[Openstack-operators] oslo_messaging, rabbit, ssl and mitaka and xenial

Sam Morrison sorrison at gmail.com
Thu Jun 2 23:02:51 UTC 2016


Hi all,

We’ve been trying out some mitaka packages as well as some Xenial hosts and have been having some issues with rabbit and SSL.

If using rabbitMQ 3.6.x on Trusty I can’t get a mitaka host (oslo_messaging 4.6.1, python-amqp 1.4.9) to connect to rabbit over SSL. 

If I use rabbitMQ 3.6.x on Xenial I can get it to work BUT I need to change some settings on rabbit to allow some weaker ciphers.

I had to add the following to rabbitmq.config (found on some random blog and haven’t investigated what exactly needed to change, sorry):

                    {versions, ['tlsv1.2', 'tlsv1.1', tlsv1]},
                    {ciphers, ["ECDHE-ECDSA-AES256-GCM-SHA384","ECDHE-RSA-AES256-GCM-SHA384",
                               "ECDHE-ECDSA-AES256-SHA384","ECDHE-RSA-AES256-SHA384", "ECDHE-ECDSA-DES-CBC3-SHA",
                               "ECDH-ECDSA-AES256-GCM-SHA384","ECDH-RSA-AES256-GCM-SHA384","ECDH-ECDSA-AES256-SHA384",
                               "ECDH-RSA-AES256-SHA384","DHE-DSS-AES256-GCM-SHA384","DHE-DSS-AES256-SHA256",
                               "AES256-GCM-SHA384","AES256-SHA256","ECDHE-ECDSA-AES128-GCM-SHA256",
                               "ECDHE-RSA-AES128-GCM-SHA256","ECDHE-ECDSA-AES128-SHA256","ECDHE-RSA-AES128-SHA256",
                               "ECDH-ECDSA-AES128-GCM-SHA256","ECDH-RSA-AES128-GCM-SHA256","ECDH-ECDSA-AES128-SHA256",
                               "ECDH-RSA-AES128-SHA256","DHE-DSS-AES128-GCM-SHA256","DHE-DSS-AES128-SHA256",
                               "AES128-GCM-SHA256","AES128-SHA256","ECDHE-ECDSA-AES256-SHA",
                               "ECDHE-RSA-AES256-SHA","DHE-DSS-AES256-SHA","ECDH-ECDSA-AES256-SHA",
                               "ECDH-RSA-AES256-SHA","AES256-SHA","ECDHE-ECDSA-AES128-SHA",
                               "ECDHE-RSA-AES128-SHA","DHE-DSS-AES128-SHA","ECDH-ECDSA-AES128-SHA",
                               "ECDH-RSA-AES128-SHA","AES128-SHA"]},
                    {honor_cipher_order, true},


Has anyone else had a play with this and got it working where a mitaka host can talk to a rabbitmq server running on trusty?
The version of Erlang is the difference here and I’m pretty sure that is where the change is.

Cheers,
Sam
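
Added example (not part of the original post): a small Python audit of the `versions` and `ciphers` values quoted above, showing which entries widen the listener beyond forward-secret AEAD suites. The classification rules are this example's own, based on OpenSSL cipher-suite naming, and `parse_option`, `audit_cipher` and `audit` are hypothetical helper names.

```python
import re

# rabbitmq.config fragment from the post, whitespace condensed (values unchanged).
FRAGMENT = """
{versions, ['tlsv1.2', 'tlsv1.1', tlsv1]},
{ciphers, ["ECDHE-ECDSA-AES256-GCM-SHA384","ECDHE-RSA-AES256-GCM-SHA384","ECDHE-ECDSA-AES256-SHA384","ECDHE-RSA-AES256-SHA384",
  "ECDHE-ECDSA-DES-CBC3-SHA","ECDH-ECDSA-AES256-GCM-SHA384","ECDH-RSA-AES256-GCM-SHA384","ECDH-ECDSA-AES256-SHA384",
  "ECDH-RSA-AES256-SHA384","DHE-DSS-AES256-GCM-SHA384","DHE-DSS-AES256-SHA256","AES256-GCM-SHA384",
  "AES256-SHA256","ECDHE-ECDSA-AES128-GCM-SHA256","ECDHE-RSA-AES128-GCM-SHA256","ECDHE-ECDSA-AES128-SHA256",
  "ECDHE-RSA-AES128-SHA256","ECDH-ECDSA-AES128-GCM-SHA256","ECDH-RSA-AES128-GCM-SHA256","ECDH-ECDSA-AES128-SHA256",
  "ECDH-RSA-AES128-SHA256","DHE-DSS-AES128-GCM-SHA256","DHE-DSS-AES128-SHA256","AES128-GCM-SHA256",
  "AES128-SHA256","ECDHE-ECDSA-AES256-SHA","ECDHE-RSA-AES256-SHA","DHE-DSS-AES256-SHA",
  "ECDH-ECDSA-AES256-SHA","ECDH-RSA-AES256-SHA","AES256-SHA","ECDHE-ECDSA-AES128-SHA",
  "ECDHE-RSA-AES128-SHA","DHE-DSS-AES128-SHA","ECDH-ECDSA-AES128-SHA","ECDH-RSA-AES128-SHA",
  "AES128-SHA"]},
{honor_cipher_order, true},
"""
LEGACY = "legacy protocol version (formally deprecated by RFC 8996)"

def parse_option(text, key):
    """Return the items of an Erlang list option such as {ciphers, [...]}."""
    m = re.search(r"\{%s,\s*\[(.*?)\]\}" % re.escape(key), text, re.S)
    return re.findall(r"[\w.-]+", m.group(1)) if m else []

def audit_cipher(name):
    """Return the weaknesses implied by one OpenSSL-style suite name."""
    findings = []
    if not name.startswith(("ECDHE-", "DHE-")):  # no ephemeral key exchange
        kx = "static ECDH" if name.startswith("ECDH-") else "static RSA"
        findings.append(kx + " key exchange: no forward secrecy")
    if "DES-CBC3" in name:
        findings.append("3DES: 64-bit block cipher")
    elif "GCM" not in name:
        findings.append("CBC mode, not AEAD")
    if name.endswith("-SHA"):  # bare -SHA suffix means SHA-1
        findings.append("HMAC-SHA1 MAC")
    return findings

def audit(text):
    """Map every flagged version or cipher in the fragment to its findings."""
    report = {v: [LEGACY] for v in parse_option(text, "versions") if v in ("tlsv1", "tlsv1.1")}
    report.update({c: audit_cipher(c) for c in parse_option(text, "ciphers") if audit_cipher(c)})
    return report

if __name__ == "__main__":
    report = audit(FRAGMENT)
    for name, findings in report.items():
        print(f"{name:32} {'; '.join(findings)}")
    print("forward-secret AEAD suites:", [c for c in parse_option(FRAGMENT, "ciphers") if c not in report])
```

Entries the audit does not flag are the forward-secret AEAD suites; removing flagged entries one group at a time is a way to find the minimum the client actually needs.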



