Disable client-initiated renegotiation


kelan...@vmware.com

Jan 7, 2016, 3:07:09 PM
to rabbitmq-users
Hi,

For security reasons, we need to turn off client-initiated renegotiation in RabbitMQ.
There was an SSL option "client_renegotiation" in Erlang. But setting client_renegotiation to false in the rabbitmq.config file doesn't seem to take effect.

Erlang version: Erlang/OTP 17
RabbitMQ: 3.5.1

RabbitMQ config:

{
      ssl, [{versions, ['tlsv1.2', 'tlsv1.1', tlsv1]}]
   },
   {
      rabbit, [
                {ssl_listeners, [5671]},
                {ssl_options, [ {cacertfile, "/home/.rabbitmq_cacert.pem"},
                                {certfile, "/home/.rabbitmq_cert.pem"},
                                {keyfile, "/home/.rabbitmq_key.pem"},
                                {verify, verify_none},
                                {fail_if_no_peer_cert, false},
                                {ciphers, [{ecdh_rsa, aes_256_cbc, sha},
                                           {ecdh_ecdsa, aes_256_cbc, sha},
                                           {rsa, aes_256_cbc, sha},
                                           {ecdh_rsa, aes_128_cbc, sha},
                                           {ecdh_ecdsa, aes_128_cbc, sha},
                                           {rsa, aes_128_cbc, sha}
                                          ]
                                },
                                {client_renegotiation, false},
                                {versions, ['tlsv1.2', 'tlsv1.1', tlsv1]}
                              ]
....


Output of sslyze:
> sslyze.py --regular 127.0.0.1:5671

  * Deflate Compression:
      OK - Compression disabled

  * Session Renegotiation:
      Client-initiated Renegotiations:   VULNERABLE - Server honors client-initiated renegotiations
      Secure Renegotiation:              OK - Supported

Any help to turn off client-initiated renegotiation is greatly appreciated.

Thanks,
Kavitha

Michael Klishin

Jan 7, 2016, 3:45:43 PM
to rabbitm...@googlegroups.com, kelan...@vmware.com
On 7 January 2016 at 23:08:02, kelan...@vmware.com (kelan...@vmware.com) wrote:
> For security reasons, we need to turn off client initiated renegotiation
> in rabbitMQ.
> There was an SSL option "client_renegotiation" in Erlang. But
> setting client_renegotiation to false in the rabbitmq.config
> file doesn't seem to take effect.

All those options are passed to the TLS implementation and are not controlled
by RabbitMQ in any way.

I'd recommend asking on erlang-questions. Likely it is something that depends on the runtime version
more than anything else (and yes, 3.5.1 cannot run on Erlang 18.x but 3.5.6+ can).
--
MK

Staff Software Engineer, Pivotal/RabbitMQ
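Since the ssl_options are handed straight to the Erlang ssl application, the runtime itself can be checked. The Erlang module below is an added example (not code from the thread, from RabbitMQ or from Erlang/OTP): it starts a throwaway listener with {client_renegotiation, false} on the local node, connects to it and asks the client side to renegotiate, so the verdict shows what that OTP release actually enforces. The port and the PEM certificate/key paths passed to run/3 are assumptions.

```erlang
%% reneg_check.erl -- added example; not code from the original post,
%% from RabbitMQ or from Erlang/OTP.
%% Starts a throwaway TLS listener on the local Erlang ssl application with
%% {client_renegotiation, false}, connects a client to it and asks the
%% client side to renegotiate. RabbitMQ passes ssl_options to this same ssl
%% application, so the verdict shows whether the running OTP enforces the
%% option at all.
-module(reneg_check).
-export([run/3]).

%% run(Port, CertFile, KeyFile) -> blocked | honoured | {listen_failed, term()}
%% Port, CertFile and KeyFile are assumed: a free local port and a PEM
%% certificate/key pair readable by the node.
run(Port, CertFile, KeyFile) ->
    ok = ssl:start(),
    ServerOpts = [{certfile, CertFile}, {keyfile, KeyFile},
                  {client_renegotiation, false},
                  {reuseaddr, true}, {active, false}],
    case ssl:listen(Port, ServerOpts) of
        {error, Reason} ->
            %% An ssl version that does not know the option may reject it
            %% outright instead of silently ignoring it.
            {listen_failed, Reason};
        {ok, LSock} ->
            Server = spawn_link(fun() -> serve_one(LSock) end),
            ClientOpts = [{verify, verify_none}, {active, false}],
            {ok, CSock} = ssl:connect("localhost", Port, ClientOpts, 5000),
            %% Client-initiated renegotiation. ssl:renegotiate/1 blocks until
            %% the new handshake completes (ok) or the server refuses it,
            %% typically with {error, renegotiation_rejected}.
            Verdict = case ssl:renegotiate(CSock) of
                          ok -> honoured;        % option not enforced
                          {error, _} -> blocked  % option enforced
                      end,
            ssl:close(CSock),
            Server ! stop,
            ssl:close(LSock),
            Verdict
    end.

%% Accept one connection and keep it open until told to stop, so the client
%% has a live session on which to attempt renegotiation.
serve_one(LSock) ->
    {ok, TSock} = ssl:transport_accept(LSock, 5000),
    %% ssl:ssl_accept/1 is the OTP 17/18 API; OTP 21 and later use
    %% ssl:handshake/1 instead.
    ok = ssl:ssl_accept(TSock),
    receive stop -> ok after 30000 -> ok end,
    ssl:close(TSock).
```

Compile and call it from an Erlang shell started with the same OTP installation RabbitMQ runs on; pointing sslyze at the throwaway port gives an independent second opinion.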

