From ece87ba8ca0cf1450457c98c71166ef0b9a517a0 Mon Sep 17 00:00:00 2001
From: James Page
Date: Wed, 10 Nov 2021 10:21:22 +0000
Subject: [PATCH] Restrict TLS versions

TLS < 1.2 is considered insecure; where possible limit the versions of TLS to 1.2 or higher, enabling support for TLS 1.3 when the required erlang and rabbitmq versions are installed.

Change-Id: Iec5ab60488986f8e332ff0e9a11895822a61c1ee
Closes-Bug: 1892450
Func-Test-PR: https://github.com/openstack-charmers/zaza-openstack-tests/pull/668
---
 hooks/rabbitmq_context.py | 4 ++++
 templates/rabbitmq.conf | 6 ++++++
 unit_tests/test_rabbitmq_context.py | 29 ++++++++++++++++++++++++++++-
 3 files changed, 38 insertions(+), 1 deletion(-)

diff --git a/hooks/rabbitmq_context.py b/hooks/rabbitmq_context.py
index 316e0c33..7eec5f5b 100644
--- a/hooks/rabbitmq_context.py
+++ b/hooks/rabbitmq_context.py
@@ -120,6 +120,10 @@ class RabbitMQSSLContext(object):
 "ssl_client": ssl_client,
 "ssl_ca_file": "",
 "ssl_only": ssl_only,
+ "tls13": (
+ cmp_pkgrevno('erlang-base', '23.0') >= 0 and
+ cmp_pkgrevno('rabbitmq-server', '3.8.11') >= 0
+ ),
 }
 
 if ssl_ca:
diff --git a/templates/rabbitmq.conf b/templates/rabbitmq.conf
index 3043f036..97c7dfb1 100644
--- a/templates/rabbitmq.conf
+++ b/templates/rabbitmq.conf
@@ -13,6 +13,12 @@ listeners.ssl.1 = {{ ssl_port }}
 {%- endif %}
 {%- if ssl_mode == "on" or ssl_mode == "only" %}
 ssl_options.verify = verify_peer
+{%- if tls13 %}
+ssl_options.versions.1 = tlsv1.3
+ssl_options.versions.2 = tlsv1.2
+{% else %}
+ssl_options.versions.1 = tlsv1.2
+{%- endif %}
 {%- if ssl_client %}
 ssl_options.fail_if_no_peer_cert = true
 {% else %}
diff --git a/unit_tests/test_rabbitmq_context.py b/unit_tests/test_rabbitmq_context.py
index 1105df1f..7be96398 100644
--- a/unit_tests/test_rabbitmq_context.py
+++ b/unit_tests/test_rabbitmq_context.py
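Review bot: The two thresholds in the new `tls13` entry are unexplained literals; a comment on the line above the key would spare the next reader a search, e.g. `# Offer TLS 1.3 only when both the Erlang runtime and the broker meet the minimums the template relies on (erlang-base >= 23.0, rabbitmq-server >= 3.8.11).` The `and` short-circuits, so the rabbitmq-server probe is skipped whenever Erlang is too old; harmless, but it is what the unit test's final `assert_called_with("erlang-base", "23.0")` silently depends on. The enclosing `__call__` starts and ends outside the hunk.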
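Review bot: Both branches now pin `ssl_options.versions` to 1.2 or 1.3, so TLS 1.0/1.1 are never offered whatever the `tls13` flag says, but cipher-suite selection for those versions is still left to the Erlang defaults; if that is intentional, a one-line template comment above `{%- if tls13 %}` saying so would help, otherwise `ssl_options.ciphers.N` entries plus `ssl_options.honor_cipher_order = true` in the same block are the natural follow-up. The `{% else %}` without the `-` modifier leaves a blank line in the rendered file, which matches the existing `ssl_client` block below, so it is consistent rather than a defect.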
@@ -35,6 +35,7 @@ class TestRabbitMQSSLContext(unittest.TestCase):
 self.assertTrue(close_port.called)
 self.assertTrue(reconfig_ssl.called)
 
+ @mock.patch.object(rabbitmq_context, 'cmp_pkgrevno')
 @mock.patch("rabbitmq_context.open_port")
 @mock.patch("rabbitmq_context.os.chmod")
 @mock.patch("rabbitmq_context.os.chown")
@@ -46,9 +47,12 @@ class TestRabbitMQSSLContext(unittest.TestCase):
 @mock.patch("rabbitmq_context.ssl_utils.reconfigure_client_ssl")
 @mock.patch("rabbitmq_context.ssl_utils.get_ssl_mode")
 def test_context_ssl_on(self, get_ssl_mode, reconfig_ssl, close_port,
- config, gr, pw, exists, chown, chmod, open_port):
+ config, gr, pw, exists, chown, chmod, open_port,
+ cmp_pkgrevno):
+
 exists.return_value = True
 get_ssl_mode.return_value = ("on", "on")
+ cmp_pkgrevno.return_value = 1
 
 def config_get(n):
 return None
@@ -75,10 +79,33 @@ class TestRabbitMQSSLContext(unittest.TestCase):
 "ssl_ca_file": "",
 "ssl_only": False,
 "ssl_mode": "on",
+ "tls13": True,
 })
 
 self.assertTrue(reconfig_ssl.called)
 self.assertTrue(open_port.called)
+ cmp_pkgrevno.assert_has_calls([
+ mock.call("erlang-base", "23.0"),
+ mock.call("rabbitmq-server", "3.8.11")
+ ])
+
+ # Check older erlang toggles tls13 flag off.
+ cmp_pkgrevno.return_value = -1
+ m = mock.mock_open()
+ with mock.patch('rabbitmq_context.open', m, create=True):
+ self.assertEqual(
+ rabbitmq_context.RabbitMQSSLContext().__call__(), {
+ "ssl_port": None,
+ "ssl_cert_file": "/etc/rabbitmq/rabbit-server-cert.pem",
+ "ssl_key_file": '/etc/rabbitmq/rabbit-server-privkey.pem',
+ "ssl_client": False,
+ "ssl_ca_file": "",
+ "ssl_only": False,
+ "ssl_mode": "on",
+ "tls13": False,
+ })
+
+ cmp_pkgrevno.assert_called_with("erlang-base", "23.0")
 
 
 class TestRabbitMQClusterContext(unittest.TestCase):
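Review bot: The new assertions never exercise the mixed case where Erlang passes the version check but rabbitmq-server does not, because `cmp_pkgrevno.return_value` is a single value shared by both calls; a `side_effect` keyed on the package name, `cmp_pkgrevno.side_effect = lambda pkg, ver: 1 if pkg == "erlang-base" else -1`, followed by the same `assertEqual` expecting `"tls13": False`, would cover the second operand of the `and`. The closing `assert_called_with("erlang-base", "23.0")` passes only because the conjunction short-circuits when Erlang is too old; a comment such as `# rabbitmq-server is not probed once the erlang check fails.` would make that intent explicit. The expected dict is now spelled out twice and could be hoisted to a local with only the `tls13` key varied, but that is style only. `test_context_ssl_on` starts outside the hunk.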