我正在尝试使用RabbitMQ的SSL证书,但我不断与代理商发生握手错误。
使用openssl' s_client'我生成的证书可以正常工作。和' s_server'命令在单独的终端窗口中使用端口8443,详见SSL故障排除指南(http://www.rabbitmq.com/troubleshooting-ssl.html)。
当我尝试使用相同的openssl' s_client'连接到RabbitMQ SSL端口5671时,会出现问题。命令:
运行此:
openssl s_client -connect localhost:5671 -cert /etc/rabbitmq/ssl/client/cert.pem -key /etc/rabbitmq/ssl/client/key.pem -CAfile /etc/rabbitmq/ssl/certificate_auth/cacert.pem
产生这个:
CONNECTED(00000003)
depth=1 CN = RMQCA
verify return:1
depth=0 CN = roger.xxxxxx.com, O = server
verify return:1
139997248210760:error:14094410:SSL routines:SSL3_READ_BYTES:sslv3 alert handshake failure:s3_pkt.c:1256:SSL alert number 40
139997248210760:error:140790E5:SSL routines:SSL23_WRITE:ssl handshake failure:s23_lib.c:177:
---
SSL侦听器启动正常,如RabbitMQ日志中所示:
=INFO REPORT==== 19-May-2014::15:45:34 ===
started TCP Listener on [::]:5672
=INFO REPORT==== 19-May-2014::15:45:34 ===
started SSL Listener on [::]:5671
尝试使用' s_client'连接到端口5671时出现错误:
=INFO REPORT==== 19-May-2014::17:20:39 ===
accepting AMQP connection <0.3263.0> ([::1]:58538 -> [::1]:5671)
=ERROR REPORT==== 19-May-2014::17:20:39 ===
SSL: certify: ssl_handshake.erl:1346:Fatal error: handshake failure
=ERROR REPORT==== 19-May-2014::17:20:44 ===
error on AMQP connection <0.3263.0>: {ssl_upgrade_error,
{tls_alert,"handshake failure"}} (unknown POSIX error)
RabbitMQ配置文件:
[
{rabbit, [
{ssl_listeners, [5671]},
{ssl_options, [{cacertfile, "/etc/rabbitmq/ssl/certificate_auth/cacert.pem"},
{certfile, "/etc/rabbitmq/ssl/server/cert.pem"},
{keyfile, "/etc/rabbitmq/ssl/server/key.pem"},
{verify, verify_peer},
{fail_if_no_peer_cert, false}]}
]}
].
RabbitMQ信息:
[{pid,10375},
{running_applications,
[{rabbitmq_management,"RabbitMQ Management Console","3.2.3"},
{rabbitmq_web_dispatch,"RabbitMQ Web Dispatcher","3.2.3"},
{webmachine,"webmachine","1.10.3-rmq3.2.3-gite9359c7"},
{mochiweb,"MochiMedia Web Server","2.7.0-rmq3.2.3-git680dba8"},
{rabbitmq_management_agent,"RabbitMQ Management Agent","3.2.3"},
{rabbit,"RabbitMQ","3.2.3"},
{ssl,"Erlang/OTP SSL application","5.3.3"},
{public_key,"Public key infrastructure","0.21"},
{crypto,"CRYPTO version 2","3.2"},
{asn1,"The Erlang ASN1 compiler version 2.0.4","2.0.4"},
{os_mon,"CPO CXC 138 46","2.2.14"},
{inets,"INETS CXC 138 49","5.9.8"},
{mnesia,"MNESIA CXC 138 12","4.11"},
{amqp_client,"RabbitMQ AMQP Client","3.2.3"},
{xmerl,"XML parser","1.3.6"},
{sasl,"SASL CXC 138 11","2.3.4"},
{stdlib,"ERTS CXC 138 10","1.19.4"},
{kernel,"ERTS CXC 138 10","2.16.4"}]},
{os,{unix,linux}},
{erlang_version,
"Erlang R16B03-1 (erts-5.10.4) [source] [64-bit] [smp:2:2] [async-threads:30] [hipe] [kernel-poll:true]\n"},
{memory,
[{total,43812088},
{connection_procs,5616},
{queue_procs,42528},
{plugins,451248},
{other_proc,13805200},
{mnesia,72752},
{mgmt_db,10208},
{msg_index,34560},
{other_ets,1159472},
{binary,1030272},
{code,21819091},
{atom,793505},
{other_system,4587636}]},
{vm_memory_high_watermark,0.4},
{vm_memory_limit,787819724},
{disk_free_limit,50000000},
{disk_free,31267266560},
{file_descriptors,
[{total_limit,924},{total_used,4},{sockets_limit,829},{sockets_used,2}]},
{processes,[{limit,1048576},{used,215}]},
{run_queue,0},
{uptime,7893}]
...done.
非常感谢任何帮助
提前致谢。
更新:
尝试连接rabbitmqadmin实用程序时出现以下错误。
日志文件:
=INFO REPORT==== 20-May-2014::14:39:12 ===
accepting AMQP connection <0.16589.0> ([::1]:58922 -> [::1]:5671)
=ERROR REPORT==== 20-May-2014::14:39:12 ===
SSL: certify: ssl_handshake.erl:1346:Fatal error: handshake failure
=ERROR REPORT==== 20-May-2014::14:39:17 ===
error on AMQP connection <0.16589.0>: {ssl_upgrade_error,
{tls_alert,"handshake failure"}} (unknown POSIX error)
rabbitmqadmin命令产生了以下内容:
*** Could not connect: [Errno 1] _ssl.c:492: error:14094410:SSL routines:SSL3_READ_BYTES:sslv3 alert handshake failure
答案 0 :(得分:7)
我遇到了与@ user3653959相同的问题,而@Sarah梅塞尔的回答引导我找到解决方案。
您的客户端证书必须 TLS Web Client Authentication“X509v3扩展密钥用法”属性。由于我的客户端生成脚本中的错误,我只有TLS Web Server Authentication。
要检查客户端证书的功能,可以使用以下命令:
openssl x509 -noout -text -in client-certificate.pem
然后查找“ X509v3 extensions:”部分和“ X509v3扩展密钥用法:”小节。
如果您使用示例openssl.conf以及官方"RabbitMQ - TLS Support" guide中提供的客户端和服务器命令生成客户端证书,则它应该是开箱即用的。
这里的关键是extendedKeyUsage = 1.3.6.1.5.5.7.3.2中的openssl.conf openssl配置选项,正如@Sarah Messer指出的那样。这是“TLS Web客户端身份验证”功能。 OpenSSL s_server不需要此功能,这就是它默认使用它的原因,但不适用于RabbitMQ。 keyUsage = digitalSignature足以作为主要使用选项。此外,客户端证书的“公共名称”(CN)并不重要。
我的环境:
我在RabbitMQ日志中看到的错误:
=ERROR REPORT==== 21-Jun-2016::13:28:21 ===
SSL: certify: ssl_handshake.erl:1492:Fatal error: handshake failure
我通过openssl s_client看到的错误:
140735165813584:error:14094410:SSL routines:ssl3_read_bytes:sslv3 alert handshake failure:s3_pkt.c:1472:SSL alert number 40
140735165813584:error:1409E0E5:SSL routines:ssl3_write_bytes:ssl handshake failure:s3_pkt.c:656:
答案 1 :(得分:3)
我通过类似的麻烦(使用RabbitMQ 2.7.1 / Erlang R14B04)。这是我发现的:
RabbitMQ plugins page且至少one other site建议启用插件rabbitmq_auth_mechanism_ssl。如果rabbitmq-plugins是您系统上的无效命令,this page描述了如何在Ubuntu上启用它。 (显然apt-get软件包在基于Debian的系统上没有完全预期的行为。)你的输出(来自rabbitmqctl report,我认为)表示你没有启用rabbitmq_auth_mechanism_ssl。
对于你的rabbitmq.config,你需要确保“EXTERNAL”被列为auth_mechanisms之一。该行的语法为{auth_mechanisms, ['PLAIN', 'AMQPLAIN', 'EXTERNAL']},并在配置的默认“兔子”部分显示为一个项目。
您还应该确保您的客户端提供的证书具有为keyUsage和extendedKeyUsage设置的适当值,因为RabbitMQ比s_server更严格。出于调试/测试目的,您可能希望对这些非常宽容。您可以在openssl config中设置keyUsage。广泛接受的openssl配置可能包含这样的行
keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment, keyAgreement, keyCertSign, cRLSign
extendedKeyUsage = 1.3.6.1.5.5.7.3.1, 1.3.6.1.5.5.7.3.2
(我认为.2 OID,“TLS Web客户端身份验证”对于连接RabbitMQ很重要,但我没有做过仔细的测试。)
这将在接近结尾时生成带有此块的证书:
X509v3 Key Usage:
Digital Signature, Non Repudiation, Key Encipherment, Data Encipherment, Key Agreement, Certificate Sign, CRL Sign
X509v3 Extended Key Usage:
TLS Web Server Authentication, TLS Web Client Authentication
s_client应该有更多的输出。特别是,我对最后一行感兴趣,它应该看起来像“验证返回代码:0(确定)”如果你有一个非零/错误消息,请在搜索中将其发布并转出。 (#19非常常见,因为它是not really an error。)
当我到达这一点时,当我尝试创建一个简单的pika.BlockingConnection时,握手显然已经完成了,但是Rabbit从配置中auth_mechanisms中指定的列表中删除了EXTERNAL。我确认我启用了rabbitmq_auth_mechanism_ssl,但这本身还不够。 (我通过继承pika.credentials.ExternalCredentials发现了这一点,并在ConnectionParameters中将实例作为“凭据”项传递,在子类的print start方法的顶部添加了response_for()。)我通过添加修复了以下行到配置文件的rabbit部分,与ssl_listeners和ssl_cert_login_from处于同一级别:
{ssl_apps,[asn1,crypto,public_key,ssl]},
(我怀疑较新版本的RabbitMQ默认启用它,但我的特定设置没有。)
如果你已经完成了所有这些并且仍然遇到问题,那么你也可以尝试在RabbitMQ配置中用“verify_none”替换“verify_peer”。您可能不希望在生产中使用它,因为它会向拥有自签名证书的任何人开放,但它是另一个数据点。此外,在pika中对相关内容进行子类化并添加打印语句,以便更深入地了解Rabbit发送给您的内容以及本地客户端如何解释它。
答案 2 :(得分:-1)
以下是适合我的解决方案:
在rabbitmq.config中添加以下密码:
{ciphers, ["ECDHE-ECDSA-AES256-GCM-SHA384","ECDHE-RSA-AES256-GCM-SHA384",
"ECDHE-ECDSA-AES256-SHA384","ECDHE-RSA-AES256-SHA384", "ECDHE-ECDSA-DES-CBC3-SHA",
"ECDH-ECDSA-AES256-GCM-SHA384","ECDH-RSA-AES256-GCM-SHA384","ECDH-ECDSA-AES256-SHA384",
"ECDH-RSA-AES256-SHA384","DHE-DSS-AES256-GCM-SHA384","DHE-DSS-AES256-SHA256",
"AES256-GCM-SHA384","AES256-SHA256","ECDHE-ECDSA-AES128-GCM-SHA256",
"ECDHE-RSA-AES128-GCM-SHA256","ECDHE-ECDSA-AES128-SHA256","ECDHE-RSA-AES128-SHA256",
"ECDH-ECDSA-AES128-GCM-SHA256","ECDH-RSA-AES128-GCM-SHA256","ECDH-ECDSA-AES128-SHA256",
"ECDH-RSA-AES128-SHA256","DHE-DSS-AES128-GCM-SHA256","DHE-DSS-AES128-SHA256",
"AES128-GCM-SHA256","AES128-SHA256","ECDHE-ECDSA-AES256-SHA",
"ECDHE-RSA-AES256-SHA","DHE-DSS-AES256-SHA","ECDH-ECDSA-AES256-SHA",
"ECDH-RSA-AES256-SHA","AES256-SHA","ECDHE-ECDSA-AES128-SHA",
"ECDHE-RSA-AES128-SHA","DHE-DSS-AES128-SHA","ECDH-ECDSA-AES128-SHA",
"ECDH-RSA-AES128-SHA","AES128-SHA"]},
{fail_if_no_peer_cert,false}]}
]}
]