Disabling TLS1.1
144 views
Skip to first unread message
Gerrard Leach
Nov 8, 2023, 11:29:38 AM11/8/23
to rabbitmq-users
Hello,
We are hosting an application which uses RabbitMQ on a Windows system.
What am I missing?
We are hosting an application which uses RabbitMQ on a Windows system.
A vulnerability scanner found that on port 15671 that TLS1.1 is enabled.
In the rabbitmq.conf file we have the following.
#listeners.tcp.default = 5671
# logging to file and/or to an exchange
# log.dir = C:\\temp
log.file = rabbit.log
# log.file = false
log.file.level = error
# log.exchange = true
# log.exchange.level = error
listeners.ssl.default = 5671
ssl_options.versions.1 = tlsv1.2
#ssl_options.versions.2 = tlsv1.1
ssl_options.verify = verify_peer
ssl_options.fail_if_no_peer_cert = false
ssl_options.cacertfile = C:\\RabbitMq\\ca_2023.pem
ssl_options.certfile = C:\\RabbitMq\\cert_2023.pem
ssl_options.keyfile = C:\\RabbitMq\\cert_2023.key
management.ssl.port = 15671
management.ssl.cacertfile = C:\\RabbitMq\\ca_2023.pem
management.ssl.certfile = C:\\RabbitMq\\cert_2023.pem
management.ssl.keyfile = C:\\RabbitMq\\cert_2023.key
listeners.tcp = none
However, if I run
rabbitmq-diagnostics --silent tls_versions
I receive the following back
tlsv1.3
tlsv1.2
tlsv1.1
tlsv1
In the rabbitmq.conf file we have the following.
#listeners.tcp.default = 5671
# logging to file and/or to an exchange
# log.dir = C:\\temp
log.file = rabbit.log
# log.file = false
log.file.level = error
# log.exchange = true
# log.exchange.level = error
listeners.ssl.default = 5671
ssl_options.versions.1 = tlsv1.2
#ssl_options.versions.2 = tlsv1.1
ssl_options.verify = verify_peer
ssl_options.fail_if_no_peer_cert = false
ssl_options.cacertfile = C:\\RabbitMq\\ca_2023.pem
ssl_options.certfile = C:\\RabbitMq\\cert_2023.pem
ssl_options.keyfile = C:\\RabbitMq\\cert_2023.key
management.ssl.port = 15671
management.ssl.cacertfile = C:\\RabbitMq\\ca_2023.pem
management.ssl.certfile = C:\\RabbitMq\\cert_2023.pem
management.ssl.keyfile = C:\\RabbitMq\\cert_2023.key
listeners.tcp = none
However, if I run
rabbitmq-diagnostics --silent tls_versions
I receive the following back
tlsv1.3
tlsv1.2
tlsv1.1
tlsv1
also using OpenSSL I can connect using TLS1.1
openssl s_client -connect 10.142.189.180:15671 -tls1_1
openssl s_client -connect 10.142.189.180:15671 -tls1_1
What am I missing?
Michal Kuratczyk
Nov 8, 2023, 12:09:20 PM11/8/23
to rabbitm...@googlegroups.com
You are connecting with openssl on the management API/UI port, which has a separate configuration
management.ssl.versions.1 = tlsv1.2`rabbitmq-diagnostics --silent tls_versions` shows all supported versions, not what's configured.
--
You received this message because you are subscribed to the Google Groups "rabbitmq-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email to rabbitmq-user...@googlegroups.com.
To view this discussion on the web, visit https://groups.google.com/d/msgid/rabbitmq-users/de5da5c1-7cc5-4139-ac7b-9fe0576e5974n%40googlegroups.com.
Michał
RabbitMQ teamGerrard Leach
Nov 8, 2023, 9:46:04 PM11/8/23
to rabbitmq-users
Sweet, thanks
Are all these settings documented somewhere? Haven't been able to find that one.
Michal Kuratczyk
Nov 9, 2023, 2:39:04 AM11/9/23
to rabbitm...@googlegroups.com
I'm not sure I understand - I shared a link to the documentation.
To view this discussion on the web, visit https://groups.google.com/d/msgid/rabbitmq-users/8530d4cd-7b08-4b46-9135-da568f3b0e2bn%40googlegroups.com.
Michał
RabbitMQ teamReply all
Reply to author
Forward
0 new messages