
SSL Connection Issues on RHEL Centos6.5 RabbitMQ

erasche edited this page Oct 29, 2014 · 3 revisions

Problem

On Centos 6.5, the SSL connection will fail to your message queue server for a specific set of ciphers:

  • {ecdhe_ecdsa,aes_256_cbc,sha384}
  • {ecdhe_rsa,aes_256_cbc,sha384}

EC appears to be broken or not fully implemented in openssl on this distribution. We're currently running openssl.x86_64 1.0.1e-30.el6_6.2 and see the following error in our logs when connecting to an SSL-enabled MQ:

ssl.SSLError: [Errno 1] _ssl.c:507: error:100AE081:elliptic curve routines:EC_GROUP_new_by_curve_name:unknown group

There is some documentation for why this is occurring here:

Solution

This is most often fixed by a yum update; however, that is not always the case (we went through openssl versions 1.0.1e-16 and 1.0.1e-30 before settling on an alternate solution).

In the event that a yum update fails to fix the problem, you can simply disable the relevant ciphers on your RabbitMQ server (other MQs will have different solutions; please add them!).

Find out SSL ciphers supported

esr@geiger:~/Projects/galaxy/pulsar⟫ sudo rabbitmqctl eval 'ssl:cipher_suites().' 
[{ecdhe_ecdsa,aes_256_cbc,sha384},
 {ecdhe_rsa,aes_256_cbc,sha384},
 {ecdh_ecdsa,aes_256_cbc,sha384},
 {ecdh_rsa,aes_256_cbc,sha384},
 {dhe_rsa,aes_256_cbc,sha256},
 {dhe_dss,aes_256_cbc,sha256},
 {rsa,aes_256_cbc,sha256},
...

Disable Selected Ciphers

At the top we see our two offenders, {ecdhe_ecdsa,aes_256_cbc,sha384} and {ecdhe_rsa,aes_256_cbc,sha384}. Copy that list into /etc/rabbitmq/rabbitmq.config with those two entries removed (and prune some of the weaker supported ciphers while you're at it).

Ours looks like:

[
  {rabbit, [
    {tcp_listeners, []},
    {ssl_listeners, [5671]},
    {ssl_options, [{cacertfile,"/etc/ssl/certs/ca-bundle"},
                    {certfile,"/etc/ssl/certs/server.crt"},
                    {keyfile,"/etc/ssl/private/server.key"},
                    {verify,verify_none},
                    {fail_if_no_peer_cert,false},
                    {ciphers,[% {ecdhe_ecdsa,aes_256_cbc,sha384},
                              % {ecdhe_rsa,aes_256_cbc,sha384},
                              % Disabled for use with Centos 6.5 which has a badly patched openssl thanks to RHEL
                              {ecdh_ecdsa,aes_256_cbc,sha384},
                              {ecdh_rsa,aes_256_cbc,sha384},
                              {dhe_rsa,aes_256_cbc,sha256},
                              {dhe_dss,aes_256_cbc,sha256},
                              {rsa,aes_256_cbc,sha256},
                              {ecdhe_ecdsa,aes_128_cbc,sha256},
                              {ecdhe_rsa,aes_128_cbc,sha256},
                              {ecdh_ecdsa,aes_128_cbc,sha256},
                              {ecdh_rsa,aes_128_cbc,sha256},
                              {dhe_rsa,aes_128_cbc,sha256},
                              {dhe_dss,aes_128_cbc,sha256},
                              {rsa,aes_128_cbc,sha256}
                              ]}]}
  ]},
  {kernel, [
    %% ...
  ]}
].
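Editing the {ciphers,[...]} list by hand from the rabbitmqctl dump is easy to get wrong, so here is an added Python helper (not part of this wiki page or of RabbitMQ) that parses the Erlang term list printed by ssl:cipher_suites()., drops the two failing sha384 ECDHE suites plus a few weak bulk ciphers, and renders the result in the form used in rabbitmq.config. The sample output and the WEAK_CIPHERS set are constructed assumptions; the page itself only says "some of the weaker ciphers".

```python
import re
import sys

# Constructed sample of `rabbitmqctl eval 'ssl:cipher_suites().'` output (an Erlang
# list of 3-tuples), padded with two weak suites so the pruning step has work to do.
SAMPLE_OUTPUT = """[{ecdhe_ecdsa,aes_256_cbc,sha384},
 {ecdhe_rsa,aes_256_cbc,sha384},
 {ecdh_ecdsa,aes_256_cbc,sha384},
 {dhe_rsa,aes_256_cbc,sha256},
 {rsa,aes_256_cbc,sha256},
 {ecdhe_rsa,aes_128_cbc,sha256},
 {rsa,rc4_128,sha},
 {rsa,des_cbc,sha}]"""

# The two suites the page identifies as failing on CentOS 6.5
# (EC_GROUP_new_by_curve_name: unknown group).
BROKEN_SUITES = {
    ("ecdhe_ecdsa", "aes_256_cbc", "sha384"),
    ("ecdhe_rsa", "aes_256_cbc", "sha384"),
}
# Assumption: bulk ciphers worth pruning while the list is being edited anyway.
WEAK_CIPHERS = {"rc4_128", "des_cbc", "3des_ede_cbc", "null"}

SUITE_RE = re.compile(r"\{(\w+),(\w+),(\w+)\}")


def parse_suites(text):
    """Extract (key_exchange, cipher, mac) tuples from the Erlang term dump."""
    return [m.groups() for m in SUITE_RE.finditer(text)]


def filter_suites(suites):
    """Split suites into (kept, dropped), preserving the server's preference order."""
    kept, dropped = [], []
    for suite in suites:
        if suite in BROKEN_SUITES or suite[1] in WEAK_CIPHERS:
            dropped.append(suite)
        else:
            kept.append(suite)
    return kept, dropped


def render_ciphers_option(suites, indent=" " * 30):
    """Render the kept suites as the Erlang {ciphers,[...]} tuple for rabbitmq.config."""
    body = (",\n" + indent).join("{%s,%s,%s}" % suite for suite in suites)
    return "{ciphers,[%s]}" % body


if __name__ == "__main__":
    # Usage: sudo rabbitmqctl eval 'ssl:cipher_suites().' | python this_script.py
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_OUTPUT
    kept, dropped = filter_suites(parse_suites(text))
    print(render_ciphers_option(kept))
```

Swap the rendered tuple in for the ciphers entry only; the rest of ssl_options above (including verify_none, which turns off peer certificate verification) is left exactly as the page shows it.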