rabbitmq::ssl_client_renegotiation: ~
 rabbitmq::ssl_secure_renegotiate: true
 rabbitmq::ssl_reuse_sessions: true
 rabbitmq::ssl_honor_cipher_order: true
diff --git a/manifests/config.pp b/manifests/config.pp
index a2f83a8aa..9300907b7 100644
--- a/manifests/config.pp
+++ b/manifests/config.pp
@@ -54,6 +54,7 @@
 $ssl_stomp_port = $rabbitmq::ssl_stomp_port
 $ssl_verify = $rabbitmq::ssl_verify
 $ssl_fail_if_no_peer_cert = $rabbitmq::ssl_fail_if_no_peer_cert
+ $ssl_client_renegotiation = $rabbitmq::ssl_client_renegotiation
 $ssl_secure_renegotiate = $rabbitmq::ssl_secure_renegotiate
 $ssl_reuse_sessions = $rabbitmq::ssl_reuse_sessions
 $ssl_honor_cipher_order = $rabbitmq::ssl_honor_cipher_order
diff --git a/manifests/init.pp b/manifests/init.pp
index 2fc033afb..d28fd97d8 100644
--- a/manifests/init.pp
+++ b/manifests/init.pp
@@ -267,6 +267,8 @@
 # SSL port for RabbitMQ
 # @param ssl_reuse_sessions
 # Reuse ssl sessions
+# @param ssl_client_renegotiation
+# Allow ssl client renegotiation
 # @param ssl_secure_renegotiate
 # Use ssl secure renegotiate
 # @param ssl_stomp_port
@@ -392,13 +394,14 @@
 Enum['verify_none','verify_peer'] $ssl_management_verify = 'verify_none',
 Boolean $ssl_management_fail_if_no_peer_cert = false,
 Optional[Array] $ssl_versions = undef,
+ Optional[Boolean] $ssl_client_renegotiation = undef,
 Boolean $ssl_secure_renegotiate = true,
 Boolean $ssl_reuse_sessions = true,
 Boolean $ssl_honor_cipher_order = true,
 Optional[Stdlib::Absolutepath] $ssl_dhfile = undef,
 Array $ssl_ciphers = [],
 Enum['true','false','peer','best_effort'] $ssl_crl_check = 'false',
- Optional[Stdlib::Absolutepath] $ssl_crl_cache_hash_dir = undef,
+ Optional[Stdlib::Absolutepath] $ssl_crl_cache_hash_dir = undef,
 Optional[Integer] $ssl_crl_cache_http_timeout = undef,
 Boolean $stomp_ensure = false,
 Boolean $ldap_auth = false,
diff --git a/spec/classes/rabbitmq_spec.rb b/spec/classes/rabbitmq_spec.rb
index 8d1711825..4e59032e3 100644
--- a/spec/classes/rabbitmq_spec.rb
+++ b/spec/classes/rabbitmq_spec.rb
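Review bot: `Optional[Boolean] $ssl_client_renegotiation = undef` is only described as "Allow ssl client renegotiation" in the `@param` block, which leaves unexplained what `undef` does, what `false` buys, and where the value lands. Reading the template hunks in this commit, `undef` omits the option so the broker's Erlang default applies (which, as far as I recall, permits client-initiated renegotiation), `false` rejects client renegotiation, the option is dropped whenever `ssl_versions` contains `'tlsv1.3'`, and the same value is also emitted into the management listener's options. I would extend the `@param ssl_client_renegotiation` text (and the REFERENCE.md entry) to say roughly: `Allow TLS client-initiated renegotiation. undef leaves the broker default; false rejects it, which removes a renegotiation-based resource-exhaustion vector. Ignored when ssl_versions includes tlsv1.3; applied to both the AMQP and management listeners.` The `class rabbitmq (` declaration this parameter belongs to starts and ends outside the hunk.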
@@ -1163,6 +1163,34 @@
 end
 end
 
+ # tlsv1.3 not supported on older RMQ/Erlang with this distro
+ describe 'ssl options with ssl version tlsv1.3', unless: facts[:osfamily] == 'RedHat' do
+ let(:params) do
+ { ssl: true,
+ ssl_port: 3141,
+ ssl_cacert: '/path/to/cacert',
+ ssl_cert: '/path/to/cert',
+ ssl_key: '/path/to/key',
+ ssl_versions: ['tlsv1.3'] }
+ end
+
+ it 'sets ssl options to specified values' do
+ is_expected.to contain_file('rabbitmq.config').with_content(%r{ssl_listeners, \[3141\]})
+ is_expected.to contain_file('rabbitmq.config').with_content(%r{ssl_options, \[})
+ is_expected.to contain_file('rabbitmq.config').with_content(%r{cacertfile,"/path/to/cacert"})
+ is_expected.to contain_file('rabbitmq.config').with_content(%r{certfile,"/path/to/cert"})
+ is_expected.to contain_file('rabbitmq.config').with_content(%r{keyfile,"/path/to/key})
+ is_expected.to contain_file('rabbitmq.config').with_content(%r{ssl, \[\{versions, \['tlsv1.3'\]\}\]})
+ is_expected.to contain_file('rabbitmq.config').with_content(%r{versions, \['tlsv1.3'\]})
+ end
+
+ it 'does not set ssl negotiation options with tlsv1.3' do
+ is_expected.to contain_file('rabbitmq.config'). \
+ without_content(%r{client_renegotiation}). \
+ without_content(%r{secure_renegotiate})
+ end
+ end
+
 describe 'ssl options with ssl_versions and not ssl' do
 let(:params) do
 { ssl: false,
@@ -1348,6 +1376,16 @@
 it { is_expected.to contain_file('rabbitmq.config').without_content(%r{dhfile,}) }
 end
 
+ describe 'ssl with ssl_client_renegotiation false' do
+ let(:params) do
+ { ssl: true,
+ ssl_interface: '0.0.0.0',
+ ssl_client_renegotiation: false }
+ end
+
+ it { is_expected.to contain_file('rabbitmq.config').with_content(%r{client_renegotiation,false}) }
+ end
+
 describe 'ssl with ssl_secure_renegotiate false' do
 let(:params) do
 { ssl: true,
diff --git a/templates/rabbitmq.config.erb b/templates/rabbitmq.config.erb
index 5ba4db2e3..d3c280e1c 100644
--- a/templates/rabbitmq.config.erb
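Review bot: In `it 'does not set ssl negotiation options with tlsv1.3'` the continuations `contain_file('rabbitmq.config'). \` put a backslash after a trailing dot; the trailing dot already continues the expression, so the backslash is redundant, and RuboCop's default Layout/DotPosition expects the dot on the next line. I would write the chain as `is_expected.to contain_file('rabbitmq.config')` / `  .without_content(%r{client_renegotiation})` / `  .without_content(%r{secure_renegotiate})`. Separately, this case only exercises the single-element list `['tlsv1.3']`; the template's `include?('tlsv1.3')` guard also drops both renegotiation options for a mixed list such as `['tlsv1.2', 'tlsv1.3']`, where TLS 1.2 connections are still negotiated, so a spec case for that list would make the intended behaviour explicit.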
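Review bot: The new `describe 'ssl with ssl_client_renegotiation false'` case pins only the `false` rendering; nothing asserts the default path, where the parameter is left undef and the template guard must omit the option altogether. Without that assertion a template regression that renders `{client_renegotiation,},` for the undef case (a trailing comma the Erlang term parser rejects, so the broker would fail to start) passes the suite. I would add `it { is_expected.to contain_file('rabbitmq.config').without_content(%r{client_renegotiation}) }` to an existing ssl-enabled case that does not set the parameter, and a `true` case mirroring the `false` one so both literal renderings are covered.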
+++ b/templates/rabbitmq.config.erb
@@ -82,7 +82,12 @@ end
 <%- if @ssl_dhfile -%>
 {dhfile, "<%= @ssl_dhfile %>"},
 <%- end -%>
+ <%- if !@ssl_versions || !@ssl_versions.include?('tlsv1.3') -%>
+ <%- if defined?(@ssl_client_renegotiation) -%>
+ {client_renegotiation,<%= @ssl_client_renegotiation %>},
+ <%- end -%>
 {secure_renegotiate,<%= @ssl_secure_renegotiate %>},
+ <%- end -%>
 {reuse_sessions,<%= @ssl_reuse_sessions %>},
 {honor_cipher_order,<%= @ssl_honor_cipher_order %>},
 {verify,<%= @ssl_verify %>},
@@ -137,6 +142,14 @@ end
 <%- end -%>
 {certfile, "<%= @ssl_management_cert %>"},
 {keyfile, "<%= @ssl_management_key %>"},
+ <%- if !@ssl_versions || !@ssl_versions.include?('tlsv1.3') -%>
+ <%- if defined?(@ssl_client_renegotiation) -%>
+ {client_renegotiation,<%= @ssl_client_renegotiation %>},
+ <%- end -%>
+ {secure_renegotiate,<%= @ssl_secure_renegotiate %>},
+ <%- end -%>
+ {reuse_sessions,<%= @ssl_reuse_sessions %>},
+ {honor_cipher_order,<%= @ssl_honor_cipher_order %>},
 {verify,<%= @ssl_management_verify %>},
 {fail_if_no_peer_cert,<%= @ssl_management_fail_if_no_peer_cert %>}
 <%- if @ssl_versions -%>
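Review bot: `<%- if defined?(@ssl_client_renegotiation) -%>` tests whether the instance variable exists rather than whether the parameter holds a value, while the rest of this template tests values (`<%- if @ssl_dhfile -%>` three lines up). Whether Puppet binds an instance variable for a parameter left at `undef` is an implementation detail of its template scope that I would not rely on; if it does bind one as nil, this branch renders `{client_renegotiation,},`, which the Erlang term parser rejects and the broker will not start. A plain truthiness test would be wrong too, because `false` is the value a hardening deployment sets and is falsy in Ruby, so the guard that handles both is `<%- unless @ssl_client_renegotiation.nil? -%>`. The same `defined?` guard is duplicated in the management listener hunk below and should change there as well.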
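Review bot: The management listener block now emits `@ssl_client_renegotiation`, `@ssl_secure_renegotiate`, `@ssl_reuse_sessions` and `@ssl_honor_cipher_order` straight from the AMQP listener parameters, whereas every other option in this block has an `@ssl_management_*` counterpart (`@ssl_management_cert`, `@ssl_management_verify`, `@ssl_management_fail_if_no_peer_cert`). That leaves no way to set renegotiation or session behaviour differently for the management API, and the `@param` docs do not mention that the AMQP values are applied there. I would either document the shared scope in the `@param` text for those four parameters, or add `ssl_management_*` variants whose defaults fall back to the AMQP values, and in either case add a spec assertion on the management listener rendering, which the new spec cases do not touch. The enclosing `<%- if -%>` block that starts this management section begins outside the hunk.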