You can configure the available elliptic-curve algorithms by adding an "eccs" entry, containing a list of the allowed curves, to the ssl_options section of your configuration. Unfortunately, this can currently only be done using the classic config format, typically placed into the advanced.config file. Moreover, once you add this entry, any ssl_options configuration you have in your rabbitmq.conf file will need to be converted to the classic format and moved to the advanced.config file, because the two configurations will not merge (this affects ssl_options only; other settings can remain in rabbitmq.conf).
For example, if your base SSL options configuration (in the new style) looks like:
ssl_options.cacertfile = /path/to/ca_certificate.pem
ssl_options.certfile = /path/to/server_certificate.pem
ssl_options.keyfile = /path/to/server_key.pem
ssl_options.verify = verify_peer
ssl_options.fail_if_no_peer_cert = true
You would add something like the following to the advanced.config file:
[
  {rabbit, [
    {ssl_options, [
      {cacertfile, "/path/to/ca_certificate.pem"},
      {certfile, "/path/to/server_certificate.pem"},
      {keyfile, "/path/to/server_key.pem"},
      {verify, verify_peer},
      {fail_if_no_peer_cert, true},
      {eccs, ['sect571k1','secp521r1','brainpoolP512r1']}
    ]}
  ]}
].
The list above is just an example; you should determine an appropriate list given your own security requirements. You can find the full list of available ECC algorithms by executing either:
$ rabbitmqctl eval 'ssl:eccs().'
against one of your running RabbitMQ nodes or, without a running node, the following, which should work with most shells:
$ erl <<< 'ssl:eccs().'
Note: the output of those commands simply lists the algorithm names, whereas in the list you configure the algorithm names must be enclosed in single quotes.
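The conversion described above (new-style ssl_options lines into the classic advanced.config term with an eccs entry) and the check against the output of ssl:eccs() are illustrated by the following added example. It is not RabbitMQ project code; the sample configuration and the sample ssl:eccs() output are constructed, and only the ssl_options keys shown on this page are handled.

```python
import re

# Constructed sample: the new-style ssl_options from rabbitmq.conf shown above.
SAMPLE_CONF = """\
ssl_options.cacertfile = /path/to/ca_certificate.pem
ssl_options.certfile = /path/to/server_certificate.pem
ssl_options.keyfile = /path/to/server_key.pem
ssl_options.verify = verify_peer
ssl_options.fail_if_no_peer_cert = true
"""

# Constructed sample of what `rabbitmqctl eval 'ssl:eccs().'` might print.
SAMPLE_ECCS_OUTPUT = "[secp521r1,brainpoolP512r1,sect571k1,secp384r1]"

# Keys whose values are Erlang strings (double-quoted); others are atoms/booleans.
STRING_KEYS = {"cacertfile", "certfile", "keyfile"}

def parse_ssl_options(conf_text):
    """Return (key, value) pairs for every ssl_options.* line, in file order."""
    pairs = []
    for line in conf_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = re.match(r"ssl_options\.(\w+)\s*=\s*(.+)$", line)
        if m:
            pairs.append((m.group(1), m.group(2).strip()))
    return pairs

def erlang_value(key, value):
    """Quote file paths as Erlang strings; pass atoms and booleans through."""
    return '"%s"' % value if key in STRING_KEYS else value

def to_advanced_config(conf_text, eccs):
    """Render the classic-format term with the eccs list (single-quoted atoms)."""
    opts = [f"      {{{k}, {erlang_value(k, v)}}}" for k, v in parse_ssl_options(conf_text)]
    opts.append("      {eccs, [%s]}" % ",".join("'%s'" % c for c in eccs))
    body = ",\n".join(opts)
    return "[\n  {rabbit, [\n    {ssl_options, [\n%s\n    ]}\n  ]}\n].\n" % body

def unsupported_curves(eccs_output, requested):
    """Return requested curves that do not appear in the ssl:eccs() output."""
    available = set(re.findall(r"\w+", eccs_output))
    return [c for c in requested if c not in available]

if __name__ == "__main__":
    wanted = ["sect571k1", "secp521r1", "brainpoolP512r1"]
    print(to_advanced_config(SAMPLE_CONF, wanted))
    print("unsupported:", unsupported_curves(SAMPLE_ECCS_OUTPUT, wanted))
```

Run the unsupported_curves check against the real output of one of the two commands above before restarting the node, since a curve the Erlang runtime does not support will not be offered to clients.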