Enable TLS1.3 for RabbitMQ
Issue
The following steps can be followed to enable TLS 1.3 in RabbitMQ. This ensures that the RabbitMQ server only accepts connections using TLS 1.3, enhancing security.
Important Note!!!
Enabling only TLS 1.3 is not supported out of the box (OOTB) for RabbitMQ in NetWitness and has not been fully functionally qualified. There is no guarantee that this configuration will not affect performance or functionality. Therefore, proceed with caution and always take a backup of the configuration before making any changes.
Step 1: Backup Configuration
Before making any changes, always back up the existing RabbitMQ configuration file:
cp /etc/rabbitmq/rabbitmq.config /etc/rabbitmq/rabbitmq.config.bak
Step 2: Open the Configuration File
Edit the RabbitMQ configuration file, located at /etc/rabbitmq/rabbitmq.config:
sudo vi /etc/rabbitmq/rabbitmq.config
Step 3: Update SSL Options
Locate the sections for SSL options, which may include ssl_options, rabbitmq_management, and amqp_client. Here is how to update the ciphers and versions:
- Specify Ciphers:
Update the ciphers list to include strong cipher suites for TLSv1.3. For example:
{ciphers, [
"TLS_AES_256_GCM_SHA384",
"TLS_AES_128_GCM_SHA256"
]},
For details of the cipher suites available under each protocol version, refer to openssl-ciphers - OpenSSL Documentation.
- Set TLS Versions:
Specify the TLS versions that need to be enabled. For example, to allow both TLS 1.2 and 1.3:
{versions, ['tlsv1.3', 'tlsv1.2']}
To enable TLS 1.3 alone, list only tlsv1.3.
Example Configuration Snippet
{ssl_options, [
.....
{ciphers, [
"TLS_AES_256_GCM_SHA384",
"TLS_AES_128_GCM_SHA256"
]},
{versions, ['tlsv1.3', 'tlsv1.2']}
]},
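Because the note above warns that a TLS 1.3-only listener is not qualified, it helps to lint the edited rabbitmq.config before restarting the service. The following is an added example, not part of this article or of RabbitMQ: it pulls the {versions, [...]} and {ciphers, [...]} entries out of the config text and reports whether the listener is TLS 1.3 only and whether the version list and cipher list can actually work together (the TLS_* suites are TLS 1.3 only per RFC 8446 and cannot be used by TLS 1.2 clients). The sample config texts are constructed; the function names are the example's own.

```python
import re

# TLS 1.3 cipher suites (RFC 8446, Appendix B.4); TLS 1.2 clients cannot use them.
TLS13_SUITES = {
    "TLS_AES_256_GCM_SHA384", "TLS_AES_128_GCM_SHA256", "TLS_CHACHA20_POLY1305_SHA256",
    "TLS_AES_128_CCM_SHA256", "TLS_AES_128_CCM_8_SHA256",
}

def list_items(config, key):
    """Collect the items of every {key, [ ... ]} tuple in an Erlang config text."""
    items = []
    for body in re.findall(r"\{\s*%s\s*,\s*\[([^\]]*)\]" % key, config):
        items += re.findall(r"['\"]?([\w.\-]+)['\"]?", body)
    return items

def lint_tls(config):
    """Return versions, ciphers, whether the listener is TLS 1.3 only, and findings."""
    versions = list_items(config, "versions")
    ciphers = list_items(config, "ciphers")
    legacy = [v for v in versions if v != "tlsv1.3"]
    pre13 = [c for c in ciphers if c not in TLS13_SUITES]
    findings = []
    if not versions:
        findings.append("no {versions, [...]} entry: Erlang ssl defaults apply, TLS 1.3 is not enforced")
    elif legacy:
        findings.append("versions other than tlsv1.3 are enabled: " + ", ".join(legacy))
    if "tlsv1.3" in versions and ciphers and not set(ciphers) & TLS13_SUITES:
        findings.append("tlsv1.3 enabled but no TLS 1.3 suite in the ciphers list: TLS 1.3 clients cannot negotiate")
    if legacy and ciphers and not pre13:
        findings.append("older versions enabled but only TLS 1.3 suites listed: those clients have no usable suite")
    return {
        "versions": versions, "ciphers": ciphers,
        "tls13_only": versions == ["tlsv1.3"], "findings": findings,
    }

# Constructed sample: the article's snippet (TLS 1.2 and 1.3 enabled, TLS 1.3 suites only).
MIXED_CONFIG = """
[{rabbit, [{ssl_options, [
    {ciphers, ["TLS_AES_256_GCM_SHA384", "TLS_AES_128_GCM_SHA256"]},
    {versions, ['tlsv1.3', 'tlsv1.2']}
]}]}].
"""
# Constructed sample: TLS 1.3 only, the configuration this article aims for.
TLS13_ONLY_CONFIG = MIXED_CONFIG.replace("['tlsv1.3', 'tlsv1.2']", "['tlsv1.3']")

if __name__ == "__main__":
    for name, cfg in (("mixed", MIXED_CONFIG), ("tls13-only", TLS13_ONLY_CONFIG)):
        print(name, lint_tls(cfg))
```

Run it against the real file with lint_tls(open("/etc/rabbitmq/rabbitmq.config").read()); an empty findings list with tls13_only set to True is the state Step 6 is meant to confirm.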
Step 4: Restart RabbitMQ
After making changes, restart the RabbitMQ service to apply the new configuration:
sudo systemctl restart rabbitmq-server
Step 5: Verify Configuration
Check the RabbitMQ logs for any errors related to the SSL/TLS configuration. Logs are typically found in /var/log/rabbitmq/.
Status can also be verified with:
rabbitmq-diagnostics status
Step 6: Test Connections
Use OpenSSL to test the connection to RabbitMQ with the updated settings:
openssl s_client -connect <host_ip>:5671 -tls1_3
Product Details
NetWitness Product Set: NetWitness Platform
NetWitness Product/Service Type: All Nodes/ RabbitMQ
NetWitness Version/Condition: 12.4.x
Platform: AlmaLinux