openstack
/
openstack-ansible-rabbitmq_server
Code Issues Proposed changes

Merge "Modernise TLS configuration"

This commit is contained in:
Zuul 2021-05-13 01:54:41 +00:00 committed by Gerrit Code Review
parent 08ae98bd66 fa4135ad6e
commit 892615bbe3
2 changed files with 50 additions and 4 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

29
defaults/main.yml
View File

@ -118,6 +118,35 @@ rabbitmq_ssl_self_signed_subject: "/C=US/ST=Texas/L=San Antonio/O=IT/CN={{ ansib
#rabbitmq_user_ssl_key: <path to cert on ansible deployment host>
#rabbitmq_user_ssl_ca_cert: <path to cert on ansible deployment host>
# These are highly recommended for TLSv1.2 but cannot be used
# with TLSv1.3. If TLSv1.3 is enabled, these lines will not be
# inserted into the config
rabbitmq_ssl_client_renegotiation: false
rabbitmq_ssl_secure_renegotiate: true
# Supported TLS protocol versions
rabbitmq_ssl_tls_versions:
- "tlsv1.2"
# Mutual TLS control
rabbitmq_ssl_verify: "verify_none"
rabbitmq_ssl_fail_if_no_peer_cert: False
# Recommended ciphers taken from https://www.rabbitmq.com/ssl.html
rabbitmq_ssl_ciphers:
- "ECDHE-ECDSA-AES256-GCM-SHA384"
- "ECDHE-RSA-AES256-GCM-SHA384"
- "ECDH-ECDSA-AES256-GCM-SHA384"
- "ECDH-RSA-AES256-GCM-SHA384"
- "DHE-RSA-AES256-GCM-SHA384"
- "DHE-DSS-AES256-GCM-SHA384"
- "ECDHE-ECDSA-AES128-GCM-SHA256"
- "ECDHE-RSA-AES128-GCM-SHA256"
- "ECDH-ECDSA-AES128-GCM-SHA256"
- "ECDH-RSA-AES128-GCM-SHA256"
- "DHE-RSA-AES128-GCM-SHA256"
- "DHE-DSS-AES128-GCM-SHA256"
# RabbitMQ erlang VM parameters
rabbitmq_async_threads: 128
rabbitmq_process_limit: 1048576

25
templates/rabbitmq.config.j2
View File

@ -14,16 +14,33 @@
{ ssl_options, [
{ certfile, "{{ rabbitmq_ssl_cert }}" },
{ keyfile, "{{ rabbitmq_ssl_key }}" },
{ honor_cipher_order, true},
{ honor_ecc_order, true},
{% if "tlsv1.3" not in rabbitmq_ssl_tls_versions %}
{ client_renegotiation, {{ rabbitmq_ssl_client_renegotiation | lower }} },
{ secure_renegotiate, {{ rabbitmq_ssl_secure_renegotiate | lower }} },
{% endif %}
{% if rabbitmq_user_ssl_ca_cert is defined -%}
{ cacertfile, "{{ rabbitmq_ssl_ca_cert }}" },
{% endif %}
{ versions, [
'tlsv1.2',
'tlsv1.1'
{% for version in rabbitmq_ssl_tls_versions %}
'{{ version }}'{% if not loop.last -%},{%- endif %}
{% endfor %}
]
},
{ verify, verify_none },
{ fail_if_no_peer_cert, false }
{% if rabbitmq_ssl_ciphers | length > 0 %}
{ ciphers, [
{% for cipher in rabbitmq_ssl_ciphers %}
"{{ cipher }}"{% if not loop.last -%},{%- endif %}
{% endfor %}
]
},
{% endif %}
{ verify, {{ rabbitmq_ssl_verify | lower }} },
{ fail_if_no_peer_cert, {{ rabbitmq_ssl_fail_if_no_peer_cert | lower }} }
]
},
{ vm_memory_high_watermark, {{ rabbitmq_memory_high_watermark }} }