TLS parameters exampleΒΆ
This examples demonstrates a TLS session with RabbitMQ using server authentication.
Note the use of ssl.PROTOCOL_TLSv1_2. The recent versions of RabbitMQ disable older versions of SSL due to security vulnerabilities.
See https://www.rabbitmq.com/ssl.html for certificate creation and rabbitmq SSL configuration instructions.
tls_example.py:
import ssl
import pika
import logging
logging.basicConfig(level=logging.INFO)
context = ssl.create_default_context(
cafile="/Users/me/tls-gen/basic/result/ca_certificate.pem")
context.verify_mode = ssl.CERT_REQUIRED
context.load_cert_chain("/Users/me/tls-gen/result/client_certificate.pem",
"/Users/me/tls-gen/result/client_key.pem")
ssl_options = pika.SSLOptions(context, "localhost")
conn_params = pika.ConnectionParameters(port=5671,
ssl_options=ssl_options)
with pika.BlockingConnection(conn_params) as conn:
ch = conn.channel()
print(ch.queue_declare("sslq"))
ch.publish("", "sslq", "abc")
print(ch.basic_get("sslq"))
rabbitmq.conf:
%% In this example, both the client and RabbitMQ server are assumed to be running on the same machine
%% with a self-signed set of certificates generated using https://github.com/rabbitmq/tls-gen.
%%
%% To find out the default rabbitmq.conf location, see https://www.rabbitmq.com/configure.html.
%%
%% The contents of the example config file are for demonstration purposes only.
%% See https://www.rabbitmq.com/ssl.html to learn how to use TLS for client connections in RabbitMQ.
%%
%% The example below allows clients without a certificate to connect
%% but performs peer verification on those that present a certificate chain.
listeners.ssl.default = 5671
ssl_options.cacertfile = /Users/me/tls-gen/basic/result/ca_certificate.pem
ssl_options.certfile = /Users/me/tls-gen/basic/result/server_certificate.pem
ssl_options.keyfile = /Users/me/tls-gen/basic/result/server_key.pem
ssl_options.verify = verify_peer
ssl_options.fail_if_no_peer_cert = false