rabbitmq / chef-cookbook

Development repository for Chef cookbook RabbitMQ
https://supermarket.chef.io/cookbooks/rabbitmq
Apache License 2.0

Added depth parameter in the templates to support the "Certificate Chains and Verification Depth" feature #597

Closed AnuragPPPP closed 2 years ago

AnuragPPPP commented 2 years ago

Proposed Changes

As per the following page about TLS support in RabbitMQ, a depth parameter was introduced some time back to support Certificate Chains and Verification using Depth.

https://www.rabbitmq.com/ssl.html#peer-verification-depth

The page says: 
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
 When using a client certificate signed by an intermediate CA, it may be necessary to configure RabbitMQ server to use a higher verification depth.

The depth is the maximum number of non-self-issued intermediate certificates that may follow the peer certificate in a valid certification path. So if depth is 0 the peer (e.g. client) certificate must be signed by the trusted CA directly, if 1 the path can be "peer, CA, trusted CA", if it is 2 "peer, CA, CA, trusted CA", and so on. The default depth is 1.
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

At our organization, due to the way the certs are created here, we need to use depth = 0 or 2. The default value 1 is not working for us. We use this community Chef cookbook to install and maintain RabbitMQ. But in the current version, there is no way to set this "depth" parameter, though all other SSL parameters are present.

I am submitting this Pull Request to include the depth parameter in the SSL/TLS config section in the cookbook attributes and the rabbitmq config templates file.


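As an added example (not part of this pull request or the cookbook's code), the Ruby code below applies the depth definition quoted above to constructed certificate chains and reports the smallest `ssl_options.depth` value each chain needs in `rabbitmq.conf`. The certificate names and the helpers `make_cert`, `required_depth` and `accepted?` are assumptions made for illustration.

```ruby
require "openssl"

# Constructed test material: issue a throwaway certificate for `cn`,
# self-signed unless an issuer certificate and key are given.
def make_cert(cn, issuer = nil, issuer_key = nil)
  key = OpenSSL::PKey::RSA.new(2048)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2
  cert.serial = rand(1..2**31)
  cert.subject = OpenSSL::X509::Name.parse("/CN=#{cn}")
  cert.issuer = issuer ? issuer.subject : cert.subject
  cert.public_key = key.public_key
  cert.not_before = Time.now - 60
  cert.not_after = Time.now + 3600
  cert.sign(issuer_key || key, OpenSSL::Digest.new("SHA256"))
  [cert, key]
end

# chain is ordered peer first, trusted CA last. Returns the number of
# non-self-issued intermediates after the peer, i.e. the smallest depth
# value that still accepts this path under the quoted definition.
def required_depth(chain)
  raise ArgumentError, "need peer and trusted CA" if chain.size < 2
  chain.each_cons(2) do |child, parent|
    linked = child.issuer.to_s == parent.subject.to_s && child.verify(parent.public_key)
    raise ArgumentError, "#{child.subject} not issued by #{parent.subject}" unless linked
  end
  chain[1...-1].count { |c| c.subject.to_s != c.issuer.to_s }
end

def accepted?(chain, depth)
  required_depth(chain) <= depth
end

# Build root -> CA1 -> CA2 and one client certificate under each signer.
ROOT, ROOT_KEY = make_cert("Constructed Root CA")
CA1, CA1_KEY = make_cert("Constructed CA 1", ROOT, ROOT_KEY)
CA2, CA2_KEY = make_cert("Constructed CA 2", CA1, CA1_KEY)
DIRECT = [make_cert("client-a", ROOT, ROOT_KEY).first, ROOT]
ONE_CA = [make_cert("client-b", CA1, CA1_KEY).first, CA1, ROOT]
TWO_CA = [make_cert("client-c", CA2, CA2_KEY).first, CA2, CA1, ROOT]

[DIRECT, ONE_CA, TWO_CA].each do |chain|
  n = required_depth(chain)
  puts "#{chain.first.subject}: ssl_options.depth = #{n} (default 1 accepts: #{accepted?(chain, 1)})"
end
```

Setting depth higher than a deployment's chains require widens the set of certification paths the server will accept, so the value is best kept at the smallest number the issued client certificates need.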
AnuragPPPP commented 2 years ago

@michaelklishin - I have created this new PR after closing the prior one #596 as I was having a hard time restoring the metadata.rb file and adding it back to the original PR. I hope this one looks fine.

michaelklishin commented 2 years ago

Thank you!