How to configure managment-3 docker image to enable SNI

[genehi]

Community Support Policy

• I have read RabbitMQ's Community Support Policy
• I run RabbitMQ 4.x, the only series currently covered by community support
• I promise to provide all relevant information (versions, logs from all nodes, rabbitmq-diagnostics output, detailed reproduction steps)

RabbitMQ version used

4.0.4

Erlang version used

26.2.x

Operating system (distribution) used

RHEL 8

How is RabbitMQ deployed?

Community Docker image

rabbitmq-diagnostics status output

N/A

Logs from node 1 (with sensitive values edited out)

N/A

Logs from node 2 (if applicable, with sensitive values edited out)

See https://www.rabbitmq.com/docs/logging to learn how to collect logs

# PASTE LOG HERE, BETWEEN BACKTICKS

Logs from node 3 (if applicable, with sensitive values edited out)

See https://www.rabbitmq.com/docs/logging to learn how to collect logs

# PASTE LOG HERE, BETWEEN BACKTICKS

rabbitmq.conf

See https://www.rabbitmq.com/docs/configure#config-location to learn how to find rabbitmq.conf file location

management.load_definitions = /etc/rabbitmq/definitions.json
management.ssl.port = 15671
management.ssl.cacertfile = /etc/rabbitmq/SF_SSN_Root_CA.cer
management.ssl.certfile = /etc/rabbitmq/rabbitmq.cer
management.ssl.keyfile = /etc/rabbitmq/rabbitmq.pem
auth_mechanisms.1 = PLAIN
auth_mechanisms.2 = AMQPLAIN
auth_mechanisms.3 = EXTERNAL
ssl_cert_login_from = common_name
ssl_options.cacertfile = /etc/rabbitmq/SF_SSN_Root_CA.cer
ssl_options.certfile = /etc/rabbitmq/rabbitmq.cer
ssl_options.keyfile = /etc/rabbitmq/rabbitmq.pem
ssl_options.verify = verify_peer
ssl_options.fail_if_no_peer_cert = true
listeners.tcp.default = 5672
listeners.ssl.default = 5671

Steps to deploy RabbitMQ cluster

N/A

Steps to reproduce the behavior in question

I tried adding ssl_options.server_name_indication = rabbitmq but that causes the image to not start

advanced.config

Not using one "yet". I see this is where to configure SNI, but I see multiple ways that are not consistent.

Application code

# PASTE CODE HERE, BETWEEN BACKTICKS

Kubernetes deployment file

# Relevant parts of K8S deployment that demonstrate how RabbitMQ is deployed
# PASTE YAML HERE, BETWEEN BACKTICKS

What problem are you trying to solve?

enable SNI, against CN and SAN values

[lukebakken]

What are you trying to accomplish with SNI? In general, it is client applications that connect to a RabbitMQ server over TLS that must enable SNI.

[genehi]

I have configured my client to send ClientHello with server_name. My “understanding” is that full SNI also requires that the server must “enforce” to only accept connections where the client has sent server_name in the ClientHello.

[genehi]

I will add to my previous response. The DISA RabbitMQ instance that I am a client of, refuses connections that do not have a Client Hello server_name extension included. That instance is what I am attempting to match in my development emulations.

[lukebakken]

The DISA RabbitMQ instance that I am a client of, refuses connections that do not have a Client Hello server_name extension included.

I don't believe that RabbitMQ / Erlang has the ability to reject TLS connections that lack the SNI extension, but I will double-check. Most likely, you are connecting to a load balancer in front of RabbitMQ that is configured to reject these sorts of client connections.

[lukebakken]

No, I don't see anything in the ssl Erlang docs that would suggest this sort of behavior is supported.

https://www.erlang.org/doc/apps/ssl/ssl.html#t:server_option/0

[genehi]

I do not quite "agree". Per https://www.rabbitmq.com/docs/ssl, server_name_indication - set this option to the host name of the server to which a TLS connection will be made to enable "Server Name Indication" verification of the certificate presented by the server. This ensures that the server certificate's CN= value will be verified during TLS connection establishment. But I do not fully understand the options between rabbitmq.conf and advance.config. What about {server_name_indication, "my.rmq-server.net"}],

[genehi]

Oh, BTW, I am using the Maven RabbitMQ Java client artifacts. The only way I could get server_name to be sent, was by overriding the socket factory passed to the API.I am going to verify with DISA if they are enforcing with a load balancer.

[lukebakken]

The doc section to which you refer is for the AMQP Erlang client, and server_name_indication is to set the SNI string for that AMQP CLIENT. The Erlang client is used for Shovel and Federation connections.

As I said, there is no way to configure the Erlang VM (and thus, RabbitMQ), to REQUIRE SNI for an incoming TLS connection.

If you disagree, it's up to you to figure it out. Both RabbitMQ and Erlang are 100% open-source.

[genehi]

I am good, just pretty confusing “how” DISA is enforcing this. Close it again, all good.