
Restart RabbitMQ TLS acceptors with new settings

Restarting RabbitMQ TLS Listeners with new TLS options

Connect via remsh

Be sure to use the correct path to the Erlang cookie file (probably /var/lib/rabbitmq/.erlang.cookie):

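# Open a remote shell on the running RabbitMQ node.
# COOKIE_FILE: path of the Erlang distribution cookie to read. It defaults to
# $HOME/.erlang.cookie (the file erl reads on its own), and can be pointed at
# the broker's cookie file when this is run as a different user.
# The cookie grants full control of the node, and "$(< ...)" expands it into
# erl's argument list, where it can be visible to other local users through
# the process list; when the cookie already sits at $HOME/.erlang.cookie the
# -setcookie argument can simply be dropped. "$(< file)" is a bash feature;
# under plain sh use "$(cat "$COOKIE_FILE")" instead.
COOKIE_FILE="${COOKIE_FILE:-$HOME/.erlang.cookie}"
erl -sname node@MESSIAEN -setcookie "$(< "$COOKIE_FILE")" -remsh 'rabbit@MESSIAEN'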

Merge the new cipher options into the existing TLS options and store them in the application environment

The merged TLS options end up in the NewTlsOpts variable:

% Read the TLS options the rabbit application is currently running with.
> {ok, TlsOpts} = application:get_env(rabbit, ssl_options).
{ok,[{cacertfile,"/Users/lbakken/development/src/tls-gen/basic/testca/cacert.pem"},
     {certfile,"/Users/lbakken/development/src/tls-gen/basic/server/cert.pem"},
     {keyfile,"/Users/lbakken/development/src/tls-gen/basic/server/key.pem"},
     {verify,verify_peer},
     {fail_if_no_peer_cert,false}]}
% Load the replacement cipher list from a file holding a single {ciphers, [...]} term.
% NOTE(review): every suite in this list uses static RSA key exchange, so none of
% them provides forward secrecy, and the '3des_ede_cbc' and SHA-1 CBC entries are
% legacy suites; confirm this is the intended floor before applying it to a
% production listener.
> {ok, [CipherOpt]} = file:consult("/PATH/TO/ciphers.config").
{ok,[{ciphers,[{rsa,'3des_ede_cbc',sha},
               {rsa,aes_128_cbc,sha256},
               {rsa,aes_128_cbc,sha},
               {rsa,aes_128_gcm,null,sha256},
               {rsa,aes_256_cbc,sha256},
               {rsa,aes_256_cbc,sha},
               {rsa,aes_256_gcm,null,sha384}]}]}
% Prepend the ciphers tuple to the existing options. Nothing is removed, so if
% TlsOpts already carried a {ciphers, _} entry the list now holds two of them;
% which one the ssl application honours is not shown here, so delete the old
% entry explicitly if that can happen on your node.
> NewTlsOpts = [CipherOpt | TlsOpts].
[{ciphers,[{rsa,'3des_ede_cbc',sha},
           {rsa,aes_128_cbc,sha256},
           {rsa,aes_128_cbc,sha},
           {rsa,aes_128_gcm,null,sha256},
           {rsa,aes_256_cbc,sha256},
           {rsa,aes_256_cbc,sha},
           {rsa,aes_256_gcm,null,sha384}]},
 {cacertfile,"/Users/lbakken/development/src/tls-gen/basic/testca/cacert.pem"},
 {certfile,"/Users/lbakken/development/src/tls-gen/basic/server/cert.pem"},
 {keyfile,"/Users/lbakken/development/src/tls-gen/basic/server/key.pem"},
 {verify,verify_peer},
 {fail_if_no_peer_cert,false}]

% Store the merged options in the in-memory application environment. This does
% not write to rabbitmq.config, so the change is lost at the next node restart
% unless the config file is updated as well.
> application:set_env(rabbit, ssl_options, NewTlsOpts).

Stop the current TLS listeners

% Stop every active listener whose type is 'amqp/ssl', leaving plain AMQP and any
% other listeners running. The pattern matches the listener record positionally
% (type in the third field, port in the sixth), so it is tied to that record's
% layout in the RabbitMQ version in use; only the port is passed on.
% Nothing accepts new TLS connections between this step and the start below,
% so run both inside a planned window.
7> [rabbit_networking:stop_tcp_listener(Port) || {listener,_,Type,_,_,Port,_} <- rabbit_networking:active_listeners(), Type =:= 'amqp/ssl'].
[ok]

Start the new TLS listeners

% Bring up a fresh TLS listener on 5671. rabbit_networking:ensure_ssl() is
% presumably what rebuilds the ssl options from the application environment,
% which is how the ciphers stored above take effect — confirm against the
% RabbitMQ version in use. The third argument looks like the acceptor pool
% size; check it matches what the stopped listener was running with.
> rabbit_networking:start_ssl_listener(5671, rabbit_networking:ensure_ssl(), 10).
ok
% ciphers.config: full candidate cipher suite list for the RabbitMQ TLS listener,
% written as a single Erlang term for file:consult/1. Each entry is
% {KeyExchange, Cipher, Mac} or {KeyExchange, Cipher, Mac, Prf}.
% Suites are listed strongest first (ECDHE/DHE with AES-GCM) down to the legacy
% tail. This order is only enforced when the listener also sets
% {honor_cipher_order, true}; otherwise the client's preference decides.
{ciphers, [
{ecdhe_ecdsa,aes_256_gcm,null,sha384},
{ecdhe_rsa,aes_256_gcm,null,sha384},
{ecdhe_ecdsa,aes_256_cbc,sha384,sha384},
{ecdhe_rsa,aes_256_cbc,sha384,sha384},
{ecdh_ecdsa,aes_256_gcm,null,sha384},
{ecdh_rsa,aes_256_gcm,null,sha384},
{ecdh_ecdsa,aes_256_cbc,sha384,sha384},
{ecdh_rsa,aes_256_cbc,sha384,sha384},
{dhe_rsa,aes_256_gcm,null,sha384},
{dhe_dss,aes_256_gcm,null,sha384},
{dhe_rsa,aes_256_cbc,sha256},
{dhe_dss,aes_256_cbc,sha256},
{rsa,aes_256_gcm,null,sha384},
{rsa,aes_256_cbc,sha256},
{ecdhe_ecdsa,aes_128_gcm,null,sha256},
{ecdhe_rsa,aes_128_gcm,null,sha256},
{ecdhe_ecdsa,aes_128_cbc,sha256,sha256},
{ecdhe_rsa,aes_128_cbc,sha256,sha256},
{ecdh_ecdsa,aes_128_gcm,null,sha256},
{ecdh_rsa,aes_128_gcm,null,sha256},
{ecdh_ecdsa,aes_128_cbc,sha256,sha256},
{ecdh_rsa,aes_128_cbc,sha256,sha256},
{dhe_rsa,aes_128_gcm,null,sha256},
{dhe_dss,aes_128_gcm,null,sha256},
{dhe_rsa,aes_128_cbc,sha256},
{dhe_dss,aes_128_cbc,sha256},
{rsa,aes_128_gcm,null,sha256},
{rsa,aes_128_cbc,sha256},
% NOTE(review): everything from here down is a SHA-1 CBC suite, and the final
% group uses 3DES. These form the legacy tail of the list and are the first
% candidates to drop when trimming it for a production listener.
{ecdhe_ecdsa,aes_256_cbc,sha},
{ecdhe_rsa,aes_256_cbc,sha},
{dhe_rsa,aes_256_cbc,sha},
{dhe_dss,aes_256_cbc,sha},
{ecdh_ecdsa,aes_256_cbc,sha},
{ecdh_rsa,aes_256_cbc,sha},
{rsa,aes_256_cbc,sha},
{ecdhe_ecdsa,aes_128_cbc,sha},
{ecdhe_rsa,aes_128_cbc,sha},
{dhe_rsa,aes_128_cbc,sha},
{dhe_dss,aes_128_cbc,sha},
{ecdh_ecdsa,aes_128_cbc,sha},
{ecdh_rsa,aes_128_cbc,sha},
{rsa,aes_128_cbc,sha},
% 3DES (64-bit block) suites.
{ecdhe_ecdsa,'3des_ede_cbc',sha},
{ecdhe_rsa,'3des_ede_cbc',sha},
{dhe_rsa,'3des_ede_cbc',sha},
{dhe_dss,'3des_ede_cbc',sha},
{ecdh_ecdsa,'3des_ede_cbc',sha},
{ecdh_rsa,'3des_ede_cbc',sha},
{rsa,'3des_ede_cbc',sha}]}.
% ciphers.config: the reduced list consulted in the transcript above.
% NOTE(review): every suite here uses static RSA key exchange, so a compromise of
% the server key exposes previously recorded sessions (no forward secrecy); the
% '3des_ede_cbc' entry and the plain sha (SHA-1 CBC) entries are legacy suites.
% The ECDHE/DHE AES-GCM suites from the full list are the usual choice when the
% client population supports them.
{ciphers,
[{rsa,'3des_ede_cbc',sha},
{rsa,aes_128_cbc,sha256},
{rsa,aes_128_cbc,sha},
{rsa,aes_128_gcm,null,sha256},
{rsa,aes_256_cbc,sha256},
{rsa,aes_256_cbc,sha},
{rsa,aes_256_gcm,null,sha384}]}.
% rabbitmq.config: a TLS listener on 5671 that requests client certificates.
[
{rabbit,
[
{ssl_listeners, [5671]},
% verify_peer validates a client certificate when one is presented, but with
% fail_if_no_peer_cert set to false a client that sends no certificate is still
% accepted; set it to true if every client must authenticate with a certificate.
% There is no {ciphers, _} entry here, so after a node restart the listener
% falls back to the default suites instead of the list applied at runtime;
% add the same {ciphers, [...]} term to ssl_options to make it persistent.
{ssl_options, [{cacertfile, "/Users/lbakken/development/michaelklishin/tls-gen/basic/testca/cacert.pem"},
{certfile, "/Users/lbakken/development/michaelklishin/tls-gen/basic/server/cert.pem"},
{keyfile, "/Users/lbakken/development/michaelklishin/tls-gen/basic/server/key.pem"},
{verify, verify_peer},
{fail_if_no_peer_cert, false}
]}]}
].