Modernise TLS configuration
Set up TLS1.2 as recommended in https://www.rabbitmq.com/ssl.html Change-Id: I634ffe7ed47b8670bd2aad029dac1313cebd2961
@@ -118,6 +118,35 @@ rabbitmq_ssl_self_signed_subject: "/C=US/ST=Texas/L=San Antonio/O=IT/CN={{ ansib
|
|||||||
#rabbitmq_user_ssl_key: <path to cert on ansible deployment host>
|
#rabbitmq_user_ssl_key: <path to cert on ansible deployment host>
|
||||||
#rabbitmq_user_ssl_ca_cert: <path to cert on ansible deployment host>
|
#rabbitmq_user_ssl_ca_cert: <path to cert on ansible deployment host>
|
||||||
|
|
||||||
|
# These are highly recommended for TLSv1.2 but cannot be used
|
||||||
|
# with TLSv1.3. If TLSv1.3 is enabled, these lines will not be
|
||||||
|
# inserted into the config
|
||||||
|
rabbitmq_ssl_client_renegotiation: false
|
||||||
|
rabbitmq_ssl_secure_renegotiate: true
|
||||||
|
|
||||||
|
# Supported TLS protocol versions
|
||||||
|
rabbitmq_ssl_tls_versions:
|
||||||
|
- "tlsv1.2"
|
||||||
|
|
||||||
|
# Mutual TLS control
|
||||||
|
rabbitmq_ssl_verify: "verify_none"
|
||||||
|
rabbitmq_ssl_fail_if_no_peer_cert: False
|
||||||
|
|
||||||
|
# Recommended ciphers taken from https://www.rabbitmq.com/ssl.html
|
||||||
|
rabbitmq_ssl_ciphers:
|
||||||
|
- "ECDHE-ECDSA-AES256-GCM-SHA384"
|
||||||
|
- "ECDHE-RSA-AES256-GCM-SHA384"
|
||||||
|
- "ECDH-ECDSA-AES256-GCM-SHA384"
|
||||||
|
- "ECDH-RSA-AES256-GCM-SHA384"
|
||||||
|
- "DHE-RSA-AES256-GCM-SHA384"
|
||||||
|
- "DHE-DSS-AES256-GCM-SHA384"
|
||||||
|
- "ECDHE-ECDSA-AES128-GCM-SHA256"
|
||||||
|
- "ECDHE-RSA-AES128-GCM-SHA256"
|
||||||
|
- "ECDH-ECDSA-AES128-GCM-SHA256"
|
||||||
|
- "ECDH-RSA-AES128-GCM-SHA256"
|
||||||
|
- "DHE-RSA-AES128-GCM-SHA256"
|
||||||
|
- "DHE-DSS-AES128-GCM-SHA256"
|
||||||
|
|
||||||
# RabbitMQ erlang VM parameters
|
# RabbitMQ erlang VM parameters
|
||||||
rabbitmq_async_threads: 128
|
rabbitmq_async_threads: 128
|
||||||
rabbitmq_process_limit: 1048576
|
rabbitmq_process_limit: 1048576
|
||||||
|
|||||||
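Review bot: `rabbitmq_ssl_fail_if_no_peer_cert: False` uses a capitalised boolean while `rabbitmq_ssl_client_renegotiation: false` a few lines above uses the lowercase form; the template lowercases both before rendering, so it works, but yamllint's truthy rule and readers expect one spelling, so write `rabbitmq_ssl_fail_if_no_peer_cert: false`. The `# Mutual TLS control` heading does not say what a working mutual-TLS setup needs, which matters because the shipped defaults (`verify_none`, peer cert not required) leave client authentication off; a comment such as `# For mutual TLS set rabbitmq_ssl_verify to "verify_peer", rabbitmq_ssl_fail_if_no_peer_cert to true, and define rabbitmq_user_ssl_ca_cert so a cacertfile is rendered` would save operators a round trip to the RabbitMQ docs. The cipher list also includes the four static `ECDH-*` suites, which unlike the `ECDHE-*`/`DHE-*` entries do not provide forward secrecy; a short comment above the list pointing that out lets deployments that only need PFS suites trim it deliberately rather than by accident.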
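--- a/<rabbitmq config template; path not shown on page>
+++ b/<rabbitmq config template; path not shown on page>
@@ -14,16 +14,33 @@
 { ssl_options, [
 { certfile, "{{ rabbitmq_ssl_cert }}" },
 { keyfile, "{{ rabbitmq_ssl_key }}" },
+{ honor_cipher_order, true},
+{ honor_ecc_order, true},
+{% if "tlsv1.3" not in rabbitmq_ssl_tls_versions %}
+{ client_renegotiation, {{ rabbitmq_ssl_client_renegotiation | lower }} },
+{ secure_renegotiate, {{ rabbitmq_ssl_secure_renegotiate | lower }} },
+{% endif %}
 {% if rabbitmq_user_ssl_ca_cert is defined -%}
 { cacertfile, "{{ rabbitmq_ssl_ca_cert }}" },
 {% endif %}
 { versions, [
-'tlsv1.2',
-'tlsv1.1'
+{% for version in rabbitmq_ssl_tls_versions %}
+'{{ version }}'{% if not loop.last -%},{%- endif %}
+
+{% endfor %}
 ]
 },
-{ verify, verify_none },
-{ fail_if_no_peer_cert, false }
+{% if rabbitmq_ssl_ciphers | length > 0 %}
+{ ciphers, [
+{% for cipher in rabbitmq_ssl_ciphers %}
+"{{ cipher }}"{% if not loop.last -%},{%- endif %}
+
+{% endfor %}
+]
+},
+{% endif %}
+{ verify, {{ rabbitmq_ssl_verify | lower }} },
+{ fail_if_no_peer_cert, {{ rabbitmq_ssl_fail_if_no_peer_cert | lower }} }
 ]
 },
 { vm_memory_high_watermark, {{ rabbitmq_memory_high_watermark }} }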
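Review bot: `{ verify, {{ rabbitmq_ssl_verify | lower }} }` is rendered unconditionally while `cacertfile` is only emitted inside the `{% if rabbitmq_user_ssl_ca_cert is defined -%}` block, so an operator who sets `rabbitmq_ssl_verify` to `verify_peer` without defining the CA variable gets a config that asks the Erlang ssl app to verify peers against no trust store; I would expect that to fail or reject every client at handshake time rather than at deploy time, and the template gives no hint. A comment above the `verify` line, `{# verify_peer requires rabbitmq_user_ssl_ca_cert so that cacertfile is rendered above #}`, or better an `assert` task in the role that checks `rabbitmq_user_ssl_ca_cert is defined` whenever `rabbitmq_ssl_verify != "verify_none"`, would surface the misconfiguration early. Similarly, the `{% if rabbitmq_ssl_ciphers | length > 0 %}` guard silently falls back to the Erlang/OTP default cipher list when the variable is emptied; a one-line comment saying so, `{# empty list = OTP default ciphers, not "no ciphers" #}`, would stop that being mistaken for a hardening knob.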