RabbitMQ Transport - Support for ciphers offering perfect forward secrecy #58

Open
jaredledvina opened this issue Mar 16, 2018 · 7 comments

@jaredledvina

Currently, I can configure my RabbitMQ instances with TLS 1.2 and the cipher option {rsa,aes_256_cbc,sha256} and/or {rsa,aes_256_gcm,null,sha384} and the Sensu server/client can connect without issue. However, when I attempt to use any of the ecdhe ciphers, while RabbitMQ starts up fine, the Sensu server/clients fail to connect and RabbitMQ logs:

TLS server: In state hello at tls_handshake.erl:204 generated SERVER ALERT: Fatal - Insufficient Security - no_suitable_ciphers

RabbitMQ: 3.7.4
Erlang: 20.2.3 (via the RabbitMQ RPM's here: https://packagecloud.io/rabbitmq/erlang)
Sensu: 1.2.1 (using the embedded Ruby)
OS: CentOS 7

I assume the Sensu SSL support is coming from eventmachine itself? Although, maybe it's actually from https://github.com/ruby-amqp/amq. I could use some help/advice in pinning down what actually is determining which ciphers are supported. I've also dumped my server's available RabbitMQ & OpenSSL ciphers: https://gist.github.com/jaredledvina/cfa0be0ec5b598f0870e54fd29297c6a. My ideal goal here is to configure RabbitMQ for TLS 1.2 only and only have the cipher config {ecdhe_rsa,aes_256_cbc,sha384,sha384} enabled.

As always, I'm more than happy to provide any additional information that might help here!

@portertech
Contributor

This limitation is from EventMachine itself, the Ruby C++ reactor. The JRuby reactor (used by Sensu Enterprise) supports additional ciphers, due to its Java implementation.

@portertech
Contributor

Sensu 2.0 supports the following ecdhe ciphers, https://golang.org/pkg/crypto/tls/#pkg-constants 🎉

@jaredledvina
Author

@portertech - Cool, I figured as such. I did just a bit more digging this morning; it looks like maybe EventMachine v1.2.0 added some support here: https://github.com/eventmachine/eventmachine/releases/tag/v1.2.0 and then, if I understand the dependencies correctly, Sensu is on eventmachine v1.2.5: https://github.com/sensu/sensu/blob/master/sensu.gemspec#L14

Is there any chance these ciphers can easily be supported w/ Sensu 1.x?

@obazoud

obazoud commented Sep 1, 2018

Any news?

@Igorshp

Igorshp commented Sep 4, 2018

Just in case anyone else stumbles upon this post while looking for a solution to the above-mentioned RabbitMQ error:

TLS server: In state hello at tls_handshake.erl:204 generated SERVER ALERT: Fatal - Insufficient Security - no_suitable_ciphers

Make sure to add the ciphers block to the rabbitmq.config (thanks @jaredledvina for the list):

[
  {rabbit, [
    {ssl_listeners, [5671]},
    {ssl_options, [
      {cacertfile, "/etc/rabbitmq/ssl/cacert.pem"},
      {certfile,   "/etc/rabbitmq/ssl/cert.pem"},
      {keyfile,    "/etc/rabbitmq/ssl/key.pem"},
      {verify, verify_peer},
      {ciphers, [
        {rsa,aes_256_cbc,sha256},
        {rsa,aes_256_gcm,null,sha384}
      ]},
      {fail_if_no_peer_cert, true}
    ]}
  ]}
].

@rwky

rwky commented Mar 3, 2019

Expanding on @Igorshp's comment, the RabbitMQ docs have some good info on configuring ciphers and TLS versions: https://www.rabbitmq.com/ssl.html

@wvidana

wvidana commented Mar 9, 2019

For anyone using the new config format on RabbitMQ, for the cipher changes you need to add:

ssl_options.ciphers.1  = AES256-SHA256
ssl_options.ciphers.2  = AES256-GCM-SHA384
ssl_options.honor_cipher_order = true
ssl_options.honor_ecc_order    = true

That solved the issue for me on RabbitMQ 3.7.12 and Erlang 21.2.6.

More info: https://www.rabbitmq.com/ssl.html#cipher-suites
Cipher correspondence table: https://github.com/erlang/otp/wiki/Cipher-suite-correspondence-table
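Added example, not code from this issue, Sensu or RabbitMQ: a small Ruby script (the language of the embedded Sensu runtime) that converts the Erlang tuple form used in the rabbitmq.config above into the OpenSSL names the new-style config uses, lists what the local Ruby's OpenSSL offers, and reports whether a given broker cipher list leaves any suite to negotiate, which is the condition behind the no_suitable_ciphers alert. The KX/CIPH/HASH tables cover only the TLS 1.2 suites named in this thread, and the script assumes the Sensu client ends up offering whatever this Ruby's OpenSSL default list contains.

```ruby
require 'openssl'

# Erlang/OTP tuple atoms -> OpenSSL name fragments (assumed mapping, TLS 1.2 only).
KX   = { 'rsa' => '', 'ecdhe_rsa' => 'ECDHE-RSA-', 'ecdhe_ecdsa' => 'ECDHE-ECDSA-', 'dhe_rsa' => 'DHE-RSA-' }.freeze
CIPH = { 'aes_128_cbc' => 'AES128', 'aes_256_cbc' => 'AES256',
         'aes_128_gcm' => 'AES128-GCM', 'aes_256_gcm' => 'AES256-GCM' }.freeze
HASH = { 'sha' => 'SHA', 'sha256' => 'SHA256', 'sha384' => 'SHA384' }.freeze

# "{ecdhe_rsa,aes_256_cbc,sha384,sha384}" -> "ECDHE-RSA-AES256-SHA384"
def erlang_to_openssl(tuple)
  kx, ciph, mac, prf = tuple.delete('{} ').split(',')
  hash = mac == 'null' ? prf : mac # AEAD suites carry the hash in the 4th (PRF) slot
  "#{KX.fetch(kx)}#{CIPH.fetch(ciph)}-#{HASH.fetch(hash)}"
end

# Forward secrecy comes from ephemeral key exchange, not from the bulk cipher.
def forward_secret?(openssl_name)
  openssl_name.start_with?('ECDHE-', 'DHE-')
end

# Suite names this Ruby's OpenSSL would offer with a default context (environment-dependent).
def ruby_client_suites
  OpenSSL::SSL::SSLContext.new.ciphers.map(&:first)
end

# Overlap between the broker's configured suites (Erlang form) and the client's OpenSSL names.
# An empty overlap is exactly what makes the broker log "Insufficient Security - no_suitable_ciphers".
def negotiable(server_tuples, client_names)
  server = server_tuples.map { |t| erlang_to_openssl(t) }
  common = server & client_names
  { common: common,
    missing_on_client: server - client_names,
    pfs_available: common.select { |n| forward_secret?(n) } }
end

if __FILE__ == $PROGRAM_NAME
  # Constructed broker config: the PFS suite from the original question plus one RSA suite.
  server = ['{ecdhe_rsa,aes_256_cbc,sha384,sha384}', '{rsa,aes_256_gcm,null,sha384}']
  result = negotiable(server, ruby_client_suites)
  puts "negotiable:         #{result[:common].inspect}"
  puts "missing on client:  #{result[:missing_on_client].inspect}"
  puts "forward-secret:     #{result[:pfs_available].inspect}"
  puts 'broker would reject the handshake (no_suitable_ciphers)' if result[:common].empty?
end
```

Run it with Sensu's embedded Ruby (rather than the system one) to see the list the Sensu process would actually offer; an empty `forward-secret` line with a non-empty `negotiable` line means the connection works but without PFS.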
