Modernize rabbitmq's TLS support

The depend-on change switches rabbit's nodename to FQDN and adds the CA in the config. This puppet change does the following: 1. Switches the default tls versions to 1.2 and 1.3 2. Drops the old hard-coded cipher list that used to be needed to avoid falling back to tls 1.0 3. Introduce a verify_peer_{client,server} parameter. The former is set to verify_peer by default, so that rabbitmq 3.9 does not emit warnings (see original LP description) 4. Splits off all erlang ssl parameters to a separate file called /etc/rabbitmq/ssl-dist.conf. Reason for this is that it is cleaner and not all configurable items are supported by erlang as command line arguments. (In particular the ssl versions) 5. Make sure we pass the custom CA inside the HA bundle (this had to be split out to Ib0236f9c086d520d0a27e3aa8b41927bc7b50c26 (Bind mount the IPA crt when internal_tls is enabled) for CI to pass on all reviews. Tested as follows: A. Deployed and run tempest against a TLS-E overcloud that uses as rabbitmq 3.9 + erlang 24.1 stack B. Made sure that only tls1.2 and/or tls1.3 are allowed on port 5672 and 25672 [root@controller-0 ~]# openssl s_client -connect controller-0.internalapi.home.arpa:5672 -CAfile /etc/ipa/ca.crt -verify_hostname controller-0.internalapi.home.arpa -tls1_1 |grep ^New 00CCA0CAB37F0000:error:0A00042E:SSL routines:ssl3_read_bytes:tlsv1 alert protocol version:ssl/record/rec_layer_s3.c:1584:SSL alert number 70 New, (NONE), Cipher is (NONE) [root@controller-0 ~]# openssl s_client -connect controller-0.internalapi.home.arpa:5672 -CAfile /etc/ipa/ca.crt -verify_hostname controller-0.internalapi.home.arpa -tls1_2 |grep ^New depth=1 O = HOME.ARPA, CN = Certificate Authority verify return:1 depth=0 O = HOME.ARPA, CN = controller-0.internalapi.home.arpa verify return:1 New, TLSv1.2, Cipher is ECDHE-RSA-AES256-GCM-SHA384 [root@controller-0 ~]# openssl s_client -connect controller-0.internalapi.home.arpa:5672 -CAfile /etc/ipa/ca.crt -verify_hostname controller-0.internalapi.home.arpa -tls1_3 |grep ^New depth=1 O = HOME.ARPA, CN = Certificate Authority verify return:1 depth=0 O = HOME.ARPA, CN = controller-0.internalapi.home.arpa verify return:1 New, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384 Closes-Bug: #1946374 Co-Authored-By: John Eckersberg <jeckersb@redhat.com> Depends-On: I621557a037fbedc5c110f905dbe19290cc92b772 Change-Id: I4f853de3b532b3b5e71d29aa621a2925c3885393
2021-10-04 21:33:40 +02:00 · 2021-10-04 21:33:40 +02:00 · 7892097e8f
commit 7892097e8f
parent 28135309d9
2 changed files with 52 additions and 23 deletions
--- a/manifests/profile/base/rabbitmq.pp
+++ b/manifests/profile/base/rabbitmq.pp
@ -41,16 +41,24 @@
 # [*ssl_versions*]
 #   (Optional) When enable_internal_tls is in use, list the enabled
 #   TLS protocol version.
-#   Defaults to undef
+#   Defaults to ['tlsv1.2', 'tlsv1.3']
 #
 # [*inter_node_ciphers*]
 #   (Optional) When enable_internal_tls is in use, list the allowed ciphers
 #   for the encrypted inter-node communication.
-# lint:ignore:140chars
-#   Defaults to "ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:AES256-GCM-SHA384:AES256-SHA256:AES128-GCM-SHA256:AES128-SHA256:DHE-DSS-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA256:DHE-DSS-AES128-GCM-SHA256:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-SHA256:DHE-DSS-AES128-SHA256"
-# lint:endignore
-#   which is the list of ciphers enabled out of the openssl cipher list format
-#   !SSLv2:kEECDH:kRSA:kEDH:kPSK:+3DES:!aNULL:!eNULL:!MD5:!EXP:!RC4:!SEED:!IDEA:!DES:!SSLv3:!TLSv1
+#   Defaults to ''
+#
+# [*rabbitmq_cacert*]
+#   (Optional) When internal tls is enabled this should point to the CA file
+#   Defaults to hiera('rabbitmq::ssl_cacert')
+#
+# [*verify_server_peer*]
+#   (Optional) Server verify peer
+#   Defaults to 'verify_none'
+#
+# [*verify_client_peer*]
+#   (Optional) Client verify peer
+#   Defaults to 'verify_peer'
 #
 # [*environment*]
 #   (Optional) RabbitMQ environment.
@ -120,10 +128,11 @@ class tripleo::profile::base::rabbitmq (
  $enable_internal_tls           = undef,
  $environment                   = hiera('rabbitmq_environment'),
  $additional_erl_args           = undef,
-  $ssl_versions                  = undef,
-  # lint:ignore:140chars
-  $inter_node_ciphers            = 'ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:AES256-GCM-SHA384:AES256-SHA256:AES128-GCM-SHA256:AES128-SHA256:DHE-DSS-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA256:DHE-DSS-AES128-GCM-SHA256:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-SHA256:DHE-DSS-AES128-SHA256',
-  # lint:endignore
+  $ssl_versions                  = ['tlsv1.2', 'tlsv1.3'],
+  $inter_node_ciphers            = '',
+  $rabbitmq_cacert               = hiera('rabbitmq::ssl_cacert'),
+  $verify_server_peer            = 'verify_none',
+  $verify_client_peer            = 'verify_peer',
  $inet_dist_interface           = hiera('rabbitmq::interface', undef),
  $ipv6                          = str2bool(hiera('rabbit_ipv6', false)),
  $kernel_variables              = hiera('rabbitmq_kernel_variables'),
@ -151,10 +160,6 @@ class tripleo::profile::base::rabbitmq (
  if $enable_internal_tls {
    $tls_certfile = $certificate_specs['service_certificate']
    $tls_keyfile = $certificate_specs['service_key']
-    $cert_option = "-ssl_dist_opt server_certfile ${tls_certfile}"
-    $key_option = "-ssl_dist_opt server_keyfile ${tls_keyfile}"
-    $ciphers_option = "-ssl_dist_opt server_ciphers ${inter_node_ciphers}"
-    $secure_renegotiate = '-ssl_dist_opt server_secure_renegotiate true -ssl_dist_opt client_secure_renegotiate true'

    # Historically in THT the default value of RabbitAdditionalErlArgs was "'+sbwt none'", we
    # want to strip leading and trailing ' chars.
@ -163,20 +168,15 @@ class tripleo::profile::base::rabbitmq (
    } else {
      $additional_erl_args_real = ''
    }
-    $rabbitmq_additional_erl_args = "\"${cert_option} ${key_option} ${ciphers_option} ${secure_renegotiate} ${additional_erl_args_real}\""
+    $rabbitmq_additional_erl_args = "\"${additional_erl_args_real} -ssl_dist_optfile /etc/rabbitmq/ssl-dist.conf\""
+    $rabbitmq_client_additional_erl_args = "\"${additional_erl_args_real}\""
    $environment_real = merge($environment, {
      'RABBITMQ_SERVER_ADDITIONAL_ERL_ARGS' => $rabbitmq_additional_erl_args,
      'RABBITMQ_CTL_ERL_ARGS' => $rabbitmq_additional_erl_args,
-      'LANG' => 'en_US.UTF-8',
+      'LANG'   => 'en_US.UTF-8',
      'LC_ALL' => 'en_US.UTF-8'
    })
-    # Configure a list of secure transport protocols, unless the
-    # user explicitly sets one
-    if !defined(ssl_versions) {
-      $configured_ssl_versions = ['tlsv1.2', 'tlsv1.1']
-    } else {
-      $configured_ssl_versions = $ssl_versions
-    }
+    $configured_ssl_versions = $ssl_versions
  } else {
    $tls_certfile = undef
    $tls_keyfile = undef
@ -206,6 +206,13 @@ class tripleo::profile::base::rabbitmq (

  $manage_service = hiera('rabbitmq::service_manage', true)
  if $step >= 1 {
+    file { '/etc/rabbitmq/ssl-dist.conf':
+      ensure  => file,
+      content => template('tripleo/rabbitmq/ssl-dist.conf.erb'),
+      owner   => 'rabbitmq',
+      group   => 'rabbitmq',
+      mode    => '0640',
+    }
    # Specific configuration for multi-nodes or when running with Pacemaker.
    if count($nodes) > 1 or ! $manage_service {
      class { 'rabbitmq':
@ -218,6 +225,7 @@ class tripleo::profile::base::rabbitmq (
        ssl_cert                => $tls_certfile,
        ssl_key                 => $tls_keyfile,
        ssl_versions            => $configured_ssl_versions,
+        ssl_verify              => $verify_server_peer,
        ipv6                    => $ipv6,
      }

--- a/templates/rabbitmq/ssl-dist.conf.erb
+++ b/templates/rabbitmq/ssl-dist.conf.erb
@ -0,0 +1,21 @@
+% This file managed by Puppet
+% Template Path: <%= @module_name %>/templates/rabbitmq/ssl-dist.conf
+[{server,
+  [{certfile, "<%= @tls_certfile %>"},
+   {keyfile, "<%= @tls_keyfile %>"},
+   {cacertfile, "<%= @rabbitmq_cacert %>"},
+   {verify, <%= @verify_server_peer %>},
+<%- if @inter_node_ciphers and @inter_node_ciphers != '' -%>
+   {server_ciphers, "<%= @inter_node_ciphers %>"},
+<%- end -%>
+   {versions, [<%= @ssl_versions.sort.map { |v| "'#{v}'" }.join(', ') %>]},
+   {secure_renegotiate, true}
+  ]},
+ {client,
+  [{cacertfile, "<%= @rabbitmq_cacert %>"},
+   {verify, <%= @verify_client_peer %>},
+   {secure_renegotiate, true},
+   {versions, [<%= @ssl_versions.sort.map { |v| "'#{v}'" }.join(', ') %>]}
+  ]}
+].
+% EOF