[rabbitmq-discuss] Restriction to specific ciphers for ssl communications

Mark Dotson mastamark at gmail.com
Thu Jun 7 18:41:33 BST 2012


Humm, so for our specific setup we added the following options to
rabbitmq.config:

[
 {rabbit, [
  {tcp_listeners, [5672]},
  {ssl_listeners, [5671]},
  {ssl_options, [{cacertfile, "/etc/rabbitmq/certs/ca-bundle.crt"},
                 {certfile, "/etc/rabbitmq/certs/rabbitmq.crt"},
                 {keyfile, "/etc/rabbitmq/certs/rabbitmq.key"},
                 {verify, verify_none},
                 {fail_if_no_peer_cert, false}]},
  {ciphers, [{dhe_rsa, aes_256_cbc, sha},
             {dhe_dss, aes_256_cbc, sha},
             {rsa, aes_256_cbc, sha}]}
 ]},
 {rabbit, [{vm_memory_high_watermark, 0.5}]}
].

Our security compliance guy pointed his saint server at it and it returned
a whole bunch of extra ciphers it claimed to support.

Supported ciphers:
RC4-MD5:TLSv1/SSLv3:128-bit
RC4-SHA:TLSv1/SSLv3:128-bit
DES-CBC-SHA:TLSv1/SSLv3:*56-bit *
DES-CBC3-SHA:TLSv1/SSLv3:168-bit
EDH-RSA-DES-CBC-SHA:TLSv1/SSLv3:*56-bit *
EDH-RSA-DES-CBC3-SHA:TLSv1/SSLv3:168-bit
AES128-SHA:TLSv1/SSLv3:128-bit
DHE-RSA-AES128-SHA:TLSv1/SSLv3:128-bit
AES256-SHA:TLSv1/SSLv3:256-bit
DHE-RSA-AES256-SHA:TLSv1/SSLv3:256-bit

Does our rabbitmq.config look wrong to you?

Thanks a billion!


On Wed, Jun 6, 2012 at 10:46 AM, Emile Joubert <emile at rabbitmq.com> wrote:

> Hi Mark,
>
> On 06/06/12 18:23, Mark Dotson wrote:
> > log somewhere that X cipher was rejected.  In other words, is the only
> > way to really test this to do a full connection test and watch the logs
> > go by for cipher rejection or connection messages?
>
> The configured value should constrain the advertised ciphers during
> negotiation, so you should be able to determine the effect easily by
> observing the advertisement. The amount of testing you perform should be
> dictated by the desired level of confidence.
>
> -Emile
>
>
>
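Editor's added example (not the poster's file and not RabbitMQ project code): in the configuration quoted above, the `]}` at the end of the `{fail_if_no_peer_cert,false}` line closes the `ssl_options` list, so `{ciphers, ...}` ends up as a sibling of `ssl_options` in the `rabbit` application environment, where RabbitMQ never reads it. Erlang's `ssl` module only honours `ciphers` when it is an entry inside `ssl_options`, which is why the scanner still saw RC4, single DES, 3DES and AES-128 suites being offered. The file below keeps the poster's paths and intended allowlist and moves the cipher list to where it takes effect; it also merges the second `{rabbit, ...}` entry into the first, which is an editorial tidy-up rather than something the post calls for.

```erlang
%% Added example: a corrected rabbitmq.config. Paths and the three
%% intended cipher suites are taken from the post; nothing else is
%% assumed about the poster's environment.
[
 {rabbit, [
   {tcp_listeners, [5672]},
   {ssl_listeners, [5671]},
   {ssl_options, [
     {cacertfile, "/etc/rabbitmq/certs/ca-bundle.crt"},
     {certfile,   "/etc/rabbitmq/certs/rabbitmq.crt"},
     {keyfile,    "/etc/rabbitmq/certs/rabbitmq.key"},
     {verify, verify_none},
     {fail_if_no_peer_cert, false},
     %% The allowlist must sit INSIDE ssl_options. Only these three
     %% suites are then advertised; RC4, DES, 3DES and AES-128 offers
     %% from a client are refused during the handshake.
     {ciphers, [{dhe_rsa, aes_256_cbc, sha},
                {dhe_dss, aes_256_cbc, sha},
                {rsa,     aes_256_cbc, sha}]}
   ]},
   %% Merged from the separate {rabbit, ...} tuple in the original post.
   {vm_memory_high_watermark, 0.5}
 ]}
].
```

After restarting the broker, the check Emile describes (observing the advertisement) can be done without a full scanner run: `openssl s_client -connect host:5671 -cipher RC4-MD5` should now fail the handshake, while `openssl s_client -connect host:5671 -cipher DHE-RSA-AES256-SHA` should complete it. Note that `verify_none` together with `fail_if_no_peer_cert = false` is kept exactly as the poster had it: it means the broker does not authenticate client certificates, which is a separate setting from the cipher restriction and worth an explicit decision of its own.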