From 4dcfdf510b60887db25eca48165125c4d6956198 Mon Sep 17 00:00:00 2001 From: Dale Smith Date: Thu, 29 Jan 2015 16:12:26 +0000 Subject: [PATCH 1/2] Bugfix for ssl_versions in rabbitmq.config so Erlang/RabbitMQ respect them. The format reference example is given in https://www.rabbitmq.com/ssl.html#disabling-tls-versions Also add version list for rabbitmq_management config ssl_opts. --- templates/rabbitmq.config.erb | 13 ++++++++----- 1 file changed, 8 insertions(+), 5 deletions(-) diff --git a/templates/rabbitmq.config.erb b/templates/rabbitmq.config.erb index 75a7ca100..591a1cb17 100644 --- a/templates/rabbitmq.config.erb +++ b/templates/rabbitmq.config.erb @@ -1,6 +1,9 @@ % This file managed by Puppet % Template Path: <%= @module_name %>/templates/rabbitmq.config [ +<%- if @ssl and @ssl_versions -%> + {ssl, [{versions, [<%= @ssl_versions.sort.map { |v| "'#{v}'" }.join(', ') %>]}]}, +<%- end -%> {rabbit, [ <% if @ldap_auth -%> {auth_backends, [rabbit_auth_backend_internal, rabbit_auth_backend_ldap]}, @@ -16,9 +19,6 @@ {tcp_listeners, []}, <%- end -%> <%- if @ssl -%> - <%- if @ssl_versions -%> - {ssl, [{versions, [<%= @ssl_versions.sort.map { |v| "'#{v}'" }.join(', ') %>]}]}, - <%- end -%> {ssl_listeners, [<%= @ssl_port %>]}, {ssl_options, [<%- if @ssl_cacert != 'UNSET' -%>{cacertfile,"<%= @ssl_cacert %>"},<%- end -%> {certfile,"<%= @ssl_cert %>"}, @@ -26,7 +26,7 @@ {verify,<%= @ssl_verify %>}, {fail_if_no_peer_cert,<%= @ssl_fail_if_no_peer_cert %>} <%- if @ssl_versions -%> - ,{ssl, [{versions, [<%= @ssl_versions.sort.map { |v| "'#{v}'" }.join(', ') %>]}]} + ,{versions, [<%= @ssl_versions.sort.map { |v| "'#{v}'" }.join(', ') %>]} <% end -%>]}, <%- end -%> <% if @config_variables -%> 
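Review bot: Each entry of `@ssl_versions` is written into the Erlang term as a quoted atom (`'#{v}'`) with no check visible in this template, so a typo or a value containing `'` goes into rabbitmq.config verbatim. The guard `if @ssl and @ssl_versions` is also true for an empty array, which renders `{versions, []}`. I would validate the parameter where it is declared (the manifest is not part of this diff) against the version atoms Erlang's ssl application accepts, and tighten the guard to `<%- if @ssl and @ssl_versions and !@ssl_versions.empty? -%>`. The same interpolation is added to `ssl_options` in the `-26,7` hunk and to the management `ssl_opts` in the `-49,7` hunk, so the check belongs with the parameter rather than in the template.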
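Review bot: The expression `@ssl_versions.sort.map { |v| "'#{v}'" }.join(', ')` now appears three times in this template (the top-level `ssl` block, `ssl_options` here, and the management `ssl_opts` further down), so a later edit can leave the listeners with different version lists. Build it once near the top, `<%- tls_versions = @ssl_versions.sort.map { |v| "'#{v}'" }.join(', ') if @ssl_versions -%>`, and emit `<%= tls_versions %>` at each site. The `ssl_options` list this line sits in opens above the hunk.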
@@ -49,7 +49,10 @@ {ssl, true}, {ssl_opts, [<%- if @ssl_cacert != 'UNSET' -%>{cacertfile, "<%= @ssl_cacert %>"},<%- end -%> {certfile, "<%= @ssl_cert %>"}, - {keyfile, "<%= @ssl_key %>"}]} + {keyfile, "<%= @ssl_key %>"} + <%- if @ssl_versions -%> + ,{versions, [<%= @ssl_versions.sort.map { |v| "'#{v}'" }.join(', ') %>]} + <% end -%>]} <%- else -%> {port, <%= @management_port %>} <%- end -%> From ae66ee8307f1e563bc22c79949b527939c4aa0f0 Mon Sep 17 00:00:00 2001 From: Dale Smith Date: Thu, 29 Jan 2015 18:17:09 +0000 Subject: [PATCH 2/2] Updating rspec tests for ssl_version changes, whitespace and rabbitmq_management version block --- spec/classes/rabbitmq_spec.rb | 28 ++++++++++++++++++++++++++-- 1 file changed, 26 insertions(+), 2 deletions(-) diff --git a/spec/classes/rabbitmq_spec.rb b/spec/classes/rabbitmq_spec.rb index 1d6e5946a..8429c98c4 100644 --- a/spec/classes/rabbitmq_spec.rb +++ b/spec/classes/rabbitmq_spec.rb @@ -519,6 +519,7 @@ should contain_file('rabbitmq.config').with_content(%r{certfile,"/path/to/cert"}) should contain_file('rabbitmq.config').with_content(%r{keyfile,"/path/to/key}) should contain_file('rabbitmq.config').with_content(%r{ssl, \[\{versions, \['tlsv1.1', 'tlsv1.2'\]\}\]}) + should contain_file('rabbitmq.config').with_content(%r{versions, \['tlsv1.1', 'tlsv1.2'\]}) end end 
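Review bot: The closing tag added here is `<% end -%>` while the opening one is `<%- if @ssl_versions -%>`, so the indentation in front of `<% end` is copied into the rendered file when the branch is taken. Erlang ignores that whitespace, so this is only about keeping the trim markers consistent: `<%- end -%>]}`. The `ssl_opts` list and the surrounding `if`/`else` start outside this hunk.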
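Review bot: The added pattern `%r{versions, \['tlsv1.1', 'tlsv1.2'\]}` is a substring of what the assertion just above it already matches (`ssl, \[\{versions, ...`), so it passes whenever that one does and proves nothing about the `versions` entry inside `ssl_options`. Anchor it on the leading comma the template emits there and escape the dots: `should contain_file('rabbitmq.config').with_content(%r{,\{versions, \['tlsv1\.1', 'tlsv1\.2'\]\}})`. If the management listener is also rendered for these params (they are outside the hunk), that block emits the same text, so tying the match to the `fail_if_no_peer_cert` entry just before it would be stricter still.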
@@ -552,6 +553,29 @@ end end + describe 'ssl admin options with specific ssl versions' do + let(:params) { + { :ssl => true, + :ssl_management_port => 5926, + :ssl_cacert => '/path/to/cacert', + :ssl_cert => '/path/to/cert', + :ssl_key => '/path/to/key', + :ssl_versions => ['tlsv1.2', 'tlsv1.1'], + :admin_enable => true + } } + + it 'should set admin ssl opts to specified values' do + should contain_file('rabbitmq.config').with_content(%r{rabbitmq_management, \[}) + should contain_file('rabbitmq.config').with_content(%r{listener, \[}) + should contain_file('rabbitmq.config').with_content(%r{port, 5926\}}) + should contain_file('rabbitmq.config').with_content(%r{ssl, true\}}) + should contain_file('rabbitmq.config').with_content(%r{ssl_opts, \[\{cacertfile, "/path/to/cacert"\},}) + should contain_file('rabbitmq.config').with_content(%r{certfile, "/path/to/cert"\},}) + should contain_file('rabbitmq.config').with_content(%r{keyfile, "/path/to/key"\}}) + should contain_file('rabbitmq.config').with_content(%r{,\{versions, \['tlsv1.1', 'tlsv1.2'\]\}[\r\n ]*\]\}}) + end + end + describe 'ssl admin options' do let(:params) { { :ssl => true, @@ -569,7 +593,7 @@ should contain_file('rabbitmq.config').with_content(%r{ssl, true\}}) should contain_file('rabbitmq.config').with_content(%r{ssl_opts, \[\{cacertfile, "/path/to/cacert"\},}) should contain_file('rabbitmq.config').with_content(%r{certfile, "/path/to/cert"\},}) - should contain_file('rabbitmq.config').with_content(%r{keyfile, "/path/to/key"\}\]\}}) + should contain_file('rabbitmq.config').with_content(%r{keyfile, "/path/to/key"\}[\r\n ]*\]\}}) end end 
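Review bot: The last assertion, `,\{versions, \['tlsv1.1', 'tlsv1.2'\]\}[\r\n ]*\]\}`, is also satisfied by the AMQP listener's `ssl_options` block. Per the template patch, that block renders `,{versions, [...]}` followed by whitespace and `]},`, so this example would stay green if the `rabbitmq_management` `ssl_opts` lost its `versions` entry. Tie it to the management block's `keyfile, ` form (with the space), which the AMQP block does not use: `%r{keyfile, "/path/to/key"\}[\r\n ]*,\{versions, \['tlsv1\.1', 'tlsv1\.2'\]\}[\r\n ]*\]\}}`.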
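Review bot: Loosening the pattern to `\}[\r\n ]*\]\}` keeps this example passing, but nothing here or in the `-604,7` hunk checks that `versions` is left out of the management `ssl_opts` when `ssl_versions` is not given. The params continue outside the hunk; if they leave `ssl_versions` unset, add `should contain_file('rabbitmq.config').without_content(%r{versions})` to pin that case.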
@@ -604,7 +628,7 @@ should contain_file('rabbitmq.config').with_content(%r{ssl, true\},}) should contain_file('rabbitmq.config').with_content(%r{ssl_opts, \[\{cacertfile, "/path/to/cacert"\},}) should contain_file('rabbitmq.config').with_content(%r{certfile, "/path/to/cert"\},}) - should contain_file('rabbitmq.config').with_content(%r{keyfile, "/path/to/key"\}\]\}}) + should contain_file('rabbitmq.config').with_content(%r{keyfile, "/path/to/key"\}[\r\n ]*\]\}}) end end