我正在尝试提高RabbitMQ服务器的TLS安全性。我在这里读到
http://ezgr.net/increasing-security-erlang-ssl-cowboy/
可以在RabbitMQ Erlang SSL配置中指定Diffie-Hellman参数文件 dhfile 。相应地调整我的RabbitMQ配置后,像这样
%% -*-erlang-*-
%% See http://ezgr.net/increasing-security-erlang-ssl-cowboy/
[{ssl,
[{versions, ['tlsv1.2', 'tlsv1.1', tlsv1]}]},
{rabbit,
[{ssl_listeners, [5671]},
{ssl_options,
[{cacertfile, "/opt/rabbitmq/etc/rabbitmq/ca.pem"},
{certfile, "/opt/rabbitmq/etc/rabbitmq/rabbitmq.pem"},
{keyfile, "/opt/rabbitmq/etc/rabbitmq/rabbitmq-key.pem"},
{verify, verify_peer},
{versions, ['tlsv1.2', 'tlsv1.1', tlsv1]},
{dhfile, "/opt/rabbitmq/etc/rabbitmq/dh-params.pem"},
{ciphers,
[
"ECDHE-ECDSA-AES256-GCM-SHA384",
"ECDHE-RSA-AES256-GCM-SHA384",
"ECDHE-ECDSA-AES256-SHA384",
"ECDHE-RSA-AES256-SHA384",
"ECDHE-ECDSA-DES-CBC3-SHA",
"ECDH-ECDSA-AES256-GCM-SHA384",
"ECDH-RSA-AES256-GCM-SHA384",
"ECDH-ECDSA-AES256-SHA384",
"ECDH-RSA-AES256-SHA384",
"DHE-DSS-AES256-GCM-SHA384",
"DHE-DSS-AES256-SHA256",
"AES256-GCM-SHA384",
"AES256-SHA256",
"ECDHE-ECDSA-AES128-GCM-SHA256",
"ECDHE-RSA-AES128-GCM-SHA256",
"ECDHE-ECDSA-AES128-SHA256",
"ECDHE-RSA-AES128-SHA256",
"ECDH-ECDSA-AES128-GCM-SHA256",
"ECDH-RSA-AES128-GCM-SHA256",
"ECDH-ECDSA-AES128-SHA256",
"ECDH-RSA-AES128-SHA256",
"DHE-DSS-AES128-GCM-SHA256",
"DHE-DSS-AES128-SHA256",
"AES128-GCM-SHA256",
"AES128-SHA256",
"ECDHE-ECDSA-AES256-SHA",
"ECDHE-RSA-AES256-SHA",
"DHE-DSS-AES256-SHA",
"ECDH-ECDSA-AES256-SHA",
"ECDH-RSA-AES256-SHA",
"AES256-SHA",
"ECDHE-ECDSA-AES128-SHA",
"ECDHE-RSA-AES128-SHA",
"DHE-DSS-AES128-SHA",
"ECDH-ECDSA-AES128-SHA",
"ECDH-RSA-AES128-SHA",
"AES128-SHA"
]
},
{honor_cipher_order, true},
{secure_renegotiate, true},
{fail_if_no_peer_cert, false}]}]},
{kernel,
[{net_ticktime, 120}]}
].
启动RabbitMQ并强制需要密码ECDHE的TLS连接,我希望服务器临时密钥为2048位。但是,这不是获得
的结果$ echo | openssl s_client -connect msgs01:5671 -tls1_2 -cipher ECDHE-RSA-AES256-GCM-SHA384
...
Server Temp Key: ECDH, P-256, 256 bits
---
SSL handshake has read 3129 bytes and written 278 bytes
---
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-GCM-SHA384
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
Protocol : TLSv1.2
Cipher : ECDHE-RSA-AES256-GCM-SHA384
Session-ID: 6DAAFE1D336206CFCE35D056427635B79F72B2D4E492C734CD6F0016EFE96F67
Session-ID-ctx:
Master-Key: 93CE3B03C2634CC1AA266DDFA2737B48EA949CA6A56E6FC785A813F649E5378118247C6C8A36A1D8CF1F8598B30A0464
Key-Arg : None
PSK identity: None
PSK identity hint: None
SRP username: None
Start Time: 1464540032
Timeout : 7200 (sec)
Verify return code: 0 (ok)
---
为什么RabbitMQ服务器没有显示2048位的临时密钥大小?
结果是否取决于底层erlang运行时使用的openssl版本?我该如何了解这个版本是什么?
谢谢。
EDIT1:验证dhfile参数是正确的路径并包含格式正确的数据:
$ docker exec rabbit cat /opt/rabbitmq/etc/rabbitmq/dh-params.pem | openssl dhparam -text -noout
DH Parameters: (2048 bit)
prime:
00:eb:b5:46:30:28:43:dd:5d:31:6f:0e:94:00:19:
...
af:f3
generator: 2 (0x2)
EDIT2:RabbitMQ版本:3.6.2; Erlang版本:18.3