
Use modern SSLContext API #629

Merged 1 commit, Mar 22, 2022

Conversation

michaelklishin (Member) commented Mar 22, 2022

It's already possible to post-configure TLS context using
Bunny::Connection#transport and Bunny::Transport#configure_tls_context
but since we already require Ruby 2.5, using a more modern
API makes sense. It also allows the user to set TLS version to 1.3 [1].

Note that TLS 1.3 support is an all-or-nothing proposition
because there are no shared cipher suites with earlier versions,
by design.

While at it, drop SSLv3 support because it's been compromised and deprecated for so many years,
many runtimes no longer support it as an option.

References #628.

  1. https://rabbitmq.com/ssl.html#tls1.3

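The protocol range the description refers to, as an added example that is not Bunny's code: a client SSLContext builder that uses the min_version=/max_version= setters (openssl gem 2.1, Ruby 2.5+) instead of the legacy ssl_version=, never offers SSLv3, and fails with a clear error on OpenSSL builds without TLS 1.3. The names TLS_VERSION_NAMES, tls_version_constant and build_client_tls_context are mine, not the library's.

```ruby
require "openssl"

# Human-readable protocol names mapped to the OpenSSL::SSL::*_VERSION constants
# accepted by SSLContext#min_version= / #max_version= (openssl gem 2.1+, Ruby 2.5+).
# SSLv3 is intentionally not listed, so it cannot be selected at all.
TLS_VERSION_NAMES = {
  "tls1.0" => :TLS1_VERSION,
  "tls1.1" => :TLS1_1_VERSION,
  "tls1.2" => :TLS1_2_VERSION,
  "tls1.3" => :TLS1_3_VERSION, # absent on OpenSSL builds without TLS 1.3 support
}.freeze

# Resolve a name to its constant, raising ArgumentError rather than NameError when
# the linked OpenSSL predates TLS 1.3 (the load failure the follow-up commit addresses).
def tls_version_constant(name)
  sym = TLS_VERSION_NAMES.fetch(name.to_s.downcase) do
    raise ArgumentError, "unsupported or disallowed TLS version: #{name.inspect}"
  end
  unless OpenSSL::SSL.const_defined?(sym)
    raise ArgumentError,
          "#{name} is not supported by #{OpenSSL::OPENSSL_LIBRARY_VERSION}"
  end
  OpenSSL::SSL.const_get(sym)
end

# Build a client context with an explicit [min, max] protocol range rather than the
# legacy SSLContext#ssl_version= or OP_NO_* option bits. max: nil leaves the upper
# bound to OpenSSL. Returns the context plus the resolved bounds for inspection,
# since SSLContext exposes no min_version/max_version readers.
def build_client_tls_context(min: "tls1.2", max: nil, ca_file: nil, cert: nil, key: nil)
  lo = tls_version_constant(min)
  hi = max && tls_version_constant(max)
  raise ArgumentError, "min #{min} is above max #{max}" if hi && lo > hi

  ctx = OpenSSL::SSL::SSLContext.new
  # A TLS 1.3-only range (min == max == tls1.3) has no fallback to a TLS 1.2 peer:
  # the cipher suites are disjoint, so both ends must speak 1.3.
  ctx.min_version = lo
  ctx.max_version = hi
  ctx.verify_mode = OpenSSL::SSL::VERIFY_PEER # always verify the broker certificate
  ctx.ca_file = ca_file if ca_file
  ctx.cert = cert if cert # client certificate, if the broker requires one
  ctx.key = key if key
  [ctx, lo, hi]
end
```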
@michaelklishin michaelklishin added this to the 2.20 milestone Mar 22, 2022
michaelklishin (Member, Author) commented
With a RabbitMQ 3.9 node on Erlang 24.3 with the following rabbitmq.conf:

#
# TLS
#

listeners.ssl.default  = 5671
ssl_options.cacertfile = /path/to/tls-gen.git/basic/result/ca_certificate.pem
ssl_options.certfile   = /path/to/tls-gen.git/basic/result/server_certificate.pem
ssl_options.keyfile    = /path/to/tls-gen.git/basic/result/server_key.pem

I could not get one Bunny TLS test example, modified to use TLS 1.3, to work. The node kept logging

[notice] <0.1324.0> TLS server: In state start at tls_handshake_1_3.erl:2964 generated SERVER ALERT: Fatal - Illegal Parameter

and it's not obvious what that "illegal parameter" is without a traffic dump and extra digging I cannot do right now.

But all existing TLS 1.2 tests pass, so that's a step in the right direction.

@michaelklishin michaelklishin merged commit e2f3c99 into master Mar 22, 2022
@michaelklishin michaelklishin deleted the use-modern-sslcontext-api branch March 22, 2022 07:48
@michaelklishin michaelklishin mentioned this pull request Mar 22, 2022
@michaelklishin michaelklishin removed this from the 2.20 milestone Mar 22, 2022
michaelklishin added a commit that referenced this pull request Jan 25, 2023
so that the module does not fail to load on/with older OpenSSL
versions that do not support TLS 1.3.

References #629, #646.

Closes #652.