How to configure rabbitmq to use multiple certificate/private key pairs


Terry Lemons

Jul 24, 2019, 10:49:54 AM
to rabbitmq-users
Hi

I want to configure our RabbitMQ server to support ciphers from several different 'families'. So, I need to provide the certificate/private key pair for each of these families. How can I do this in RabbitMQ?

Thanks
tl

Michael Klishin

Jul 25, 2019, 2:45:30 AM
to rabbitmq-users
Erlang only supports a single certificate/key pair per listener. RabbitMQ
configuration assumes there is a single certificate/key pair, period (of course, a chain of certificates
can be of any reasonable length [2]). So your only option is finding a TLS terminating proxy that supports multiple keys [3].

I'm not sure why supporting a specific set of cipher suites [1] would require using multiple keys. Can you elaborate?


--
You received this message because you are subscribed to the Google Groups "rabbitmq-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email to rabbitmq-user...@googlegroups.com.
To view this discussion on the web, visit https://groups.google.com/d/msgid/rabbitmq-users/e10f6ea4-ebf4-4e5e-96fb-e748ec1d262b%40googlegroups.com.


--
MK

Staff Software Engineer, Pivotal/RabbitMQ

Terry Lemons

Jul 25, 2019, 10:51:16 AM
to rabbitmq-users
Hi Michael

Thanks for the reply. If I want/need to use the following cipher list with RabbitMQ:

TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384

I believe that I need to provide both an RSA certificate/private key pair and an ECDSA certificate/private key in order to use both of these ciphers.

When configuring nginx, for example, to use a similar cipher list, I used the nginx 'ssl_certificate' and 'ssl_certificate_key' options twice in order to accomplish this.

If erlang/rabbitmq only supports a single certificate/key pair per listener, this would seem to mean that erlang/rabbitmq can only support ciphers from a single key exchange algorithm 'family' at one time.

True?

Thanks
tl

Michael Klishin

Jul 25, 2019, 3:53:29 PM
to rabbitmq-users
I see. Yes, your understanding is correct. When a "family" of algorithms is "fixed" at key creation time,
multiple key pairs may be necessary and RabbitMQ assumes there is only one at the moment [1][2].

It's not just a matter of Erlang supporting multiple keys — you can provide different keys to different listeners (ports) today, for example —
but also RabbitMQ's acceptor library, Ranch, and own configuration.

I've filed [3] but can offer no ETA.



Terry Lemons

Jul 26, 2019, 8:45:23 AM
to rabbitmq-users
Hi Michael

Thanks for filing https://github.com/rabbitmq/rabbitmq-server/issues/2060. I'll hope this gets addressed but, until then, we'll use a subset of our cipher list with RabbitMQ/Erlang.

Thanks again
tl
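The practical upshot of the thread is that a RabbitMQ TLS listener can serve only the suites whose authentication family matches the one key it has been given, so the cipher list has to be trimmed to that family. The following is an added example, not code from the thread or from the RabbitMQ project: it takes an IANA-style suite list and the key type of the single certificate, splits the list into suites the listener can and cannot serve, and renders the usable ones as `ssl_options.ciphers.N` lines in `rabbitmq.conf` format (which takes OpenSSL-style names). The IANA-to-OpenSSL renaming covers the (EC)DHE AES-GCM, AES-CBC and ChaCha20 suites only; the file paths and port are placeholders. To find the key type of an existing certificate, `openssl x509 -noout -text -in server.pem | grep 'Public Key Algorithm'` reports `rsaEncryption` or `id-ecPublicKey`.

```python
"""Trim a cipher-suite list to what one certificate/key pair can serve and
emit the matching rabbitmq.conf TLS block. Added example, not RabbitMQ code."""
import re

# Authentication family implied by the prefix of an IANA suite name
# (TLS_<kex>_<auth>_WITH_...). Static RSA key exchange also needs an RSA key.
_AUTH_PREFIXES = {
    "TLS_ECDHE_RSA_": "rsa",
    "TLS_DHE_RSA_": "rsa",
    "TLS_RSA_": "rsa",
    "TLS_ECDHE_ECDSA_": "ecdsa",
    "TLS_DHE_DSS_": "dss",
}
# TLS 1.3 suites do not encode the signature algorithm; any key type works.
_TLS13_PREFIXES = ("TLS_AES_", "TLS_CHACHA20_")

# The list from the thread (constructed input for this example).
THREAD_SUITES = [
    "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
    "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
]


def key_family(suite):
    """Return 'rsa', 'ecdsa', 'dss' or 'any' for an IANA suite name."""
    if suite.startswith(_TLS13_PREFIXES):
        return "any"
    for prefix, family in _AUTH_PREFIXES.items():
        if suite.startswith(prefix):
            return family
    raise ValueError("unrecognised suite name: %s" % suite)


def partition(suites, key_type):
    """Split suites into (usable, unusable) for a listener whose only
    certificate carries a key of key_type ('rsa', 'ecdsa' or 'dss')."""
    usable, unusable = [], []
    for suite in suites:
        family = key_family(suite)
        (usable if family in (key_type, "any") else unusable).append(suite)
    return usable, unusable


def openssl_name(suite):
    """Map an (EC)DHE IANA suite name to the OpenSSL-style name rabbitmq.conf
    accepts, e.g. TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 -> ECDHE-RSA-AES256-GCM-SHA384.
    Only (EC)DHE suites are handled; static-RSA and TLS 1.3 names differ."""
    if not suite.startswith(("TLS_ECDHE_", "TLS_DHE_")):
        raise ValueError("only (EC)DHE suites are converted here: %s" % suite)
    name = suite[len("TLS_"):].replace("_WITH_", "_")
    name = re.sub(r"AES_(128|256)", r"AES\1", name)          # AES_256 -> AES256
    name = name.replace("_CBC", "")                           # OpenSSL omits CBC
    name = name.replace("CHACHA20_POLY1305_SHA256", "CHACHA20_POLY1305")
    return name.replace("_", "-")


def rabbitmq_conf(suites, key_type, certfile, keyfile, cacertfile, port=5671):
    """Render a rabbitmq.conf TLS block listing only the suites the single
    key pair can serve. Paths and port are whatever the caller supplies."""
    usable, _ = partition(suites, key_type)
    lines = [
        "listeners.ssl.default = %d" % port,
        "ssl_options.cacertfile = %s" % cacertfile,
        "ssl_options.certfile = %s" % certfile,
        "ssl_options.keyfile = %s" % keyfile,
        "ssl_options.versions.1 = tlsv1.2",
        "ssl_options.honor_cipher_order = true",
    ]
    for i, suite in enumerate(usable, start=1):
        lines.append("ssl_options.ciphers.%d = %s" % (i, openssl_name(suite)))
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    usable, unusable = partition(THREAD_SUITES, "rsa")
    print("usable with an RSA key:   ", usable)
    print("needs a different key:    ", unusable)
    # Placeholder paths; substitute the real certificate, key and CA bundle.
    print(rabbitmq_conf(THREAD_SUITES, "rsa",
                        "/etc/rabbitmq/server.pem",
                        "/etc/rabbitmq/server.key",
                        "/etc/rabbitmq/ca.pem"))
```

Run with an RSA certificate and the thread's two suites, the script keeps only the `ECDHE-RSA` suite and drops the `ECDHE-ECDSA` one; swap `"rsa"` for `"ecdsa"` and the reverse happens, which is exactly the one-family-per-listener limit the thread describes. The dropped list is worth logging at deploy time so nobody later assumes the ECDSA clients will negotiate.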