Merge "Restrict TLS versions"

hooks/rabbitmq_context.py

@@ -120,6 +120,10 @@ class RabbitMQSSLContext(object):
             "ssl_client": ssl_client,
             "ssl_ca_file": "",
             "ssl_only": ssl_only,
+            "tls13": (
+                cmp_pkgrevno('erlang-base', '23.0') >= 0 and
+                cmp_pkgrevno('rabbitmq-server', '3.8.11') >= 0
+            ),
         }
 
         if ssl_ca:

templates/rabbitmq.conf

@@ -13,6 +13,12 @@ listeners.ssl.1 = {{ ssl_port }}
 {%- endif %}
 {%- if ssl_mode == "on" or ssl_mode == "only" %}
 ssl_options.verify = verify_peer
+{%- if tls13 %}
+ssl_options.versions.1 = tlsv1.3
+ssl_options.versions.2 = tlsv1.2
+{% else %}
+ssl_options.versions.1 = tlsv1.2
+{%- endif %}
 {%- if ssl_client %}
 ssl_options.fail_if_no_peer_cert = true
 {% else %}

unit_tests/test_rabbitmq_context.py

@@ -35,6 +35,7 @@ class TestRabbitMQSSLContext(unittest.TestCase):
         self.assertTrue(close_port.called)
         self.assertTrue(reconfig_ssl.called)
 
+    @mock.patch.object(rabbitmq_context, 'cmp_pkgrevno')
     @mock.patch("rabbitmq_context.open_port")
     @mock.patch("rabbitmq_context.os.chmod")
     @mock.patch("rabbitmq_context.os.chown")
@@ -46,9 +47,12 @@ class TestRabbitMQSSLContext(unittest.TestCase):
     @mock.patch("rabbitmq_context.ssl_utils.reconfigure_client_ssl")
     @mock.patch("rabbitmq_context.ssl_utils.get_ssl_mode")
     def test_context_ssl_on(self, get_ssl_mode, reconfig_ssl, close_port,
-                            config, gr, pw, exists, chown, chmod, open_port):
+                            config, gr, pw, exists, chown, chmod, open_port,
+                            cmp_pkgrevno):
+
         exists.return_value = True
         get_ssl_mode.return_value = ("on", "on")
+        cmp_pkgrevno.return_value = 1
 
         def config_get(n):
             return None
@@ -75,10 +79,33 @@ class TestRabbitMQSSLContext(unittest.TestCase):
                     "ssl_ca_file": "",
                     "ssl_only": False,
                     "ssl_mode": "on",
+                    "tls13": True,
                 })
 
         self.assertTrue(reconfig_ssl.called)
         self.assertTrue(open_port.called)
+        cmp_pkgrevno.assert_has_calls([
+            mock.call("erlang-base", "23.0"),
+            mock.call("rabbitmq-server", "3.8.11")
+        ])
+
+        # Check older erlang toggles tls13 flag off.
+        cmp_pkgrevno.return_value = -1
+        m = mock.mock_open()
+        with mock.patch('rabbitmq_context.open', m, create=True):
+            self.assertEqual(
+                rabbitmq_context.RabbitMQSSLContext().__call__(), {
+                    "ssl_port": None,
+                    "ssl_cert_file": "/etc/rabbitmq/rabbit-server-cert.pem",
+                    "ssl_key_file": '/etc/rabbitmq/rabbit-server-privkey.pem',
+                    "ssl_client": False,
+                    "ssl_ca_file": "",
+                    "ssl_only": False,
+                    "ssl_mode": "on",
+                    "tls13": False,
+                })
+
+        cmp_pkgrevno.assert_called_with("erlang-base", "23.0")
 
 
 class TestRabbitMQClusterContext(unittest.TestCase):