RabbitMQ Transport - Support for ciphers offering perfect forward secrecy #58
Comments
This limitation is from EventMachine itself, the Ruby C++ reactor. The JRuby reactor (used by Sensu Enterprise) supports additional ciphers, due to its Java implementation.
Sensu 2.0 supports the following ecdhe ciphers, https://golang.org/pkg/crypto/tls/#pkg-constants 🎉
@portertech - Cool, I figured as such. I did just a bit more digging this morning, it looks like maybe Eventmachine v1.2.0 added some support here: https://github.com/eventmachine/eventmachine/releases/tag/v1.2.0 and then if I understand the dependencies correctly, Sensu is on eventmachine v1.2.5: https://github.com/sensu/sensu/blob/master/sensu.gemspec#L14 Is there any chance these ciphers can easily be supported w/ Sensu 1.x?
Any news?
Just in case anyone else stumbles upon this post while looking for solution to the above mentioned rabbitmq error:
Make sure to add the
Expanding on @Igorshp's comment, the rabbitmq docs have some good info on configuring ciphers and tls versions https://www.rabbitmq.com/ssl.html
For anyone using the new format on RabbitMQ, for the cipher changes you need to add:
That solved the issue for me on RabbitMQ. More info: https://www.rabbitmq.com/ssl.html#cipher-suites
Currently, I can configure my RabbitMQ instances with TLS 1.2 and the cipher option {rsa,aes_256_cbc,sha256} and/or {rsa,aes_256_gcm,null,sha384} and the Sensu server/client can connect without issue. However, when I attempt to use any of the ecdhe ciphers, while RabbitMQ starts up fine, the Sensu server/clients fail to connect and RabbitMQ logs:

RabbitMQ: 3.7.4
Erlang: 20.2.3 (via the RabbitMQ RPM's here: https://packagecloud.io/rabbitmq/erlang)
Sensu: 1.2.1 (using the embedded Ruby)
OS: CentOS 7

I assume the Sensu SSL support is coming from eventmachine itself? Although, maybe it's actually from https://github.com/ruby-amqp/amq. I could use some help/advice in pinning down what actually is determining which ciphers are supported. I've also dumped my server's available RabbitMQ & OpenSSL ciphers: https://gist.github.com/jaredledvina/cfa0be0ec5b598f0870e54fd29297c6a. My ideal goal here is to configure RabbitMQ for TLS 1.2 only and only have the cipher config {ecdhe_rsa,aes_256_cbc,sha384,sha384} enabled.

As always, I'm more than happy to provide any additional information that might help here!
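An added example, not part of the original issue or of Sensu's code: a Ruby script that translates the Erlang-style cipher tuples quoted above into OpenSSL suite names, flags which ones give forward secrecy, and checks whether the OpenSSL linked into the Ruby running it knows each suite. The mapping tables cover only the atoms listed in them (an assumption of this example), and the local check does not show what EventMachine itself enables.

```ruby
require 'openssl'
# Constructed sample: the cipher tuples quoted in the issue above.
SAMPLE_TUPLES = [
  '{rsa,aes_256_cbc,sha256}',
  '{rsa,aes_256_gcm,null,sha384}',
  '{ecdhe_rsa,aes_256_cbc,sha384,sha384}'
].freeze

# Erlang atom -> OpenSSL name fragment (only these atoms are covered).
KEY_EXCHANGE = {
  'rsa' => nil, 'dhe_rsa' => 'DHE-RSA', 'dhe_dss' => 'DHE-DSS',
  'ecdhe_rsa' => 'ECDHE-RSA', 'ecdhe_ecdsa' => 'ECDHE-ECDSA'
}.freeze
BULK = {
  'aes_128_cbc' => 'AES128', 'aes_256_cbc' => 'AES256',
  'aes_128_gcm' => 'AES128-GCM', 'aes_256_gcm' => 'AES256-GCM'
}.freeze

# Split "{kx,cipher,mac[,prf]}" into its atoms.
def parse_tuple(text)
  atoms = text.strip.delete_prefix('{').delete_suffix('}').split(',').map(&:strip)
  raise ArgumentError, "expected 3 or 4 atoms: #{text}" unless [3, 4].include?(atoms.size)
  atoms
end

# Translate an Erlang tuple into the OpenSSL cipher suite name.
def openssl_name(text)
  kx, bulk, mac, prf = parse_tuple(text)
  raise ArgumentError, "unmapped atom in #{text}" unless KEY_EXCHANGE.key?(kx) && BULK.key?(bulk)
  # AEAD suites carry a null MAC; OpenSSL names them after the PRF hash.
  digest = (mac == 'null' ? prf : mac)
  raise ArgumentError, "missing hash in #{text}" if digest.nil?
  [KEY_EXCHANGE[kx], BULK[bulk], digest.upcase].compact.join('-')
end

# Forward secrecy comes from an ephemeral (EC)DHE key exchange.
def forward_secret?(text)
  parse_tuple(text).first.match?(/\A(ec)?dhe_/)
end

# True when the OpenSSL linked into this Ruby knows the suite.
def local_openssl_offers?(name)
  ctx = OpenSSL::SSL::SSLContext.new
  ctx.ciphers = 'ALL:COMPLEMENTOFALL'
  ctx.ciphers.any? { |suite| suite.first == name }
end

SAMPLE_TUPLES.each do |t|
  puts format('%-40s %-26s pfs=%-5s local=%s', t, openssl_name(t), forward_secret?(t), local_openssl_offers?(openssl_name(t)))
end
```

Running it with the Ruby that the Sensu process uses shows whether the suite is missing from the library or only from what the client offers during the handshake.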