From 35bb069bb77bc770fbd29edfc0070b41a0d92a85 Mon Sep 17 00:00:00 2001 From: Joe Topjian Date: Fri, 16 Jan 2015 04:49:21 +0000 Subject: [PATCH 1/2] Added ssl_versions parameter This commit adds the ssl_versions parameter. This allows users to choose which versions of SSL that RabbitMQ should accept. --- README.md | 6 +++- manifests/config.pp | 1 + manifests/init.pp | 9 ++++++ manifests/params.pp | 1 + spec/classes/rabbitmq_spec.rb | 57 ++++++++++++++++++++++++++++++++--- templates/rabbitmq.config.erb | 8 ++++- 6 files changed, 76 insertions(+), 6 deletions(-) diff --git a/README.md b/README.md index daec12a6d..44110aeb2 100644 --- a/README.md +++ b/README.md @@ -34,7 +34,7 @@ all features against earlier versions. * rabbitmq configuration file. * rabbitmq service. -###Beginning with rabbitmq +###Beginning with rabbitmq ```puppet @@ -350,6 +350,10 @@ rabbitmq.config SSL verify setting. rabbitmq.config `fail_if_no_peer_cert` setting. +####`ssl_versions` + +Choose which SSL versions to enable. Example: `['tlsv1.2', 'tlsv1.1']` + ####`stomp_port` The port to use for Stomp. diff --git a/manifests/config.pp b/manifests/config.pp index b13b63a77..e13ce9980 100644 --- a/manifests/config.pp +++ b/manifests/config.pp @@ -31,6 +31,7 @@ $ssl_stomp_port = $rabbitmq::ssl_stomp_port $ssl_verify = $rabbitmq::ssl_verify $ssl_fail_if_no_peer_cert = $rabbitmq::ssl_fail_if_no_peer_cert + $ssl_versions = $rabbitmq::ssl_versions $stomp_port = $rabbitmq::stomp_port $wipe_db_on_cookie_change = $rabbitmq::wipe_db_on_cookie_change $config_variables = $rabbitmq::config_variables diff --git a/manifests/init.pp b/manifests/init.pp index 3d25e5078..1ac3f6d61 100644 --- a/manifests/init.pp +++ b/manifests/init.pp 
@@ -39,6 +39,7 @@ $ssl_stomp_port = $rabbitmq::params::ssl_stomp_port, $ssl_verify = $rabbitmq::params::ssl_verify, $ssl_fail_if_no_peer_cert = $rabbitmq::params::ssl_fail_if_no_peer_cert, + $ssl_versions = $rabbitmq::params::ssl_versions, $stomp_ensure = $rabbitmq::params::stomp_ensure, $ldap_auth = $rabbitmq::params::ldap_auth, $ldap_server = $rabbitmq::params::ldap_server, @@ -117,6 +118,14 @@ warning('$ssl_stomp_port requires that $ssl => true and will be ignored') } + if $ssl_versions { + if $ssl { + validate_array($ssl_versions) + } else { + fail('$ssl_versions requires that $ssl => true') + } + } + # This needs to happen here instead of params.pp because # $package_source needs to override the constructed value in params.pp if $package_source { # $package_source was specified by user so use that one diff --git a/manifests/params.pp b/manifests/params.pp index 6f1e94d85..4e4ba3221 100644 --- a/manifests/params.pp +++ b/manifests/params.pp @@ -73,6 +73,7 @@ $ssl_stomp_port = '6164' $ssl_verify = 'verify_none' $ssl_fail_if_no_peer_cert = false + $ssl_versions = undef $stomp_ensure = false $ldap_auth = false $ldap_server = 'ldap' diff --git a/spec/classes/rabbitmq_spec.rb b/spec/classes/rabbitmq_spec.rb index a24c01ff8..ea7fd75fa 100644 --- a/spec/classes/rabbitmq_spec.rb +++ b/spec/classes/rabbitmq_spec.rb @@ -39,7 +39,7 @@ context 'on Debian' do let(:params) {{ :manage_repos => true }} let(:facts) {{ :osfamily => 'Debian', :lsbdistid => 'Debian', :lsbdistcodename => 'squeeze' }} - + it 'includes rabbitmq::repo::apt' do should contain_class('rabbitmq::repo::apt') end @@ -69,7 +69,7 @@ context 'on Debian' do let(:params) {{ :repos_ensure => true }} let(:facts) {{ :osfamily => 'Debian', :lsbdistid => 'Debian', :lsbdistcodename => 'squeeze' }} - + it 'includes rabbitmq::repo::apt' do should contain_class('rabbitmq::repo::apt') end 
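Review bot: The new `if $ssl_versions` guard in init.pp lets an empty array through, because `validate_array` checks only the type; with `$ssl => true` and `$ssl_versions => []` the template on this page would render `{versions, []}` (an empty Ruby array is truthy in ERB), leaving the TLS listener with no protocol version to offer. Add an emptiness check beside the type check, e.g. `if empty($ssl_versions) { fail('$ssl_versions must list at least one version') }` using stdlib's `empty` function, which the module already depends on for `validate_array`. The element values are not validated either, so a misspelt version name only surfaces when RabbitMQ reads its config; at minimum the parameter comment should state the accepted names (the README hunk gives `tlsv1.2`/`tlsv1.1`) and that the list is sorted before rendering. The enclosing `class rabbitmq` begins and ends outside this hunk.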
@@ -89,7 +89,7 @@ context 'on Debian' do let(:params) {{ :manage_repos => true, :repos_ensure => false }} let(:facts) {{ :osfamily => 'Debian', :lsbdistid => 'Debian', :lsbdistcodename => 'squeeze' }} - + it 'includes rabbitmq::repo::apt' do should contain_class('rabbitmq::repo::apt') end @@ -106,7 +106,7 @@ context 'on Debian' do let(:params) {{ :manage_repos => true, :repos_ensure => true }} let(:facts) {{ :osfamily => 'Debian', :lsbdistid => 'Debian', :lsbdistcodename => 'squeeze' }} - + it 'includes rabbitmq::repo::apt' do should contain_class('rabbitmq::repo::apt') end 
@@ -503,6 +503,55 @@ end end + describe 'ssl options with specific ssl versions' do + let(:params) { + { :ssl => true, + :ssl_port => 3141, + :ssl_cacert => '/path/to/cacert', + :ssl_cert => '/path/to/cert', + :ssl_key => '/path/to/key', + :ssl_versions => ['tlsv1.2', 'tlsv1.1'] + } } + + it 'should set ssl options to specified values' do + should contain_file('rabbitmq.config').with_content(%r{ssl_listeners, \[3141\]}) + should contain_file('rabbitmq.config').with_content(%r{ssl_options, \[\{cacertfile,"/path/to/cacert"}) + should contain_file('rabbitmq.config').with_content(%r{certfile,"/path/to/cert"}) + should contain_file('rabbitmq.config').with_content(%r{keyfile,"/path/to/key}) + should contain_file('rabbitmq.config').with_content(%r{ssl, \[\{versions, \['tlsv1.1', 'tlsv1.2'\]\}\]}) + end + end + + describe 'ssl options with invalid ssl_versions type' do + let(:params) { + { :ssl => true, + :ssl_port => 3141, + :ssl_cacert => '/path/to/cacert', + :ssl_cert => '/path/to/cert', + :ssl_key => '/path/to/key', + :ssl_versions => 'tlsv1.2, tlsv1.1' + } } + + it 'fails' do + expect{subject}.to raise_error(/is not an Array/) + end + end + + describe 'ssl options with ssl_versions and not ssl' do + let(:params) { + { :ssl => false, + :ssl_port => 3141, + :ssl_cacert => '/path/to/cacert', + :ssl_cert => '/path/to/cert', + :ssl_key => '/path/to/key', + :ssl_versions => ['tlsv1.2', 'tlsv1.1'] + } } + + it 'fails' do + expect{subject}.to raise_error(/^\$ssl_versions requires that \$ssl => true/) + end + end + describe 'ssl admin options' do let(:params) { { :ssl => true, diff --git a/templates/rabbitmq.config.erb b/templates/rabbitmq.config.erb index 9cd82426f..75a7ca100 100644 --- a/templates/rabbitmq.config.erb +++ b/templates/rabbitmq.config.erb 
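Review bot: The `should set ssl options to specified values` example matches `ssl, \[\{versions, \['tlsv1.1', 'tlsv1.2'\]\}\]` without anchoring it to a location, so it passes whether the template emits the versions list inside `ssl_options`, at the `rabbit` application level, or in both places as the template hunk on this page currently does. Pin each placement with its own expectation, for instance one that anchors the versions entry to the neighbouring `fail_if_no_peer_cert` entry inside `ssl_options`, so a later template correction cannot silently drop or relocate it. In the invalid-type example, `raise_error(/is not an Array/)` would also be satisfied by an unrelated array validation failure; anchoring the regex to the `ssl_versions` value makes the test specific. The enclosing `describe` block of the spec begins outside this hunk.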
@@ -16,12 +16,18 @@ {tcp_listeners, []}, <%- end -%> <%- if @ssl -%> + <%- if @ssl_versions -%> + {ssl, [{versions, [<%= @ssl_versions.sort.map { |v| "'#{v}'" }.join(', ') %>]}]}, + <%- end -%> {ssl_listeners, [<%= @ssl_port %>]}, {ssl_options, [<%- if @ssl_cacert != 'UNSET' -%>{cacertfile,"<%= @ssl_cacert %>"},<%- end -%> {certfile,"<%= @ssl_cert %>"}, {keyfile,"<%= @ssl_key %>"}, {verify,<%= @ssl_verify %>}, - {fail_if_no_peer_cert,<%= @ssl_fail_if_no_peer_cert %>}]}, + {fail_if_no_peer_cert,<%= @ssl_fail_if_no_peer_cert %>} + <%- if @ssl_versions -%> + ,{ssl, [{versions, [<%= @ssl_versions.sort.map { |v| "'#{v}'" }.join(', ') %>]}]} + <% end -%>]}, <%- end -%> <% if @config_variables -%> <%- @config_variables.keys.sort.each do |key| -%> From 5675b38fbdc0d13c3d3a9b4ed6bb67091cad2ca6 Mon Sep 17 00:00:00 2001 From: Joe Topjian Date: Sat, 17 Jan 2015 02:39:17 +0000 Subject: [PATCH 2/2] Revised SSL versions documentation --- README.md | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/README.md b/README.md index 44110aeb2..3255fd3cc 100644 --- a/README.md +++ b/README.md @@ -352,7 +352,9 @@ rabbitmq.config `fail_if_no_peer_cert` setting. ####`ssl_versions` -Choose which SSL versions to enable. Example: `['tlsv1.2', 'tlsv1.1']` +Choose which SSL versions to enable. Example: `['tlsv1.2', 'tlsv1.1']`. + +Note that it is recommended to disable `sslv3` and `tlsv1` to prevent against POODLE and BEAST attacks. Please see the [RabbitMQ SSL](https://www.rabbitmq.com/ssl.html) documentation for more information. ####`stomp_port`
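Review bot: The versions list is rendered twice and, as far as I can tell, in neither of the places RabbitMQ reads it: the first `{ssl, [{versions, ...}]}` lands inside the `rabbit` application list (next to `tcp_listeners`/`ssl_listeners`), whereas the `ssl` application setting described in the RabbitMQ SSL documentation linked from the README hunk sits at the top level beside `{rabbit, [...]}`; the second is nested inside `ssl_options` as `{ssl, [...]}`, while Erlang's ssl options take `{versions, [...]}` directly and document no `ssl` key. The inner entry should read `,{versions, [<%= @ssl_versions.sort.map { |v| "'#{v}'" }.join(', ') %>]}`, and the outer entry should move out of the `rabbit` section, whose opening bracket is outside this hunk. Until that is corrected the listener most likely keeps OTP's default protocol set, so the README's advice about disabling `sslv3`/`tlsv1` is not actually enforced by this parameter. The values are interpolated into single-quoted atoms without escaping, so a stray `'` in an element would corrupt the generated config file; pair this with stricter element validation in init.pp. Also `<% end -%>` on the last added line differs from the `<%- end -%>` form used on every other closing tag here; make it consistent.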