Option to set curves on port 5671

Lal

unread,

Feb 20, 2020, 3:54:09 PM2/20/20

to rabbitmq-users

We want to remove couple of unapproved curves for the port 5671. we want to restrict the curves to prime256v1,secp384r1,secp521r1 only.

prio  ciphersuite                  protocols  pfs                 curves
1     ECDHE-RSA-AES256-GCM-SHA384  TLSv1.2    ECDH,B-571,570bits  sect163k1,sect163r1,sect163r2,sect193r1,sect193r2,sect233k1,sect233r1,sect239k1,sect283k1,sect283r1,sect409k1,sect409r1,sect571k1,sect571r1,secp160k1,secp160r1,secp160r2,secp192k1,prime192v1,secp224k1,secp224r1,secp256k1,prime256v1,secp384r1,secp521r1,brainpoolP256r1,brainpoolP384r1,brainpoolP512r1
2     ECDHE-RSA-AES256-SHA384      TLSv1.2    ECDH,B-571,570bits  sect163k1,sect163r1,sect163r2,sect193r1,sect193r2,sect233k1,sect233r1,sect239k1,sect283k1,sect283r1,sect409k1,sect409r1,sect571k1,sect571r1,secp160k1,secp160r1,secp160r2,secp192k1,prime192v1,secp224k1,secp224r1,secp256k1,prime256v1,secp384r1,secp521r1,brainpoolP256r1,brainpoolP384r1,brainpoolP512r1
3     ECDHE-RSA-AES128-GCM-SHA256  TLSv1.2    ECDH,B-571,570bits  sect163k1,sect163r1,sect163r2,sect193r1,sect193r2,sect233k1,sect233r1,sect239k1,sect283k1,sect283r1,sect409k1,sect409r1,sect571k1,sect571r1,secp160k1,secp160r1,secp160r2,secp192k1,prime192v1,secp224k1,secp224r1,secp256k1,prime256v1,secp384r1,secp521r1,brainpoolP256r1,brainpoolP384r1,brainpoolP512r1
4     ECDHE-RSA-AES128-SHA256      TLSv1.2    ECDH,B-571,570bits  sect163k1,sect163r1,sect163r2,sect193r1,sect193r2,sect233k1,sect233r1,sect239k1,sect283k1,sect283r1,sect409k1,sect409r1,sect571k1,sect571r1,secp160k1,secp160r1,secp160r2,secp192k1,prime192v1,secp224k1,secp224r1,secp256k1,prime256v1,secp384r1,secp521r1,brainpoolP256r1,brainpoolP384r1,brainpoolP512r1

Certificate: untrusted, 2048 bits, sha256WithRSAEncryption signature
TLS ticket lifetime hint: None
NPN protocols: None
OCSP stapling: not supported
Cipher ordering: server
Curves ordering: client - fallback: no
Server supports secure renegotiation
Server supported compression methods: NONE
TLS Tolerance: yes

Intolerance to:
 SSL 3.254           : absent
 TLS 1.0             : PRESENT
 TLS 1.1             : PRESENT
 TLS 1.2             : absent
 TLS 1.3             : absent
 TLS 1.4             : absent

RabbitMQ version: 3.6.11

Erlang/OTP 20 [erts-9.2]

Do we any option to specify it through configuration?

Luke Bakken

unread,

Feb 20, 2020, 4:59:23 PM2/20/20

to rabbitmq-users

Hello,

First, ensure you're using the latest version of RabbitMQ and Erlang. The versions you have are old enough that whatever TLS bugs have been fixed are far more serious than what encryption algorithms / curves you use.

Then, after updating, read this - https://www.rabbitmq.com/ssl.html#cipher-suites

Thanks,

Luke

Peter Sutty

unread,

Jun 23, 2022, 5:56:29 AM6/23/22

to rabbitmq-users

Hey,

check this out:
{eccs, ['sect571k1','secp521r1','brainpoolP512r1']},

I have to admit, it was a loong search :)

Peter

Reply all

Reply to author

Forward