Last updated: 2026-06-25

RabbitMQ TLS/SSL Configuration Guide

This guide provides recommended TLS/SSL settings for RabbitMQ to encrypt AMQP client connections, inter-node cluster traffic, and the management plugin HTTP API. RabbitMQ uses the Erlang/OTP ssl application, a TLS protocol implementation written in Erlang that takes only its cryptographic primitives from OpenSSL's libcrypto (through the crypto application); the cipher and version names below therefore follow OpenSSL conventions even though the TLS state machine is not OpenSSL's.

Prerequisites

  • RabbitMQ 4.2 or later (4.3 current)
  • Erlang/OTP 26 or later
  • OpenSSL 1.1.1 or later
  • SSL certificates (server certificate, private key, and CA certificate)

Installation note: RabbitMQ is not in the base repositories for RHEL, Debian, Ubuntu, or SLES. Install from the official RabbitMQ package repository or use the Erlang packages from Erlang Solutions.

Certificate Setup

RabbitMQ expects PEM-formatted certificates. Set appropriate permissions:

chmod 640 /etc/rabbitmq/ssl/server.key
chown rabbitmq:rabbitmq /etc/rabbitmq/ssl/*

AMQP Listener TLS Configuration

Configure TLS for the main AMQP listener in rabbitmq.conf (the sysctl-style key = value format).

Enable TLS Listener

Disable the plaintext listener and enable the TLS listener on port 5671 (the standard AMQPS port):

listeners.tcp = none
listeners.ssl.default = 5671

Certificate Files

ssl_options.cacertfile = /etc/rabbitmq/ssl/ca.pem
ssl_options.certfile = /etc/rabbitmq/ssl/server.crt
ssl_options.keyfile = /etc/rabbitmq/ssl/server.key

Protocol Versions

Restrict to TLS 1.2 and TLS 1.3:

ssl_options.versions.1 = tlsv1.3
ssl_options.versions.2 = tlsv1.2

Cipher Suites

RabbitMQ accepts OpenSSL cipher names in the configuration. Configure strong AEAD cipher suites:

ssl_options.ciphers.1 = ECDHE-ECDSA-AES256-GCM-SHA384
ssl_options.ciphers.2 = ECDHE-RSA-AES256-GCM-SHA384
ssl_options.ciphers.3 = ECDHE-ECDSA-AES128-GCM-SHA256
ssl_options.ciphers.4 = ECDHE-RSA-AES128-GCM-SHA256
ssl_options.ciphers.5 = ECDHE-ECDSA-CHACHA20-POLY1305
ssl_options.ciphers.6 = ECDHE-RSA-CHACHA20-POLY1305

Server Cipher Preference

The honor_cipher_order and honor_ecc_order options apply only to TLS 1.2 and must be omitted when TLS 1.3 is enabled.

Client Certificate Verification

To require clients to present a valid TLS certificate (mutual TLS):

ssl_options.verify = verify_peer
ssl_options.fail_if_no_peer_cert = true

For optional client certificates:

ssl_options.verify = verify_peer
ssl_options.fail_if_no_peer_cert = false

To skip client certificate verification entirely (the connection is still encrypted, but the client is not authenticated by certificate and must rely on username/password credentials):

ssl_options.verify = verify_none

See RFC 8446 §4.3.2 for the TLS Certificate Request specification, and Wikipedia: Mutual authentication for a general overview.

Management Plugin HTTPS

The RabbitMQ management plugin (web UI and HTTP API) should also be served over HTTPS:

management.ssl.port = 15671
management.ssl.cacertfile = /etc/rabbitmq/ssl/ca.pem
management.ssl.certfile = /etc/rabbitmq/ssl/server.crt
management.ssl.keyfile = /etc/rabbitmq/ssl/server.key

management.ssl.versions.1 = tlsv1.3
management.ssl.versions.2 = tlsv1.2

management.ssl.ciphers.1 = ECDHE-ECDSA-AES256-GCM-SHA384
management.ssl.ciphers.2 = ECDHE-RSA-AES256-GCM-SHA384
management.ssl.ciphers.3 = ECDHE-ECDSA-AES128-GCM-SHA256
management.ssl.ciphers.4 = ECDHE-RSA-AES128-GCM-SHA256
management.ssl.ciphers.5 = ECDHE-ECDSA-CHACHA20-POLY1305
management.ssl.ciphers.6 = ECDHE-RSA-CHACHA20-POLY1305

To disable the plaintext management listener:

management.tcp.port = 0

Inter-Node (Cluster) TLS

To encrypt communication between RabbitMQ cluster nodes, configure the Erlang distribution to use TLS.

Create an Erlang inter_node_tls.config file:

[
  {server, [
    {cacertfile, "/etc/rabbitmq/ssl/ca.pem"},
    {certfile, "/etc/rabbitmq/ssl/server.crt"},
    {keyfile, "/etc/rabbitmq/ssl/server.key"},
    {secure_renegotiate, true},
    {versions, ['tlsv1.3', 'tlsv1.2']}
  ]},
  {client, [
    {cacertfile, "/etc/rabbitmq/ssl/ca.pem"},
    {certfile, "/etc/rabbitmq/ssl/server.crt"},
    {keyfile, "/etc/rabbitmq/ssl/server.key"},
    {secure_renegotiate, true},
    {versions, ['tlsv1.3', 'tlsv1.2']}
  ]}
].

Then enable TLS distribution by pointing the Erlang runtime at this file. Set the environment variable in rabbitmq-env.conf:

SERVER_ADDITIONAL_ERL_ARGS="-proto_dist inet_tls -ssl_dist_optfile /etc/rabbitmq/inter_node_tls.config"

Complete Configuration

In rabbitmq.conf:

# Disable plaintext AMQP, enable TLS
listeners.tcp = none
listeners.ssl.default = 5671

# Certificates
ssl_options.cacertfile = /etc/rabbitmq/ssl/ca.pem
ssl_options.certfile = /etc/rabbitmq/ssl/server.crt
ssl_options.keyfile = /etc/rabbitmq/ssl/server.key

# Protocol versions
ssl_options.versions.1 = tlsv1.3
ssl_options.versions.2 = tlsv1.2

# Cipher suites
ssl_options.ciphers.1 = ECDHE-ECDSA-AES256-GCM-SHA384
ssl_options.ciphers.2 = ECDHE-RSA-AES256-GCM-SHA384
ssl_options.ciphers.3 = ECDHE-ECDSA-AES128-GCM-SHA256
ssl_options.ciphers.4 = ECDHE-RSA-AES128-GCM-SHA256
ssl_options.ciphers.5 = ECDHE-ECDSA-CHACHA20-POLY1305
ssl_options.ciphers.6 = ECDHE-RSA-CHACHA20-POLY1305

# Client certificates
ssl_options.verify = verify_peer
ssl_options.fail_if_no_peer_cert = false

# Management HTTPS
management.ssl.port = 15671
management.ssl.cacertfile = /etc/rabbitmq/ssl/ca.pem
management.ssl.certfile = /etc/rabbitmq/ssl/server.crt
management.ssl.keyfile = /etc/rabbitmq/ssl/server.key
management.ssl.versions.1 = tlsv1.3
management.ssl.versions.2 = tlsv1.2
management.ssl.ciphers.1 = ECDHE-ECDSA-AES256-GCM-SHA384
management.ssl.ciphers.2 = ECDHE-RSA-AES256-GCM-SHA384
management.ssl.ciphers.3 = ECDHE-ECDSA-AES128-GCM-SHA256
management.ssl.ciphers.4 = ECDHE-RSA-AES128-GCM-SHA256
management.ssl.ciphers.5 = ECDHE-ECDSA-CHACHA20-POLY1305
management.ssl.ciphers.6 = ECDHE-RSA-CHACHA20-POLY1305
management.tcp.port = 0
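A deployed rabbitmq.conf drifts over time, so it is worth checking it against the hardened settings above from CI or a compliance job. The following is an added example, not RabbitMQ's own tooling: it parses the sysctl-style format and reports every deviation from this guide's policy (plaintext listeners off, TLS 1.2/1.3 only, ECDHE+AEAD ciphers only, verify_peer, management over HTTPS). The two embedded configurations are constructed samples; the allow-lists are the version and cipher sets from this guide.

```python
"""Policy check for the TLS settings in a RabbitMQ rabbitmq.conf.

Added example (not part of RabbitMQ or rabbitmq-diagnostics). The sample
configurations below are constructed for the demonstration.
"""
import re

# Cipher suites this guide recommends: ECDHE key exchange with an AEAD cipher.
ALLOWED_CIPHERS = {
    "ECDHE-ECDSA-AES256-GCM-SHA384", "ECDHE-RSA-AES256-GCM-SHA384",
    "ECDHE-ECDSA-AES128-GCM-SHA256", "ECDHE-RSA-AES128-GCM-SHA256",
    "ECDHE-ECDSA-CHACHA20-POLY1305", "ECDHE-RSA-CHACHA20-POLY1305",
}
ALLOWED_VERSIONS = {"tlsv1.2", "tlsv1.3"}


def parse_conf(text):
    """Return {key: value} for sysctl-style rabbitmq.conf text; '#' starts a comment."""
    conf = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line or "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        conf[key] = value
    return conf


def indexed_values(conf, prefix):
    """Collect values of numbered keys (prefix.1, prefix.2, ...) in index order."""
    pattern = re.compile(re.escape(prefix) + r"\.(\d+)$")
    found = [(int(m.group(1)), v) for k, v in conf.items() if (m := pattern.match(k))]
    return [v for _, v in sorted(found)]


def check_tls_policy(conf):
    """Return a list of findings; an empty list means the config matches the policy."""
    findings = []
    if conf.get("listeners.tcp") != "none":
        findings.append("plaintext AMQP listener is enabled (listeners.tcp should be 'none')")
    if "listeners.ssl.default" not in conf:
        findings.append("no TLS AMQP listener configured (listeners.ssl.default)")
    for name in ("cacertfile", "certfile", "keyfile"):
        if f"ssl_options.{name}" not in conf:
            findings.append(f"ssl_options.{name} is missing")

    versions = indexed_values(conf, "ssl_options.versions")
    if not versions:
        findings.append("TLS versions not pinned (Erlang defaults apply)")
    findings += [f"weak protocol version enabled: {v}" for v in versions if v not in ALLOWED_VERSIONS]

    ciphers = indexed_values(conf, "ssl_options.ciphers")
    if not ciphers:
        findings.append("cipher suites not pinned (Erlang defaults apply)")
    findings += [f"cipher suite outside the ECDHE+AEAD allow-list: {c}" for c in ciphers if c not in ALLOWED_CIPHERS]

    if conf.get("ssl_options.verify") != "verify_peer":
        findings.append("client certificates are not verified (ssl_options.verify != verify_peer)")

    if "management.ssl.port" not in conf:
        findings.append("management plugin has no HTTPS listener (management.ssl.port)")
    elif conf.get("management.tcp.port", "15672") != "0":
        findings.append("management plugin plaintext listener still enabled (management.tcp.port)")
    return findings


# Constructed sample: the hardened configuration from this guide (abbreviated cipher list).
HARDENED_CONF = """
listeners.tcp = none
listeners.ssl.default = 5671
ssl_options.cacertfile = /etc/rabbitmq/ssl/ca.pem
ssl_options.certfile = /etc/rabbitmq/ssl/server.crt
ssl_options.keyfile = /etc/rabbitmq/ssl/server.key
ssl_options.versions.1 = tlsv1.3
ssl_options.versions.2 = tlsv1.2
ssl_options.ciphers.1 = ECDHE-ECDSA-AES256-GCM-SHA384
ssl_options.ciphers.2 = ECDHE-RSA-AES256-GCM-SHA384
ssl_options.verify = verify_peer
ssl_options.fail_if_no_peer_cert = true
management.ssl.port = 15671
management.tcp.port = 0
"""

# Constructed sample: a weakened configuration with the typical mistakes.
WEAK_CONF = """
# plaintext listener left on, TLS 1.0 allowed, a CBC suite, no client verification, no HTTPS UI
listeners.tcp.default = 5672
listeners.ssl.default = 5671
ssl_options.cacertfile = /etc/rabbitmq/ssl/ca.pem
ssl_options.certfile = /etc/rabbitmq/ssl/server.crt
ssl_options.keyfile = /etc/rabbitmq/ssl/server.key
ssl_options.versions.1 = tlsv1.2
ssl_options.versions.2 = tlsv1
ssl_options.ciphers.1 = ECDHE-RSA-AES256-GCM-SHA384
ssl_options.ciphers.2 = AES256-SHA
ssl_options.verify = verify_none
"""

if __name__ == "__main__":
    for finding in check_tls_policy(parse_conf(WEAK_CONF)):
        print("FAIL:", finding)
```

Run it against a real file with parse_conf(open("/etc/rabbitmq/rabbitmq.conf").read()); a non-empty result is a policy failure. The check deliberately treats unpinned versions or ciphers as findings, because Erlang's defaults change between OTP releases and the guide's point is to make the allowed set explicit.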

Client Connection

Connect with TLS using the AMQPS URI scheme:

amqps://user:password@rabbitmq.example.com:5671/vhost

Example with Python (pika):

import pika
import ssl

# Trust only the CA that issued the broker certificate; create_default_context
# also enables hostname checking and disables SSL 3.0 (and, on Python 3.10+,
# everything below TLS 1.2).
context = ssl.create_default_context(cafile="/path/to/ca.pem")

# Needed only for mutual TLS (broker set to verify_peer with fail_if_no_peer_cert = true):
# context.load_cert_chain(certfile="/path/to/client.crt", keyfile="/path/to/client.key")

parameters = pika.ConnectionParameters(
    host="rabbitmq.example.com",
    port=5671,
    credentials=pika.PlainCredentials("user", "password"),
    # server_hostname is the name checked against the broker certificate's SAN entries
    ssl_options=pika.SSLOptions(context, server_hostname="rabbitmq.example.com"),
)
connection = pika.BlockingConnection(parameters)
connection.close()

Security Notes

RabbitMQ uses Erlang/OTP's ssl application for TLS, an independent protocol implementation that is not based on OpenSSL's libssl. How the recommended configuration relates to the well-known TLS attacks:

  • POODLE (CVE-2014-3566, 2014): SSL 3.0 disabled by default since OTP 18.0 (June 2015). The recommended configuration explicitly excludes it.
  • BEAST (CVE-2011-3389, 2011): TLS 1.0 excluded from the recommended configuration; AEAD-only cipher suites avoid CBC mode, which BEAST exploits, altogether.
  • FREAK (CVE-2015-0204, 2015): EXPORT-grade ciphers excluded from the recommended cipher list.
  • LOGJAM (CVE-2015-4000, 2015): DHE with weak keys excluded; only ECDHE is recommended.
  • Sweet32 (CVE-2016-2183, 2016): 3DES excluded from the recommended cipher list.
  • ROBOT (2017): Static RSA key exchange excluded; only ECDHE is recommended.
  • TLS 1.3 support: Available since OTP 22; RabbitMQ 4.x requires OTP 26 or later, so TLS 1.3 is always available.
  • Downgrade attacks: TLS_FALLBACK_SCSV is supported in Erlang/OTP's TLS implementation.

The following well-known vulnerabilities do not apply to this stack, so no TLS configuration is needed for them:

  • Heartbleed (CVE-2014-0160, 2014): Not applicable. Erlang/OTP's ssl application is an independent TLS implementation not based on OpenSSL and was never affected by Heartbleed.
  • BREACH (CVE-2013-3587, 2013): Not applicable. BREACH targets HTTP-level response compression; the AMQP and MQTT protocols do not involve HTTP response compression.
  • DROWN (CVE-2016-0800, 2016): Not applicable. Erlang/OTP's ssl does not support SSLv2.

Verification

Restart RabbitMQ and check the TLS listener:

systemctl restart rabbitmq-server
rabbitmq-diagnostics listeners

You should see port 5671 listed as an SSL listener.

Test the TLS connection (port 5671 uses implicit TLS, no STARTTLS); passing the CA file makes the chain check meaningful, and the output should end with "Verify return code: 0 (ok)":

openssl s_client -connect rabbitmq.example.com:5671 -CAfile /etc/rabbitmq/ssl/ca.pem

Check the enabled TLS versions and ciphers:

rabbitmq-diagnostics tls_versions
rabbitmq-diagnostics cipher_suites --format openssl
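The diagnostics commands report what the broker is configured to offer; a scheduled probe from a client's point of view confirms what is actually negotiated and catches certificates approaching expiry. The following is an added example, not part of rabbitmq-diagnostics or this guide's original content. probe() opens an implicit-TLS connection to the AMQPS port with hostname verification (the hostname and CA path are placeholders), and assess() turns the negotiated version, cipher and certificate expiry into findings; the sample results it is demonstrated on are constructed so the assessment logic runs offline.

```python
"""Live TLS probe and assessment for an AMQPS listener.

Added example (not RabbitMQ tooling). Hostname and CA path are placeholders;
the sample results at the bottom are constructed for the offline demonstration.
"""
import socket
import ssl
import time

EXPIRY_WARN_DAYS = 30


def probe(host, port=5671, cafile="/path/to/ca.pem", timeout=5.0):
    """Connect with certificate and hostname verification; return what was negotiated."""
    context = ssl.create_default_context(cafile=cafile)
    with socket.create_connection((host, port), timeout=timeout) as raw:
        # Implicit TLS: the handshake starts immediately, no STARTTLS exchange.
        with context.wrap_socket(raw, server_hostname=host) as tls:
            cert = tls.getpeercert()
            cipher_name, _protocol, key_bits = tls.cipher()
            return {
                "version": tls.version(),  # e.g. "TLSv1.3"
                "cipher": cipher_name,     # OpenSSL-style suite name
                "key_bits": key_bits,
                # 'notAfter' looks like "Jun 25 12:00:00 2027 GMT"; convert to epoch seconds
                "not_after": ssl.cert_time_to_seconds(cert["notAfter"]),
            }


def assess(result, now_seconds=None):
    """Return findings for a probe() result; an empty list means the listener is healthy."""
    now_seconds = time.time() if now_seconds is None else now_seconds
    findings = []
    version, cipher = result["version"], result["cipher"]
    if version not in ("TLSv1.2", "TLSv1.3"):
        findings.append(f"negotiated {version}; expected TLS 1.2 or 1.3")
    # TLS 1.3 suites always use (EC)DHE, so the ECDHE- prefix check applies to 1.2 only.
    if version != "TLSv1.3" and not cipher.startswith("ECDHE-"):
        findings.append(f"non-ECDHE suite negotiated: {cipher}")
    if not any(tag in cipher for tag in ("GCM", "CHACHA20")):
        findings.append(f"non-AEAD suite negotiated: {cipher}")
    days_left = int((result["not_after"] - now_seconds) // 86400)
    if days_left < 0:
        findings.append(f"certificate expired {-days_left} days ago")
    elif days_left < EXPIRY_WARN_DAYS:
        findings.append(f"certificate expires in {days_left} days")
    return findings


# Constructed sample results, so assess() can be exercised without a broker.
NOW = ssl.cert_time_to_seconds("Jun 25 12:00:00 2026 GMT")  # fixed reference time
HEALTHY = {"version": "TLSv1.3", "cipher": "TLS_AES_256_GCM_SHA384", "key_bits": 256,
           "not_after": ssl.cert_time_to_seconds("Jun 25 12:00:00 2027 GMT")}
WEAK = {"version": "TLSv1.2", "cipher": "AES256-SHA", "key_bits": 256,
        "not_after": ssl.cert_time_to_seconds("Jul 10 12:00:00 2026 GMT")}

if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        result = probe(sys.argv[1])         # live probe: python probe.py broker.example.com
        findings = assess(result)
    else:
        result, findings = WEAK, assess(WEAK, NOW)   # offline demo on constructed data
    print(result)
    print("\n".join(findings) or "OK")
```

Because probe() uses create_default_context with the CA file, a broker presenting a certificate whose SAN does not match the hostname, or one signed by an unknown CA, fails the handshake before assess() runs; treat that exception as a finding in its own right when wiring this into monitoring.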
