This patch adds the following options to the ssl config to harden the…

… rabbitmq ssl setup

ssl_secure_renegotiate (boolean default true)
ssl_reuse_sessions (boolean default true)
ssl_honor_cipher_order (boolean default true)
ssl_dhfile (string default empty)

manifests/config.pp

@@ -46,6 +46,10 @@
   $ssl_stomp_port              = $rabbitmq::ssl_stomp_port
   $ssl_verify                  = $rabbitmq::ssl_verify
   $ssl_fail_if_no_peer_cert    = $rabbitmq::ssl_fail_if_no_peer_cert
+  $ssl_secure_renegotiate      = $rabbitmq::ssl_secure_renegotiate
+  $ssl_reuse_sessions          = $rabbitmq::ssl_reuse_sessions
+  $ssl_honor_cipher_order      = $rabbitmq::ssl_honor_cipher_order
+  $ssl_dhfile                  = $rabbitmq::ssl_dhfile
   $ssl_versions                = $rabbitmq::ssl_versions
   $ssl_ciphers                 = $rabbitmq::ssl_ciphers
   $stomp_port                  = $rabbitmq::stomp_port

manifests/init.pp

@@ -243,6 +243,10 @@
   $ssl_verify                                    = $rabbitmq::params::ssl_verify,
   $ssl_fail_if_no_peer_cert                      = $rabbitmq::params::ssl_fail_if_no_peer_cert,
   Optional[Array] $ssl_versions                  = undef,
+  Boolean $ssl_secure_renegotiate                = $rabbitmq::params::ssl_secure_renegotiate,
+  Boolean $ssl_reuse_sessions                    = $rabbitmq::params::ssl_reuse_sessions,
+  Boolean $ssl_honor_cipher_order                = $rabbitmq::params::ssl_honor_cipher_order,
+  Optional[String] $ssl_dhfile                   = undef,
   Array $ssl_ciphers                             = $rabbitmq::params::ssl_ciphers,
   Boolean $stomp_ensure                          = $rabbitmq::params::stomp_ensure,
   Boolean $ldap_auth                             = $rabbitmq::params::ldap_auth,

manifests/params.pp

@@ -98,14 +98,21 @@
   $tcp_keepalive               = false
   $tcp_backlog                 = 128
   $ssl                         = false
+  $ssl_ciphers                 = []
+  $ssl_erl_dist                = false
+  $ssl_fail_if_no_peer_cert    = false
+  $ssl_honor_cipher_order      = true
+  $ssl_management_port         = 15671
   $ssl_only                    = false
   $ssl_port                    = 5671
-  $ssl_management_port         = 15671
+  $ssl_reuse_sessions          = true
+  $ssl_secure_renegotiate      = true
   $ssl_stomp_port              = 6164
   $ssl_verify                  = 'verify_none'
-  $ssl_fail_if_no_peer_cert    = false
-  $ssl_ciphers                 = []
+  $ssl_versions                = undef
   $stomp_ensure                = false
+  $stomp_port                  = 6163
+  $stomp_ssl_only              = false
   $ldap_auth                   = false
   $ldap_server                 = 'ldap'
   $ldap_user_dn_pattern        = 'cn=username,ou=People,dc=example,dc=com'
@@ -114,8 +121,6 @@
   $ldap_port                   = 389
   $ldap_log                    = false
   $ldap_config_variables       = {}
-  $stomp_port                  = 6163
-  $stomp_ssl_only              = false
   $wipe_db_on_cookie_change    = false
   $cluster_partition_handling  = 'ignore'
   $environment_variables       = {}
@@ -127,5 +132,4 @@
   $ipv6                        = false
   $inetrc_config               = 'rabbitmq/inetrc.erb'
   $inetrc_config_path          = '/etc/rabbitmq/inetrc'
-  $ssl_erl_dist                = false
 }

templates/rabbitmq.config.erb

@@ -65,6 +65,12 @@
                    <%- if @ssl_depth -%>
                    {depth,<%= @ssl_depth %>},
                    <%- end -%>
+                   <%- if @ssl_dhfile != 'UNSET' -%>
+                   {dhfile, "<%= @ssl_dhfile %>"},
+                   <%- end -%>
+                   {secure_renegotiate,<%= @ssl_secure_renegotiate %>},
+                   {reuse_sessions,<%= @ssl_reuse_sessions %>},
+                   {honor_cipher_order,<%= @ssl_honor_cipher_order %>},
                    {verify,<%= @ssl_verify %>},
                    {fail_if_no_peer_cert,<%= @ssl_fail_if_no_peer_cert %>}
                    <%- if @ssl_versions -%>