From cc15f829561ae67931016363d1d1688a23275502 Mon Sep 17 00:00:00 2001
From: Michiel Brandenburg
Date: Thu, 8 Jun 2017 23:05:57 +0200
Subject: [PATCH] This patch adds the following options to the ssl config to harden the rabbitmq ssl setup ssl_secure_renegotiate (boolean default true) ssl_reuse_sessions (boolean default true) ssl_honor_cipher_order (boolean default true) ssl_dhfile (string default empty)
---
 manifests/config.pp | 4 ++++
 manifests/init.pp | 4 ++++
 manifests/params.pp | 16 ++++++++++------
 templates/rabbitmq.config.erb | 6 ++++++
 4 files changed, 24 insertions(+), 6 deletions(-)
diff --git a/manifests/config.pp b/manifests/config.pp
index a3700d034..d6589de0e 100644
--- a/manifests/config.pp
+++ b/manifests/config.pp
@@ -46,6 +46,10 @@
   $ssl_stomp_port = $rabbitmq::ssl_stomp_port
   $ssl_verify = $rabbitmq::ssl_verify
   $ssl_fail_if_no_peer_cert = $rabbitmq::ssl_fail_if_no_peer_cert
+  $ssl_secure_renegotiate = $rabbitmq::ssl_secure_renegotiate
+  $ssl_reuse_sessions = $rabbitmq::ssl_reuse_sessions
+  $ssl_honor_cipher_order = $rabbitmq::ssl_honor_cipher_order
+  $ssl_dhfile = $rabbitmq::ssl_dhfile
   $ssl_versions = $rabbitmq::ssl_versions
   $ssl_ciphers = $rabbitmq::ssl_ciphers
   $stomp_port = $rabbitmq::stomp_port
diff --git a/manifests/init.pp b/manifests/init.pp
index 5a277ebaa..a0eed47f0 100644
--- a/manifests/init.pp
+++ b/manifests/init.pp
@@ -243,6 +243,10 @@
   $ssl_verify = $rabbitmq::params::ssl_verify,
   $ssl_fail_if_no_peer_cert = $rabbitmq::params::ssl_fail_if_no_peer_cert,
   Optional[Array] $ssl_versions = undef,
+  Boolean $ssl_secure_renegotiate = $rabbitmq::params::ssl_secure_renegotiate,
+  Boolean $ssl_reuse_sessions = $rabbitmq::params::ssl_reuse_sessions,
+  Boolean $ssl_honor_cipher_order = $rabbitmq::params::ssl_honor_cipher_order,
+  Optional[String] $ssl_dhfile = undef,
   Array $ssl_ciphers = $rabbitmq::params::ssl_ciphers,
   Boolean $stomp_ensure = $rabbitmq::params::stomp_ensure,
   Boolean $ldap_auth = $rabbitmq::params::ldap_auth,
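Review bot: The four new class parameters in the init.pp hunk (`$ssl_secure_renegotiate`, `$ssl_reuse_sessions`, `$ssl_honor_cipher_order`, `$ssl_dhfile`) carry no documentation; the class's parameter comment block sits above this hunk and should gain one entry each, e.g. `# [*ssl_dhfile*] Path to the Diffie-Hellman parameter file handed to the Erlang ssl dhfile option; undef leaves the option out.` The default for `$ssl_dhfile` is also stated three different ways in this patch: the description says "string default empty", this hunk uses `undef`, and the params.pp hunk adds no `$ssl_dhfile` at all, so the description should be brought in line with the code. Since the value is a file path written verbatim into the server config, a path type such as `Optional[Stdlib::Absolutepath] $ssl_dhfile = undef,` would reject relative or malformed paths at catalog compile time, if the module's stdlib dependency provides that alias. The `rabbitmq` class parameter list continues outside the hunk on both sides.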
diff --git a/manifests/params.pp b/manifests/params.pp
index ef567ce49..4cade1ef0 100644
--- a/manifests/params.pp
+++ b/manifests/params.pp
@@ -98,14 +98,21 @@
   $tcp_keepalive = false
   $tcp_backlog = 128
   $ssl = false
+  $ssl_ciphers = []
+  $ssl_erl_dist = false
+  $ssl_fail_if_no_peer_cert = false
+  $ssl_honor_cipher_order = true
+  $ssl_management_port = 15671
   $ssl_only = false
   $ssl_port = 5671
-  $ssl_management_port = 15671
+  $ssl_reuse_sessions = true
+  $ssl_secure_renegotiate = true
   $ssl_stomp_port = 6164
   $ssl_verify = 'verify_none'
-  $ssl_fail_if_no_peer_cert = false
-  $ssl_ciphers = []
+  $ssl_versions = undef
   $stomp_ensure = false
+  $stomp_port = 6163
+  $stomp_ssl_only = false
   $ldap_auth = false
   $ldap_server = 'ldap'
   $ldap_user_dn_pattern = 'cn=username,ou=People,dc=example,dc=com'
@@ -114,8 +121,6 @@
   $ldap_port = 389
   $ldap_log = false
   $ldap_config_variables = {}
-  $stomp_port = 6163
-  $stomp_ssl_only = false
   $wipe_db_on_cookie_change = false
   $cluster_partition_handling = 'ignore'
   $environment_variables = {}
@@ -127,5 +132,4 @@
   $ipv6 = false
   $inetrc_config = 'rabbitmq/inetrc.erb'
   $inetrc_config_path = '/etc/rabbitmq/inetrc'
-  $ssl_erl_dist = false
 }
diff --git a/templates/rabbitmq.config.erb b/templates/rabbitmq.config.erb
index c92e64b6d..436f18ae1 100644
--- a/templates/rabbitmq.config.erb
+++ b/templates/rabbitmq.config.erb
@@ -65,6 +65,12 @@
     <%- if @ssl_depth -%>
     {depth,<%= @ssl_depth %>},
     <%- end -%>
+    <%- if @ssl_dhfile != 'UNSET' -%>
+    {dhfile, "<%= @ssl_dhfile %>"},
+    <%- end -%>
+    {secure_renegotiate,<%= @ssl_secure_renegotiate %>},
+    {reuse_sessions,<%= @ssl_reuse_sessions %>},
+    {honor_cipher_order,<%= @ssl_honor_cipher_order %>},
     {verify,<%= @ssl_verify %>},
     {fail_if_no_peer_cert,<%= @ssl_fail_if_no_peer_cert %>}
     <%- if @ssl_versions -%>
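Review bot: Most of the first params.pp hunk is an alphabetical reshuffle of existing defaults (`$ssl_management_port`, `$ssl_fail_if_no_peer_cert`, `$ssl_ciphers`, `$ssl_erl_dist`, `$stomp_port`, `$stomp_ssl_only` are deleted and re-added, and the two following hunks exist only to drop the old copies), which buries the three genuinely new defaults and loses blame history on the moved lines. The added `$ssl_versions = undef` is never consulted either: init.pp in this same patch defaults `$ssl_versions` to `undef` directly rather than to `$rabbitmq::params::ssl_versions`, so that line can go. Keeping this hunk to `$ssl_honor_cipher_order = true`, `$ssl_reuse_sessions = true` and `$ssl_secure_renegotiate = true` (plus a `$ssl_dhfile` default if the description's "default empty" is intended) would leave the hardening change reviewable on its own.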
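Review bot: The guard `<%- if @ssl_dhfile != 'UNSET' -%>` in the template hunk never suppresses the option: init.pp in this patch defaults `$ssl_dhfile` to `undef` and config.pp passes it through unchanged, so the template sees nil, nil is not equal to `'UNSET'`, and every SSL-enabled node is rendered `{dhfile, ""}` — an empty path the Erlang ssl application cannot load, which will likely prevent the TLS listener from starting (unless something outside these hunks maps undef to `'UNSET'`). The check should test for a value instead: `<%- if @ssl_dhfile -%>`. A module-level test rendering the template with `ssl_dhfile` unset and asserting that no `dhfile` tuple appears would pin this. The enclosing `ssl_options` list begins and ends outside the hunk.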