New RabbitMQ 3.3.0 Web_stomp SSL problems

New RabbitMQ 3.3.0 Web_stomp SSL problems

Sebastien Dubois

Hi all,

  Up to recently we've been using RabbitMQ 3.2.3/Erlang R15B01 with the web_Stomp plugin over SSL.  Since this was not supported, we had to rebuild the web_stomp plugin using a patched branch as described at https://gist.github.com/berico-rclayton/5475365 (also see https://github.com/rabbitmq/rabbitmq-web-stomp/pull/3).  This has been working fine for months.

  We recently realized that the fix for SSL support in web_stomp was systemized in RabbitMQ 3.3.0/Erlang R16B03.  So we installed it and updated our configuration.  However, using the exact same setup and self-signed keys/certificates, we cannot get the new version to work properly while using SSL over stomp.  Connecting to https://<rabbit server IP>:15678/stomp just fails, although from the log web_stomp seems to be listening correctly on port 15678.  We tried to regenerate a new set of keys, but it did not do anything.

Our old rabbitMQ config (patched 3.2.3 web_stomp) was:

  {rabbitmq_web_stomp, [
        {ssl_enabled, true},
        {https_port, 15678},
        {ssl_key_file, "/usr/local/ssl/private/server.key"},
        {ssl_key_password, "password"},
        {ssl_ca_certificate_file, "/usr/local/ssl/crt/public.crt"},
        {ssl_certificate_file, "/usr/local/ssl/crt/public.crt"}
   ] },


And the corresponding new config on RabbitMQ 3.3.0 is

  {rabbitmq_web_stomp,
      [{ssl_config, [{port,       15678},
                     {backlog,    1024},
                     {certfile,   "/usr/local/ssl/crt/public.crt"},
                     {keyfile,    "/usr/local/ssl/private/server.key"},
                     {cacertfile, "/usr/local/ssl/crt/public.crt"},
                     {password,   "password"}
      ]}
  ]},

Is our config ok?  Has anybody experienced similar problems, or does anyone have any idea what we could be doing wrong?


Thanks in advance,

/Sebas


_______________________________________________
rabbitmq-discuss mailing list
[hidden email]
https://lists.rabbitmq.com/cgi-bin/mailman/listinfo/rabbitmq-discuss

Re: New RabbitMQ 3.3.0 Web_stomp SSL problems

Michael Klishin-2
On 26 April 2014 at 01:36:37, Sebastien Dubois ([hidden email]) wrote:
> Is our config ok? 

Seems fine.

> Has anybody experienced similar problems,
> or does anyone have any idea what we could be doing wrong?

And there is nothing in both RabbitMQ logs?

Have you tried with a non-password protected key, just out of curiosity?
--  
MK  

Software Engineer, Pivotal/RabbitMQ

Re: New RabbitMQ 3.3.0 Web_stomp SSL problems

Michael Klishin-2
In reply to this post by Sebastien Dubois
On 26 April 2014 at 01:36:37, Sebastien Dubois ([hidden email]) wrote:
> Connecting to https://<rabbit server IP>:15678/stomp just
> fails, although from the log web_stomp seems to be listening
> correctly on port 15678. We tried to regenerate
> a new set of keys, but it did not do anything.

Have you tried connecting with openssl s_client?
--
MK

Software Engineer, Pivotal/RabbitMQ

Re: New RabbitMQ 3.3.0 Web_stomp SSL problems

Michael Klishin-2
Please keep rabbitmq-discuss in CC.

On April 26, 2014 at 3:52:44 AM, Sebastien Dubois ([hidden email]) wrote:
> > No we did not, 

openssl s_client should be one of the first tools you use in investigating SSL-related issues.

> However our setup used to work before on the patched  
> 3.2.3 as I said. The only difference being rabbitMQ and Erlang  
> versions.

Sorry but your patched plugin never shipped with RabbitMQ so I’m not sure how
this is relevant to investigating an SSL problem with 3.3.0.
--  
MK  

Software Engineer, Pivotal/RabbitMQ

Re: New RabbitMQ 3.3.0 Web_stomp SSL problems

Sebastien Dubois
> openssl s_client should be one of the first tools you use in investigating SSL-related issues.

Fair enough.  We'll do more tests here.  It's just that the patched solution (over 3.2.4) was working so well that we did not expect any problems with the systemized solution.  Since you say that our config seems fine, we'll investigate more here.

> Sorry but your patched plugin never shipped with RabbitMQ so I’m not sure how
> this is relevant to investigating an SSL problem with 3.3.0.

We were using jshiell's solution, which in my understanding was the patch that was systemized in RMQ3.3.0.

Best Regards,
/Sebastien



Re: New RabbitMQ 3.3.0 Web_stomp SSL problems

michaelklishin
2014-04-28 7:08 GMT+04:00 Sebastien Dubois <[hidden email]>:
> We were using jshiell's solution, which in my understanding was the patch that was systemized in RMQ3.3.0.

It wasn't exactly the same patch. Here's the key commit:


Can you post a small HTML/JS example that replicates the issue? I can compare it
with what we've used to QA WebSTOMP SSL support.
--
MK

http://github.com/michaelklishin
http://twitter.com/michaelklishin


Re: New RabbitMQ 3.3.0 Web_stomp SSL problems

brad
In reply to this post by Sebastien Dubois
I'm having a similar, or possibly the same, problem.  My config is basically the same as yours.  I'm running version 3.3.1.  When starting up, a message is logged that says "rabbit_web_stomp: listening for HTTPS connections on 0.0.0.0:15675", but netstat shows that nothing is listening on port 15675 and connections to my server on port 15675 fail.  There aren't any other interesting log messages in any of the rabbit log files.  I have tried changing the port several times but the same message is logged and nothing listens on the new port.  I know the certificates are good since we're using them on our live sites.  If I change the config to point to files that do not exist for the certificates, the same thing happens.

rabbitmq.config:

[
  {rabbit, [
    {auth_backends, [rabbit_auth_backend_internal]},
    {log_levels, [
      {connection, info},
      {mirroring, info}
    ]},
    {heartbeat, 10},
    {collect_statistics_interval, 1000},
    {delegate_count, 32},
    {cluster_partition_handling, pause_minority}
  ]},
  {rabbitmq_management, [
    {sample_retention_policies, [
      {global, [{3600, 5}, {86400, 60}, {604800, 600}]},
      {basic, [{60, 5}, {3600, 60}]},
      {detailed, [{30, 1}]}
    ]},
    {http_log_dir, "/tmp/rabbit-mgmt"}
  ]},
  {kernel, [
    {net_ticktime, 5}
  ]},
  {rabbitmq_web_stomp, [
    {ssl_config, [
      {port,       15674},
      {backlog,    1024},
      {certfile,   "/etc/pki/tls/certs/dpp.crt"},
      {keyfile,    "/etc/pki/tls/private/dpp.key"}
    ]}
  ]}
].


status:

 {running_applications,
     [{rabbitmq_web_stomp,"Rabbit WEB-STOMP - WebSockets to Stomp adapter",
          "3.3.1"},
      {ssl,"Erlang/OTP SSL application","4.1.6"},
      {public_key,"Public key infrastructure","0.13"},
      {crypto,"CRYPTO version 2","2.0.4"},
      {rabbitmq_stomp,"Embedded Rabbit Stomp Adapter","3.3.1"},
      {rabbitmq_management_visualiser,"RabbitMQ Visualiser","3.3.1"},
      {rabbitmq_management,"RabbitMQ Management Console","3.3.1"},
      {rabbitmq_management_agent,"RabbitMQ Management Agent","3.3.1"},
      {rabbitmq_amqp1_0,"AMQP 1.0 support for RabbitMQ","3.3.1"},
      {rabbit,"RabbitMQ","3.3.1"},
      {os_mon,"CPO  CXC 138 46","2.2.7"},
      {rabbitmq_web_dispatch,"RabbitMQ Web Dispatcher","3.3.1"},
      {webmachine,"webmachine","1.10.3-rmq3.3.1-gite9359c7"},
      {mochiweb,"MochiMedia Web Server","2.7.0-rmq3.3.1-git680dba8"},
      {xmerl,"XML parser","1.2.10"},
      {cowboy,"Small, fast, modular HTTP server.","0.5.0-rmq3.3.1-git4b93c2d"},
      {sockjs,"SockJS","0.3.4-rmq3.3.1-git3132eb9"},
      {inets,"INETS  CXC 138 49","5.7.1"},
      {mnesia,"MNESIA  CXC 138 12","4.5"},
      {amqp_client,"RabbitMQ AMQP Client","3.3.1"},
      {sasl,"SASL  CXC 138 11","2.1.10"},
      {stdlib,"ERTS  CXC 138 10","1.17.5"},
      {kernel,"ERTS  CXC 138 10","2.14.5"}]},
 {os,{unix,linux}},
 {erlang_version,
     "Erlang R14B04 (erts-5.8.5) [source] [64-bit] [smp:24:24] [rq:24] [async-threads:30] [kernel-poll:true]\n"},



Re: New RabbitMQ 3.3.0 Web_stomp SSL problems

brad
The config I posted was from when I was testing some things and is not correct.  The ssl port should be 15675.


Re: New RabbitMQ 3.3.0 Web_stomp SSL problems

Matthias Radestock-3
In reply to this post by brad
On 30/04/14 23:04, [hidden email] wrote:

> When starting up, a message is logged that says "rabbit_web_stomp:
> listening for HTTPS connections on 0.0.0.0:15675", but netstat shows
> that nothing is listening on port 15675. [...]
> rabbitmq.config:
>
> [
>    {rabbitmq_web_stomp, [
>      {ssl_config, [
>        {port,       15674},
>        {backlog,    1024},
>        {certfile,   "/etc/pki/tls/certs/dpp.crt"},
>        {keyfile,    "/etc/pki/tls/private/dpp.key"}
>      ]}
>    ]}
> ].

I have reproduced this.

If you check the rabbit-sasl.log you'll find some cryptic error.

The root cause is that you are missing a password in the above config,
which is mandatory (but can be "") for the ssl config in cowboy, the web
server library used by web_stomp.

I have just updated our docs at
http://www.rabbitmq.com/web-stomp.html#config to make that clear.

Matthias.
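
A pre-flight check for the failure described in the reply above, as an added example that is not part of the thread or of RabbitMQ: it reads the classic rabbitmq.config term format with a minimal parser written for this example and flags an ssl_config that has no password entry or that points at files that do not exist. The function names and the two sample configs are constructed for illustration.

```python
import os
import re

# Erlang term subset used by the classic rabbitmq.config format. Strings are
# matched before comments so a '%' inside a password is not taken as a comment.
TOKEN = re.compile(r'"(?:[^"\\]|\\.)*"|%[^\n]*|[{}\[\],.]|-?\d+|[a-z][\w@]*')

def tokenize(text):
    return [m.group() for m in TOKEN.finditer(text) if not m.group().startswith("%")]

def parse_term(toks, i=0):
    """Parse one term at toks[i]; return (value, next_index).
    Tuples become tuples, lists lists, integers ints; atoms and strings both str."""
    t = toks[i]
    if t in ("{", "["):
        close, items, i = ("}" if t == "{" else "]"), [], i + 1
        while toks[i] != close:
            if toks[i] == ",":
                i += 1
            else:
                value, i = parse_term(toks, i)
                items.append(value)
        return (tuple(items) if t == "{" else items), i + 1
    if t.startswith('"'):
        return t[1:-1], i + 1
    return (int(t) if t.lstrip("-").isdigit() else t), i + 1

def lookup(proplist, key):
    """Value of {key, Value} in a proplist, or None when the key is absent."""
    for item in proplist or []:
        if isinstance(item, tuple) and len(item) == 2 and item[0] == key:
            return item[1]
    return None

def check_web_stomp_ssl(config_text, file_exists=os.path.isfile):
    """Return findings for the rabbitmq_web_stomp ssl_config in config_text."""
    config, _ = parse_term(tokenize(config_text))
    ssl = lookup(lookup(config, "rabbitmq_web_stomp"), "ssl_config")
    if ssl is None:
        return ["rabbitmq_web_stomp has no ssl_config"]
    findings = []
    if lookup(ssl, "password") is None:
        findings.append('password missing: add {password, ""} if the key is not encrypted')
    for key in ("certfile", "keyfile", "cacertfile"):
        path = lookup(ssl, key)
        if path is not None and not file_exists(path):
            findings.append(f"{key} does not exist: {path}")
    return findings

# Constructed sample: the web_stomp section as posted in the thread (no password).
AS_POSTED = """[{rabbitmq_web_stomp, [{ssl_config, [
    {port, 15675},  % port as corrected in the follow-up message
    {backlog, 1024},
    {certfile, "/etc/pki/tls/certs/dpp.crt"},
    {keyfile, "/etc/pki/tls/private/dpp.key"}
]}]}]."""
# The same section with the empty password that the reply above calls for.
WITH_PASSWORD = AS_POSTED.replace('dpp.key"}', 'dpp.key"},\n    {password, ""}')

if __name__ == "__main__":
    for name, text in (("as posted", AS_POSTED), ("with password", WITH_PASSWORD)):
        print(name, check_web_stomp_ssl(text, file_exists=lambda p: True))
```

Run on the broker host with the real file contents and the default `file_exists`, the path check also covers the case from the thread where the configured certificate files are absent and the main log still reports a listener.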