Error with SSL


Error with SSL

Jeffrey Becker
I'm attempting to configure RabbitMQ with SSL using client certificates for authentication on a Windows Server 2012 x64 box. The Erlang version installed is OTP 17.0 for Windows x64.
Configuration is as such:
 {rabbit, [
    {ssl_listeners, [5671]},
    {auth_mechanisms, ['EXTERNAL']},
    {auth_backends, [rabbit_auth_backend_ldap, rabbit_auth_backend_internal]},
    {ssl_options, [{cacertfile,"D:\\RabbitMQ\\certs\\cacert.pem"},
                   {certfile,"D:\\RabbitMQ\certs\\rabbit.pem"},
                   {keyfile,"D:\\RabbitMQ\\certs\\rabbit.key"},
                   {verify,verify_peer},
                   {ssl_cert_login_from, common_name},
                   {fail_if_no_peer_cert,true}]}
  ]},

Whenever I connect, the client throws an error and the log file gets an entry like:

error on AMQP connection <0.310.0>: {ssl_upgrade_error,{options,{certfile,[68,58,92...

I've gone through the SSL troubleshooting guide and confirmed that:
  • The certs are in the PEM format
  • The broker is listening on the correct ports

The last bit of the troubleshooting guide indicates that "This is a generic error that could have many causes. Make sure you are using the recommended version of Erlang." Is there a version of Erlang I should be using other than OTP 17.0?

_______________________________________________
rabbitmq-discuss mailing list
[hidden email]
https://lists.rabbitmq.com/cgi-bin/mailman/listinfo/rabbitmq-discuss

Re: Error with SSL

Michael Klishin-2
On 20 May 2014 at 20:19:12, Jeffrey Becker ([hidden email]) wrote:
> Whenever I connect, the client throws an error and the log file gets an entry like:
>
> error on AMQP connection <0.310.0>: {ssl_upgrade_error,{options,{certfile,[68,58,92...

Is the cert file readable by the RabbitMQ process?
--  
MK  

Software Engineer, Pivotal/RabbitMQ

Re: Error with SSL

Jeffrey Becker

Yes.

On May 20, 2014 3:34 PM, "Michael Klishin" <[hidden email]> wrote:
> [...]


Re: Error with SSL

Michael Klishin-2
On 20 May 2014 at 23:41:17, Jeffrey Becker ([hidden email]) wrote:
> > Yes.

Please try openssl s_client and openssl s_server and see if they work with your certificates/keys.
I understand that this is not convenient to do on Windows but they are the easiest way to
see more informative error messages when debugging SSL issues. 
--  
MK  

Software Engineer, Pivotal/RabbitMQ

Re: Error with SSL

Jeffrey Becker

I've tried this and don't see any obvious error message in the output of the commands. Can we resume this discussion on the google group or my work email? Writing on a phone kinda sucks.

On May 20, 2014 11:25 PM, "Michael Klishin" <[hidden email]> wrote:
> [...]


Re: Error with SSL

Jeffrey Becker
In reply to this post by Jeffrey Becker
The error being thrown by the C# client code is:

None of the specified endpoints were reachable
connection.start was never received, likely due to a network timeout

On Tuesday, May 20, 2014 12:16:42 PM UTC-4, Jeffrey Becker wrote:
> [...]


Re: Error with SSL

Jeffrey Becker
After some further debugging with openssl s_client I've produced the error 

write:errno=104

On Wednesday, May 21, 2014 1:14:43 PM UTC-4, Jeffrey Becker wrote:
> [...]


Re: Error with SSL

Michael Klishin-2
 On 22 May 2014 at 12:33:14, Jeffrey Becker ([hidden email]) wrote:
> > write:errno=104

Can you please post full openssl s_client output? If there's an error, there should
be some extra info in the output.
--  
MK  

Software Engineer, Pivotal/RabbitMQ

Re: Error with SSL

Michael Klishin-2
In reply to this post by Jeffrey Becker
On 22 May 2014 at 12:33:14, Jeffrey Becker ([hidden email]) wrote:
> > Configuration is as such:

Also, in this tutorial that configures Rabbit with SSL on Windows, slashes are
used in paths instead of double backslashes:
http://blog.johnruiz.com/2011/12/establishing-ssl-connection-to-rabbitmq.html

I'm not a Windows user, so maybe this sounds silly, but can you try using slashes
as in the post above?
--  
MK  

Software Engineer, Pivotal/RabbitMQ

Re: Error with SSL

Becker, Jeffrey

It seems as if I missed escaping a backslash on one of my paths.  I’ve changed them all over to forward slashes per your recommendation.  This doesn’t fix the issue but at least my error messages are different.

When I run the C# client I see the following exceptions:

    None of the specified endpoints were reachable
        Inner Exception:
        A call to SSPI failed, see inner exception.
            Inner Exception:
            The message received was unexpected or badly formatted

When I run openssl s_client I see:

    CONNECTED(00000003)
    depth=1 /CN=JanneyDevCA
    verify return:1
    depth=0 /CN=svcbus-app03-dv.dev.jmsonline.com/ST=PA/C=US/O=Janney, Montgomery, Scott LLC
    verify return:1
    3020:error:14094410:SSL routines:SSL3_READ_BYTES:sslv3 alert handshake failure:s3_pkt.c:1053:SSL alert number 40
    3020:error:140790E5:SSL routines:SSL23_WRITE:ssl handshake failure:s23_lib.c:188:

Either way the server log gets a message:

    =INFO REPORT==== 22-May-2014::08:42:20 ===
    accepting AMQP connection <0.327.0> (172.23.68.48:50220 -> 172.31.2.46:5671)

    =ERROR REPORT==== 22-May-2014::08:42:20 ===
    SSL: certify: ssl_handshake.erl:1358:Fatal error: handshake failure

    =ERROR REPORT==== 22-May-2014::08:42:25 ===
    error on AMQP connection <0.327.0>: {ssl_upgrade_error,{tls_alert,[104,97,110,100,115,104,97,107,101,32,102,97,105,108,117,114,101]}}...

From: Jeffrey Becker [mailto:[hidden email]]
Sent: Thursday, May 22, 2014 8:47 AM
To: Becker, Jeffrey
Subject: Fwd: Re: [rabbitmq-discuss] Error with SSL

> [...]

Re: Error with SSL

Matthias Radestock-3
On 22/05/14 14:00, Becker, Jeffrey wrote:

> It seems as if I missed escaping a backslash on one of my paths.  I’ve
> changed them all over to forward slashes per your recommendation.  This
> doesn’t fix the issue but at least my error messages are different.
> [...]
> When I run openssl s_client I see:
>      CONNECTED(00000003)
>      depth=1 /CN=JanneyDevCA
>      verify return:1
>      depth=0 /CN=svcbus-app03-dv.dev.jmsonline.com/ST=PA/C=US/O=Janney,
> Montgomery, Scott LLC
>      verify return:1
>      3020:error:14094410:SSL routines:SSL3_READ_BYTES:sslv3 alert
> handshake failure:s3_pkt.c:1053:SSL alert number 40
>      3020:error:140790E5:SSL routines:SSL23_WRITE:ssl handshake
> failure:s23_lib.c:188:
>
> Either way the server log gets a message:
> [...]
>      =ERROR REPORT==== 22-May-2014::08:42:20 ===
>      SSL: certify: ssl_handshake.erl:1358:Fatal error: handshake failure
>      =ERROR REPORT==== 22-May-2014::08:42:25 ===
>      error on AMQP connection <0.327.0>:
> {ssl_upgrade_error,{tls_alert,[104,97,110,100,115,104,97,107,101,32,102,97,105,108,117,114,101]}}...

It is failing in the certificate validation.

Matthias.
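Added example, not code from this thread or from RabbitMQ: a small Python script that turns the two ssl_upgrade_error lines quoted above into something readable and checks the files named in ssl_options. It decodes the Erlang integer lists the broker logs ([68,58,92...] is the start of "D:\", and the later tls_alert list spells "handshake failure"), applies Erlang's string-literal escape rules to the original certfile path to show why the single backslash before certs dropped a separator (erl_scan maps an unrecognised escape such as \c to the bare letter), and reports which configured files are missing or not PEM-encoded. The log lines are the ones quoted in the thread; the fixture files are constructed, and the function names are mine.

```python
"""Added example: decode the Erlang detail behind the ssl_upgrade_error lines in
this thread and sanity-check the files named in ssl_options. Not RabbitMQ code."""
import os
import re
import tempfile

# Log lines quoted in the thread (the second is the post-fix tls_alert line).
LOG_BAD_PATH = ("error on AMQP connection <0.310.0>: "
                "{ssl_upgrade_error,{options,{certfile,[68,58,92...")
LOG_HANDSHAKE = ("error on AMQP connection <0.327.0>: {ssl_upgrade_error,{tls_alert,"
                 "[104,97,110,100,115,104,97,107,101,32,102,97,105,108,117,114,101]}}...")

# Escape letters erl_scan recognises in a string literal. A backslash before any
# other letter (e.g. "\c") yields just that letter, which is how
# "D:\\RabbitMQ\certs\\rabbit.pem" silently loses a path separator.
_ERL_ESCAPES = {"b": "\b", "d": "\x7f", "e": "\x1b", "f": "\f", "n": "\n",
                "r": "\r", "s": " ", "t": "\t", "v": "\v",
                "\\": "\\", "'": "'", '"': '"'}

_ERROR_RE = re.compile(r"\{ssl_upgrade_error,\{(\w+),(?:\{(\w+),)?\[([0-9,]*)")


def erlang_string_literal(body):
    """Value Erlang assigns to a string literal whose text between the quotes is body."""
    out, i = [], 0
    while i < len(body):
        ch = body[i]
        i += 1
        if ch != "\\" or i >= len(body):
            out.append(ch)
            continue
        nxt = body[i]
        i += 1
        if nxt in _ERL_ESCAPES:
            out.append(_ERL_ESCAPES[nxt])
        elif nxt in "01234567":                     # \ooo: up to three octal digits
            more = re.match(r"[0-7]{0,2}", body[i:]).group()
            i += len(more)
            out.append(chr(int(nxt + more, 8)))
        elif nxt == "x":                            # \xHH or \x{H...}
            m = re.match(r"\{([0-9a-fA-F]+)\}|([0-9a-fA-F]{2})", body[i:])
            i += len(m.group())
            out.append(chr(int(m.group(1) or m.group(2), 16)))
        elif nxt == "^":                            # \^A .. \^Z control characters
            out.append(chr(ord(body[i].upper()) - 64))
            i += 1
        else:                                       # unrecognised escape: bare character
            out.append(nxt)
    return "".join(out)


def decode_charlist(text):
    """Spell out an Erlang integer list such as [104,97,...] as text."""
    return "".join(chr(int(n)) for n in re.findall(r"\d+", text))


def explain_log_line(line):
    """Extract reason, option and decoded detail from an ssl_upgrade_error line.
    Works on the truncated form RabbitMQ logs (the list may be cut off by '...')."""
    m = _ERROR_RE.search(line)
    if not m:
        return None
    reason, option, charlist = m.groups()
    return {"reason": reason, "option": option,
            "detail": decode_charlist(charlist),
            "truncated": not line[m.end():].startswith("]")}


def check_pem_paths(paths):
    """Per ssl_options key, report files that are missing or not PEM-encoded."""
    problems = {}
    for key, path in paths.items():
        if not os.path.isfile(path):
            problems[key] = "not found"
            continue
        with open(path, "rb") as fh:
            head = fh.read(64)
        if not head.lstrip().startswith(b"-----BEGIN"):
            problems[key] = "not PEM"
    return problems


def build_sample_dir():
    """Constructed fixtures: a PEM-looking file, a DER-looking file, a missing file."""
    d = tempfile.mkdtemp()
    pem = os.path.join(d, "cacert.pem")
    with open(pem, "w") as fh:
        fh.write("-----BEGIN CERTIFICATE-----\nMIIBconstructedNotARealCert\n"
                 "-----END CERTIFICATE-----\n")
    der = os.path.join(d, "rabbit.key")
    with open(der, "wb") as fh:
        fh.write(b"\x30\x82\x01\x00")               # DER SEQUENCE header, not PEM
    return {"cacertfile": pem, "keyfile": der,
            "certfile": os.path.join(d, "rabbit.pem")}


if __name__ == "__main__":
    for line in (LOG_BAD_PATH, LOG_HANDSHAKE):
        print(explain_log_line(line))
    print(repr(erlang_string_literal(r"D:\\RabbitMQ\certs\\rabbit.pem")))
    print(check_pem_paths(build_sample_dir()))
```

The first log line decodes to an {options,{certfile,...}} failure, which is the broker rejecting the option value itself (here a path that does not exist once the escape is applied), whereas the post-fix line decodes to a tls_alert "handshake failure", which is the peer-certificate validation failure Matthias points at; telling the two apart before touching certificates saves a round of guessing.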