does rabbitmq 3.7.14 support TLS_RSA_WITH_AES_256_CBC_SHA cipher suite?

[Vitaliy Zhiltsov]

Hello.

We have devices with gsm modem and the most secure cipher suite is supporting by modem is TLS_RSA_WITH_AES_256_CBC_SHA and I want to be sure that rabbitmq 3.7.14 supports it.

...

Listing Available Cipher Suites

To list cipher suites supported by the Erlang runtime of a running node, use rabbitmq-diagnostics cipher_suites --openssl-format:

rabbitmq-diagnostics cipher_suites --openssl-format -q

...

I've checked and found that rabbitmq:3.7.8 from official docker image has a needed cipher suite:

root@dd0b0d773218:/# rabbitmq-diagnostics cipher_suites -q --openssl-format=true
["ECDHE-ECDSA-AES256-GCM-SHA384","ECDHE-RSA-AES256-GCM-SHA384",
 "ECDHE-ECDSA-AES256-SHA384","ECDHE-RSA-AES256-SHA384",
 "ECDH-ECDSA-AES256-GCM-SHA384","ECDH-RSA-AES256-GCM-SHA384",
 "ECDH-ECDSA-AES256-SHA384","ECDH-RSA-AES256-SHA384",
 #{cipher => chacha20_poly1305,key_exchange => ecdhe_ecdsa,mac => aead,
   prf => sha256},
 #{cipher => chacha20_poly1305,key_exchange => ecdhe_rsa,mac => aead,
   prf => sha256},
 #{cipher => chacha20_poly1305,key_exchange => dhe_rsa,mac => aead,
   prf => sha256},
 "DHE-RSA-AES256-GCM-SHA384","DHE-DSS-AES256-GCM-SHA384",
 "DHE-RSA-AES256-SHA256","DHE-DSS-AES256-SHA256","AES256-GCM-SHA384",
 "AES256-SHA256","ECDHE-ECDSA-AES128-GCM-SHA256",
 "ECDHE-RSA-AES128-GCM-SHA256","ECDHE-ECDSA-AES128-SHA256",
 "ECDHE-RSA-AES128-SHA256","ECDH-ECDSA-AES128-GCM-SHA256",
 "ECDH-RSA-AES128-GCM-SHA256","ECDH-ECDSA-AES128-SHA256",
 "ECDH-RSA-AES128-SHA256","DHE-RSA-AES128-GCM-SHA256",
 "DHE-DSS-AES128-GCM-SHA256","DHE-RSA-AES128-SHA256","DHE-DSS-AES128-SHA256",
 "AES128-GCM-SHA256","AES128-SHA256","ECDHE-ECDSA-AES256-SHA",
 "ECDHE-RSA-AES256-SHA","DHE-RSA-AES256-SHA","DHE-DSS-AES256-SHA",
 "ECDH-ECDSA-AES256-SHA","ECDH-RSA-AES256-SHA","AES256-SHA",
 "ECDHE-ECDSA-AES128-SHA","ECDHE-RSA-AES128-SHA","DHE-RSA-AES128-SHA",
 "DHE-DSS-AES128-SHA","ECDH-ECDSA-AES128-SHA","ECDH-RSA-AES128-SHA",
 "AES128-SHA","ECDHE-ECDSA-DES-CBC3-SHA","ECDHE-RSA-DES-CBC3-SHA",
 "EDH-RSA-DES-CBC3-SHA","EDH-DSS-DES-CBC3-SHA","ECDH-ECDSA-DES-CBC3-SHA",
 "ECDH-RSA-DES-CBC3-SHA","DES-CBC3-SHA"]

and begins with 3.7.9 version it doesn't have this cipher suite:

root@c0c410c2eeed:/# rabbitmq-diagnostics cipher_suites -q --openssl-format=true
["ECDHE-ECDSA-AES256-GCM-SHA384","ECDHE-RSA-AES256-GCM-SHA384",
 "ECDHE-ECDSA-AES256-SHA384","ECDHE-RSA-AES256-SHA384",
 "ECDH-ECDSA-AES256-GCM-SHA384","ECDH-RSA-AES256-GCM-SHA384",
 "ECDH-ECDSA-AES256-SHA384","ECDH-RSA-AES256-SHA384",
 "DHE-RSA-AES256-GCM-SHA384","DHE-DSS-AES256-GCM-SHA384",
 "DHE-RSA-AES256-SHA256","DHE-DSS-AES256-SHA256",
 "ECDHE-ECDSA-AES128-GCM-SHA256","ECDHE-RSA-AES128-GCM-SHA256",
 "ECDHE-ECDSA-AES128-SHA256","ECDHE-RSA-AES128-SHA256",
 "ECDH-ECDSA-AES128-GCM-SHA256","ECDH-RSA-AES128-GCM-SHA256",
 "ECDH-ECDSA-AES128-SHA256","ECDH-RSA-AES128-SHA256",
 "DHE-RSA-AES128-GCM-SHA256","DHE-DSS-AES128-GCM-SHA256",
 "DHE-RSA-AES128-SHA256","DHE-DSS-AES128-SHA256","ECDHE-ECDSA-AES256-SHA",
 "ECDHE-RSA-AES256-SHA","DHE-RSA-AES256-SHA","DHE-DSS-AES256-SHA",
 "ECDH-ECDSA-AES256-SHA","ECDH-RSA-AES256-SHA","ECDHE-ECDSA-AES128-SHA",
 "ECDHE-RSA-AES128-SHA","DHE-RSA-AES128-SHA","DHE-DSS-AES128-SHA",
 "ECDH-ECDSA-AES128-SHA","ECDH-RSA-AES128-SHA"]

but our test device still working with this version and can connects to 8883 port by mqtt protocol. 

Our currect configuration for SSL connection is:

%% Configuring SSL.

 {ssl_options, [{cacertfile, "/run/secrets/rabbit_cacert.pem"},
 {certfile, "/run/secrets/rabbit_cert.pem"},
 {keyfile, "/run/secrets/rabbit_key.pem"},
 {verify, verify_none},
 {versions, ['tlsv1.2', 'tlsv1.1', 'tlsv1']},
 {fail_if_no_peer_cert, false},
 {ciphers, ["AES256-SHA"]},
 {secure_renegotiate, true},
 {reuse_sessions, true},
 {honor_cipher_order, false}
 ]},
 {ssl_handshake_timeout, 20000}
...
 %% RabbitMQ MQTT Adapter
 {rabbitmq_mqtt,
 [
 {default_user, <<"guest">>},
 {default_pass, <<"guest">>},
 {allow_anonymous, true},
 {vhost, <<"/">>},
 {prefetch, 1},
 {tcp_listeners, [1883]},
 {ssl_listeners, [8883]},
 {num_ssl_acceptors, 4},
 {tcp_listen_options, [
 {backlog, 128},
 {nodelay, true},
 {linger, {true,0}},
 {exit_on_close, false},
 {sndbuf, 196608},
 {recbuf, 196608}
 ]}
 ]},

In rabbitmq.conf.example file and https://www.rabbitmq.com/ssl.html#cipher-suites list AES256-SHA (Name (OpenSSL)) OR TLS_RSA_WITH_AES_256_CBC_SHA  (Cipher Suite Name (IANA)) are absent 

Does it mean this cipher suite is not supported any more? Or it still fully supported and you just wrote in this list only the most safest cipher suites? 

[Luke Bakken]

Hi Vitaliy,

Cipher suite support depends on the version of Erlang you're using and the underlying SSL library, not RabbitMQ itself. Newer Erlang versions probably disable the cipher suite you're looking for and you must enable it explicitly.

The configuration examples do not reflect the full cipher suites that may be available because they are examples.

When you run rabbitmq_diagnostics cipher_suites, it will output the current set of ciphers that are enabled. If you wish to list all available cipher suites, you must run this command:

rabbitmqctl eval 'ssl:cipher_suites(all).'

That will display all available cipher suites, enabled or not. You can add a set of those ciphers to your configuration and they will be enabled.

I have opened the following issue to improve how this command behaves: https://github.com/rabbitmq/rabbitmq-cli/issues/342

Thanks,

Luke

On Friday, April 12, 2019 at 2:16:12 AM UTC-7, Vitaliy Zhiltsov wrote:

Hello.

We have devices with gsm modem and the most secure cipher suite is supporting by modem is TLS_RSA_WITH_AES_256_CBC_SHA and I want to be sure that rabbitmq 3.7.14 supports it.

...

Listing Available Cipher Suites

To list cipher suites supported by the Erlang runtime of a running node, use rabbitmq-diagnostics cipher_suites --openssl-format:

rabbitmq-diagnostics cipher_suites --openssl-format -q

...

[Vitaliy Zhiltsov]

Hi, Luke!

Thanks for explanation.

I found for myself https://testssl.sh/ tool and it was really helpefull to understood what are tunned on by default and which options are important for us.
and happily 

ssl_options.ciphers.1                 = AES256-SHA

is still supported in 3.7.14 version

пятница, 12 апреля 2019 г., 23:25:43 UTC+7 пользователь Luke Bakken написал:

[Luke Bakken]

Hi Vitaliy,

Thank you for reporting back to the list.

Luke

[Michael Klishin]

Note that [1] mentions just that ;)

1. https://www.rabbitmq.com/ssl.html#tls-evaluation-tools

--
You received this message because you are subscribed to the Google Groups "rabbitmq-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email to rabbitmq-user...@googlegroups.com.
To post to this group, send email to rabbitm...@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

--

MK

Staff Software Engineer, Pivotal/RabbitMQ