%% Disable SSLv3.0 support
[
 {ssl, [{versions, ['tlsv1.2', 'tlsv1.1', tlsv1]}]},
 {rabbit, [
           {ssl_listeners, [5671]},
           {ssl_options, [{cacertfile, "/path/to/ca_certificate.pem"},
                          {certfile,   "/path/to/server_certificate.pem"},
                          {keyfile,    "/path/to/server_key.pem"},
                          {versions,   ['tlsv1.2', 'tlsv1.1', tlsv1]}
                         ]}
          ]}
].
%% to verify, use openssl s_client
%% (<host> is a placeholder for the broker's address):
%% openssl s_client -connect <host>:5671 -ssl3
%% to test with TLSv1:
%% openssl s_client -connect <host>:5671 -tls1
%% and look for the following in the output:
%% SSL-Session:
%%     Protocol  : TLSv1
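
The verification comments above say to look for the `Protocol` line, but `openssl s_client` prints an `SSL-Session` block naming the requested protocol even when the listener refuses the handshake; the cipher is then `0000`. The script below is an added example, not part of the original gist, that classifies the output on both lines. The function names and sample excerpts are constructed for illustration, and the "unknown option" wording for OpenSSL builds without SSLv3 is an assumption.

```shell
#!/usr/bin/env bash
# Constructed s_client excerpts (not captured from a real broker).
ACCEPTED_SAMPLE='New, TLSv1/SSLv3, Cipher is AES256-SHA
SSL-Session:
    Protocol  : TLSv1
    Cipher    : AES256-SHA'
REJECTED_SAMPLE='New, (NONE), Cipher is (NONE)
SSL-Session:
    Protocol  : SSLv3
    Cipher    : 0000'

# Classify one s_client transcript read from stdin.
# Prints "accepted <protocol>" (status 0) or "rejected" (status 1).
handshake_result() {
    awk '
        /^[ \t]*Protocol[ \t]*:/ { proto = $NF }
        /^[ \t]*Cipher[ \t]*:/   { cipher = $NF }
        END {
            # A refused handshake still prints the requested protocol,
            # so only a real cipher name counts as a completed handshake.
            if (proto == "" || cipher == "" || cipher == "0000" || cipher == "(NONE)") {
                print "rejected"; exit 1
            }
            print "accepted " proto
        }'
}

# Probe HOST PORT once per protocol flag used in the gist, plus TLS 1.1/1.2.
probe_listener() {
    for flag in -ssl3 -tls1 -tls1_1 -tls1_2; do
        out=$(openssl s_client -connect "$1:$2" "$flag" </dev/null 2>&1) || true
        # Assumption: a build without this protocol reports "unknown option".
        if printf '%s\n' "$out" | grep -qi 'unknown option'; then
            echo "$flag: cannot test, flag not supported by this openssl build"
        else
            echo "$flag: $(printf '%s\n' "$out" | handshake_result)"
        fi
    done
}

# Demo on the constructed excerpts; run probe_listener <host> 5671 for a live check.
printf '%s\n' "$ACCEPTED_SAMPLE" | handshake_result || true
printf '%s\n' "$REJECTED_SAMPLE" | handshake_result || true
```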

Owner Author

commented Oct 20, 2014

Note that due to OTP-10905, to disable SSLv3 you need Erlang/OTP R16B01 or later. In other versions, the list of protocol versions is ignored by ssl:listen/2.



commented Oct 22, 2014

Just to make it clear on this page: only needed for RabbitMQ 3.3.5 and earlier; 3.4.0 and later does this for you.



commented Nov 14, 2014

Simon, Michael, just in case someone specifies {versions, [...]} for the management plugin (or other web contexts), you might want to add something like the following to rabbit_mgmt_external_stats.erl to stop it barfing with "badarg":

format_mochiweb_option(versions, V) ->
    list_to_binary(rabbit_misc:format("~w", [V]));