TLS alert: 'InsufficientSecurity' (Windows 10 client)


Zoltán Zörgő

Jul 3, 2024, 11:46:09 AM (2 days ago) Jul 3
to rabbitmq-users
Hello,

I have an issue here: ssl - I am getting TLS error while trying to connect to RabbitMQ - Stack Overflow, I don't want to repeat all.

The last state of my investigation is, that although many articles are saying that the latest Win10 build (which I also have) has TLS1.3 support, it seems not to be available even after setting all necessary registry keys. But simply choosing Tls1.2 in the client does not solve the issue.

As far as I see, the server started from the latest docker image is supporting only Tls 1.3:

nmap --script ssl-enum-ciphers -p 5671 localhost
Starting Nmap 7.95 ( https://nmap.org ) at 2024-07-03 17:39 Central Europe Daylight Time
Nmap scan report for localhost (127.0.0.1)
Host is up (0.0010s latency).
Other addresses for localhost (not scanned): ::1
rDNS record for 127.0.0.1: kubernetes.docker.internal

PORT     STATE SERVICE
5671/tcp open  amqps
| ssl-enum-ciphers:
|   TLSv1.3:
|     ciphers:
|       TLS_AKE_WITH_AES_128_CCM_8_SHA256 (ecdh_x25519) - A
|       TLS_AKE_WITH_AES_128_CCM_SHA256 (ecdh_x25519) - A
|       TLS_AKE_WITH_AES_128_GCM_SHA256 (ecdh_x25519) - A
|       TLS_AKE_WITH_AES_256_GCM_SHA384 (ecdh_x25519) - A
|       TLS_AKE_WITH_CHACHA20_POLY1305_SHA256 (ecdh_x25519) - A
|     cipher preference: client
|_  least strength: A


I am using the latest RabbitMQ client for .NET (6.8.1), which relies on SCHANNEL, hence the fact that OpenSSL can connect without issues does not help...

The new question is: how can I enable it to accept TLS v1.2? Eventually, how can I restrict it to only v1.2?

I have looked in the documentation for such a configuration parameter but found none.

Thank you
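As an added check (not part of the original post): a small parser for the nmap ssl-enum-ciphers output shown above that reports which protocol versions the broker actually offers ciphers for, and whether a client that tops out at TLS 1.2 (Windows 10 Schannel, per this thread) can negotiate anything. The sample text and the version list are constructed for the example.

```python
import re
from typing import Dict, List

# Constructed sample, shaped like the nmap ssl-enum-ciphers output in the
# post above: the broker offers TLS 1.3 only.
SAMPLE_NMAP_OUTPUT = """\
PORT     STATE SERVICE
5671/tcp open  amqps
| ssl-enum-ciphers:
|   TLSv1.3:
|     ciphers:
|       TLS_AKE_WITH_AES_128_GCM_SHA256 (ecdh_x25519) - A
|       TLS_AKE_WITH_AES_256_GCM_SHA384 (ecdh_x25519) - A
|       TLS_AKE_WITH_CHACHA20_POLY1305_SHA256 (ecdh_x25519) - A
|     cipher preference: client
|_  least strength: A
"""

# Assumption taken from the thread: Schannel on Windows 10 speaks at most TLS 1.2.
WIN10_SCHANNEL_VERSIONS = ["TLSv1.2"]

_PROTO_RE = re.compile(r"^\|_?\s+(SSLv3|TLSv1\.[0-3]):\s*$")
_CIPHER_RE = re.compile(r"^\|_?\s+(\S+)\s+\([^)]*\)\s+-\s+([A-F])\s*$")


def parse_enum_ciphers(text: str) -> Dict[str, List[str]]:
    """Map each protocol version nmap reports to the cipher names listed under it."""
    offered: Dict[str, List[str]] = {}
    current = None
    for line in text.splitlines():
        proto = _PROTO_RE.match(line)
        if proto:
            current = proto.group(1)
            offered[current] = []
            continue
        cipher = _CIPHER_RE.match(line)
        if cipher and current is not None:
            offered[current].append(cipher.group(1))
    return offered


def assess(text: str, client_versions: List[str]) -> Dict[str, object]:
    """Report whether a client limited to client_versions can reach the broker.

    A version only counts if the server lists at least one cipher under it:
    enabling tlsv1.2 without any TLS 1.2 ciphers gives the client nothing to pick.
    """
    offered = parse_enum_ciphers(text)
    negotiable = [v for v in client_versions if offered.get(v)]
    return {"offered_versions": sorted(offered),
            "negotiable_versions": negotiable,
            "ok": bool(negotiable)}
```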

Zoltán Zörgő

Jul 3, 2024, 11:52:50 AM (2 days ago) Jul 3
to rabbitmq-users
Hi,

I have tried adding these to the configuration:
ssl_options.versions.1 = tlsv1.3
ssl_options.versions.2 = tlsv1.2
But it makes no difference, as if the image did not support anything but 1.3.

Vilius Šumskas

Jul 3, 2024, 4:47:59 PM (2 days ago) Jul 3
to rabbitm...@googlegroups.com
Hi,


first of all, you should not trust everything that is written on some random website looking for clicks. Always look at official documentation. TLS 1.3 is not supported on Windows 10 as explained here https://learn.microsoft.com/en-us/dotnet/framework/network-programming/tls#tls-support-in-net-framework and here https://learn.microsoft.com/en-us/windows/win32/secauthn/protocols-in-tls-ssl--schannel-ssp-#tls-protocol-version-support and here https://www.rabbitmq.com/docs/ssl#tls-version-support-in-jdk-and-net .


Second, RabbitMQ Docker image doesn’t come with TLS preconfigured so somebody configured that image for you, probably by just copy/pasting random configuration from here https://www.rabbitmq.com/docs/ssl#tls1.3 . If you want to allow TLS 1.2 setting:

ssl_options.versions.1 = tlsv1.3
ssl_options.versions.2 = tlsv1.2

should do the trick (though you will need to repeat this configuration for management plugin if used).

I’m guessing it doesn’t work for you because you also need to add proper ciphers which can be used by TLS 1.2. As explained on the same page, TLS 1.3 and TLS 1.2 do not share any ciphers.


And lastly, don’t mess around with SSL settings in the .NET app. Default configuration of “None” is enough in most cases. It will use the highest available TLS version from the OS.


Hope this helps.

--
Vilius

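As an added illustration of the point made in the reply above (this is not configuration from the original poster's image or from the RabbitMQ project): a rabbitmq.conf listener that offers TLS 1.3 only, followed by the same listener with TLS 1.2 enabled and TLS 1.2 ciphers added, since the two versions share no cipher suites. Certificate paths are placeholders; the management plugin's own management.ssl.* keys are not shown.

```ini
# Before: TLS 1.3 only. A Windows 10 Schannel client cannot negotiate TLS 1.3,
# and adding ssl_options.versions.2 = tlsv1.2 alone still leaves it with
# no usable cipher, because every cipher below is a TLS 1.3 suite.
#
# listeners.ssl.default = 5671
# ssl_options.versions.1 = tlsv1.3
# ssl_options.ciphers.1 = TLS_AES_256_GCM_SHA384
# ssl_options.ciphers.2 = TLS_AES_128_GCM_SHA256
# ssl_options.ciphers.3 = TLS_CHACHA20_POLY1305_SHA256

# After: TLS 1.3 preferred, TLS 1.2 allowed, with cipher suites for both.
listeners.ssl.default = 5671

# placeholder paths; replace with the broker's actual certificate files
ssl_options.cacertfile = /etc/rabbitmq/certs/ca_certificate.pem
ssl_options.certfile = /etc/rabbitmq/certs/server_certificate.pem
ssl_options.keyfile = /etc/rabbitmq/certs/server_key.pem
ssl_options.verify = verify_peer
ssl_options.fail_if_no_peer_cert = true

ssl_options.versions.1 = tlsv1.3
ssl_options.versions.2 = tlsv1.2

# TLS 1.3 suites
ssl_options.ciphers.1 = TLS_AES_256_GCM_SHA384
ssl_options.ciphers.2 = TLS_AES_128_GCM_SHA256
ssl_options.ciphers.3 = TLS_CHACHA20_POLY1305_SHA256
# TLS 1.2 suites (OpenSSL names, as used in the RabbitMQ TLS docs);
# pick the ECDSA or RSA family that matches the server certificate's key type
ssl_options.ciphers.4 = ECDHE-ECDSA-AES256-GCM-SHA384
ssl_options.ciphers.5 = ECDHE-RSA-AES256-GCM-SHA384
ssl_options.ciphers.6 = ECDHE-ECDSA-AES128-GCM-SHA256
ssl_options.ciphers.7 = ECDHE-RSA-AES128-GCM-SHA256
ssl_options.ciphers.8 = ECDHE-ECDSA-CHACHA20-POLY1305
ssl_options.ciphers.9 = ECDHE-RSA-CHACHA20-POLY1305

# let the server's order above win over the client's preference
ssl_options.honor_cipher_order = true
```

After restarting the broker, re-running the nmap ssl-enum-ciphers scan from the first post should list a TLSv1.2 block alongside TLSv1.3.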

Luke Bakken

Jul 3, 2024, 4:49:21 PM (2 days ago) Jul 3
to rabbitmq-users
Hello,

Team RabbitMQ recently adopted community support guidelines that exclude free support for TLS related questions - https://github.com/rabbitmq/rabbitmq-server/blob/main/COMMUNITY_SUPPORT.md

Having pointed that out, I would be willing to assist you, but you must provide everything I need to reproduce your issue:
  • A complete set of X509 certificates, server and client, including private keys and CA certificate.
  • Your complete RabbitMQ configuration file.
  • Exact details for how you are starting RabbitMQ.
  • A complete set of .NET code that I can run to connect to RabbitMQ and see this issue.
  • The exact Windows version and build number that you are using. Ideally, you would point to a Hyper-V compatible VHD or VHDX VM that I can run.
I maintain the .NET client, and I know that it works just fine using TLS and RabbitMQ, including on Windows 10.

Thanks,
Luke

Zoltán Zörgő

Jul 4, 2024, 9:31:24 AM (22 hours ago) Jul 4
to rabbitmq-users
Hello, Luke,

I have prepared a repository for you instead: zorgoz/rabbitmq-tsl-issue: Repository created to demonstrate the issue related to connecting without tsl1v.3 support (github.com) It contains a docker-compose setup to reproduce the issue.
The readme contains all the details, but the summary is the following:
  1. clone the repository on a Windows box with dotnet 8 sdk and Docker Desktop
  2. "docker-compose up" will start 4 containers
  3. the first container to start will generate certificates with openssl, hence you can inspect that as well - all others use the certs generated in this step
  4. in this stage the test client is running on alpine, and the connection is established as it should be and the server log shows that the user was authenticated based on its certificate - hence the certificate generation should be right
  5. when however the same test code runs on the windows box it will fail (the test code detects if it runs on linux inside docker or not, and adjusts the server host name)
  6. When you inspect the nmap container log, you won't see any TLSv1.2 reported at all for the server.
  7. There is an alternate configuration with only TLSv1.2 that uses the TLS settings and cipher settings from here. If that one is used, it fails both from linux and windows and the verification procedure described here for 1.2 also fails with and without client certificate passed. Likewise the nmap result is also empty.
It might be an issue of that specific version or I might be totally wrong and failing to properly enable TLS1.2 on the server, but to me it looks like the server does not support TLSv1.2 whatever configuration is given.

I have just upgraded to RabbitMQ 3.13.4 + Erlang 26.2.5.1, but no change in the outcome.

Thank you for your support in advance.
Zoltán

Vilius Šumskas

Jul 4, 2024, 10:06:36 AM (21 hours ago) Jul 4
to rabbitm...@googlegroups.com

One more thing. If you want to keep just TLS 1.2 and TLS 1.3 (which is the default for recent Erlang versions), just remove ssl_options.versions completely. Enabling SSL listener and specifying certificates should be enough. More advanced TLS options are for… advanced specific configurations.

--
Vilius


Luke Bakken

Jul 4, 2024, 12:27:09 PM (19 hours ago) Jul 4
to rabbitmq-users
Thanks. I should have time next week to investigate this.