TLSv1.3 and TLSv1.2 support in one config file

[Kacper Nowakowski]

Is it possible to create one config file for RabbitMQ which will be connect with client use TLSv1.3 on Windows which suport this TLS (Windows Server 2022, Windows 11) and TLSv1.2 otherwise. I tryed do it and I can connect to RabbitMQ by TLSv1.3 on Windows which support this version of TLS but on older Windows version I don't connect to RabbitMQ. If I configure config file to suport TLSv1.2 with cyperhs suporting TLSv1.3 for connection on older version Windows I can connect but on new Windows i can't connect with TLSv1.3(I tested it by change order version {versions,   ['tlsv1.3', 'tlsv1.2']})

The example of options which I tested in config file based on: https://www.rabbitmq.com/ssl.html.

[

 {ssl, [{versions, ['tlsv1.3', 'tlsv1.2']}]},
 {rabbit, [
           {ssl_listeners, [5671]},
           {ssl_options, [{cacertfile, "/path/to/ca_certificate.pem"},
                          {certfile,   "/path/to/server_certificate.pem"},
                          {keyfile,    "/path/to/server_key.pem"},
                          {versions,   ['tlsv1.3', 'tlsv1.2']},
{ciphers, [
"TLS_AES_256_GCM_SHA384",
"TLS_AES_128_GCM_SHA256",
"TLS_CHACHA20_POLY1305_SHA256",
"TLS_AES_128_CCM_SHA256",
"TLS_AES_128_CCM_8_SHA256"
]},


                          {honor_cipher_order,   false},
                          {honor_ecc_order,      false},
                         ]}
          ]}
].

[Luke Bakken]

Hi  Kacper,

I think you answered your own question ... if you're limiting the ciphers that can be used, there's a good chance a TLS version will or won't work.

I suggest not limiting the ciphers that can be used and see if that resolves your issue. If not, let us know!

Thanks,

Luke

[Kacper Nowakowski]

Thanks you for the answear. It works for me but I have two additional question. I use RabbitMQ 13.1.3 and Erlang 25.

1. In my scenario when I configure RabbitMQ for tlsv1.3 and tlsv1.2, what is recommended values for honor_cipher_order and honor_ecc_order (and what these options means). I found in https://www.rabbitmq.com/ssl.html#configuring-cipher-suites, comment that this options must be disabled in tls1.3
but in my case when this option is enabled I still can connect client with RabbitMQ with tlsv1.2 on older Windows and tlsv1.3 when is Windows support it.

2.  Ciphers name format in advanced.config have meaning? If I used Erlang format it works but if I used openssl format i got crash:

"Slogan: Kernel pid terminated (application_controller) ({application_start_failure,rabbitmq_prelaunch,{{shutdown,{failed_to_start_child,prelaunch,failed_to_read_advanced_configuration_file}},{rabbit_prelaunch_app,start,[normal,[]]}}})"

Erlang format:
                                       {any,aes_256_gcm,aead,sha384},
                                      {any,aes_128_gcm,aead,sha256},
                                      {any,chacha20_poly1305,aead,sha256},
                                      {any,aes_128_ccm,aead,sha256},
                                      {any,aes_128_ccm_8,aead,sha256}
 
OpenSSL format:

"TLS_AES_256_GCM_SHA384",
                                      "TLS_AES_128_GCM_SHA256",
                                      "TLS_CHACHA20_POLY1305_SHA256",
                                      "TLS_AES_128_CCM_SHA256",
                                      "TLS_AES_128_CCM_8_SHA256"

[Luke Bakken]

Hi  Kacper,

For your second question, please attach the full configuration file using each cipher format. Often times the error is a formatting problem elsewhere in the file.

I'll respond to both questions once I get the files.

Thanks,

Luke

[Kacper Nowakowski]

Hi Luke,
About ciphers format: I tested it once again comparing the ciphers and I found the solution of issue. I  coped ciphers from another editor and it stared works. So I started compare these.  The older configuration file had tab characters instead of spaces.
My configuration files are in attachment if needed for first question.

Thanks,
Kacper

[Luke Bakken]

Hello,

Here are the official docs for those two settings:

https://www.erlang.org/doc/man/ssl.html#type-honor_cipher_order

https://www.erlang.org/doc/man/ssl.html#type-honor_ecc_order

If you set both to "true", you will be using the order specified in your RabbitMQ config files.

Thanks,

Luke

[Kacper Nowakowski]

Hello,

it looks good and clearly but the thing what stopped me to set two settings to true is the comment "#these MUST be disabled if TLSv1.3 is used "  from https://www.rabbitmq.com/ssl.html#configuring-cipher-suites
Do you know what this comment means?

Thanks,

Kacper

[Luke Bakken]

Hello,

Hmm I'm not sure why that comment was added in this commit - https://github.com/rabbitmq/rabbitmq-website/commit/4bb864c7b54f0fedd141980d73903090ced761e4

There's no harm in setting both to "true" to see what happens. Let us know if that works AND you can use TLS 1.3

Thanks,

Luke

[Kacper Nowakowski]

Hello,

based on RabbitMQ Management console, setting both options to true works, communications is established but I don't have confirmation that connections use expected Tls.
  


1. Client can connect to RabbitMQ server by Tlsv1.3 even when server working on Windows which don't support Tlsv1.3. RabbitMQ Management console say that communication is in Tlsv1.3 as on photo above. Please correct me If I am wrong but in this scenario communication should be establish by Tlsv1.2. By this case I started to wonder if the information was true in  RabbitMQ Management console and I tried confirm it by "Wireshark".

2.  I tried test connections by Wireshark and when in my network adapter was enabled ipv6 I didn't captured all packets in communication. When I disabled the ipv6 on network adapter Whireshark captured all packets and I can confirm that communication was set to Tlsv1.3. I don't know what is cause of this behavior. In both scenario RabbitMQ Management console say  that communication is in Tlsv1.3. I asked about it  Whireshark support too but maybe you know the answer about ipv6, RabbitMQ and Wireshark?


Captured packets when ipv6 is enabled:

Captured packets when ipv6 is disabled:

Regards,

Kacper

[Luke Bakken]

1. Client can connect to RabbitMQ server by Tlsv1.3 even when server working on Windows which don't support Tlsv1.3. RabbitMQ Management console say that communication is in Tlsv1.3 as on photo above. Please correct me If I am wrong but in this scenario communication should be establish by Tlsv1.2. By this case I started to wonder if the information was true in  RabbitMQ Management console and I tried confirm it by "Wireshark".

Why do you think Windows doesn't support TLS1.3? Erlang uses a statically-compiled OpenSSL which probably supports it.

 

2.  I tried test connections by Wireshark and when in my network adapter was enabled ipv6 I didn't captured all packets in communication. When I disabled the ipv6 on network adapter Whireshark captured all packets and I can confirm that communication was set to Tlsv1.3. I don't know what is cause of this behavior. In both scenario RabbitMQ Management console say  that communication is in Tlsv1.3. I asked about it  Whireshark support too but maybe you know the answer about ipv6, RabbitMQ and Wireshark?

I can't help with Wireshark and IPv6 since I have never used that combination.

Thanks,

Luke 

[Kacper Nowakowski]

Hello,

yes, Erlang support this Tlsv1.3. Based on Protocols in TLS/SSL and  TLS Version Support Table for JDK and .NET and Transport Layer Security protocol I thought that is needed run server on Windows which support tlsv1.3.  I read once again documentation and see that this table   refers to RabbitMQ client. Am I correct? 

Regards,

Kacper

[Luke Bakken]

Yes, that table is for the RabbitMQ .NET client.