Humm, so for our specific setup we added the following options to rabbitmq.config:<br><br>[<br>�{rabbit,[<br>�{tcp_listeners,[5672]},<br>�{ssl_listeners,[5671]},<br>�{ssl_options,[{cacertfile,"/<div id=":j">etc/rabbitmq/certs/ca-bundle.crt"},<br>
�{certfile,"/etc/rabbitmq/certs/rabbitmq.crt"},<br>�{keyfile,"/etc/rabbitmq/certs/rabbitmq.key"},<br>�{verify,verify_none},<br>�{fail_if_no_peer_cert,false}]},<br>�{ciphers,[{dhe_rsa,aes_256_cbc,sha},<br>
�{dhe_dss,aes_256_cbc,sha},<br>�{rsa,aes_256_cbc,sha}]}<br>�]},<br>{rabbit, [{vm_memory_high_watermark, 0.5}]}<br>].<br><br>Our security compliance guy pointed his saint server at it and it returned a whole bunch of extra ciphers it claimed to support.<br>
<br><div><span style="color:rgb(120,114,112);font-family:Verdana,sans-serif;font-size:13px;background-color:rgb(246,247,247)">Supported ciphers:�</span></div>
<div><span style="color:rgb(120,114,112);font-family:Verdana,sans-serif;font-size:13px;background-color:rgb(246,247,247)">RC4-MD5:TLSv1/SSLv3:128-bit�</span></div><div><span style="color:rgb(120,114,112);font-family:Verdana,sans-serif;font-size:13px;background-color:rgb(246,247,247)">RC4-SHA:TLSv1/SSLv3:128-bit�</span></div>
<div><span style="color:rgb(120,114,112);font-family:Verdana,sans-serif;font-size:13px;background-color:rgb(246,247,247)">DES-CBC-SHA:TLSv1/SSLv3:<b>56-bit�</b></span></div><div><span style="color:rgb(120,114,112);font-family:Verdana,sans-serif;font-size:13px;background-color:rgb(246,247,247)">DES-CBC3-SHA:TLSv1/SSLv3:168-bit�</span></div>
<div><span style="color:rgb(120,114,112);font-family:Verdana,sans-serif;font-size:13px;background-color:rgb(246,247,247)">EDH-RSA-DES-CBC-SHA:TLSv1/SSLv3:<b>56-bit�</b></span></div><div><span style="color:rgb(120,114,112);font-family:Verdana,sans-serif;font-size:13px;background-color:rgb(246,247,247)">EDH-RSA-DES-CBC3-SHA:TLSv1/SSLv3:168-bit�</span></div>
<div><span style="color:rgb(120,114,112);font-family:Verdana,sans-serif;font-size:13px;background-color:rgb(246,247,247)">AES128-SHA:TLSv1/SSLv3:128-bit�</span></div><div><span style="color:rgb(120,114,112);font-family:Verdana,sans-serif;font-size:13px;background-color:rgb(246,247,247)">DHE-RSA-AES128-SHA:TLSv1/SSLv3:128-bit�</span></div>
<div><span style="color:rgb(120,114,112);font-family:Verdana,sans-serif;font-size:13px;background-color:rgb(246,247,247)">AES256-SHA:TLSv1/SSLv3:256-bit�</span></div><div><span style="color:rgb(120,114,112);font-family:Verdana,sans-serif;font-size:13px;background-color:rgb(246,247,247)">DHE-RSA-AES256-SHA:TLSv1/SSLv3:256-bit<br>
<br><span style="background-color:rgb(255,255,255);color:rgb(0,0,0)">Does our rabbitmq.config look wrong to you?<br><br>Thanks a billion!</span></span></div></div><br><br><div class="gmail_quote">On Wed, Jun 6, 2012 at 10:46 AM, Emile Joubert <span dir="ltr"><<a href="mailto:emile@rabbitmq.com" target="_blank">emile@rabbitmq.com</a>></span> wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">Hi Mark,<br>
<div class="im"><br>
On 06/06/12 18:23, Mark Dotson wrote:<br>
> log somewhere that X cipher was rejected. �In other words, is the only<br>
> way to really test this to do a full connection test and watch the logs<br>
> go by for cipher rejection or connection messages?<br>
<br>
</div>The configured value should constrain the advertised ciphers during<br>
negotiation, so you should be able to determine the effect easily by<br>
observing the advertisement. The amount of testing you perform should be<br>
dictated by the desired level of confidence.<br>
<span class="HOEnZb"><font color="#888888"><br>
-Emile<br>
<br>
<br>
</font></span></blockquote></div><br>