diff --git a/manifests/init.pp b/manifests/init.pp
index a0eed47f0..2577fd7d2 100644
--- a/manifests/init.pp
+++ b/manifests/init.pp
@@ -156,12 +156,16 @@
 # @param ssl_cert Cert to use for SSL.
 # @param ssl_cert_password Password used when generating CSR.
 # @param ssl_depth SSL verification depth.
+# @param ssl_dhfile Use this dhparam file [example: generate with `openssl dhparam -out /etc/rabbitmq/ssl/dhparam.pem 2048`
 # @param ssl_erl_dist Whether to use the erlang package's SSL (relies on the ssl_erl_path fact)
+# @param ssl_honor_cipher_order Force use of server cipher order
 # @param ssl_interface Interface for SSL listener to bind to
 # @param ssl_key Key to use for SSL.
 # @param ssl_only Configures the service to only use SSL. No cleartext TCP listeners will be created. Requires that ssl => true and
 # @param ssl_management_port SSL management port.
 # @param ssl_port SSL port for RabbitMQ
+# @param ssl_reuse_sessions Reuse ssl sessions
+# @param ssl_secure_renegotiate Use ssl secure renegotiate
 # @param ssl_stomp_port SSL stomp port.
 # @param ssl_verify rabbitmq.config SSL verify setting.
 # @param ssl_fail_if_no_peer_cert rabbitmq.config `fail_if_no_peer_cert` setting.
diff --git a/spec/classes/rabbitmq_spec.rb b/spec/classes/rabbitmq_spec.rb
index 7214d2b03..d1be83963 100644
--- a/spec/classes/rabbitmq_spec.rb
+++ b/spec/classes/rabbitmq_spec.rb
@@ -686,6 +686,10 @@
 ssl_cacert: '/path/to/cacert',
 ssl_cert: '/path/to/cert',
 ssl_key: '/path/to/key',
+ ssl_secure_renegotiate: true,
+ ssl_reuse_sessions: true,
+ ssl_honor_cipher_order: true,
+ ssl_dhfile: :undef,
 management_ssl: false,
 management_port: 13_142 }
 end
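Review bot: The added `ssl_dhfile` @param line opens a bracket before `example:` that is never closed, so the generated reference documentation will carry a dangling `[`; either close it after the backtick-quoted openssl command or drop the brackets altogether. The descriptions for `ssl_honor_cipher_order`, `ssl_reuse_sessions` and `ssl_secure_renegotiate` also do not say what value is rendered when the parameter is left alone, which is the first thing an operator hardening TLS will want to know; the parameter declarations are outside this hunk, so the defaults cannot be confirmed here, but a trailing "Defaults to <value>." on each line would close that gap. A more precise wording for the cipher-order knob would be `# @param ssl_honor_cipher_order Whether the server's cipher preference order is used instead of the client's (rabbitmq.config honor_cipher_order setting)`.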
@@ -706,6 +710,18 @@
 is_expected.to contain_file('rabbitmq.config').with_content(
 %r{keyfile,"/path/to/key"}
 )
+ is_expected.to contain_file('rabbitmq.config').with_content(
+ %r{secure_renegotiate,true}
+ )
+ is_expected.to contain_file('rabbitmq.config').with_content(
+ %r{reuse_sessions,true}
+ )
+ is_expected.to contain_file('rabbitmq.config').with_content(
+ %r{honor_cipher_order,true}
+ )
+ is_expected.to contain_file('rabbitmq.config').without_content(
+ %r{dhfile,}
+ )
 end
 it 'sets non ssl port for management port' do
 is_expected.to contain_file('rabbitmq.config').with_content(
@@ -724,6 +740,11 @@
 ssl_cacert: '/path/to/cacert',
 ssl_cert: '/path/to/cert',
 ssl_key: '/path/to/key',
+ ssl_secure_renegotiate: true,
+ ssl_reuse_sessions: true,
+ ssl_honor_cipher_order: true,
+ ssl_dhfile: :undef,
+ management_ssl: true,
 ssl_management_port: 13_141 }
 end
@@ -747,6 +768,18 @@
 is_expected.to contain_file('rabbitmq.config').with_content(
 %r{keyfile,"/path/to/key"}
 )
+ is_expected.to contain_file('rabbitmq.config').with_content(
+ %r{secure_renegotiate,true}
+ )
+ is_expected.to contain_file('rabbitmq.config').with_content(
+ %r{reuse_sessions,true}
+ )
+ is_expected.to contain_file('rabbitmq.config').with_content(
+ %r{honor_cipher_order,true}
+ )
+ is_expected.to contain_file('rabbitmq.config').without_content(
+ %r{dhfile,}
+ )
 end
 it 'sets ssl managment port to specified values' do
 is_expected.to contain_file('rabbitmq.config').with_content(
@@ -778,7 +811,11 @@
 ssl_port: 3141,
 ssl_cacert: '/path/to/cacert',
 ssl_cert: '/path/to/cert',
- ssl_key: '/path/to/key' }
+ ssl_key: '/path/to/key',
+ ssl_secure_renegotiate: true,
+ ssl_reuse_sessions: true,
+ ssl_honor_cipher_order: true,
+ ssl_dhfile: :undef }
 end
 it 'sets ssl options to specified values' do
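Review bot: The four `contain_file('rabbitmq.config')` assertions added in the hunk at line 706 are repeated verbatim in the hunks at 747 and 797, and the same four `ssl_*` entries are pasted into the `let(:params)` hashes at 686, 724 and 778, so the next TLS option will have to be added in six places. A shared example group that iterates over the option names, included from each of the three `describe` contexts, would keep them in sync and make a missing assertion visible as a one-line diff. Note also that `without_content(%r{dhfile,})` here only proves the entry is absent when `ssl_dhfile: :undef` is passed explicitly; none of the three contexts exercise the parameter's declared default. The enclosing `describe` blocks start before each of these hunks.
```ruby
shared_examples 'ssl hardening options' do
  %w[secure_renegotiate reuse_sessions honor_cipher_order].each do |opt|
    it { is_expected.to contain_file('rabbitmq.config').with_content(%r{#{opt},true}) }
  end
  it { is_expected.to contain_file('rabbitmq.config').without_content(%r{dhfile,}) }
end
# … unchanged: existing cacertfile/certfile/keyfile assertions …
include_examples 'ssl hardening options'
```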
@@ -797,6 +834,18 @@
 is_expected.to contain_file('rabbitmq.config').with_content(
 %r{keyfile,"/path/to/key"}
 )
+ is_expected.to contain_file('rabbitmq.config').with_content(
+ %r{secure_renegotiate,true}
+ )
+ is_expected.to contain_file('rabbitmq.config').with_content(
+ %r{reuse_sessions,true}
+ )
+ is_expected.to contain_file('rabbitmq.config').with_content(
+ %r{honor_cipher_order,true}
+ )
+ is_expected.to contain_file('rabbitmq.config').without_content(
+ %r{dhfile,}
+ )
 end
 end
@@ -938,6 +987,56 @@
 end
 end
+ describe 'ssl with ssl_dhfile' do
+ let(:params) do
+ { ssl: true,
+ ssl_interface: '0.0.0.0',
+ ssl_dhfile: '/etc/pki/tls/dh-params.pem' }
+ end
+
+ it { is_expected.to contain_file('rabbitmq.config').with_content(%r{dhfile, "/etc/pki/tls/dh-params\.pem}) }
+ end
+
+ describe 'ssl with ssl_dhfile unset' do
+ let(:params) do
+ { ssl: true,
+ ssl_interface: '0.0.0.0',
+ ssl_dhfile: :undef }
+ end
+
+ it { is_expected.to contain_file('rabbitmq.config').without_content(%r{dhfile,}) }
+ end
+
+ describe 'ssl with ssl_secure_renegotiate false' do
+ let(:params) do
+ { ssl: true,
+ ssl_interface: '0.0.0.0',
+ ssl_secure_renegotiate: false }
+ end
+
+ it { is_expected.to contain_file('rabbitmq.config').with_content(%r{secure_renegotiate,false}) }
+ end
+
+ describe 'ssl with ssl_reuse_sessions false' do
+ let(:params) do
+ { ssl: true,
+ ssl_interface: '0.0.0.0',
+ ssl_reuse_sessions: false }
+ end
+
+ it { is_expected.to contain_file('rabbitmq.config').with_content(%r{reuse_sessions,false}) }
+ end
+
+ describe 'ssl with ssl_honor_cipher_order false' do
+ let(:params) do
+ { ssl: true,
+ ssl_interface: '0.0.0.0',
+ ssl_honor_cipher_order: false }
+ end
+
+ it { is_expected.to contain_file('rabbitmq.config').with_content(%r{honor_cipher_order,false}) }
+ end
+
 describe 'ssl admin options' do
 let(:params) do
 { ssl: true,
diff --git a/templates/rabbitmq.config.erb b/templates/rabbitmq.config.erb
index 436f18ae1..1cec0fa78 100644
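Review bot: The `ssl with ssl_dhfile unset` context in the hunk at line 938 passes `ssl_dhfile: :undef` explicitly, so it verifies how the template handles an explicit undef rather than the parameter's declared default, which is the path most users hit; a sibling context that simply omits the key from `params` would cover that (the declaration lives in manifests/init.pp, outside this diff). The positive case matches `%r{dhfile, "/etc/pki/tls/dh-params\.pem}` without the closing quote and brace, so a template that dropped the trailing `"}` would still pass; `%r{dhfile, "/etc/pki/tls/dh-params\.pem"}` pins the full Erlang term. The enclosing top-level `describe` starts before this hunk.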
--- a/templates/rabbitmq.config.erb
+++ b/templates/rabbitmq.config.erb
@@ -65,7 +65,7 @@
 <%- if @ssl_depth -%>
 {depth,<%= @ssl_depth %>},
 <%- end -%>
- <%- if @ssl_dhfile != 'UNSET' -%>
+ <%- if @ssl_dhfile -%>
 {dhfile, "<%= @ssl_dhfile %>"},
 <%- end -%>
 {secure_renegotiate,<%= @ssl_secure_renegotiate %>},
@@ -112,7 +112,6 @@
 {ssl_opts, [<%- if @ssl_cacert %>
 {cacertfile, "<%= @ssl_cacert %>"},
 <%- end -%>
- {certfile, "<%= @ssl_cert %>"},
 {keyfile, "<%= @ssl_key %>"}
 <%- if @ssl_versions -%>
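Review bot: `<%- if @ssl_dhfile -%>` emits the `dhfile` entry for any non-nil value, and `''` is truthy in Ruby, so unless `ssl_dhfile` is typed in init.pp to reject the empty string (the declaration is not in this diff) the template can render `{dhfile, ""}` and hand RabbitMQ a DH parameter path it cannot open; `<%- if @ssl_dhfile && !@ssl_dhfile.to_s.empty? -%>` closes that gap independently of the data type. Anyone still setting the `'UNSET'` sentinel that the removed condition tested for will now get `{dhfile, "UNSET"}` written out, so the change in meaning deserves a changelog entry. The second hunk of this file, which is cut off at the end of the diff, drops `{certfile, "<%= @ssl_cert %>"}` from the `ssl_opts` list while keeping `keyfile`; unless certfile is still emitted elsewhere in that list, the listener ends up with a private key and no certificate, which is worth confirming before merge.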