How to disable SSL v3.0 in RabbitMQ


Michael Klishin

Oct 19, 2014, 9:20:34 AM10/19/14
to rabbitm...@googlegroups.com
You probably have heard of the POODLE attack on SSL v3.0 [1]. The only short-term solution
is disabling SSL v3.0 support on the server end. For RabbitMQ, this can be done
with a little bit of configuration. We've put together an example that demonstrates
how that's done [2].

A future version will disable SSL v3.0 by default. The docs will be updated shortly as well.

1. https://www.openssl.org/~bodo/ssl-poodle.pdf
2. https://gist.github.com/michaelklishin/3f47bae850bdd9f1a79a
--
MK

Staff Software Engineer, Pivotal/RabbitMQ
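For reference, a `rabbitmq.config` fragment (classic Erlang-term format) that pins the AMQP TLS listener to TLS 1.0 and above so that SSLv3 can never be negotiated. This is an added illustration, not the gist linked above; the certificate paths are placeholders.

```erlang
%% rabbitmq.config: restrict the TLS listener to TLS 1.0+ (SSLv3 excluded).
%% Added example, not the linked gist; certificate paths are placeholders.
[
 {rabbit, [
   {ssl_listeners, [5671]},
   {ssl_options, [
     {cacertfile, "/path/to/ca_certificate.pem"},
     {certfile,   "/path/to/server_certificate.pem"},
     {keyfile,    "/path/to/server_key.pem"},
     %% Explicit whitelist of protocol versions the listener may offer.
     %% Without this key the Erlang ssl application's default list applies;
     %% naming the versions is what keeps sslv3 out of the handshake.
     {versions, ['tlsv1.2', 'tlsv1.1', tlsv1]},
     {verify, verify_peer},
     {fail_if_no_peer_cert, false}
   ]}
 ]}
].
```

After restarting the node, `openssl s_client -connect <host>:5671 -ssl3` should fail to complete a handshake, while `-tls1` and above succeed.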

jayashree gn

Nov 20, 2014, 3:48:44 PM11/20/14
to Michael Klishin, rabbitm...@googlegroups.com
Hey Guys,
I am going back and forth on the documentation, but I just want to double check to be sure before I update the version of RabbitMQ on production.

I have clusters running on:
RabbitMQ 3.3.1
Erlang R14B04

I am going to update the RabbitMQ version to 3.4.0, which according to the change log has SSLv3 disabled.
But I still have Erlang version R14B04.

Is this okay, or do I have to update the Erlang version as well to get the POODLE fix?

Thanks!



Michael Klishin

Nov 20, 2014, 6:20:35 PM11/20/14
to jayashree gn, rabbitm...@googlegroups.com
On 20 November 2014 at 20:48:32, jayashree gn (jaish...@gmail.com) wrote:
> I have clusters running on:
> RabbitMQ 3.3.1
> Erlang R14B04
>
> I am going to update the RabbitMQ version to 3.4.0, which according
> to the change log has SSLv3 disabled.
> But I still have Erlang version R14B04.
>
> Is this okay, or do I have to update the Erlang version as well to
> get the POODLE fix?

We now require R16B03 for TLS, with 17.1 or 17.3 being highly recommended,
regardless of whether you upgrade to 3.4.x or not.

It may be easier to first upgrade Erlang.

jayashree gn

Nov 24, 2014, 4:25:21 PM11/24/14
to Michael Klishin, rabbitm...@googlegroups.com
Hi MK,
So I was trying to install Erlang as you suggested, but I will not be able to do this on production with zero downtime.
Further reading on the install steps got me here, which suggests that the Debian install of rabbitmq-server gets an R14* version of Erlang by default. And because I use Chef to install rabbitmq-server, subsequent runs will override the Erlang version even after I update it.

It would be really helpful if there was a reference in the documentation for the POODLE security updates which mentions that the Erlang update is a dependency of the RabbitMQ version update for turning off SSLv3.
Or, if I am missing this reference on the site, could you please point me to the right place?

Thank you!

Michael Klishin

Nov 24, 2014, 4:35:36 PM11/24/14
to jayashree gn, rabbitm...@googlegroups.com
On 25 November 2014 at 00:25:20, jayashree gn (jaish...@gmail.com) wrote:
> So I was trying to install Erlang as you suggested, but I will
> not be able to do this on production with zero downtime.
> Further reading on the install steps got me here, which suggests
> that the Debian install of rabbitmq-server gets an R14* version
> of Erlang by default. And because I use Chef to install rabbitmq-server,
> subsequent runs will override the Erlang version even
> after I update it.
> http://blog.eriksen.com.br/en/how-install-rabbitmq-latest-erlang-release-debian

The RabbitMQ Debian package will use the version of Erlang you have, if it meets
a certain minimum requirement. You can get the newest one from

https://www.erlang-solutions.com/downloads/download-erlang-otp

> It would be really helpful if there was a reference in the documentation
> for the POODLE security updates which mentions that the Erlang update
> is a dependency of the RabbitMQ version update for turning off SSLv3.
> Or, if I am missing this reference on the site, could you please
> point me to the right place?

http://www.rabbitmq.com/ssl.html should mention the minimum required version for TLS
and the SSLv3/POODLE mitigation options.

Simon MacMullen

Nov 25, 2014, 4:32:29 AM11/25/14
to Michael Klishin, jayashree gn, rabbitm...@googlegroups.com
On 24/11/2014 21:35, Michael Klishin wrote:
> http://www.rabbitmq.com/ssl.html should mention the minimum required version for TLS
> and the SSLv3/POODLE mitigation options.

It does, here: http://www.rabbitmq.com/ssl.html#old-erlang

Cheers, Simon