[rabbitmq-discuss] Securing Messages Over WAN Link

Emile Joubert emile at rabbitmq.com
Wed Jan 16 10:24:13 GMT 2013


Hi,

On 15/01/13 23:29, Richard Raseley wrote:
> Could anyone provide any guidance on what they use for securing traffic
> over the WAN? Is the built in SSL / TLS support in RabbitMQ (as outlined
> here http://www.rabbitmq.com/ssl.html) sufficient for such purposes?
> Should I be concerned about the additional overhead in processing
> requirements for an estimated 10 million+ messages per day?

I assume you want to secure the link between federated exchanges or a
shovel connection, because clustering over a WAN link is not
recommended. SSL will provide confidentiality and if you use certificate
verification then it can provide authentication. SSL also provides
integrity by hashing data.

If you care about performance then select an appropriate cipher (e.g.
avoid 3DES). If you have crypto hardware support then make sure that is
enabled.

SSL will not protect the data written to disk by the broker, or messages
held in RAM in the broker. Message producers should encrypt the message
payloads if that's what you need.

If you want to secure clustering links then the Erlang distribution
protocol must be set up with "inet_tls". This is not presently a rabbit
configuration option, but the Erlang documentation shows how to set that
up: http://www.erlang.org/doc/apps/ssl/ssl_distribution.html





-Emile
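
A broker-side configuration sketch for the certificate verification and cipher points in the reply above, added here as an example and not part of the original message or the RabbitMQ documentation. File paths, the port and the host name are placeholders, and the cipher tuple syntax is assumed to match the Erlang/OTP release in use.

```erlang
%% rabbitmq.config, classic Erlang-term format (added example).
%% Paths, port and host name are placeholders.
%%
%% Weak form: TLS encrypts the link, but clients are accepted without a
%% certificate, so the peer is not authenticated:
%%   {verify, verify_none},
%%   {fail_if_no_peer_cert, false}
[
  {rabbit, [
    {ssl_listeners, [5671]},
    {ssl_options, [
      {cacertfile, "/path/to/ca_certificate.pem"},
      {certfile,   "/path/to/server_certificate.pem"},
      {keyfile,    "/path/to/server_key.pem"},
      %% Require a client certificate and verify it against cacertfile.
      {verify, verify_peer},
      {fail_if_no_peer_cert, true},
      %% Offer AES suites only, so 3DES is never negotiated.
      %% Assumption: {KeyExchange, Cipher, Hash} tuple syntax; the accepted
      %% format depends on the Erlang/OTP release, so check the ssl
      %% application documentation for the version you run.
      {ciphers, [{dhe_rsa, aes_256_cbc, sha},
                 {dhe_rsa, aes_128_cbc, sha}]}
    ]}
  ]}
].
%% The federation upstream or shovel at the remote site then connects with
%% an amqps URI that verifies the broker in turn, for example (one line):
%%   amqps://broker.example.net:5671?cacertfile=/path/to/ca_certificate.pem
%%     &certfile=/path/to/client_certificate.pem
%%     &keyfile=/path/to/client_key.pem&verify=verify_peer
```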