环境

Question

我正在尝试使用SSL支持设置rabbitmq。但是，连接客户端收到错误以及日志中出现的错误：

=ERROR REPORT==== 7-Aug-2015::07:44:48 ===
STOMP detected network error on <0.11577.0> (172.31.80.14:50841 -> 172.23.115.104:61614):
{ssl_upgrade_failure,
    {{{badmatch,
          {error,
              {asn1,
                  {'Type not compatible with table constraint',
                      {{component,'Type'},
                       {value,{5,<<>>}},
                       {unique_name_and_value,id,{1,2,840,113549,1,1,11}}}}}}},
      [{public_key,pkix_decode_cert,2},
       {ssl_cipher,filter,2},
       {ssl_handshake,select_session,8},
       {ssl_handshake,hello,4},
       {ssl_connection,hello,2},
       {ssl_connection,next_state,3},
       {gen_fsm,handle_msg,7},
       {proc_lib,init_p_do_apply,3}]},
     {gen_fsm,sync_send_all_state_event,[<0.11578.0>,start,5000]}}}

我们正在使用我们使用openssl工具链创建的证书以及我们也创建的ca证书。

我的知识有点简短，但我相信证书已正确生成。我意识到erlang版本已经过时了，我已经启用了使其不安全的配置属性，但我无法访问更新的RHEL版本。

环境

Erlang R14B04
Rabbitmq 3.5.1
RHEL 6 2.6.32-431.29.2.el6.x86_64

rabbitmq.config

[
    {rabbit,
        {tcp_listeners, [5672]}, 
        {ssl_listeners, [5671]},
        {ssl_allow_poodle_attack, true},
        {ssl_options, [
            {cacertfile, "/etc/httpd/ssl/ca.crt"},
            {certfile,"/etc/httpd/ssl/vitel-asl.crt"},
            {keyfile, "/etc/httpd/ssl/vitel-asl.key"},
            {verify, verify_peer},
            {ssl_cert_login_from, common_name},
            {fail_if_no_peer_cert, true}]
        },
        {rabbitmq_stomp, [
            {ssl_listeners, [61614]}
        ]}
    }
].

TLS

ca.crt

维泰尔-asl.crt

维泰尔-asl.key

Answer 1

我有一个类似的问题，我使用RabbitMQ 3.3.4和Erlang R14B04和CA SHA256证书。为了让服务器运行，我不得不升级到Erlang 18.3和RabbitMQ 3.6.2。我有客户消费者试图使用不支持SHA-256证书的SSLv3。

我的配置如下：

[
  {ssl, [{versions, ['tlsv1.2', 'tlsv1.1', 'tlsv1']}]},
  {rabbit, [
     {ssl_listeners, [5671]},
     {ssl_options, [{cacertfile,"/home/rabbitmq/cert/cacert.cer"},
                    {certfile,"/home/rabbitmq/cert/server.cer"},
                    {keyfile,"/home/rabbitmq/cert/server_private.pem"},
                    {versions, ['tlsv1.2', 'tlsv1.1', tlsv1]},
                    {ciphers, ["ECDHE-ECDSA-AES256-GCM-SHA384","ECDHE-RSA-AES256-GCM-SHA384",
 "ECDHE-ECDSA-AES256-SHA384","ECDHE-RSA-AES256-SHA384",
 "ECDH-ECDSA-AES256-GCM-SHA384","ECDH-RSA-AES256-GCM-SHA384",
 "ECDH-ECDSA-AES256-SHA384","ECDH-RSA-AES256-SHA384",
 "DHE-RSA-AES256-GCM-SHA384","DHE-DSS-AES256-GCM-SHA384",
 "DHE-RSA-AES256-SHA256","DHE-DSS-AES256-SHA256","AES256-GCM-SHA384",
 "AES256-SHA256","ECDHE-ECDSA-AES128-GCM-SHA256",
 "ECDHE-RSA-AES128-GCM-SHA256","ECDHE-ECDSA-AES128-SHA256",
 "ECDHE-RSA-AES128-SHA256","ECDH-ECDSA-AES128-GCM-SHA256",
 "ECDH-RSA-AES128-GCM-SHA256","ECDH-ECDSA-AES128-SHA256",
 "ECDH-RSA-AES128-SHA256","DHE-RSA-AES128-GCM-SHA256",
 "DHE-DSS-AES128-GCM-SHA256","DHE-RSA-AES128-SHA256","DHE-DSS-AES128-SHA256",
 "AES128-GCM-SHA256","AES128-SHA256","ECDHE-ECDSA-AES256-SHA",
 "ECDHE-RSA-AES256-SHA","DHE-RSA-AES256-SHA","DHE-DSS-AES256-SHA",
 "ECDH-ECDSA-AES256-SHA","ECDH-RSA-AES256-SHA","AES256-SHA",
 "ECDHE-ECDSA-DES-CBC3-SHA","ECDHE-RSA-DES-CBC3-SHA","EDH-RSA-DES-CBC3-SHA",
 "EDH-DSS-DES-CBC3-SHA","ECDH-ECDSA-DES-CBC3-SHA","ECDH-RSA-DES-CBC3-SHA",
 "DES-CBC3-SHA","ECDHE-ECDSA-AES128-SHA","ECDHE-RSA-AES128-SHA",
 "DHE-RSA-AES128-SHA","DHE-DSS-AES128-SHA","ECDH-ECDSA-AES128-SHA",
 "ECDH-RSA-AES128-SHA","AES128-SHA","EDH-RSA-DES-CBC-SHA","DES-CBC-SHA"]},
                                  {honor_cipher_order, true},
                    {fail_if_no_peer_cert, false}]}
   ]}
].

要获得Erlang支持的密码套件，您可以运行：

rabbitmqctl eval 'ssl:cipher_suites(openssl).'

对于有类似问题的其他人的旁注，您还可以检查公钥和私钥，以确保通过执行以下操作来使用正确的密钥：

# openssl x509 -in ssl.crt -pubkey -noout > from_crt.pub 
# openssl rsa -in ssl.key -pubout > from_key.pub 
# diff from_crt.pub from_key.pub

**如果你使用正确的密钥，你的差异应该是空的。

查看https://www.rabbitmq.com/ssl.html Rabbit有关SSL的信息。

使用SSL配置rabbitmq的问题

环境

rabbitmq.config

TLS

ca.crt

维泰尔-asl.crt

维泰尔-asl.key

1 个答案: