@@ -62,10 +62,8 @@ The test suite also requires the [x509 certificate authentication mechanism](htt
6262plugin to be enabled:
6363
6464``` shell
65- brew install rabbitmq
66- # target location will vary depending on how RabbitMQ was installed,
67- # the Homebrew Cellar location and so on
68- cp TestCertificates/* /usr/local/etc/rabbitmq/
65+ # target location will vary depending on how RabbitMQ was installed
66+ cp TestCertificates/* /path/to/rabbitmq-home/etc/rabbitmq/
6967rabbitmq-plugins enable rabbitmq_auth_mechanism_ssl --offline
7068```
7169
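Review bot: The `brew install rabbitmq` step is removed here with nothing in its place, and the new `cp` target `/path/to/rabbitmq-home/etc/rabbitmq/` is a placeholder with no hint on how to locate it. Suggest linking to the RabbitMQ installation guide where the install line used to be, and saying that the destination is the node's configuration directory, so readers know the certificate paths in the configuration file have to point at the same place. Since `TestCertificates/*` is copied wholesale, it would also help to say that these are test-only certificates and keys that should not be reused outside the test environment.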
@@ -75,21 +73,41 @@ The following [RabbitMQ configuration file](https://www.rabbitmq.com/configure.h
7573is used by CI and can be used as example:
7674
7775``` ini
78- listeners.tcp.1 = 0.0.0.0:5672
76+ auth_mechanisms.1 = PLAIN
77+ auth_mechanisms.2 = AMQPLAIN
78+ auth_mechanisms.3 = EXTERNAL
7979
80- listeners.ssl.default = 5671
80+ listeners.ssl.default = 5671
8181
82- # the paths must match those
83- ssl_options.cacertfile = /usr/local/etc/rabbitmq/ca_certificate.pem
84- ssl_options.certfile = /usr/local/etc/rabbitmq/server_certificate.pem
85- ssl_options.keyfile = /usr/local/etc/rabbitmq/server_key.pem
86- ssl_options.verify = verify_peer
87- ssl_options.fail_if_no_peer_cert = false
82+ # # These MUST be updated to point to actual tls-gen generated
83+ # # certificates and private keys
84+ ssl_options.cacertfile = /path/to/ca_certificate.pem
85+ ssl_options.certfile = /path/to/server_certificate.pem
86+ ssl_options.keyfile = /path/to/server_key.pem
8887
8988
90- auth_mechanisms.1 = PLAIN
91- auth_mechanisms.2 = AMQPLAIN
92- auth_mechanisms.3 = EXTERNAL
89+ ssl_options.versions.1 = tlsv1.2
90+
91+ ssl_options.verify = verify_peer
92+ ssl_options.fail_if_no_peer_cert = false
93+
94+ ssl_options.honor_cipher_order = true
95+ ssl_options.honor_ecc_order = true
96+ ssl_options.client_renegotiation = false
97+ ssl_options.secure_renegotiate = true
98+
99+ ssl_options.ciphers.1 = ECDHE-ECDSA-AES256-GCM-SHA384
100+ ssl_options.ciphers.2 = ECDHE-RSA-AES256-GCM-SHA384
101+ ssl_options.ciphers.3 = ECDH-ECDSA-AES256-GCM-SHA384
102+ ssl_options.ciphers.4 = ECDH-RSA-AES256-GCM-SHA384
103+ ssl_options.ciphers.5 = DHE-RSA-AES256-GCM-SHA384
104+ ssl_options.ciphers.6 = DHE-DSS-AES256-GCM-SHA384
105+ ssl_options.ciphers.7 = ECDHE-ECDSA-AES128-GCM-SHA256
106+ ssl_options.ciphers.8 = ECDHE-RSA-AES128-GCM-SHA256
107+ ssl_options.ciphers.9 = ECDH-ECDSA-AES128-GCM-SHA256
108+ ssl_options.ciphers.10 = ECDH-RSA-AES128-GCM-SHA256
109+ ssl_options.ciphers.11 = DHE-RSA-AES128-GCM-SHA256
110+ ssl_options.ciphers.12 = DHE-DSS-AES128-GCM-SHA256
93111```
94112
95113In case a different set of certificates is desired, it is highly recommended
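Review bot: The new `ssl_options.ciphers.*` list mixes suites of different strength: entries 3, 4, 9 and 10 (`ECDH-ECDSA-*`, `ECDH-RSA-*`) are static ECDH suites without forward secrecy, and entries 6 and 12 (`DHE-DSS-*`) can only be negotiated with a DSA server key. If the intent is a hardened example, consider trimming the list to the `ECDHE-*` and `DHE-RSA-*` entries, or add a comment explaining why the others are needed by the test suite. Two smaller points: the comment above `ssl_options.cacertfile` starts with a doubled `# #`, and `ssl_options.fail_if_no_peer_cert = false` next to `auth_mechanisms.3 = EXTERNAL` deserves a one-line comment saying that clients without a certificate are accepted on purpose, so that nobody copies it into a production configuration unaware.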
@@ -123,7 +141,7 @@ To run the core test suite:
123141gmake tests
124142
125143# iOS only
126- gmake tests_ios iOS_VERSION=14 .4
144+ gmake tests_ios iOS_VERSION=15 .4
127145
128146# MacOS only
129147gmake tests_macos
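Review bot: The `gmake tests_ios iOS_VERSION=...` example hard-codes a version that has to be bumped by hand, as this change from 14.4 to 15.4 shows. Suggest adding a short comment that the value must match an iOS version available on the machine running the tests, so the README does not go stale with the next release. Also check the value itself: if the space in `15 .4` is present in the file and not just in this rendering, make would receive `iOS_VERSION=15` and a separate `.4` argument.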