Dan Thorson
Jul 31, 2023, 3:15:11 PM
to rabbitmq-users
Hello,
I need to enable weak RSA-PSK support in RabbitMQ - we have older IoT devices that don't support the latest ciphers, which need to connect to RabbitMQ (via the MQTT Plugin). Setting the ssl_options.ciphers.X in rabbitmq.conf is not working. TLS/SSL is working fine with the available cipher_suites.
I have confirmed that the ciphers are available to RabbitMQ, but not enabled:
# diff <(rabbitmq-diagnostics cipher_suites --format openssl -q) <(rabbitmq-diagnostics cipher_suites --format openssl -q --all)|grep RSA-PSK
> RSA-PSK-AES256-GCM-SHA384
> RSA-PSK-AES256-CBC-SHA384
> RSA-PSK-AES128-GCM-SHA256
> RSA-PSK-AES128-CBC-SHA256
> RSA-PSK-AES256-CBC-SHA
> RSA-PSK-AES128-CBC-SHA
> RSA-PSK-RC4-SHA
Erlang also reports the ciphers as available:
> rp(ssl:cipher_suites(all,'tlsv1.2','openssl')).
["ECDHE-ECDSA-AES256-GCM-SHA384",
"ECDHE-RSA-AES256-GCM-SHA384","ECDHE-ECDSA-AES256-CCM",
"ECDHE-ECDSA-AES256-CCM8","ECDHE-ECDSA-AES256-SHA384",
"ECDHE-RSA-AES256-SHA384","ECDHE-ECDSA-CHACHA20-POLY1305",
"ECDHE-RSA-CHACHA20-POLY1305",
"ECDHE-ECDSA-AES128-GCM-SHA256",
"ECDHE-RSA-AES128-GCM-SHA256","ECDHE-ECDSA-AES128-CCM",
"ECDHE-ECDSA-AES128-CCM8","ECDH-ECDSA-AES256-GCM-SHA384",
"ECDH-RSA-AES256-GCM-SHA384","ECDH-ECDSA-AES256-SHA384",
"ECDH-RSA-AES256-SHA384","ECDH-ECDSA-AES128-GCM-SHA256",
"ECDH-RSA-AES128-GCM-SHA256","ECDHE-ECDSA-AES128-SHA256",
"ECDHE-RSA-AES128-SHA256","ECDH-ECDSA-AES128-SHA256",
"ECDH-RSA-AES128-SHA256","DHE-RSA-AES256-GCM-SHA384",
"DHE-DSS-AES256-GCM-SHA384","DHE-RSA-AES256-SHA256",
"DHE-DSS-AES256-SHA256","DHE-RSA-AES128-GCM-SHA256",
"DHE-DSS-AES128-GCM-SHA256","DHE-RSA-CHACHA20-POLY1305",
"DHE-RSA-AES128-SHA256","DHE-DSS-AES128-SHA256",
"ECDHE-ECDSA-AES256-SHA","ECDHE-RSA-AES256-SHA",
"ECDH-ECDSA-AES256-SHA","ECDH-RSA-AES256-SHA",
"ECDHE-ECDSA-AES128-SHA","ECDHE-RSA-AES128-SHA",
"ECDH-ECDSA-AES128-SHA","ECDH-RSA-AES128-SHA",
"DHE-RSA-AES256-SHA","DHE-DSS-AES256-SHA",
"DHE-RSA-AES128-SHA","DHE-DSS-AES128-SHA",
"RSA-PSK-AES256-GCM-SHA384","RSA-PSK-AES256-CBC-SHA384",
"RSA-PSK-AES128-GCM-SHA256","RSA-PSK-AES128-CBC-SHA256",
"RSA-PSK-AES256-CBC-SHA","RSA-PSK-AES128-CBC-SHA",
"RSA-PSK-RC4-SHA","SRP-RSA-AES-256-CBC-SHA",
"SRP-DSS-AES256-CBC-SHA","SRP-RSA-AES-128-CBC-SHA",
"SRP-DSS-AES128-CBC-SHA","AES256-GCM-SHA384",
"AES256-SHA256","AES128-GCM-SHA256","AES128-SHA256",
"AES256-SHA","AES128-SHA","DES-CBC3-SHA",
"ECDHE-ECDSA-DES-CBC3-SHA","ECDHE-RSA-DES-CBC3-SHA",
"EDH-RSA-DES-CBC3-SHA","DHE-DSS-DES-CBC3-SHA",
"ECDH-ECDSA-DES-CBC3-SHA","ECDH-RSA-DES-CBC3-SHA",
"EDH-RSA-DES-CBC-SHA","DES-CBC-SHA","ECDHE-ECDSA-RC4-SHA",
"ECDHE-RSA-RC4-SHA","ECDH-ECDSA-RC4-SHA","ECDH-RSA-RC4-SHA",
"RC4-SHA","RC4-MD5"]
I have tried to set the ciphers in rabbitmq.conf, but that is not working - the ciphers are not enabled when RabbitMQ is restarted - RabbitMQ reports (via the diagnostics/cipher_suites tool) the same list of cipher_suites regardless of the config file. I have confirmed the config file is being used, and can see other changes made in it take effect when restarting RabbitMQ. I have the log levels set to debug but can't see anything related to SSL, TLS, or ciphers in the logs.
Here are my ssl_options settings. The certificates and key were created using the tls_gen utility.
# grep ssl_options /etc/rabbitmq/rabbitmq.conf
ssl_options.cacertfile = /etc/pki/tls/ca_certificate.pem
ssl_options.certfile = /etc/pki/tls/server_certificate.pem
ssl_options.keyfile = /etc/pki/tls/server_key.pem
ssl_options.password = XXXXXXXXXX
ssl_options.verify = verify_peer
ssl_options.fail_if_no_peer_cert = false
ssl_options.versions.1 = tlsv1.2
ssl_options.ciphers.1 = RSA-PSK-AES256-GCM-SHA384
ssl_options.ciphers.2 = RSA-PSK-AES128-GCM-SHA256
ssl_options.ciphers.3 = RSA-PSK-AES128-CBC-SHA256
ssl_options.ciphers.4 = RSA-PSK-AES256-CBC-SHA
ssl_options.ciphers.5 = RSA-PSK-AES128-CBC-SHA
ssl_options.ciphers.6 = RSA-PSK-RC4-SHA
ssl_options.honor_cipher_order = true
ssl_options.honor_ecc_order = true
RabbitMQ version is 3.12.2
Erlang version is 25.3.2
OpenSSL version is 1.0.2
Has anyone here been able to enable weak RSA cipher support in RabbitMQ?
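The following is an added example and not code from the post or from the RabbitMQ project. Before relaxing a broker's cipher list for legacy devices, a reviewer wants to see, in one place, which `ssl_options.ciphers.N` entries the config actually declares, whether each name appears in the `rabbitmq-diagnostics cipher_suites --format openssl --all` output, and which of them trade away forward secrecy or rely on RC4/CBC. The script parses both inputs and reports that. All function names (`parse_ciphers`, `parse_suite_list`, `classify`, `check_config`, `Report`) are mine; the sample config and the trimmed suite list are constructed from the post; the flag heuristics are name-based assumptions about OpenSSL-style suite names, and the note that PSK suites need a server-side PSK lookup is my assumption about Erlang/OTP `ssl`, not something the post establishes.

```python
"""Sanity-check the ssl_options.ciphers.N entries of a rabbitmq.conf against
the suite list that `rabbitmq-diagnostics cipher_suites --format openssl --all`
reports, and flag suites a reviewer would question. Added example; the flag
heuristics are name-based assumptions, not RabbitMQ or Erlang/OTP behaviour."""
from __future__ import annotations

import re
from dataclasses import dataclass, field

# Constructed sample input: the cipher-related ssl_options lines from the post.
SAMPLE_CONF = """\
ssl_options.verify = verify_peer
ssl_options.versions.1 = tlsv1.2
ssl_options.ciphers.1 = RSA-PSK-AES256-GCM-SHA384
ssl_options.ciphers.2 = RSA-PSK-AES128-GCM-SHA256
ssl_options.ciphers.3 = RSA-PSK-AES128-CBC-SHA256
ssl_options.ciphers.4 = RSA-PSK-AES256-CBC-SHA
ssl_options.ciphers.5 = RSA-PSK-AES128-CBC-SHA
ssl_options.ciphers.6 = RSA-PSK-RC4-SHA
ssl_options.honor_cipher_order = true
"""

# Constructed sample: a trimmed `--all` listing, one suite per line; a leading
# "> " (as left by the diff in the post) is tolerated by the parser.
SAMPLE_ALL = """\
ECDHE-RSA-AES256-GCM-SHA384
ECDHE-RSA-CHACHA20-POLY1305
> RSA-PSK-AES256-GCM-SHA384
> RSA-PSK-AES128-GCM-SHA256
> RSA-PSK-AES128-CBC-SHA256
> RSA-PSK-AES256-CBC-SHA
> RSA-PSK-AES128-CBC-SHA
> RSA-PSK-RC4-SHA
AES128-SHA
RC4-MD5
"""

CIPHER_KEY = re.compile(r"^\s*ssl_options\.ciphers\.(\d+)\s*=\s*(\S+)\s*$")


def parse_ciphers(conf_text: str) -> dict[int, str]:
    """Map index -> suite for every ssl_options.ciphers.N line (comments ignored)."""
    found: dict[int, str] = {}
    for line in conf_text.splitlines():
        m = CIPHER_KEY.match(line.split("#", 1)[0])
        if m:
            found[int(m.group(1))] = m.group(2)
    return found


def parse_suite_list(text: str) -> set[str]:
    """One suite per line, optionally prefixed by diff markers such as '> '."""
    return {line.strip().lstrip("> ").strip() for line in text.splitlines() if line.strip()}


def classify(suite: str) -> list[str]:
    """Name-based review flags for an OpenSSL-style suite name (heuristic)."""
    flags: list[str] = []
    if any(tok in suite for tok in ("RC4", "MD5", "DES")):
        flags.append("broken-primitive")      # RC4, MD5, DES/3DES
    elif not any(tok in suite for tok in ("GCM", "CCM", "POLY1305")):
        flags.append("cbc-mode")              # non-AEAD, MAC-then-encrypt
    if not suite.startswith(("ECDHE-", "DHE-", "EDH-")):
        flags.append("no-forward-secrecy")    # static RSA, RSA-PSK, static ECDH
    if "PSK" in suite:
        flags.append("psk-key-exchange")      # needs a server-side PSK lookup (assumption)
    return flags


@dataclass
class Report:
    ordered: list[str] = field(default_factory=list)   # suites in index order
    gaps: list[int] = field(default_factory=list)      # missing indices in 1..max
    duplicates: list[str] = field(default_factory=list)
    unknown: list[str] = field(default_factory=list)   # not present in the --all list
    flags: dict[str, list[str]] = field(default_factory=dict)

    def clean(self) -> bool:
        return not (self.gaps or self.duplicates or self.unknown
                    or any(self.flags.values()))


def check_config(conf_text: str, available_text: str) -> Report:
    by_index = parse_ciphers(conf_text)
    available = parse_suite_list(available_text)
    ordered = [by_index[i] for i in sorted(by_index)]
    top = max(by_index, default=0)
    rep = Report(ordered=ordered,
                 gaps=[i for i in range(1, top + 1) if i not in by_index],
                 unknown=[s for s in ordered if s not in available],
                 flags={s: classify(s) for s in ordered})
    seen: set[str] = set()
    for s in ordered:
        if s in seen and s not in rep.duplicates:
            rep.duplicates.append(s)
        seen.add(s)
    return rep


if __name__ == "__main__":
    r = check_config(SAMPLE_CONF, SAMPLE_ALL)
    print("configured order:", r.ordered)
    print("index gaps:", r.gaps, "duplicates:", r.duplicates, "unknown:", r.unknown)
    for suite, f in r.flags.items():
        print(f"  {suite:32} {', '.join(f) or 'ok'}")
    print("clean:", r.clean())
```

Run it against the real `rabbitmq.conf` and the real `--all` output to get the same report for a live broker. A suite that is absent from the `--all` list cannot be enabled by naming it in the config, and a gap in the `.N` numbering is flagged as suspicious rather than as a known error; every RSA-PSK suite in the post's list is reported as lacking forward secrecy, and the RC4 one as using a broken primitive, which is the trade-off the legacy-device requirement has to be weighed against.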