[rabbitmq-discuss] Restriction to specific ciphers for ssl communications

Mark Dotson mastamark at gmail.com
Wed Jun 6 18:23:16 BST 2012


Thank you!

Follow-up question: Is the denial of anything other than the chosen ciphers
after SSL negotiation?  In other words, if I set up only 3 specific ciphers
to be supported and, say, a compliance security guy comes along and scans the
box with a SAINT server or some such, will he only see the 3 options, or
will it spit out all of them as supported but log somewhere that X cipher
was rejected?  In other words, is the only way to really test this to do a
full connection test and watch the logs go by for cipher rejection or
connection messages?

-Mark

On Wed, Jun 6, 2012 at 1:28 AM, Emile Joubert <emile at rabbitmq.com> wrote:

> Hi Mark,
>
> On 06/06/12 00:48, Mark Dotson wrote:
> > I'd like to specifically restrict specific ssl ciphers acceptable to
> > communicate via and reject all others.  Is adding the specific ciphers
> > in the rabbitmq.config file as an ssl_option the right way to go about
> > doing this?
>
> Yes, you can find the available ciphers by running
> rabbitmqctl eval 'ssl:cipher_suites().'
> and specifying your selection as the "ciphers" parameter.
> Make sure that clients and broker have at least one cipher in common.
>
> The Erlang SSL page has more details:
> http://www.erlang.org/doc/man/ssl.html
>
>
> -Emile
>
>
>
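
One way to run the connection test asked about above from the client side, as an added example that is not part of the original thread: it offers one TLS suite per handshake and compares what the listener accepts with the intended allow-list. The names `POLICY`, `candidate_suites`, `probe_cipher` and `audit` are hypothetical, and the three suite names are constructed sample values in OpenSSL notation.

```python
import socket
import ssl
import sys

# Constructed sample allow-list (OpenSSL names), standing in for the three
# suites configured on the broker; replace with your own selection.
POLICY = {"DHE-RSA-AES256-SHA", "AES256-SHA", "AES128-SHA"}

def candidate_suites():
    """Every TLS <= 1.2 suite the local OpenSSL build is able to offer."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.set_ciphers("ALL")
    return [c["name"] for c in ctx.get_ciphers() if c["protocol"] != "TLSv1.3"]

def probe_cipher(host, port, cipher, timeout=5.0):
    """Offer exactly one suite; report how the listener answers the handshake."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False       # only the cipher policy is being audited,
    ctx.verify_mode = ssl.CERT_NONE  # so certificate trust is not evaluated
    ctx.maximum_version = ssl.TLSVersion.TLSv1_2  # set_ciphers() does not control TLS 1.3
    try:
        ctx.set_ciphers(cipher)
    except ssl.SSLError:
        return "untestable"          # local OpenSSL cannot offer this suite
    try:
        raw = socket.create_connection((host, port), timeout=timeout)
    except OSError:
        return "unreachable"
    try:
        with ctx.wrap_socket(raw):
            return "accepted"
    except OSError:                  # ssl.SSLError (handshake alert), reset, timeout
        return "rejected"
    finally:
        raw.close()

def audit(policy, results):
    """Return (unexpected, missing): accepted-but-not-allowed, allowed-but-not-accepted."""
    accepted = {name for name, status in results.items() if status == "accepted"}
    return sorted(accepted - set(policy)), sorted(set(policy) - accepted)

if __name__ == "__main__":
    host, port = sys.argv[1], int(sys.argv[2])  # your broker and its SSL listener port
    results = {name: probe_cipher(host, port, name) for name in candidate_suites()}
    unexpected, missing = audit(POLICY, results)
    print("accepted outside policy:", unexpected)
    print("in policy but not accepted:", missing)
```

A suite reported as `untestable` was never offered to the listener, so the audit covers only what the local OpenSSL build can negotiate.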