Add SSL listener to RabbitMQ

Bug #1496001 reported by Major Hayden
Affects            Status        Importance  Assigned to   Milestone
OpenStack-Ansible  Fix Released  Wishlist    Major Hayden
Kilo               Fix Released  Wishlist    Major Hayden
Trunk              Fix Released  Wishlist    Major Hayden

Bug Description

RabbitMQ currently only listens on 5672 without SSL. It would enhance security if there was a listener with SSL support on the default SSL port (5671) so that services could optionally communicate with RabbitMQ via SSL.

Changed in openstack-ansible:
assignee: nobody → Major Hayden (rackerhacker)
Ian Cordasco (icordasc) wrote :

If I understand correctly, rabbit does not listen publicly, only on the container network. I agree with the idea of adding security everywhere we can, but if someone can listen on the container network, isn't it a bit pointless by then to be encrypting traffic?

Changed in openstack-ansible:
status: New → Confirmed
importance: Undecided → Wishlist
Major Hayden (rackerhacker) wrote :

Encrypted communication is required in PCI environments as required by sections 2 and 4 of PCI DSS 3.1. Although cardholder data doesn't pass through RabbitMQ directly, an attacker could use data that may appear in RabbitMQ messages to gain additional access to systems on the network.

My goal here is to do something *additive*. Fixing this bug should allow RabbitMQ to use TLS-encrypted connections but it shouldn't have any impact on existing plaintext connections.

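A check for the listener layout this thread asks for, as an added example that is not part of the bug report or of the openstack-ansible change: it reads a constructed rabbitmq.config in RabbitMQ's classic Erlang term format and reports whether the plaintext listener on 5672 is still present next to the new TLS listener on 5671, and which peer-verification options are set. The option names are RabbitMQ's; the sample configs and file paths are constructed for the example.

```python
import re

# Constructed sample in RabbitMQ's classic Erlang config format, showing the
# additive layout: 5672 kept, 5671 added. Paths are placeholders.
SAMPLE_CONFIG = """
[
  {rabbit, [
    {tcp_listeners, [5672]},
    {ssl_listeners, [5671]},
    {ssl_options, [{cacertfile, "/etc/rabbitmq/ssl/cacert.pem"},
                   {certfile,   "/etc/rabbitmq/ssl/cert.pem"},
                   {keyfile,    "/etc/rabbitmq/ssl/key.pem"},
                   {verify, verify_peer},
                   {fail_if_no_peer_cert, false}]}
  ]}
].
"""

# Constructed "before" state: plaintext listener only, no ssl_listeners.
PLAINTEXT_ONLY = "[{rabbit, [{tcp_listeners, [5672]}]}]."


def listeners(config, key):
    """Return the port list of {key, [...]}; empty list if the key is absent."""
    m = re.search(r"\{%s,\s*\[([^\]]*)\]" % key, config)
    if not m:
        return []
    return [int(p) for p in re.findall(r"\d+", m.group(1))]


def ssl_option(config, name):
    """Return the value of {name, value} from ssl_options, or None if unset."""
    m = re.search(r"\{%s,\s*([^}]*)\}" % name, config)
    return m.group(1).strip().strip('"') if m else None


def check(config):
    """Summarise what the bug asks for: TLS on 5671 added alongside, not
    instead of, the plaintext listener on 5672, plus the verify settings."""
    tcp = listeners(config, "tcp_listeners")
    ssl = listeners(config, "ssl_listeners")
    return {
        "plaintext_kept": 5672 in tcp,
        "tls_added": 5671 in ssl,
        # verify_peer makes the broker check a client cert when one is sent;
        # fail_if_no_peer_cert decides whether a missing client cert is fatal.
        "peer_verification": ssl_option(config, "verify") == "verify_peer",
        "client_cert_required": ssl_option(config, "fail_if_no_peer_cert") == "true",
    }
```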
OpenStack Infra (hudson-openstack) wrote : Fix proposed to openstack-ansible (master)

Fix proposed to branch: master
Review: https://review.openstack.org/223717

Changed in openstack-ansible:
status: Confirmed → In Progress
OpenStack Infra (hudson-openstack) wrote : Fix merged to openstack-ansible (master)

Reviewed: https://review.openstack.org/223717
Committed: https://git.openstack.org/cgit/openstack/openstack-ansible/commit/?id=4a1d412f8cd715f2829867026b64edabf97ad521
Submitter: Jenkins
Branch: master

commit 4a1d412f8cd715f2829867026b64edabf97ad521
Author: Major Hayden <email address hidden>
Date: Tue Sep 15 09:52:19 2015 -0500

    Add SSL/TLS listener to RabbitMQ

    This patch adds an SSL/TLS listener to RabbitMQ without disrupting the existing
    plaintext TCP listener. Various services that use RabbitMQ will have the
    option to encrypt messaging traffic with this change. Documentation is
    included for this change.

    By default, it will create a self-signed certificate for the user, but users
    have the option to specify their own existing certificates as well.

    This makes it easier to bring RabbitMQ (and the services which talk to it)
    into compliance with PCI DSS 3.1's Requirement 2.2.3.

    In addition, this change is recommended within the OpenStack Security Guide.

    Closes-bug: 1496001

    Change-Id: I0d29cbb6e963b24f77a8375eba8a8c6a558aaf81

Changed in openstack-ansible:
status: In Progress → Fix Committed
OpenStack Infra (hudson-openstack) wrote : Fix proposed to openstack-ansible (kilo)

Fix proposed to branch: kilo
Review: https://review.openstack.org/228562

OpenStack Infra (hudson-openstack) wrote : Fix merged to openstack-ansible (kilo)

Reviewed: https://review.openstack.org/228562
Committed: https://git.openstack.org/cgit/openstack/openstack-ansible/commit/?id=cdc33bc295366f155df6a17d0f438cdac419a624
Submitter: Jenkins
Branch: kilo

commit cdc33bc295366f155df6a17d0f438cdac419a624
Author: Major Hayden <email address hidden>
Date: Tue Sep 15 09:52:19 2015 -0500

    Add SSL/TLS listener to RabbitMQ

    This patch adds an SSL/TLS listener to RabbitMQ without disrupting the existing
    plaintext TCP listener. Various services that use RabbitMQ will have the
    option to encrypt messaging traffic with this change. Documentation is
    included for this change.

    By default, it will create a self-signed certificate for the user, but users
    have the option to specify their own existing certificates as well.

    This makes it easier to bring RabbitMQ (and the services which talk to it)
    into compliance with PCI DSS 3.1's Requirement 2.2.3.

    In addition, this change is recommended within the OpenStack Security Guide.

    Closes-bug: 1496001

    Change-Id: I0d29cbb6e963b24f77a8375eba8a8c6a558aaf81

Davanum Srinivas (DIMS) (dims-v) wrote : Fix included in openstack/openstack-ansible 11.2.14

This issue was fixed in the openstack/openstack-ansible 11.2.14 release.
