Humm, so for our specific setup we added the following options to rabbitmq.config:<br><br>
<pre>
[
 {rabbit,[
   {tcp_listeners,[5672]},
   {ssl_listeners,[5671]},
   {ssl_options,[{cacertfile,&quot;/etc/rabbitmq/certs/ca-bundle.crt&quot;},
                 {certfile,&quot;/etc/rabbitmq/certs/rabbitmq.crt&quot;},
                 {keyfile,&quot;/etc/rabbitmq/certs/rabbitmq.key&quot;},
                 {verify,verify_none},
                 {fail_if_no_peer_cert,false}]},
   {ciphers,[{dhe_rsa,aes_256_cbc,sha},
             {dhe_dss,aes_256_cbc,sha},
             {rsa,aes_256_cbc,sha}]}
 ]},
 {rabbit, [{vm_memory_high_watermark, 0.5}]}
].
</pre>
<br>Our security compliance guy pointed his SAINT server at it and it returned a whole bunch of extra ciphers it claimed to support.<br><br>
<div>Supported ciphers:</div>
<pre>
RC4-MD5:TLSv1/SSLv3:128-bit
RC4-SHA:TLSv1/SSLv3:128-bit
DES-CBC-SHA:TLSv1/SSLv3:<b>56-bit</b>
DES-CBC3-SHA:TLSv1/SSLv3:168-bit
EDH-RSA-DES-CBC-SHA:TLSv1/SSLv3:<b>56-bit</b>
EDH-RSA-DES-CBC3-SHA:TLSv1/SSLv3:168-bit
AES128-SHA:TLSv1/SSLv3:128-bit
DHE-RSA-AES128-SHA:TLSv1/SSLv3:128-bit
AES256-SHA:TLSv1/SSLv3:256-bit
DHE-RSA-AES256-SHA:TLSv1/SSLv3:256-bit
</pre>
<br>Does our rabbitmq.config look wrong to you?<br><br>Thanks a billion!<br><br><div class="gmail_quote">On Wed, Jun 6, 2012 at 10:46 AM, Emile Joubert <span dir="ltr">&lt;<a href="mailto:emile@rabbitmq.com" target="_blank">emile@rabbitmq.com</a>&gt;</span> wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">Hi Mark,<br>
<div class="im"><br>
On 06/06/12 18:23, Mark Dotson wrote:<br>
&gt; log somewhere that X cipher was rejected.  In other words, is the only<br>
&gt; way to really test this to do a full connection test and watch the logs<br>
&gt; go by for cipher rejection or connection messages?<br>
<br>
</div>The configured value should constrain the advertised ciphers during<br>
negotiation, so you should be able to determine the effect easily by<br>
observing the advertisement. The amount of testing you perform should be<br>
dictated by the desired level of confidence.<br>
<br>
-Emile<br>
</blockquote></div><br>
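An added check, not from the thread, for the one thing visible in the posted config: the `ciphers` tuple sits beside `ssl_options` rather than inside it, and RabbitMQ hands only the contents of `ssl_options` to Erlang's `ssl` module, so a `ciphers` list anywhere else is never applied and the default suites keep being advertised, which is consistent with what the scanner reported. The small Erlang-term parser and `cipher_placement` function are mine and cover only the subset of term syntax a rabbitmq.config uses; the embedded config is a constructed copy of the one in the post.

```python
import re

# Constructed copy of the rabbitmq.config from the post (only whitespace differs).
POSTED_CONFIG = """
[{rabbit,[{tcp_listeners,[5672]},{ssl_listeners,[5671]},
  {ssl_options,[{cacertfile,"/etc/rabbitmq/certs/ca-bundle.crt"},
   {certfile,"/etc/rabbitmq/certs/rabbitmq.crt"},
   {keyfile,"/etc/rabbitmq/certs/rabbitmq.key"},{verify,verify_none},{fail_if_no_peer_cert,false}]},
  {ciphers,[{dhe_rsa,aes_256_cbc,sha},{dhe_dss,aes_256_cbc,sha},{rsa,aes_256_cbc,sha}]}]},
 {rabbit,[{vm_memory_high_watermark,0.5}]}].
"""
# Token classes for the subset of Erlang term syntax a rabbitmq.config uses.
TOKEN = re.compile(r'\s+|(?P<str>"[^"]*")|(?P<num>\d+(?:\.\d+)?)'
                   r'|(?P<atom>[a-z][A-Za-z0-9_@]*)|(?P<punct>[\[\]{},.])|(?P<bad>.)')

def parse(text):
    """Parse one Erlang term: list -> list, tuple -> tuple, atom/string -> str, number -> int/float."""
    toks = [(m.lastgroup, m.group()) for m in TOKEN.finditer(text) if m.lastgroup]
    if any(kind == 'bad' for kind, _ in toks):
        raise ValueError("unsupported syntax in config")
    i = 0
    def term():
        nonlocal i
        kind, val = toks[i]; i += 1
        if kind == 'punct' and val in '[{':          # list or tuple
            close, items = (']' if val == '[' else '}'), []
            while toks[i] != ('punct', close):
                items.append(term())
                if toks[i] == ('punct', ','):
                    i += 1
            i += 1                                   # consume the closer
            return items if close == ']' else tuple(items)
        if kind == 'num':
            return float(val) if '.' in val else int(val)
        return val[1:-1] if kind == 'str' else val    # strip quotes from strings
    result = term()
    assert toks[i:] == [('punct', '.')], "expected a single term terminated by '.'"
    return result

def cipher_placement(config):
    """Return (misplaced, effective): cipher lists directly under the rabbit app
    (never reach Erlang's ssl module) and those inside ssl_options (the enforced ones)."""
    misplaced, effective = [], []
    for app, env in config:
        if app == 'rabbit':
            env = dict(env)
            misplaced += env.get('ciphers', [])
            effective += dict(env.get('ssl_options', [])).get('ciphers', [])
    return misplaced, effective
```

Running `cipher_placement(parse(POSTED_CONFIG))` on the posted config reports all three suites as misplaced and none as effective; moving the `{ciphers,...}` tuple into `ssl_options` flips that result.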