7892097e8f
The depend-on change switches rabbit's nodename to FQDN and adds the CA in the config.

This puppet change does the following:

1. Switches the default tls versions to 1.2 and 1.3
2. Drops the old hard-coded cipher list that used to be needed to avoid falling back to tls 1.0
3. Introduces a verify_peer_{client,server} parameter. The former is set to verify_peer by default, so that rabbitmq 3.9 does not emit warnings (see original LP description)
4. Splits off all erlang ssl parameters to a separate file called /etc/rabbitmq/ssl-dist.conf. The reason for this is that it is cleaner and not all configurable items are supported by erlang as command line arguments (in particular the ssl versions)
5. Makes sure we pass the custom CA inside the HA bundle (this had to be split out to Ib0236f9c086d520d0a27e3aa8b41927bc7b50c26 (Bind mount the IPA crt when internal_tls is enabled) for CI to pass on all reviews)

Tested as follows:

A. Deployed and ran tempest against a TLS-E overcloud that uses a rabbitmq 3.9 + erlang 24.1 stack
B. Made sure that only tls1.2 and/or tls1.3 are allowed on port 5672 and 25672

[root@controller-0 ~]# openssl s_client -connect controller-0.internalapi.home.arpa:5672 -CAfile /etc/ipa/ca.crt -verify_hostname controller-0.internalapi.home.arpa -tls1_1 |grep ^New
00CCA0CAB37F0000:error:0A00042E:SSL routines:ssl3_read_bytes:tlsv1 alert protocol version:ssl/record/rec_layer_s3.c:1584:SSL alert number 70
New, (NONE), Cipher is (NONE)

[root@controller-0 ~]# openssl s_client -connect controller-0.internalapi.home.arpa:5672 -CAfile /etc/ipa/ca.crt -verify_hostname controller-0.internalapi.home.arpa -tls1_2 |grep ^New
depth=1 O = HOME.ARPA, CN = Certificate Authority
verify return:1
depth=0 O = HOME.ARPA, CN = controller-0.internalapi.home.arpa
verify return:1
New, TLSv1.2, Cipher is ECDHE-RSA-AES256-GCM-SHA384

[root@controller-0 ~]# openssl s_client -connect controller-0.internalapi.home.arpa:5672 -CAfile /etc/ipa/ca.crt -verify_hostname controller-0.internalapi.home.arpa -tls1_3 |grep ^New
depth=1 O = HOME.ARPA, CN = Certificate Authority
verify return:1
depth=0 O = HOME.ARPA, CN = controller-0.internalapi.home.arpa
verify return:1
New, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384

Closes-Bug: #1946374
Co-Authored-By: John Eckersberg <jeckersb@redhat.com>
Depends-On: I621557a037fbedc5c110f905dbe19290cc92b772
Change-Id: I4f853de3b532b3b5e71d29aa621a2925c3885393
Files: ssl-dist.conf.erb
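The version checks recorded in the commit message, written up as an added Python example (not code from this puppet change or from the project): it pins one handshake per protocol version with Python's ssl module, the way the openssl s_client -tls1_1 / -tls1_2 / -tls1_3 runs above do, and compares the outcome with the policy that only TLS 1.2 and 1.3 may be accepted. The function names probe_version, evaluate and audit, the EXAMPLE_RESULTS sample (constructed to mirror the output above) and the command-line layout are this example's own assumptions; host, port and CA path are passed on the command line when probing a real listener.

```python
"""Verify that a TLS listener accepts only TLS 1.2 and 1.3.

Added example (not from the puppet-tripleo change): a Python equivalent of the
openssl s_client -tls1_1 / -tls1_2 / -tls1_3 checks in the commit message.
"""
import socket
import ssl
import sys

# Every version we probe; the policy below admits only the last two.
ALL_VERSIONS = (
    ssl.TLSVersion.TLSv1,
    ssl.TLSVersion.TLSv1_1,
    ssl.TLSVersion.TLSv1_2,
    ssl.TLSVersion.TLSv1_3,
)
ALLOWED = frozenset({ssl.TLSVersion.TLSv1_2, ssl.TLSVersion.TLSv1_3})

# Constructed sample (assumption) mirroring what the commit message recorded:
# alert 70 for the old versions, a completed handshake for 1.2 and 1.3.
EXAMPLE_RESULTS = {
    ssl.TLSVersion.TLSv1: (False, "ssl: TLSV1_ALERT_PROTOCOL_VERSION"),
    ssl.TLSVersion.TLSv1_1: (False, "ssl: TLSV1_ALERT_PROTOCOL_VERSION"),
    ssl.TLSVersion.TLSv1_2: (True, "TLSv1.2 ECDHE-RSA-AES256-GCM-SHA384"),
    ssl.TLSVersion.TLSv1_3: (True, "TLSv1.3 TLS_AES_256_GCM_SHA384"),
}


def probe_version(host, port, version, cafile=None, timeout=5.0):
    """Attempt one handshake pinned to exactly `version`.

    Returns (accepted, detail).  `detail` keeps the negotiated cipher or the
    failure reason, so a client-side refusal (the local OpenSSL security level
    forbidding TLS 1.0) can be told apart from the server's own alert.
    """
    ctx = ssl.create_default_context(cafile=cafile)
    try:
        ctx.minimum_version = version
        ctx.maximum_version = version
    except ValueError as exc:
        return False, "client: %s" % exc
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                return True, "%s %s" % (tls.version(), tls.cipher()[0])
    except ssl.SSLError as exc:
        # TLSV1_ALERT_PROTOCOL_VERSION is the server refusing the version,
        # the "SSL alert number 70" seen with openssl s_client -tls1_1.
        return False, "ssl: %s" % (exc.reason or exc)
    except OSError as exc:
        return False, "network: %s" % exc


def evaluate(results, allowed=ALLOWED):
    """Compare {version: (accepted, detail)} against the allowed set.

    Returns a list of findings; an empty list means exactly the allowed
    versions are accepted and every other one is refused.
    """
    findings = []
    for version, (accepted, detail) in sorted(results.items()):
        if accepted and version not in allowed:
            findings.append("%s accepted but not allowed (%s)" % (version.name, detail))
        elif not accepted and version in allowed:
            findings.append("%s allowed but refused (%s)" % (version.name, detail))
    return findings


def audit(host, port, cafile=None):
    """Probe every version on host:port and return the policy findings."""
    results = {v: probe_version(host, port, v, cafile) for v in ALL_VERSIONS}
    return evaluate(results)


if __name__ == "__main__":
    if len(sys.argv) >= 3:
        # e.g. python3 tls_versions.py controller-0.internalapi.home.arpa 5672 /etc/ipa/ca.crt
        cafile = sys.argv[3] if len(sys.argv) > 3 else None
        findings = audit(sys.argv[1], int(sys.argv[2]), cafile)
    else:
        # No arguments: evaluate the constructed sample instead of a live host.
        findings = evaluate(EXAMPLE_RESULTS)
    for line in findings:
        print("FAIL:", line)
    print("OK: only TLS 1.2 and 1.3 accepted" if not findings else "%d finding(s)" % len(findings))
    sys.exit(1 if findings else 0)
```

Run it against both 5672 and 25672, since the commit's policy covers the AMQP listener and the Erlang distribution port alike. evaluate reports two kinds of drift: a version outside the allowed set that the server still completes (the regression the cipher-list removal could otherwise mask), and an allowed version the server refuses (which would surface a misconfigured ssl-dist.conf). The detail string is kept on purpose: an "ssl: TLSV1_ALERT_PROTOCOL_VERSION" entry is the server enforcing the policy, whereas a "client:" entry means the probing host could not even offer that version, so no conclusion about the server should be drawn from it.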