RabbitMQ

Rabbitmq ssl upgrade error with go client program

Classic

List

Threaded

1 message

shravan

Rabbitmq ssl upgrade error with go client program

This post has NOT been accepted by the mailing list yet.

Hi

I am trying to connect to rabbitmq over ssl (amqps). The client is go program using the amqp library - https://github.com/streadway/amqp

I get the following error when I try to connect to rabbitmq over ssl -

ERROR
-----------

rabbitmq logs -
=INFO REPORT==== 9-Sep-2015::10:55:57 ===
started SSL Listener on [::]:5671

=INFO REPORT==== 9-Sep-2015::10:55:57 ===
Management plugin started. Port: 15672

=INFO REPORT==== 9-Sep-2015::10:55:57 ===
Statistics database started.

=INFO REPORT==== 9-Sep-2015::10:55:57 ===
Server startup complete; 7 plugins started.
* rabbitmq_management
* rabbitmq_web_dispatch
* webmachine
* mochiweb
* rabbitmq_management_agent
* amqp_client
* rabbitmq_auth_mechanism_ssl

=ERROR REPORT==== 9-Sep-2015::10:56:12 ===
Error on AMQP connection <0.318.0>:
{ssl_upgrade_error,{options,{ciphers, [{ecdhe_ecdsa,aes_128_cbc,sha256},
{ecdhe_ecdsa,aes_256_cbc,sha},
{ecdhe_ecdsa_aes256_sha384},
{ecdhe_rsa_aes256_sha384},
{ecdh_ecdsa_aes256_sha384},
{ecdh_rsa_aes256_sha384},
{dhe_rsa_aes256_sha256},
{dhe_dss_aes256_sha256},
{aes256_sha256},
{ecdhe_ecdsa_aes128_sha256},
{ecdhe_rsa_aes128_sha256},
{ecdh_ecdsa_aes128_sha256},
{ecdh_rsa_aes128_sha256},
{dhe_rsa_aes128_sha256},
{dhe_dss_aes128_sha256},
{aes128_sha256},
{ecdhe_ecdsa_aes256_sha},
{ecdhe_rsa_aes256_sha},
{dhe_rsa_aes256_sha},
{dhe_dss_aes256_sha},
{ecdh_ecdsa_aes256_sha},
{ecdh_rsa_aes256_sha},
{aes256_sha},
{ecdhe_ecdsa_des_cbc3_sha},
{ecdhe_rsa_des_cbc3_sha},
{edh_rsa_des_cbc3_sha},
{edh_dss_des_cbc3_sha},
{ecdh_ecdsa_des_cbc3_sha},
{ecdh_rsa_des_cbc3_sha},
{des_cbc3_sha},
{ecdhe_ecdsa_aes128_sha},
{ecdhe_rsa_aes128_sha},
{dhe_rsa_aes128_sha},
{dhe_dss_aes128_sha},
{ecdh_ecdsa_aes128_sha},
{ecdh_rsa_aes128_sha},
{aes128_sha},
{ecdhe_ecdsa_rc4_sha},
{ecdhe_rsa_rc4_sha},
{rc4_sha},
{rc4_md5},
{edh_rsa_des_cbc_sha},
{ecdh_ecdsa_rc4_sha},
{ecdh_rsa_rc4_sha},
{des_cbc_sha}]}

Error on the go client -
read tcp 68.140.240.146:45585->68.140.240.146:5671: read: connection reset by peer

CONFIGURATION
----------------------------

Rabbitmq version -
=INFO REPORT==== 9-Sep-2015::10:55:56 ===
Starting RabbitMQ 3.5.4 on Erlang R16B03

On the erlang shell
2> ssl:versions().
[{ssl_app,"5.3.2"},
{supported,['tlsv1.2','tlsv1.1',tlsv1,sslv3]},
{available,['tlsv1.2','tlsv1.1',tlsv1,sslv3]}]

$ openssl version
OpenSSL 1.0.1f 6 Jan 2014

$ openssl ciphers -v
ECDHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH Au=RSA Enc=AESGCM(256) Mac=AEAD
ECDHE-ECDSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH Au=ECDSA Enc=AESGCM(256) Mac=AEAD
ECDHE-RSA-AES256-SHA384 TLSv1.2 Kx=ECDH Au=RSA Enc=AES(256) Mac=SHA384
ECDHE-ECDSA-AES256-SHA384 TLSv1.2 Kx=ECDH Au=ECDSA Enc=AES(256) Mac=SHA384
ECDHE-RSA-AES256-SHA SSLv3 Kx=ECDH Au=RSA Enc=AES(256) Mac=SHA1
ECDHE-ECDSA-AES256-SHA SSLv3 Kx=ECDH Au=ECDSA Enc=AES(256) Mac=SHA1
SRP-DSS-AES-256-CBC-SHA SSLv3 Kx=SRP Au=DSS Enc=AES(256) Mac=SHA1
SRP-RSA-AES-256-CBC-SHA SSLv3 Kx=SRP Au=RSA Enc=AES(256) Mac=SHA1
SRP-AES-256-CBC-SHA SSLv3 Kx=SRP Au=SRP Enc=AES(256) Mac=SHA1
DHE-DSS-AES256-GCM-SHA384 TLSv1.2 Kx=DH Au=DSS Enc=AESGCM(256) Mac=AEAD
DHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=DH Au=RSA Enc=AESGCM(256) Mac=AEAD
DHE-RSA-AES256-SHA256 TLSv1.2 Kx=DH Au=RSA Enc=AES(256) Mac=SHA256
DHE-DSS-AES256-SHA256 TLSv1.2 Kx=DH Au=DSS Enc=AES(256) Mac=SHA256
DHE-RSA-AES256-SHA SSLv3 Kx=DH Au=RSA Enc=AES(256) Mac=SHA1
DHE-DSS-AES256-SHA SSLv3 Kx=DH Au=DSS Enc=AES(256) Mac=SHA1
DHE-RSA-CAMELLIA256-SHA SSLv3 Kx=DH Au=RSA Enc=Camellia(256) Mac=SHA1
DHE-DSS-CAMELLIA256-SHA SSLv3 Kx=DH Au=DSS Enc=Camellia(256) Mac=SHA1
ECDH-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH/RSA Au=ECDH Enc=AESGCM(256) Mac=AEAD
ECDH-ECDSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH/ECDSA Au=ECDH Enc=AESGCM(256) Mac=AEAD
ECDH-RSA-AES256-SHA384 TLSv1.2 Kx=ECDH/RSA Au=ECDH Enc=AES(256) Mac=SHA384
ECDH-ECDSA-AES256-SHA384 TLSv1.2 Kx=ECDH/ECDSA Au=ECDH Enc=AES(256) Mac=SHA384
ECDH-RSA-AES256-SHA SSLv3 Kx=ECDH/RSA Au=ECDH Enc=AES(256) Mac=SHA1
ECDH-ECDSA-AES256-SHA SSLv3 Kx=ECDH/ECDSA Au=ECDH Enc=AES(256) Mac=SHA1
AES256-GCM-SHA384 TLSv1.2 Kx=RSA Au=RSA Enc=AESGCM(256) Mac=AEAD
AES256-SHA256 TLSv1.2 Kx=RSA Au=RSA Enc=AES(256) Mac=SHA256
AES256-SHA SSLv3 Kx=RSA Au=RSA Enc=AES(256) Mac=SHA1
CAMELLIA256-SHA SSLv3 Kx=RSA Au=RSA Enc=Camellia(256) Mac=SHA1
PSK-AES256-CBC-SHA SSLv3 Kx=PSK Au=PSK Enc=AES(256) Mac=SHA1
ECDHE-RSA-DES-CBC3-SHA SSLv3 Kx=ECDH Au=RSA Enc=3DES(168) Mac=SHA1
ECDHE-ECDSA-DES-CBC3-SHA SSLv3 Kx=ECDH Au=ECDSA Enc=3DES(168) Mac=SHA1
SRP-DSS-3DES-EDE-CBC-SHA SSLv3 Kx=SRP Au=DSS Enc=3DES(168) Mac=SHA1
SRP-RSA-3DES-EDE-CBC-SHA SSLv3 Kx=SRP Au=RSA Enc=3DES(168) Mac=SHA1
SRP-3DES-EDE-CBC-SHA SSLv3 Kx=SRP Au=SRP Enc=3DES(168) Mac=SHA1
EDH-RSA-DES-CBC3-SHA SSLv3 Kx=DH Au=RSA Enc=3DES(168) Mac=SHA1
EDH-DSS-DES-CBC3-SHA SSLv3 Kx=DH Au=DSS Enc=3DES(168) Mac=SHA1
ECDH-RSA-DES-CBC3-SHA SSLv3 Kx=ECDH/RSA Au=ECDH Enc=3DES(168) Mac=SHA1
ECDH-ECDSA-DES-CBC3-SHA SSLv3 Kx=ECDH/ECDSA Au=ECDH Enc=3DES(168) Mac=SHA1
DES-CBC3-SHA SSLv3 Kx=RSA Au=RSA Enc=3DES(168) Mac=SHA1
PSK-3DES-EDE-CBC-SHA SSLv3 Kx=PSK Au=PSK Enc=3DES(168) Mac=SHA1
ECDHE-RSA-AES128-GCM-SHA256 TLSv1.2 Kx=ECDH Au=RSA Enc=AESGCM(128) Mac=AEAD
ECDHE-ECDSA-AES128-GCM-SHA256 TLSv1.2 Kx=ECDH Au=ECDSA Enc=AESGCM(128) Mac=AEAD
ECDHE-RSA-AES128-SHA256 TLSv1.2 Kx=ECDH Au=RSA Enc=AES(128) Mac=SHA256
ECDHE-ECDSA-AES128-SHA256 TLSv1.2 Kx=ECDH Au=ECDSA Enc=AES(128) Mac=SHA256
ECDHE-RSA-AES128-SHA SSLv3 Kx=ECDH Au=RSA Enc=AES(128) Mac=SHA1
ECDHE-ECDSA-AES128-SHA SSLv3 Kx=ECDH Au=ECDSA Enc=AES(128) Mac=SHA1
SRP-DSS-AES-128-CBC-SHA SSLv3 Kx=SRP Au=DSS Enc=AES(128) Mac=SHA1
SRP-RSA-AES-128-CBC-SHA SSLv3 Kx=SRP Au=RSA Enc=AES(128) Mac=SHA1
SRP-AES-128-CBC-SHA SSLv3 Kx=SRP Au=SRP Enc=AES(128) Mac=SHA1
DHE-DSS-AES128-GCM-SHA256 TLSv1.2 Kx=DH Au=DSS Enc=AESGCM(128) Mac=AEAD
DHE-RSA-AES128-GCM-SHA256 TLSv1.2 Kx=DH Au=RSA Enc=AESGCM(128) Mac=AEAD
DHE-RSA-AES128-SHA256 TLSv1.2 Kx=DH Au=RSA Enc=AES(128) Mac=SHA256
DHE-DSS-AES128-SHA256 TLSv1.2 Kx=DH Au=DSS Enc=AES(128) Mac=SHA256
DHE-RSA-AES128-SHA SSLv3 Kx=DH Au=RSA Enc=AES(128) Mac=SHA1
DHE-DSS-AES128-SHA SSLv3 Kx=DH Au=DSS Enc=AES(128) Mac=SHA1
DHE-RSA-SEED-SHA SSLv3 Kx=DH Au=RSA Enc=SEED(128) Mac=SHA1
DHE-DSS-SEED-SHA SSLv3 Kx=DH Au=DSS Enc=SEED(128) Mac=SHA1
DHE-RSA-CAMELLIA128-SHA SSLv3 Kx=DH Au=RSA Enc=Camellia(128) Mac=SHA1
DHE-DSS-CAMELLIA128-SHA SSLv3 Kx=DH Au=DSS Enc=Camellia(128) Mac=SHA1
ECDH-RSA-AES128-GCM-SHA256 TLSv1.2 Kx=ECDH/RSA Au=ECDH Enc=AESGCM(128) Mac=AEAD
ECDH-ECDSA-AES128-GCM-SHA256 TLSv1.2 Kx=ECDH/ECDSA Au=ECDH Enc=AESGCM(128) Mac=AEAD
ECDH-RSA-AES128-SHA256 TLSv1.2 Kx=ECDH/RSA Au=ECDH Enc=AES(128) Mac=SHA256
ECDH-ECDSA-AES128-SHA256 TLSv1.2 Kx=ECDH/ECDSA Au=ECDH Enc=AES(128) Mac=SHA256
ECDH-RSA-AES128-SHA SSLv3 Kx=ECDH/RSA Au=ECDH Enc=AES(128) Mac=SHA1
ECDH-ECDSA-AES128-SHA SSLv3 Kx=ECDH/ECDSA Au=ECDH Enc=AES(128) Mac=SHA1
AES128-GCM-SHA256 TLSv1.2 Kx=RSA Au=RSA Enc=AESGCM(128) Mac=AEAD
AES128-SHA256 TLSv1.2 Kx=RSA Au=RSA Enc=AES(128) Mac=SHA256
AES128-SHA SSLv3 Kx=RSA Au=RSA Enc=AES(128) Mac=SHA1
SEED-SHA SSLv3 Kx=RSA Au=RSA Enc=SEED(128) Mac=SHA1
CAMELLIA128-SHA SSLv3 Kx=RSA Au=RSA Enc=Camellia(128) Mac=SHA1
PSK-AES128-CBC-SHA SSLv3 Kx=PSK Au=PSK Enc=AES(128) Mac=SHA1
ECDHE-RSA-RC4-SHA SSLv3 Kx=ECDH Au=RSA Enc=RC4(128) Mac=SHA1
ECDHE-ECDSA-RC4-SHA SSLv3 Kx=ECDH Au=ECDSA Enc=RC4(128) Mac=SHA1
ECDH-RSA-RC4-SHA SSLv3 Kx=ECDH/RSA Au=ECDH Enc=RC4(128) Mac=SHA1
ECDH-ECDSA-RC4-SHA SSLv3 Kx=ECDH/ECDSA Au=ECDH Enc=RC4(128) Mac=SHA1
RC4-SHA SSLv3 Kx=RSA Au=RSA Enc=RC4(128) Mac=SHA1
RC4-MD5 SSLv3 Kx=RSA Au=RSA Enc=RC4(128) Mac=MD5
PSK-RC4-SHA SSLv3 Kx=PSK Au=PSK Enc=RC4(128) Mac=SHA1
EDH-RSA-DES-CBC-SHA SSLv3 Kx=DH Au=RSA Enc=DES(56) Mac=SHA1
EDH-DSS-DES-CBC-SHA SSLv3 Kx=DH Au=DSS Enc=DES(56) Mac=SHA1
DES-CBC-SHA SSLv3 Kx=RSA Au=RSA Enc=DES(56) Mac=SHA1
oncuelinx@oncuelinx-ThinkPad-T520:~$

rabbitmq config
----------------------
{ssl_listeners, [5671]},

{ssl_options, [{cacertfile, "/etc/ssl/certs/cacert.pem"},
{certfile, "/etc/rabbitmq/ssl/rabbitmq.pem"},
{keyfile, "/etc/rabbitmq/ssl/rabbitmq.key"},
{ciphers, [{ecdhe_ecdsa,aes_128_cbc,sha256},
{ecdhe_ecdsa,aes_256_cbc,sha},
{ecdhe_ecdsa_aes256_sha384},
{ecdhe_rsa_aes256_sha384},
{ecdh_ecdsa_aes256_sha384},
{ecdh_rsa_aes256_sha384},
{dhe_rsa_aes256_sha256},
{dhe_dss_aes256_sha256},
{aes256_sha256},
{ecdhe_ecdsa_aes128_sha256},
{ecdhe_rsa_aes128_sha256},
{ecdh_ecdsa_aes128_sha256},
{ecdh_rsa_aes128_sha256},
{dhe_rsa_aes128_sha256},
{dhe_dss_aes128_sha256},
{aes128_sha256},
{ecdhe_ecdsa_aes256_sha},
{ecdhe_rsa_aes256_sha},
{dhe_rsa_aes256_sha},
{dhe_dss_aes256_sha},
{ecdh_ecdsa_aes256_sha},
{ecdh_rsa_aes256_sha},
{aes256_sha},
{ecdhe_ecdsa_des_cbc3_sha},
{ecdhe_rsa_des_cbc3_sha},
{edh_rsa_des_cbc3_sha},
{edh_dss_des_cbc3_sha},
{ecdh_ecdsa_des_cbc3_sha},
{ecdh_rsa_des_cbc3_sha},
{des_cbc3_sha},
{ecdhe_ecdsa_aes128_sha},
{ecdhe_rsa_aes128_sha},
{dhe_rsa_aes128_sha},
{dhe_dss_aes128_sha},
{ecdh_ecdsa_aes128_sha},
{ecdh_rsa_aes128_sha},
{aes128_sha},
{ecdhe_ecdsa_rc4_sha},
{ecdhe_rsa_rc4_sha},
{rc4_sha},
{rc4_md5},
{edh_rsa_des_cbc_sha},
{ecdh_ecdsa_rc4_sha},
{ecdh_rsa_rc4_sha},
{des_cbc_sha}]},
{verify, verify_peer},
{fail_if_no_peer_cert, false}]},

{auth_mechanisms, ['PLAIN', 'AMQPLAIN']},
{auth_mechanisms, ['EXTERNAL']},
{ssl_handshake_timeout, 10000}

Go version -
$ go version
go version go1.5 linux/amd64

The Go crypto/tls library supports only 3 types of curves -
const (
CurveP256 CurveID = 23
CurveP384 CurveID = 24
CurveP521 CurveID = 25
)

I am stuck with this problem from many days. Is there something wrong with my config ?
Any help is greatly appreciated.

Thanks