The depend-on change switches rabbit's nodename to FQDN and adds
the CA in the config. This puppet change does the following:
1. Switches the default tls versions to 1.2 and 1.3
2. Drops the old hard-coded cipher list that used to be needed to avoid
falling back to tls 1.0
3. Introduces a verify_peer_{client,server} parameter. The former is set
to verify_peer by default, so that rabbitmq 3.9 does not emit
warnings (see original LP description)
4. Splits off all erlang ssl parameters to a separate file called
/etc/rabbitmq/ssl-dist.conf. Reason for this is that it is cleaner
and not all configurable items are supported by erlang as command
line arguments. (In particular the ssl versions)
5. Makes sure we pass the custom CA inside the HA bundle (this had to
be split out to Ib0236f9c086d520d0a27e3aa8b41927bc7b50c26
(Bind mount the IPA crt when internal_tls is enabled) for CI to pass
on all reviews).
Tested as follows:
A. Deployed and ran tempest against a TLS-E overcloud that uses a
rabbitmq 3.9 + erlang 24.1 stack
B. Made sure that only tls1.2 and/or tls1.3 are allowed on port 5672
and 25672
[root@controller-0 ~]# openssl s_client -connect controller-0.internalapi.home.arpa:5672 -CAfile /etc/ipa/ca.crt -verify_hostname controller-0.internalapi.home.arpa -tls1_1 |grep ^New
00CCA0CAB37F0000:error:0A00042E:SSL routines:ssl3_read_bytes:tlsv1 alert protocol version:ssl/record/rec_layer_s3.c:1584:SSL alert number 70
New, (NONE), Cipher is (NONE)
[root@controller-0 ~]# openssl s_client -connect controller-0.internalapi.home.arpa:5672 -CAfile /etc/ipa/ca.crt -verify_hostname controller-0.internalapi.home.arpa -tls1_2 |grep ^New
depth=1 O = HOME.ARPA, CN = Certificate Authority
verify return:1
depth=0 O = HOME.ARPA, CN = controller-0.internalapi.home.arpa
verify return:1
New, TLSv1.2, Cipher is ECDHE-RSA-AES256-GCM-SHA384
[root@controller-0 ~]# openssl s_client -connect controller-0.internalapi.home.arpa:5672 -CAfile /etc/ipa/ca.crt -verify_hostname controller-0.internalapi.home.arpa -tls1_3 |grep ^New
depth=1 O = HOME.ARPA, CN = Certificate Authority
verify return:1
depth=0 O = HOME.ARPA, CN = controller-0.internalapi.home.arpa
verify return:1
New, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384
Closes-Bug: #1946374
Co-Authored-By: John Eckersberg <jeckersb@redhat.com>
Depends-On: I621557a037fbedc5c110f905dbe19290cc92b772
Change-Id: I4f853de3b532b3b5e71d29aa621a2925c3885393
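The manual check in step B above (one openssl s_client run per protocol version, then reading the "New, <proto>, Cipher is <cipher>" summary line) can be scripted so it is repeatable after every reconfiguration. The script below is an added example and is not part of this change or of puppet-tripleo; the host name, port and CA path are taken from the session above and are only assumptions for the usage comment, and the result classification relies solely on the summary line format quoted in the commit message.

```shell
#!/usr/bin/env bash
# Added example (not part of the change): verify that a rabbitmq/erlang listener
# negotiates exactly TLS 1.2 and TLS 1.3 and refuses TLS 1.0 and 1.1.
set -u

# classify_tls_result: read openssl s_client output from stdin and print
# "accepted" when a session with a real protocol and cipher was negotiated,
# otherwise "rejected" (covers "New, (NONE), Cipher is (NONE)", a protocol
# version alert, or no summary line at all because the connect failed).
classify_tls_result() {
    local out
    out=$(cat)
    if printf '%s\n' "$out" | grep -q '^New, TLSv1\.[0-9], Cipher is [^(]'; then
        echo accepted
    else
        echo rejected
    fi
}

# expected_result: the policy this change enforces per s_client version flag.
expected_result() {
    case "$1" in
        tls1|tls1_1)   echo rejected ;;
        tls1_2|tls1_3) echo accepted ;;
        *)             echo unknown ;;
    esac
}

# check_version VERSION OBSERVED: 0 when the observed result matches the policy.
check_version() {
    local version="$1" observed="$2"
    [ "$(expected_result "$version")" = "$observed" ]
}

# probe_listener HOST PORT CAFILE: run the four probes and report PASS/FAIL per
# version; returns 1 if any version deviates from the policy.
probe_listener() {
    local host="$1" port="$2" cafile="$3" status=0 version observed
    for version in tls1 tls1_1 tls1_2 tls1_3; do
        observed=$(openssl s_client -connect "$host:$port" -CAfile "$cafile" \
                       -verify_hostname "$host" "-$version" </dev/null 2>&1 \
                   | classify_tls_result)
        if check_version "$version" "$observed"; then
            echo "PASS $version: $observed"
        else
            echo "FAIL $version: $observed (expected $(expected_result "$version"))"
            status=1
        fi
    done
    return "$status"
}

# Usage against the deployment shown in the commit message (assumed values):
#   probe_listener controller-0.internalapi.home.arpa 5672 /etc/ipa/ca.crt
#   probe_listener controller-0.internalapi.home.arpa 25672 /etc/ipa/ca.crt
```

One caveat when reading the report: a modern openssl client at its default security level may itself refuse to offer TLS 1.0 or 1.1 ("no protocols available"), which this script also reports as "rejected". That outcome says nothing about the server, so confirm that the tls1 and tls1_1 probes actually reached the listener (the "alert protocol version" line in the session above is the server-side refusal you want to see).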