Merge pull request voxpupuli#547 from xepa/feature/extra_ssl_options

Extra ssl options to harden rabbitmq listener
Slm0n87 · Aug 10, 2017 · 2b2c4ac · 2b2c4ac
2 parents 0af454f + 7b5afa9
commit 2b2c4ac
Show file tree

Hide file tree

Showing 5 changed files with 34 additions and 0 deletions.
diff --git a/README.md b/README.md
@@ -448,6 +448,22 @@ rabbitmq.config SSL verify setting.
 
 rabbitmq.config `fail_if_no_peer_cert` setting.
 
+####`ssl_secure_renegotiate`
+
+Use ssl secure renegotiate [boolean: default true]
+
+####`ssl_reuse_sessions`
+
+Reuse ssl sessions [boolean: default true]
+
+####`ssl_honor_cipher_order`
+
+Force use of server cipher order [boolean: default true]
+
+####`ssl_dhfile`
+
+Use this dhparam file [example: generate with `openssl dhparam -out /etc/rabbitmq/ssl/dhparam.pem 2048`, default empty]
+
 ####`ssl_versions`
 
 Choose which SSL versions to enable. Example: `['tlsv1.2', 'tlsv1.1']`.

diff --git a/manifests/config.pp b/manifests/config.pp
@@ -46,6 +46,10 @@
   $ssl_stomp_port             = $rabbitmq::ssl_stomp_port
   $ssl_verify                 = $rabbitmq::ssl_verify
   $ssl_fail_if_no_peer_cert   = $rabbitmq::ssl_fail_if_no_peer_cert
+  $ssl_secure_renegotiate     = $rabbitmq::ssl_secure_renegotiate
+  $ssl_reuse_sessions         = $rabbitmq::ssl_reuse_sessions
+  $ssl_honor_cipher_order     = $rabbitmq::ssl_honor_cipher_order
+  $ssl_dhfile                 = $rabbitmq::ssl_dhfile
   $ssl_versions               = $rabbitmq::ssl_versions
   $ssl_ciphers                = $rabbitmq::ssl_ciphers
   $stomp_port                 = $rabbitmq::stomp_port

diff --git a/manifests/init.pp b/manifests/init.pp
@@ -54,6 +54,10 @@
   $ssl_stomp_port                                = $rabbitmq::params::ssl_stomp_port,
   $ssl_verify                                    = $rabbitmq::params::ssl_verify,
   $ssl_fail_if_no_peer_cert                      = $rabbitmq::params::ssl_fail_if_no_peer_cert,
+  Boolean $ssl_secure_renegotiate                = $rabbitmq::params::ssl_secure_renegotiate,
+  Boolean $ssl_reuse_sessions                    = $rabbitmq::params::ssl_reuse_sessions,
+  Boolean $ssl_honor_cipher_order                = $rabbitmq::params::ssl_honor_cipher_order,
+  String $ssl_dhfile                             = $rabbitmq::params::ssl_dhfile,
   Optional[Array] $ssl_versions                  = $rabbitmq::params::ssl_versions,
   Array $ssl_ciphers                             = $rabbitmq::params::ssl_ciphers,
   Boolean $stomp_ensure                          = $rabbitmq::params::stomp_ensure,

diff --git a/manifests/params.pp b/manifests/params.pp
@@ -112,6 +112,10 @@
   $ssl_stomp_port              = '6164'
   $ssl_verify                  = 'verify_none'
   $ssl_fail_if_no_peer_cert    = false
+  $ssl_secure_renegotiate      = true
+  $ssl_reuse_sessions          = true
+  $ssl_honor_cipher_order      = true
+  $ssl_dhfile                  = 'UNSET'
   $ssl_versions                = undef
   $ssl_ciphers                 = []
   $stomp_ensure                = false

diff --git a/templates/rabbitmq.config.erb b/templates/rabbitmq.config.erb
@@ -65,6 +65,12 @@
                    <%- if @ssl_depth -%>
                    {depth,<%= @ssl_depth %>},
                    <%- end -%>
+                   <%- if @ssl_dhfile != 'UNSET' -%>
+                   {dhfile, "<%= @ssl_dhfile %>"},
+                   <%- end -%>
+                   {secure_renegotiate,<%= @ssl_secure_renegotiate %>},
+                   {reuse_sessions,<%= @ssl_reuse_sessions %>},
+                   {honor_cipher_order,<%= @ssl_honor_cipher_order %>},
                    {verify,<%= @ssl_verify %>},
                    {fail_if_no_peer_cert,<%= @ssl_fail_if_no_peer_cert %>}
                    <%- if @ssl_versions -%>