Modernise TLS configuration

Set up TLS1.2 as recommended in https://www.rabbitmq.com/ssl.html Change-Id: I634ffe7ed47b8670bd2aad029dac1313cebd2961
2021-05-05 11:21:39 +00:00 · 2021-05-05 11:21:39 +00:00 · fa4135ad6e
commit fa4135ad6e
parent fb93d2862d
2 changed files with 50 additions and 4 deletions
--- a/defaults/main.yml
+++ b/defaults/main.yml
@ -118,6 +118,35 @@ rabbitmq_ssl_self_signed_subject: "/C=US/ST=Texas/L=San Antonio/O=IT/CN={{ ansib
 #rabbitmq_user_ssl_key: <path to cert on ansible deployment host>
 #rabbitmq_user_ssl_ca_cert: <path to cert on ansible deployment host>

+# These are highly recommended for TLSv1.2 but cannot be used
+# with TLSv1.3. If TLSv1.3 is enabled, these lines will not be
+# inserted into the config
+rabbitmq_ssl_client_renegotiation: false
+rabbitmq_ssl_secure_renegotiate: true
+
+# Supported TLS protocol versions
+rabbitmq_ssl_tls_versions:
+  - "tlsv1.2"
+
+# Mutual TLS control
+rabbitmq_ssl_verify: "verify_none"
+rabbitmq_ssl_fail_if_no_peer_cert: False
+
+# Recommended ciphers taken from https://www.rabbitmq.com/ssl.html
+rabbitmq_ssl_ciphers:
+  - "ECDHE-ECDSA-AES256-GCM-SHA384"
+  - "ECDHE-RSA-AES256-GCM-SHA384"
+  - "ECDH-ECDSA-AES256-GCM-SHA384"
+  - "ECDH-RSA-AES256-GCM-SHA384"
+  - "DHE-RSA-AES256-GCM-SHA384"
+  - "DHE-DSS-AES256-GCM-SHA384"
+  - "ECDHE-ECDSA-AES128-GCM-SHA256"
+  - "ECDHE-RSA-AES128-GCM-SHA256"
+  - "ECDH-ECDSA-AES128-GCM-SHA256"
+  - "ECDH-RSA-AES128-GCM-SHA256"
+  - "DHE-RSA-AES128-GCM-SHA256"
+  - "DHE-DSS-AES128-GCM-SHA256"
+
 # RabbitMQ erlang VM parameters
 rabbitmq_async_threads: 128
 rabbitmq_process_limit: 1048576
--- a/templates/rabbitmq.config.j2
+++ b/templates/rabbitmq.config.j2
@ -14,16 +14,33 @@
      { ssl_options, [
          { certfile, "{{ rabbitmq_ssl_cert }}" },
          { keyfile, "{{ rabbitmq_ssl_key }}" },
+          { honor_cipher_order, true},
+          { honor_ecc_order, true},
+{% if "tlsv1.3" not in rabbitmq_ssl_tls_versions %}
+          { client_renegotiation, {{ rabbitmq_ssl_client_renegotiation | lower }} },
+          { secure_renegotiate, {{ rabbitmq_ssl_secure_renegotiate | lower }} },
+{% endif %}
 {% if rabbitmq_user_ssl_ca_cert is defined -%}
          { cacertfile, "{{ rabbitmq_ssl_ca_cert }}" },
 {% endif %}
          { versions, [
-              'tlsv1.2',
-              'tlsv1.1'
+{% for version in rabbitmq_ssl_tls_versions %}
+              '{{ version }}'{% if not loop.last -%},{%- endif %}
+
+{% endfor %}
            ]
          },
-          { verify, verify_none },
-          { fail_if_no_peer_cert, false }
+{% if rabbitmq_ssl_ciphers | length > 0 %}
+          { ciphers, [
+{%   for cipher in rabbitmq_ssl_ciphers %}
+              "{{ cipher }}"{% if not loop.last -%},{%- endif %}
+
+{%   endfor %}
+            ]
+          },
+{% endif %}
+          { verify, {{ rabbitmq_ssl_verify | lower }} },
+          { fail_if_no_peer_cert, {{ rabbitmq_ssl_fail_if_no_peer_cert | lower }} }
        ]
      },
      { vm_memory_high_watermark, {{ rabbitmq_memory_high_watermark }} }