puppet-tripleo/templates/rabbitmq
Michele Baldessari 7892097e8f Modernize rabbitmq's TLS support
The depend-on change switches rabbit's nodename to FQDN and adds
the CA in the config. This puppet change does the following:
1. Switches the default tls versions to 1.2 and 1.3
2. Drops the old hard-coded cipher list that used to be needed to avoid
   falling back to tls 1.0
3. Introduces a verify_peer_{client,server} parameter. The former is set
   to verify_peer by default, so that rabbitmq 3.9 does not emit
   warnings (see original LP description)
4. Splits off all erlang ssl parameters to a separate file called
   /etc/rabbitmq/ssl-dist.conf. Reason for this is that it is cleaner
   and not all configurable items are supported by erlang as command
   line arguments. (In particular the ssl versions)
5. Makes sure we pass the custom CA inside the HA bundle (this had to
   be split out to Ib0236f9c086d520d0a27e3aa8b41927bc7b50c26
   (Bind mount the IPA crt when internal_tls is enabled) for CI to pass
   on all reviews).

Tested as follows:
A. Deployed and ran tempest against a TLS-E overcloud that uses a
   rabbitmq 3.9 + erlang 24.1 stack
B. Made sure that only tls1.2 and/or tls1.3 are allowed on port 5672
   and 25672

[root@controller-0 ~]# openssl s_client -connect controller-0.internalapi.home.arpa:5672 -CAfile /etc/ipa/ca.crt -verify_hostname controller-0.internalapi.home.arpa -tls1_1 |grep ^New
00CCA0CAB37F0000:error:0A00042E:SSL routines:ssl3_read_bytes:tlsv1 alert protocol version:ssl/record/rec_layer_s3.c:1584:SSL alert number 70
New, (NONE), Cipher is (NONE)

[root@controller-0 ~]# openssl s_client -connect controller-0.internalapi.home.arpa:5672 -CAfile /etc/ipa/ca.crt -verify_hostname controller-0.internalapi.home.arpa -tls1_2 |grep ^New
depth=1 O = HOME.ARPA, CN = Certificate Authority
verify return:1
depth=0 O = HOME.ARPA, CN = controller-0.internalapi.home.arpa
verify return:1
New, TLSv1.2, Cipher is ECDHE-RSA-AES256-GCM-SHA384

[root@controller-0 ~]# openssl s_client -connect controller-0.internalapi.home.arpa:5672 -CAfile /etc/ipa/ca.crt -verify_hostname controller-0.internalapi.home.arpa -tls1_3 |grep ^New
depth=1 O = HOME.ARPA, CN = Certificate Authority
verify return:1
depth=0 O = HOME.ARPA, CN = controller-0.internalapi.home.arpa
verify return:1
New, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384

Closes-Bug: #1946374

Co-Authored-By: John Eckersberg <jeckersb@redhat.com>

Depends-On: I621557a037fbedc5c110f905dbe19290cc92b772

Change-Id: I4f853de3b532b3b5e71d29aa621a2925c3885393
2021-10-12 07:19:52 +02:00
ssl-dist.conf.erb Modernize rabbitmq's TLS support 2021-10-12 07:19:52 +02:00
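The manual openssl s_client checks in the commit message can be turned into a repeatable audit. The script below is an added example, not part of the puppet-tripleo change: it probes a listener with each TLS version flag, classifies the "New, ..." status line s_client prints, and fails if anything other than 1.2 and 1.3 completes a handshake. The host, ports and CA path are placeholders taken from the test session above and must be set for your deployment.

```shell
#!/bin/sh
# Added example (not from the puppet-tripleo change): audit which TLS
# versions a RabbitMQ listener accepts. After this change, tls1/tls1_1
# should be rejected and tls1_2/tls1_3 accepted on 5672 and 25672.

# Classify s_client output by its "New, ..." status line.
# Prints "accepted" when a cipher was negotiated, "rejected" otherwise
# (alert 70 "protocol version" leaves "Cipher is (NONE)", or no line).
classify_s_client_output() {
    status=$(printf '%s\n' "$1" | grep '^New,' | head -n 1)
    case "$status" in
        *"Cipher is (NONE)"*|"") echo rejected ;;
        *"Cipher is "*)          echo accepted ;;
        *)                       echo rejected ;;
    esac
}

# One probe: host, port, version flag suffix (tls1, tls1_1, ...), CA file.
probe_tls_version() {
    host=$1; port=$2; version=$3; cafile=$4
    out=$(openssl s_client -connect "$host:$port" -CAfile "$cafile" \
            -verify_hostname "$host" "-$version" </dev/null 2>&1)
    classify_s_client_output "$out"
}

# Probe all four versions; return 1 if the accepted set is not {1.2, 1.3}.
audit_listener() {
    host=$1; port=$2; cafile=$3; rc=0
    for v in tls1 tls1_1 tls1_2 tls1_3; do
        result=$(probe_tls_version "$host" "$port" "$v" "$cafile")
        case "$v" in
            tls1|tls1_1) want=rejected ;;
            *)           want=accepted ;;
        esac
        printf '%s:%s %-7s %s\n' "$host" "$port" "$v" "$result"
        [ "$result" = "$want" ] || rc=1
    done
    return $rc
}

# Usage (placeholder values from the commit's test session):
#   RABBIT_HOST=controller-0.internalapi.home.arpa sh tls-audit.sh
if [ -n "${RABBIT_HOST-}" ]; then
    for port in 5672 25672; do
        audit_listener "$RABBIT_HOST" "$port" "${RABBIT_CAFILE:-/etc/ipa/ca.crt}"
    done
fi
```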