RMQ 3.7.8 TLS support for legacy clients


Jacob S

Jul 9, 2019, 11:44:13 AM
to rabbitmq-users
Hi, I have many legacy AMQP clients that I currently can't update. They are connecting to my RMQ using SSL, and this works fine when using 3.5.7, but after updating to 3.7.8 they can't connect and the exception I get is: "javax.net.ssl.SSLException: java.lang.RuntimeException: Could not generate DH keypair". Is there a way I can configure my new 3.7.8 server to back-support these clients?
When connecting them to 3.5.7 the connection details are:
Protocol Version: tlsv1
Key Exchange Algorithm: rsa
Cipher Algorithm: aes_256_cbc
Hash Algorithm: sha

Thanks

Arnaud Cogoluègnes

Jul 9, 2019, 11:54:09 AM
to rabbitm...@googlegroups.com
This is documented in the TLS guide [1]. You can tell RabbitMQ to use
TLS v1 to let your clients connect. A better solution would be to
upgrade your clients to be able to use TLS v1.2 or at least v1.1. Even
Java 1.6 (with latest updates IIRC) should be able to use TLS v1.1.
Note this is not related to the RabbitMQ Java client version itself,
but to the version of Java you're using.

[1] https://www.rabbitmq.com/ssl.html#tls-versions

Jacob S

Jul 9, 2019, 12:17:22 PM
to rabbitmq-users
Thanks for the quick response.
I did tell RabbitMQ to use TLS v1; this is my config:

[
  {ssl, [{versions, ['tlsv1.2', 'tlsv1.1', tlsv1]}]},
  {rabbit, [
    {vm_memory_high_watermark, 0.6},
    {cluster_partition_handling, [autoheal]},
    {tcp_listen_options, [
      {backlog,       4096},
      {nodelay,       true},
      {linger,        {true, 0}},
      {exit_on_close, false},
      {sndbuf,        4096},
      {recbuf,        4096}
    ]},
    {ssl_listeners, [5671]},
    {collect_statistics_interval, 60000},
    {collect_statistics, none},
    {background_gc_enabled, true},
    {ssl_options, [
      %% TLS 1.0 is enabled here for the legacy clients
      {versions, ['tlsv1.2', 'tlsv1.1', tlsv1]},
      {cacertfile, "/etc/rabbitmq/ssl/cacert.pem"},
      {certfile,   "/etc/rabbitmq/ssl/server.crt"},
      {keyfile,    "/etc/rabbitmq/ssl/server.key"},
      %% no client certificate verification on this listener
      {verify, verify_none},
      {fail_if_no_peer_cert, false}
    ]}
  ]},
  {rabbitmq_management, [
    {rates_mode, none}
  ]}
].

Also, I can't change the client, so I have to add back support in the server.



Arnaud Cogoluègnes

Jul 10, 2019, 3:35:35 AM
to rabbitm...@googlegroups.com
Could you please provide the exact version of Erlang and Java you are using?

You can also use the system property javax.net.debug=all to get some
logs on the Java client side.

A quick search on the error suggests upgrading Java or forcing the
cipher suite could help, but this is just guessing at this stage.

Jacob S

Jul 10, 2019, 4:56:42 AM
to rabbitmq-users
My Erlang version is 21.1.1.
My client is not Java; it's using .NET with IKVM, which generates .NET assemblies from Java jars.
I can't change anything on the clients' side, only the server; these are many clients already deployed and unreachable at the moment.
Our old server used to work with these clients (RabbitMQ 3.5.7, Erlang 18.3), so I am trying to figure out if there are some SSL defaults that have changed and can be configured to support older clients. By forcing the
cipher suite, you mean in the client?

Arnaud Cogoluègnes

Jul 10, 2019, 6:25:55 AM
to rabbitm...@googlegroups.com
You can "force" the cipher suites on the server side [1].
Unfortunately this would impact all the clients, even those which can
use more secure ciphers.

Nevertheless, this is just guessing; the error suggests the client
cannot handle DH prime sizes higher than 1024. So a solution would be
to find a cipher suite that avoids this issue.

You can list the ciphers available on the server side [2] and do the
same on the client side (with
SSLContext#getDefaultSSLParameters#getCipherSuites) and try to find
something that both understand.

[1] https://www.rabbitmq.com/ssl.html#cipher-suites
[2] https://www.rabbitmq.com/ssl.html#available-cipher-suites

Jacob S

Jul 10, 2019, 6:42:06 AM
to rabbitmq-users
Hi, it seems that rabbitmq-diagnostics doesn't exist in 3.5.7; how can I check the supported cipher suites in older servers?

Arnaud Cogoluègnes

Jul 10, 2019, 7:33:27 AM
to rabbitm...@googlegroups.com
You can try:

rabbitmqctl eval 'ssl:cipher_suites().'

or:

rabbitmqctl eval 'ssl:cipher_suites(all, tlsv1).'

if the function is available.
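As an added example (not from this thread or the RabbitMQ project), the Python below takes the tuple list that `rabbitmqctl eval 'ssl:cipher_suites().'` prints on the old Erlang 18 node, turns each entry into its Java-style suite name, intersects it with the client's `getCipherSuites` list as suggested above, and drops the finite-field DH suites that the "Could not generate DH keypair" error points at. Both input samples are constructed.

```python
import re

# Constructed sample of what `rabbitmqctl eval 'ssl:cipher_suites().'` prints on
# an Erlang 18 node: {KeyExchange, Cipher, Mac} or {KeyExchange, Cipher, null, Prf}.
SERVER_OUTPUT = """[{ecdhe_ecdsa,aes_256_gcm,null,sha384},
 {ecdhe_rsa,aes_128_gcm,null,sha256},
 {dhe_rsa,aes_256_cbc,sha256},
 {dhe_rsa,aes_256_cbc,sha},
 {rsa,aes_256_cbc,sha},
 {rsa,'3des_ede_cbc',sha},
 {rsa,rc4_128,md5}]"""

# Constructed sample of SSLContext#getDefaultSSLParameters#getCipherSuites on a
# Java 6 era client; JSSE keeps the SSL_ prefix on some pre-TLS suite names.
CLIENT_SUITES = [
    "TLS_DHE_RSA_WITH_AES_256_CBC_SHA",
    "TLS_RSA_WITH_AES_256_CBC_SHA",
    "SSL_RSA_WITH_3DES_EDE_CBC_SHA",
    "SSL_RSA_WITH_RC4_128_MD5",
]

KEX = {"rsa": "RSA", "dhe_rsa": "DHE_RSA", "dhe_dss": "DHE_DSS",
       "ecdhe_rsa": "ECDHE_RSA", "ecdhe_ecdsa": "ECDHE_ECDSA"}
TUPLE = re.compile(r"\{(\w+),'?(\w+)'?,(\w+)(?:,(\w+))?\}")

def parse_server_suites(text):
    """Translate each Erlang cipher tuple into its IANA/Java suite name."""
    names = []
    for kex, cipher, mac, prf in TUPLE.findall(text):
        if kex not in KEX:          # srp/psk/anon suites: not relevant here
            continue
        # AEAD suites carry mac=null; the name ends in the PRF hash instead.
        suffix = prf if mac == "null" else mac
        names.append(f"TLS_{KEX[kex]}_WITH_{cipher.upper()}_{suffix.upper()}")
    return names

def uses_dh(name):
    """Finite-field DH suites make the client generate a DH key pair for the
    server's prime (the error in the thread); ECDHE is not affected by that."""
    return name.startswith(("TLS_DHE_", "TLS_DH_"))

def common_suites(server_text, client_suites, avoid_dh=True):
    """Suites both sides understand, in server order, SSL_ prefix normalised."""
    client = {"TLS_" + s[4:] if s.startswith("SSL_") else s for s in client_suites}
    common = [s for s in parse_server_suites(server_text) if s in client]
    return [s for s in common if not (avoid_dh and uses_dh(s))]
```

Of the remaining RSA key-exchange suites, the AES-CBC one the old server negotiated (TLS_RSA_WITH_AES_256_CBC_SHA) is preferable to the RC4, MD5 and 3DES entries.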