Thank you!<br><br>Follow up question: Is the denial of anything other than the chosen ciphers after ssl negotiation? In other words, if I set up only 3 specific ciphers to be supported and, say, a compliance security guy comes along and scans the box with a saint server or some such, will he only see the 3 options, or will it spit out all of them as supported but log somewhere that X cipher was rejected? In other words, is the only way to really test this to do a full connection test and watch the logs go by for cipher rejection or connection messages?<br>
<br>-Mark<br><br><div class="gmail_quote">On Wed, Jun 6, 2012 at 1:28 AM, Emile Joubert <span dir="ltr">&lt;<a href="mailto:emile@rabbitmq.com" target="_blank">emile@rabbitmq.com</a>&gt;</span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
Hi Mark,<br>
<div><div class="h5"><br>
On 06/06/12 00:48, Mark Dotson wrote:<br>
> I'd like to specifically restrict specific ssl ciphers acceptable to<br>
> communicate via and reject all others. Is adding the specific ciphers<br>
> in the rabbitmq.config file as an ssl_option the right way to go about<br>
> doing this?<br>
<br>
</div></div>Yes, you can find the available ciphers by running<br>
rabbitmqctl eval 'ssl:cipher_suites().'<br>
and specifying your selection as the "ciphers" parameter.<br>
Make sure that clients and broker have at least one cipher in common.<br>
<br>
The Erlang SSL page has more details:<br>
<a href="http://www.erlang.org/doc/man/ssl.html" target="_blank">http://www.erlang.org/doc/man/ssl.html</a><br>
<span class="HOEnZb"><font color="#888888"><br>
<br>
-Emile<br>
<br>
<br>
</font></span></blockquote></div><br>
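An added example, not part of the original thread, of the kind of check the follow-up question describes: cipher selection happens during the TLS handshake, so a client that offers one suite at a time can tell from the handshake result which suites a listener accepts. The host, port, allow-list and function names are assumptions, and suite names are OpenSSL-style as used by Python's ssl module.

```python
import socket
import ssl


def probe_cipher(host, port, cipher, timeout=3.0):
    """Offer exactly one TLS <= 1.2 suite (OpenSSL name) to host:port.

    Returns True if the handshake completes, False if the server refuses
    it, None if the local OpenSSL build cannot offer that suite at all.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False          # testing negotiation, not identity
    ctx.verify_mode = ssl.CERT_NONE
    # set_ciphers() does not govern TLS 1.3 suites, so cap the version.
    ctx.maximum_version = ssl.TLSVersion.TLSv1_2
    try:
        # @SECLEVEL=0 lets the client offer suites its own policy would drop.
        ctx.set_ciphers(cipher + ":@SECLEVEL=0")
    except ssl.SSLError:
        return None
    with socket.create_connection((host, port), timeout=timeout) as raw:
        try:
            with ctx.wrap_socket(raw, server_hostname=host):
                return True
        except (ssl.SSLError, ConnectionError):
            return False                # alert or abrupt close during handshake


def audit_ciphers(host, port, allowed, candidates, probe=probe_cipher):
    """Compare what the listener accepts with the intended allow-list.

    Returns (unexpected, missing): suites accepted although not allowed,
    and allowed suites the listener refused. Untestable suites are skipped.
    """
    unexpected, missing = [], []
    for cipher in candidates:
        result = probe(host, port, cipher)
        if result is True and cipher not in allowed:
            unexpected.append(cipher)
        elif result is False and cipher in allowed:
            missing.append(cipher)
    return unexpected, missing


if __name__ == "__main__":
    # Constructed values: a broker on localhost:5671 and a sample allow-list.
    allowed = {"DHE-RSA-AES256-SHA", "AES256-SHA", "AES128-SHA"}
    candidates = sorted(allowed | {"DES-CBC3-SHA", "ECDHE-RSA-AES128-GCM-SHA256"})
    print(audit_ciphers("localhost", 5671, allowed, candidates))
```

An empty `unexpected` list means the listener refused every probed suite outside the allow-list; a non-empty `missing` list means an intended suite is not actually being served.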