Add client_renegotiation ssl option, use more ssl options in management plugin

REFERENCE.md

@@ -810,6 +810,14 @@ Reuse ssl sessions
 
 Default value: `true`
 
+##### `ssl_client_renegotiation`
+
+Data type: `Boolean`
+
+Allow ssl client renegotiation
+
+Default value: `false`
+
 ##### `ssl_secure_renegotiate`
 
 Data type: `Boolean`

data/common.yaml

@@ -61,6 +61,7 @@ rabbitmq::ssl_fail_if_no_peer_cert: false
 rabbitmq::ssl_management_verify: 'verify_none'
 rabbitmq::ssl_management_fail_if_no_peer_cert: false
 rabbitmq::ssl_versions: ~
+rabbitmq::ssl_client_renegotiation: false
 rabbitmq::ssl_secure_renegotiate: true
 rabbitmq::ssl_reuse_sessions: true
 rabbitmq::ssl_honor_cipher_order: true

manifests/config.pp

@@ -54,6 +54,7 @@
   $ssl_stomp_port                      = $rabbitmq::ssl_stomp_port
   $ssl_verify                          = $rabbitmq::ssl_verify
   $ssl_fail_if_no_peer_cert            = $rabbitmq::ssl_fail_if_no_peer_cert
+  $ssl_client_renegotiation            = $rabbitmq::ssl_client_renegotiation
   $ssl_secure_renegotiate              = $rabbitmq::ssl_secure_renegotiate
   $ssl_reuse_sessions                  = $rabbitmq::ssl_reuse_sessions
   $ssl_honor_cipher_order              = $rabbitmq::ssl_honor_cipher_order

manifests/init.pp

@@ -267,6 +267,8 @@
 #   SSL port for RabbitMQ
 # @param ssl_reuse_sessions
 #   Reuse ssl sessions
+# @param ssl_client_renegotiation
+#   Allow ssl client renegotiation
 # @param ssl_secure_renegotiate
 #   Use ssl secure renegotiate
 # @param ssl_stomp_port
@@ -392,6 +394,7 @@
   Enum['verify_none','verify_peer'] $ssl_management_verify                                         = 'verify_none',
   Boolean $ssl_management_fail_if_no_peer_cert                                                     = false,
   Optional[Array] $ssl_versions                                                                    = undef,
+  Boolean $ssl_client_renegotiation                                                                = false,
   Boolean $ssl_secure_renegotiate                                                                  = true,
   Boolean $ssl_reuse_sessions                                                                      = true,
   Boolean $ssl_honor_cipher_order                                                                  = true,

spec/classes/rabbitmq_spec.rb

@@ -912,6 +912,7 @@
             ssl_cacert: '/path/to/cacert',
             ssl_cert: '/path/to/cert',
             ssl_key: '/path/to/key',
+            ssl_client_renegotiation: false,
             ssl_secure_renegotiate: true,
             ssl_reuse_sessions: true,
             ssl_honor_cipher_order: true,
@@ -936,6 +937,9 @@
           is_expected.to contain_file('rabbitmq.config').with_content(
             %r{keyfile,"/path/to/key"}
           )
+          is_expected.to contain_file('rabbitmq.config').with_content(
+            %r{client_renegotiation,false}
+          )
           is_expected.to contain_file('rabbitmq.config').with_content(
             %r{secure_renegotiate,true}
           )
@@ -967,6 +971,7 @@
             ssl_cacert: '/path/to/cacert',
             ssl_cert: '/path/to/cert',
             ssl_key: '/path/to/key',
+            ssl_client_renegotiation: false,
             ssl_secure_renegotiate: true,
             ssl_reuse_sessions: true,
             ssl_honor_cipher_order: true,
@@ -995,6 +1000,9 @@
           is_expected.to contain_file('rabbitmq.config').with_content(
             %r{keyfile,"/path/to/key"}
           )
+          is_expected.to contain_file('rabbitmq.config').with_content(
+            %r{client_renegotiation,false}
+          )
           is_expected.to contain_file('rabbitmq.config').with_content(
             %r{secure_renegotiate,true}
           )
@@ -1041,6 +1049,7 @@
             ssl_cacert: '/path/to/cacert',
             ssl_cert: '/path/to/cert',
             ssl_key: '/path/to/key',
+            ssl_client_renegotiation: false,
             ssl_secure_renegotiate: true,
             ssl_reuse_sessions: true,
             ssl_honor_cipher_order: true,
@@ -1063,6 +1072,9 @@
           is_expected.to contain_file('rabbitmq.config').with_content(
             %r{keyfile,"/path/to/key"}
           )
+          is_expected.to contain_file('rabbitmq.config').with_content(
+            %r{client_renegotiation,false}
+          )
           is_expected.to contain_file('rabbitmq.config').with_content(
             %r{secure_renegotiate,true}
           )
@@ -1163,6 +1175,33 @@
         end
       end
 
+      describe 'ssl options with ssl version tlsv1.3' do
+        let(:params) do
+          { ssl: true,
+            ssl_port: 3141,
+            ssl_cacert: '/path/to/cacert',
+            ssl_cert: '/path/to/cert',
+            ssl_key: '/path/to/key',
+            ssl_versions: ['tlsv1.3'] }
+        end
+
+        it 'sets ssl options to specified values' do
+          is_expected.to contain_file('rabbitmq.config').with_content(%r{ssl_listeners, \[3141\]})
+          is_expected.to contain_file('rabbitmq.config').with_content(%r{ssl_options, \[})
+          is_expected.to contain_file('rabbitmq.config').with_content(%r{cacertfile,"/path/to/cacert"})
+          is_expected.to contain_file('rabbitmq.config').with_content(%r{certfile,"/path/to/cert"})
+          is_expected.to contain_file('rabbitmq.config').with_content(%r{keyfile,"/path/to/key})
+          is_expected.to contain_file('rabbitmq.config').with_content(%r{ssl, \[\{versions, \['tlsv1.3'\]\}\]})
+          is_expected.to contain_file('rabbitmq.config').with_content(%r{versions, \['tlsv1.3'\]})
+        end
+
+        it 'does not set ssl negotiation options with tlsv1.3' do
+          is_expected.to contain_file('rabbitmq.config'). \
+            without_content(%r{client_renegotiation}). \
+            without_content(%r{secure_renegotiate})
+        end
+      end
+
       describe 'ssl options with ssl_versions and not ssl' do
         let(:params) do
           { ssl: false,
@@ -1348,6 +1387,16 @@
         it { is_expected.to contain_file('rabbitmq.config').without_content(%r{dhfile,}) }
       end
 
+      describe 'ssl with ssl_client_renegotiation true' do
+        let(:params) do
+          { ssl: true,
+            ssl_interface: '0.0.0.0',
+            ssl_client_renegotiation: true }
+        end
+
+        it { is_expected.to contain_file('rabbitmq.config').with_content(%r{client_renegotiation,true}) }
+      end
+
       describe 'ssl with ssl_secure_renegotiate false' do
         let(:params) do
           { ssl: true,

templates/rabbitmq.config.erb

@@ -82,7 +82,10 @@ end
                    <%- if @ssl_dhfile -%>
                    {dhfile, "<%= @ssl_dhfile %>"},
                    <%- end -%>
+                   <%- if @ssl_versions and !@ssl_versions.include?('tlsv1.3') -%>
+                   {client_renegotiation,<%= @ssl_client_renegotiation %>},
                    {secure_renegotiate,<%= @ssl_secure_renegotiate %>},
+                   <%- end -%>
                    {reuse_sessions,<%= @ssl_reuse_sessions %>},
                    {honor_cipher_order,<%= @ssl_honor_cipher_order %>},
                    {verify,<%= @ssl_verify %>},
@@ -137,6 +140,12 @@ end
                   <%- end -%>
                   {certfile, "<%= @ssl_management_cert %>"},
                   {keyfile, "<%= @ssl_management_key %>"},
+                  <%- if @ssl_versions and !@ssl_versions.include?('tlsv1.3') -%>
+                  {client_renegotiation,<%= @ssl_client_renegotiation %>},
+                  {secure_renegotiate,<%= @ssl_secure_renegotiate %>},
+                  <%- end -%>
+                  {reuse_sessions,<%= @ssl_reuse_sessions %>},
+                  {honor_cipher_order,<%= @ssl_honor_cipher_order %>},
                   {verify,<%= @ssl_management_verify %>},
                   {fail_if_no_peer_cert,<%= @ssl_management_fail_if_no_peer_cert %>}
                    <%- if @ssl_versions -%>