[rabbitmq-discuss] Restriction to specific ciphers for ssl communications
Mark Dotson
mastamark at gmail.com
Thu Jun 7 18:41:33 BST 2012
Humm, so for our specific setup we added the following options to
rabbitmq.config:
[
  {rabbit,[
    {tcp_listeners,[5672]},
    {ssl_listeners,[5671]},
    {ssl_options,[{cacertfile,"/etc/rabbitmq/certs/ca-bundle.crt"},
                  {certfile,"/etc/rabbitmq/certs/rabbitmq.crt"},
                  {keyfile,"/etc/rabbitmq/certs/rabbitmq.key"},
                  {verify,verify_none},
                  {fail_if_no_peer_cert,false}]},
    {ciphers,[{dhe_rsa,aes_256_cbc,sha},
              {dhe_dss,aes_256_cbc,sha},
              {rsa,aes_256_cbc,sha}]}
  ]},
  {rabbit, [{vm_memory_high_watermark, 0.5}]}
].
Our security compliance guy pointed his saint server at it and it returned
a whole bunch of extra ciphers it claimed to support.
Supported ciphers:
RC4-MD5:TLSv1/SSLv3:128-bit
RC4-SHA:TLSv1/SSLv3:128-bit
DES-CBC-SHA:TLSv1/SSLv3:*56-bit *
DES-CBC3-SHA:TLSv1/SSLv3:168-bit
EDH-RSA-DES-CBC-SHA:TLSv1/SSLv3:*56-bit *
EDH-RSA-DES-CBC3-SHA:TLSv1/SSLv3:168-bit
AES128-SHA:TLSv1/SSLv3:128-bit
DHE-RSA-AES128-SHA:TLSv1/SSLv3:128-bit
AES256-SHA:TLSv1/SSLv3:256-bit
DHE-RSA-AES256-SHA:TLSv1/SSLv3:256-bit
Does our rabbitmq.config look wrong to you?
Thanks a billion!
On Wed, Jun 6, 2012 at 10:46 AM, Emile Joubert <emile at rabbitmq.com> wrote:
> Hi Mark,
>
> On 06/06/12 18:23, Mark Dotson wrote:
> > log somewhere that X cipher was rejected. In other words, is the only
> > way to really test this to do a full connection test and watch the logs
> > go by for cipher rejection or connection messages?
>
> The configured value should constrain the advertised ciphers during
> negotiation, so you should be able to determine the effect easily by
> observing the advertisement. The amount of testing you perform should be
> dictated by the desired level of confidence.
>
> -Emile
>
>
>
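As an added example (not part of the thread, and not RabbitMQ's own code): a small Python check that does the two things Emile's advice implies. It compares the suites the config is meant to permit with the suites a scanner reports, flagging anything unexpected or weak, and it tests whether the `ciphers` tuple actually sits inside the `ssl_options` list, since `ciphers` is one of the Erlang `ssl` options and is only honoured there. The OpenSSL names assumed for the three Erlang tuples, the scanner lines, and both config variants are constructed inputs taken from the post; the "fixed" config is an assumption about what the intended layout looks like.

```python
import re

# Assumed OpenSSL names for the Erlang ssl cipher tuples in the post.
ERLANG_TO_OPENSSL = {
    ("dhe_rsa", "aes_256_cbc", "sha"): "DHE-RSA-AES256-SHA",
    ("dhe_dss", "aes_256_cbc", "sha"): "DHE-DSS-AES256-SHA",
    ("rsa", "aes_256_cbc", "sha"): "AES256-SHA",
}

# Constructed: the cipher list the config in the post intends to allow.
INTENDED = list(ERLANG_TO_OPENSSL)

# Constructed: the scanner output quoted in the post (name:protocol:bits).
SCAN_OUTPUT = """\
RC4-MD5:TLSv1/SSLv3:128-bit
RC4-SHA:TLSv1/SSLv3:128-bit
DES-CBC-SHA:TLSv1/SSLv3:*56-bit *
DES-CBC3-SHA:TLSv1/SSLv3:168-bit
EDH-RSA-DES-CBC-SHA:TLSv1/SSLv3:*56-bit *
EDH-RSA-DES-CBC3-SHA:TLSv1/SSLv3:168-bit
AES128-SHA:TLSv1/SSLv3:128-bit
DHE-RSA-AES128-SHA:TLSv1/SSLv3:128-bit
AES256-SHA:TLSv1/SSLv3:256-bit
DHE-RSA-AES256-SHA:TLSv1/SSLv3:256-bit
"""

# Constructed: the config as posted, with {ciphers,...} as a sibling of ssl_options.
CONFIG_AS_POSTED = """\
[{rabbit,[{ssl_listeners,[5671]},
  {ssl_options,[{certfile,"/path/to/cert"},{verify,verify_none}]},
  {ciphers,[{dhe_rsa,aes_256_cbc,sha},{rsa,aes_256_cbc,sha}]}]}].
"""

# Constructed (assumed layout): the same config with ciphers moved inside ssl_options.
CONFIG_FIXED = """\
[{rabbit,[{ssl_listeners,[5671]},
  {ssl_options,[{certfile,"/path/to/cert"},{verify,verify_none},
                {ciphers,[{dhe_rsa,aes_256_cbc,sha},{rsa,aes_256_cbc,sha}]}]}]}].
"""

# Algorithm tokens that a compliance scan will normally object to.
WEAK_TOKENS = {"RC4", "DES", "MD5", "NULL", "EXP"}


def parse_scan(text):
    """Turn scanner lines into (suite, protocol, key_bits) tuples."""
    suites = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        name, proto, bits = line.split(":", 2)
        key_bits = int(re.search(r"\d+", bits).group())  # tolerates '*56-bit *'
        suites.append((name, proto, key_bits))
    return suites


def is_weak(name, key_bits):
    """Weak if any hyphen-separated token is a known-bad algorithm or key < 128 bits."""
    return bool(WEAK_TOKENS & set(name.split("-"))) or key_bits < 128


def compare(intended, observed):
    """Report suites advertised but not intended, intended but absent, and weak ones."""
    want = {ERLANG_TO_OPENSSL[t] for t in intended}
    seen = {name for name, _, _ in observed}
    return {
        "unexpected": sorted(seen - want),
        "missing": sorted(want - seen),
        "weak": sorted(n for n, _, b in observed if is_weak(n, b)),
    }


def ciphers_inside_ssl_options(config_text):
    """True if a 'ciphers' key appears within the ssl_options list (bracket-depth scan)."""
    start = config_text.find("ssl_options")
    if start < 0:
        return False
    open_idx = config_text.find("[", start)
    depth = 0
    for j in range(open_idx, len(config_text)):
        ch = config_text[j]
        if ch == "[":
            depth += 1
        elif ch == "]":
            depth -= 1
            if depth == 0:
                return "ciphers" in config_text[open_idx:j]
    return False


if __name__ == "__main__":
    report = compare(INTENDED, parse_scan(SCAN_OUTPUT))
    for key, names in report.items():
        print(f"{key}: {', '.join(names) or '-'}")
    print("ciphers inside ssl_options (as posted):", ciphers_inside_ssl_options(CONFIG_AS_POSTED))
    print("ciphers inside ssl_options (fixed):    ", ciphers_inside_ssl_options(CONFIG_FIXED))
```

Run against the scanner lines from the post, the report lists eight unexpected suites (the RC4, DES, 3DES and AES-128 ones), flags the RC4/DES/MD5 and 56-bit entries as weak, and shows `DHE-DSS-AES256-SHA` as "missing": a DSS suite can only be negotiated with a DSS certificate, so with an RSA certificate it will never be advertised no matter how the config is written. The placement check returns False for the posted layout and True once `ciphers` is moved inside `ssl_options`.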