Support for ciphers list in ssl_config

[laurentluce]

I am using RabbitMQ 3.6.12 with the web-stomp interface and I am not able to apply a ciphers list.

Ciphers list was taken from the Erlang command line and pasted in the RabbitMQ configuration file.

{ssl_config, [{port,     9451},
                   {backlog,    1024},
                   {recbuf, 32768},
                   {sndbuf, 32768},
                   {cacertfile, "/etc/rabbitmq/ssl/cacert.pem"},
                   {certfile, "/etc/rabbitmq/ssl/server.pem"},
                   {keyfile, "/etc/rabbitmq/ssl/server.key"},
                   {versions, ['tlsv1.2', 'tlsv1.1']},
                   {dhfile, "/etc/rabbitmq/ssl/dh-params.pem"},
                   {ciphers,  [
                     {ecdhe_ecdsa,aes_256_gcm,null,sha384},
                     {ecdhe_rsa,aes_256_gcm,null,sha384},
                     {ecdhe_ecdsa,aes_256_cbc,sha384,sha384},
                     {ecdhe_rsa,aes_256_cbc,sha384,sha384},
                     {ecdh_ecdsa,aes_256_gcm,null,sha384},
                     {ecdh_rsa,aes_256_gcm,null,sha384},
                     {ecdh_ecdsa,aes_256_cbc,sha384,sha384},
                     {ecdh_rsa,aes_256_cbc,sha384,sha384},
                     {dhe_rsa,chacha20_poly1305,null,sha256},
                     {dhe_rsa,aes_256_gcm,null,sha384},
                     {dhe_dss,aes_256_gcm,null,sha384},
                     {dhe_rsa,aes_256_cbc,sha256},
                     {dhe_dss,aes_256_cbc,sha256},
                     {rsa,aes_256_gcm,null,sha384},
                     {rsa,aes_256_cbc,sha256},
                     {ecdhe_ecdsa,aes_128_gcm,null,sha256},
                     {ecdhe_rsa,aes_128_gcm,null,sha256},
                     {ecdhe_ecdsa,aes_128_cbc,sha256,sha256},
                     {ecdhe_rsa,aes_128_cbc,sha256,sha256},
                     {ecdh_ecdsa,aes_128_gcm,null,sha256},
                     {ecdh_rsa,aes_128_gcm,null,sha256},
                     {ecdh_ecdsa,aes_128_cbc,sha256,sha256},
                     {ecdh_rsa,aes_128_cbc,sha256,sha256},
                     {dhe_rsa,aes_128_gcm,null,sha256},
                     {dhe_dss,aes_128_gcm,null,sha256},
                     {dhe_rsa,aes_128_cbc,sha256},
                     {dhe_dss,aes_128_cbc,sha256},
                     {rsa,aes_128_gcm,null,sha256},
                     {rsa,aes_128_cbc,sha256},
                     {ecdhe_ecdsa,aes_256_cbc,sha},
                     {ecdhe_rsa,aes_256_cbc,sha},
                     {dhe_rsa,aes_256_cbc,sha},
                     {dhe_dss,aes_256_cbc,sha},
                     {ecdh_ecdsa,aes_256_cbc,sha},
                     {ecdh_rsa,aes_256_cbc,sha},
                     {rsa,aes_256_cbc,sha},
                     {ecdhe_ecdsa,aes_128_cbc,sha},
                     {ecdhe_rsa,aes_128_cbc,sha},
                     {dhe_rsa,aes_128_cbc,sha},
                     {dhe_dss,aes_128_cbc,sha},
                     {ecdh_ecdsa,aes_128_cbc,sha},
                     {ecdh_rsa,aes_128_cbc,sha},
                     {rsa,aes_128_cbc,sha}]}
                  ]}

When I try to use one of the supported ecdhe ciphers to connect to the web-stomp SSL port, it fails:

curl -v -k --ciphers ecdhe_rsa_aes_256_gcm_sha_384 https://cd3-sse-msg-rabbitmq:9451/ws
* About to connect() to cd3-sse-msg-rabbitmq port 9451 (#0)
*   Trying 10.254.30.140...
* Connected to cd3-sse-msg-rabbitmq (10.254.30.140) port 9451 (#0)
* Initializing NSS with certpath: sql:/etc/pki/nssdb
* NSS error -12189 (SSL_ERROR_INSUFFICIENT_SECURITY_ALERT)
* Server requires ciphers more secure than those supported by client.
* Closing connection 0
curl: (35) Server requires ciphers more secure than those supported by client.

I can only use few RSA ciphers.

RabbitMQ status

[{pid,353},
 {running_applications,
     [{rabbitmq_web_stomp,"Rabbit WEB-STOMP - WebSockets to Stomp adapter",
          "3.6.12"},
      {rabbitmq_stomp,"RabbitMQ STOMP plugin","3.6.12"},
      {rabbitmq_management,"RabbitMQ Management Console","3.6.12"},
      {amqp_client,"RabbitMQ AMQP Client","3.6.12"},
      {rabbitmq_web_dispatch,"RabbitMQ Web Dispatcher","3.6.12"},
      {rabbitmq_management_agent,"RabbitMQ Management Agent","3.6.12"},
      {autocluster,
          "Forms RabbitMQ clusters using a variety of backends (AWS EC2, DNS, Consul, Kubernetes, etc)",
          "0.8.0"},
      {rabbit,"RabbitMQ","3.6.12"},
      {mnesia,"MNESIA  CXC 138 12","4.14.3"},
      {rabbit_common,
          "Modules shared by rabbitmq-server and rabbitmq-erlang-client",
          "3.6.12"},
      {os_mon,"CPO  CXC 138 46","2.4.2"},
      {rabbitmq_aws,
          "A minimalistic AWS API interface used by rabbitmq-autocluster (3.6.x) and other RabbitMQ plugins",
          "3.6.11.milestone1"},
      {cowboy,"Small, fast, modular HTTP server.","1.0.4"},
      {ranch,"Socket acceptor pool for TCP protocols.","1.3.0"},
      {ssl,"Erlang/OTP SSL application","8.1.1"},
      {public_key,"Public key infrastructure","1.4"},
      {sockjs,"SockJS","0.3.4"},
      {xmerl,"XML parser","1.3.13"},
      {compiler,"ERTS  CXC 138 10","7.0.4"},
      {asn1,"The Erlang ASN1 compiler version 4.0.4","4.0.4"},
      {cowlib,"Support library for manipulating Web protocols.","1.0.2"},
      {crypto,"CRYPTO","3.7.3"},
      {syntax_tools,"Syntax tools","2.1.1"},
      {inets,"INETS  CXC 138 49","6.3.6"},
      {sasl,"SASL  CXC 138 11","3.0.3"},
      {stdlib,"ERTS  CXC 138 10","3.3"},
      {kernel,"ERTS  CXC 138 10","5.2"}]},
 {os,{unix,linux}},
 {erlang_version,
     "Erlang/OTP 19 [erts-8.3] [source] [64-bit] [smp:2:2] [async-threads:64] [kernel-poll:true]\n"},
 {memory,
     [{connection_readers,0},
      {connection_writers,0},
      {connection_channels,0},
      {connection_other,145656},
      {queue_procs,43784},
      {queue_slave_procs,78920},
      {plugins,1246256},
      {other_proc,21724888},
      {metrics,199152},
      {mgmt_db,209640},
      {mnesia,207944},
      {other_ets,2766856},
      {binary,358936},
      {msg_index,51880},
      {code,25426466},
      {atom,1041593},
      {other_system,9402333},
      {total,1024}]},
 {alarms,[]},
 {listeners,
     [{clustering,25672,"::"},
      {http,9450,"0.0.0.0"},
      {'http/web-stomp',15674,"0.0.0.0"},
      {'https/web-stomp',9451,"0.0.0.0"}]},
 {vm_memory_calculation_strategy,rss},
 {vm_memory_high_watermark,0.75},
 {vm_memory_limit,6277665792},
 {disk_free_limit,50000000},
 {disk_free,11928408064},
 {file_descriptors,
     [{total_limit,8092},
      {total_used,3},
      {sockets_limit,7280},
      {sockets_used,1}]},
 {processes,[{limit,1048576},{used,381}]},
 {run_queue,0},
 {uptime,2155},
 {kernel,{net_ticktime,60}}]

[michaelklishin]

Thank you for your time.

Team RabbitMQ uses GitHub issues for specific actionable items engineers can work on. This assumes two things:

1. GitHub issues are not used for questions, investigations, root cause analysis, discussions of potential issues, etc (as defined by this team)
2. We have a certain amount of information to work with

We get at least a dozen of questions through various venues every single day, often quite light on details. At that rate GitHub issues can very quickly turn into a something impossible to navigate and make sense of even for our team. Because of that questions, investigations, root cause analysis, discussions of potential features are all considered to be mailing list material by our team. Please post this to rabbitmq-users.

Getting all the details necessary to reproduce an issue, make a conclusion or even form a hypothesis about what's happening can take a fair amount of time. Our team is multiple orders of magnitude smaller than the RabbitMQ community. Please help others help you by providing a way to reproduce the behavior you're observing, or at least sharing as much relevant information as possible on the list:

• Server, client library and plugin (if applicable) versions used
• Server logs
• A code example or terminal transcript that can be used to reproduce
• Full exception stack traces (not a single line message)
• rabbitmqctl status (and, if possible, rabbitmqctl environment output)
• Other relevant things about the environment and workload, e.g. a traffic capture

Feel free to edit out hostnames and other potentially sensitive information.

When/if we have enough details and evidence we'd be happy to file a new issue.

Thank you.

[michaelklishin]

@laurentluce please post your questions to rabbitmq-users. Our team has asked for that several times in the past. Thank you.

[michaelklishin]

Server requires ciphers more secure than those supported by client

suggests that the issue is not on the server end. Either relax the list of cipher suites in the config or upgrade your clients/curl/OpenSSL.