Open jaredledvina opened 6 years ago
This limitation is from EventMachine itself, the Ruby C++ reactor. The JRuby reactor (used by Sensu Enterprise) supports additional ciphers, due to its Java implementation.
Sensu 2.0 supports the following ecdhe ciphers, https://golang.org/pkg/crypto/tls/#pkg-constants 🎉
@portertech - Cool, I figured as such. I did just a bit more digging this morning; it looks like maybe EventMachine v1.2.0 added some support here: https://github.com/eventmachine/eventmachine/releases/tag/v1.2.0 and then, if I understand the dependencies correctly, Sensu is on eventmachine v1.2.5: https://github.com/sensu/sensu/blob/master/sensu.gemspec#L14
Is there any chance these ciphers can easily be supported w/ Sensu 1.x?
any news?
Just in case anyone else stumbles upon this post while looking for a solution to the above-mentioned RabbitMQ error:
TLS server: In state hello at tls_handshake.erl:204 generated SERVER ALERT: Fatal - Insufficient Security - no_suitable_ciphers
Make sure to add the ciphers block to the rabbitmq.config (thanks @jaredledvina for the list):
[
  {rabbit, [
    {ssl_listeners, [5671]},
    {ssl_options, [{cacertfile,"/etc/rabbitmq/ssl/cacert.pem"},
                   {certfile,"/etc/rabbitmq/ssl/cert.pem"},
                   {keyfile,"/etc/rabbitmq/ssl/key.pem"},
                   {verify,verify_peer},
                   {ciphers, [
                     {rsa,aes_256_cbc,sha256},
                     {rsa,aes_256_gcm,null,sha384}
                   ]},
                   {fail_if_no_peer_cert,true}]}
  ]}
].
Expanding on @Igorshp's comment, the RabbitMQ docs have some good info on configuring ciphers and TLS versions: https://www.rabbitmq.com/ssl.html
For anyone using the new format on RabbitMQ, for the cipher changes you need to add:
ssl_options.ciphers.1 = AES256-SHA256
ssl_options.ciphers.2 = AES256-GCM-SHA384
ssl_options.honor_cipher_order = true
ssl_options.honor_ecc_order = true
That solved the issue for me on RabbitMQ 3.7.12 and Erlang 21.2.6.
More info: https://www.rabbitmq.com/ssl.html#cipher-suites
Cipher correspondence table: https://github.com/erlang/otp/wiki/Cipher-suite-correspondence-table
Currently, I can configure my RabbitMQ instances with TLS 1.2 and the cipher option {rsa,aes_256_cbc,sha256} and/or {rsa,aes_256_gcm,null,sha384}, and the Sensu server/client can connect without issue. However, when I attempt to use any of the ecdhe ciphers, while RabbitMQ starts up fine, the Sensu server/clients fail to connect and RabbitMQ logs:
RabbitMQ: 3.7.4
Erlang: 20.2.3 (via the RabbitMQ RPMs here: https://packagecloud.io/rabbitmq/erlang)
Sensu: 1.2.1 (using the embedded Ruby)
OS: CentOS 7
I assume the Sensu SSL support is coming from EventMachine itself? Although maybe it's actually from https://github.com/ruby-amqp/amq. I could use some help/advice in pinning down what actually is determining which ciphers are supported. I've also dumped my server's available RabbitMQ & OpenSSL ciphers: https://gist.github.com/jaredledvina/cfa0be0ec5b598f0870e54fd29297c6a. My ideal goal here is to configure RabbitMQ for TLS 1.2 only and only have the cipher config {ecdhe_rsa,aes_256_cbc,sha384,sha384} enabled. As always, I'm more than happy to provide any additional information that might help here!
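Added example (not code from this thread, Sensu, RabbitMQ or EventMachine): it converts the Erlang cipher tuples quoted in this issue into the OpenSSL suite names that the new-format rabbitmq.conf and OpenSSL-based clients use, following the correspondence table linked above, and then asks the OpenSSL library that this Ruby is linked against whether it offers those suites. The mapping tables and the function names are assumptions of mine; the tuples used as input are the ones discussed in the thread.

```ruby
require 'openssl'

# Erlang/RabbitMQ tuple parts -> OpenSSL name parts. Subset covering the
# suites discussed in this thread; extend from the OTP correspondence table.
KEY_EXCHANGE = {
  'rsa' => nil, 'ecdhe_rsa' => 'ECDHE-RSA',
  'ecdhe_ecdsa' => 'ECDHE-ECDSA', 'dhe_rsa' => 'DHE-RSA'
}.freeze
BULK_CIPHER = {
  'aes_128_cbc' => 'AES128', 'aes_256_cbc' => 'AES256',
  'aes_128_gcm' => 'AES128-GCM', 'aes_256_gcm' => 'AES256-GCM',
  'chacha20_poly1305' => 'CHACHA20-POLY1305'
}.freeze
HASH_ALG = { 'sha' => 'SHA', 'sha256' => 'SHA256', 'sha384' => 'SHA384' }.freeze

# "{rsa,aes_256_gcm,null,sha384}" -> "AES256-GCM-SHA384"
# "{ecdhe_rsa,aes_256_cbc,sha384,sha384}" -> "ECDHE-RSA-AES256-SHA384"
def erlang_tuple_to_openssl(tuple)
  kx, cipher, mac, prf = tuple.delete('{} ').split(',')
  raise ArgumentError, "unknown key exchange: #{kx}" unless KEY_EXCHANGE.key?(kx)
  # AEAD suites (GCM, ChaCha20) carry a null MAC; the OpenSSL name then
  # ends in the PRF hash (4th element) instead of the MAC (3rd element).
  hash = mac == 'null' ? prf : mac
  [KEY_EXCHANGE[kx], BULK_CIPHER.fetch(cipher), HASH_ALG.fetch(hash)].compact.join('-')
end

# For each tuple, true if the OpenSSL this Ruby links against offers the
# suite in a default SSLContext. EventMachine has its own C++ binding to
# libssl, so treat this as an approximation of what Sensu will negotiate:
# a suite absent here is certainly not available to the embedded Ruby.
def openssl_offers(tuples)
  offered = OpenSSL::SSL::SSLContext.new.ciphers.map(&:first)
  tuples.to_h { |t| [t, offered.include?(erlang_tuple_to_openssl(t))] }
end

if __FILE__ == $PROGRAM_NAME
  suites = ['{rsa,aes_256_cbc,sha256}', '{rsa,aes_256_gcm,null,sha384}',
            '{ecdhe_rsa,aes_256_cbc,sha384,sha384}']
  openssl_offers(suites).each do |tuple, ok|
    puts "#{tuple.ljust(42)} #{erlang_tuple_to_openssl(tuple).ljust(28)} #{ok ? 'offered' : 'MISSING'}"
  end
end
```

Running this with the embedded Ruby that Sensu ships (rather than a system Ruby) shows which of the configured suites that OpenSSL build can offer at all; a RabbitMQ ciphers list that shares no entry with that output is exactly what produces the no_suitable_ciphers alert quoted above.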