[rabbitmq-discuss] RabbitMQ shovel with SSL

Simon MacMullen simon at rabbitmq.com
Tue May 24 11:28:24 BST 2011


On 24/05/11 07:11, Mihir Mone wrote:
> I have a problem with configuring RabbitMQ shovel over SSL.
>
> On our internal network the exact same configuration works. But when I
> try to connect from outside the office, I get “insufficient security”
> errors!

Hi Mihir.

We haven't seen this error before. However, looking at the OTP source 
this appears to mean that client and server were unable to negotiate an 
acceptable cipher suite to use. The fact that it works from inside the 
office makes me wonder if you have some dubious proxy that is 
intercepting SSL connections and re-establishing them (with worse 
security?). I think you could provoke this error without a proxy by 
changing the 'ciphers' option in ssl_options to incompatible settings at 
both ends, but I assume you're not doing that.

I'm afraid you need to get WireShark out to see what cipher suites are 
being offered by the client - we don't get to see what happens during 
negotiation. For reference, you can check the agreed suite after 
successful negotiation by adding the ssl_* columns to rabbitmqctl 
list_connections or looking at the management plugin connection details 
page.

Cheers, Simon

-- 
Simon MacMullen
Staff Engineer, RabbitMQ
SpringSource, a division of VMware
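
The cipher suite comparison described in the reply above, as an added example that is not part of the original message or of RabbitMQ's code: it parses one raw ClientHello record, as exported from a packet capture, and intersects the offered suites with the list the server accepts. The function names, the sample ClientHello bytes and the server suite list are constructed for illustration.

```python
import struct

# Constructed name table using IANA-registered ids; others are shown as hex.
SUITE_NAMES = {
    0x0003: "TLS_RSA_EXPORT_WITH_RC4_40_MD5",
    0x0004: "TLS_RSA_WITH_RC4_128_MD5",
    0x0005: "TLS_RSA_WITH_RC4_128_SHA",
    0x002F: "TLS_RSA_WITH_AES_128_CBC_SHA",
    0x0035: "TLS_RSA_WITH_AES_256_CBC_SHA",
}

def offered_suites(record: bytes) -> list:
    """Return the cipher suite ids offered in one TLS ClientHello record."""
    try:
        rtype, _version, rlen = struct.unpack("!BHH", record[:5])
        body = record[5:5 + rlen]
        if rtype != 0x16 or len(body) != rlen or body[0] != 0x01:
            raise ValueError("not a complete ClientHello handshake record")
        pos = 4 + 2 + 32                 # handshake header, client_version, random
        pos += 1 + body[pos]             # session_id length byte + session_id
        (n,) = struct.unpack("!H", body[pos:pos + 2])
        raw = body[pos + 2:pos + 2 + n]
        if n % 2 or len(raw) != n:
            raise ValueError("bad cipher_suites length")
    except (struct.error, IndexError):
        raise ValueError("truncated ClientHello") from None
    return [s for (s,) in struct.iter_unpack("!H", raw)]

def negotiable(record: bytes, server_suites) -> list:
    """Suites both ends accept, in client preference order; empty means no handshake."""
    allowed = set(server_suites)
    return [s for s in offered_suites(record) if s in allowed]

def name(suite: int) -> str:
    return SUITE_NAMES.get(suite, f"0x{suite:04X}")

def build_sample_hello(suites) -> bytes:
    """Constructed input: a minimal TLS 1.0 ClientHello without extensions."""
    cs = b"".join(struct.pack("!H", s) for s in suites)
    hello = (b"\x03\x01" + bytes(32) + b"\x00"
             + struct.pack("!H", len(cs)) + cs + b"\x01\x00")
    handshake = b"\x01" + len(hello).to_bytes(3, "big") + hello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake

if __name__ == "__main__":
    server = [0x002F, 0x0035]            # assumed server-side 'ciphers' setting
    for label, offer in (("inside", [0x0035, 0x002F, 0x0005]),
                         ("outside", [0x0004, 0x0003])):
        common = negotiable(build_sample_hello(offer), server)
        print(label, [name(s) for s in common] or "no common suite")
```

Running the same comparison on a ClientHello captured inside the office and one captured outside shows whether the offered list changes in transit.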


