我正在运行RabbitMQ 3.6.1 / Erlang 18.3,并发现我无法使用Spring AMQP 1.5.4.RELEASE Java客户端与代理建立TLSv1或TLSv1.1会话。但是,我能够与代理建立TLSv1.2会话。我的RabbitMQ代理配置为支持tlsv1,tlsv1.1和tlsv1.2中的所有三个。我在OS X上使用Java 1.8.0_77-b03。
这是我的RabbitMQ配置:
https://gist.github.com/ae6rt/de06d1efecf62fbe8cef31774d9be3d7
代理上的Erlang报告ssl版本
# erl
Eshell V7.3 (abort with ^G)
1> ssl:versions().
[{ssl_app,"7.3"},
{supported,['tlsv1.2','tlsv1.1',tlsv1]},
{available,['tlsv1.2','tlsv1.1',tlsv1,sslv3]}]
这是RabbitMQ在失败时记录的错误:
=ERROR REPORT==== 22-Apr-2016::03:19:02 ===
SSL: hello: tls_handshake.erl:167:Fatal error: insufficient security
在TLS设置期间,我使用tcpdump来嗅探安全端口5671上的流量。这是tshark对该数据的格式化:
Frame 4: 210 bytes on wire (1680 bits), 210 bytes captured (1680 bits)
Encapsulation type: Ethernet (1)
Arrival Time: Apr 21, 2016 20:09:38.053439000 PDT
[Time shift for this packet: 0.000000000 seconds]
Epoch Time: 1461294578.053439000 seconds
[Time delta from previous captured frame: 0.013675000 seconds]
[Time delta from previous displayed frame: 0.000000000 seconds]
[Time since reference or first frame: 0.013840000 seconds]
Frame Number: 4
Frame Length: 210 bytes (1680 bits)
Capture Length: 210 bytes (1680 bits)
[Frame is marked: False]
[Frame is ignored: False]
[Protocols in frame: eth:ethertype:ip:tcp:ssl]
Ethernet II, Src: 02:42:f5:68:bc:7c (02:42:f5:68:bc:7c), Dst: 02:42:ac:11:00:02 (02:42:ac:11:00:02)
Destination: 02:42:ac:11:00:02 (02:42:ac:11:00:02)
Address: 02:42:ac:11:00:02 (02:42:ac:11:00:02)
.... ..1. .... .... .... .... = LG bit: Locally administered address (this is NOT the factory default)
.... ...0 .... .... .... .... = IG bit: Individual address (unicast)
Source: 02:42:f5:68:bc:7c (02:42:f5:68:bc:7c)
Address: 02:42:f5:68:bc:7c (02:42:f5:68:bc:7c)
.... ..1. .... .... .... .... = LG bit: Locally administered address (this is NOT the factory default)
.... ...0 .... .... .... .... = IG bit: Individual address (unicast)
Type: IPv4 (0x0800)
Internet Protocol Version 4, Src: 10.0.2.2, Dst: 172.17.0.2
0100 .... = Version: 4
.... 0101 = Header Length: 20 bytes
Differentiated Services Field: 0x00 (DSCP: CS0, ECN: Not-ECT)
0000 00.. = Differentiated Services Codepoint: Default (0)
.... ..00 = Explicit Congestion Notification: Not ECN-Capable Transport (0)
Total Length: 196
Identification: 0x0a1e (2590)
Flags: 0x00
0... .... = Reserved bit: Not set
.0.. .... = Don't fragment: Not set
..0. .... = More fragments: Not set
Fragment offset: 0
Time to live: 63
Protocol: TCP (6)
Header checksum: 0xb901 [validation disabled]
[Good: False]
[Bad: False]
Source: 10.0.2.2
Destination: 172.17.0.2
[Source GeoIP: Unknown]
[Destination GeoIP: Unknown]
Transmission Control Protocol, Src Port: 39141 (39141), Dst Port: 5671 (5671), Seq: 1, Ack: 1, Len: 156
Source Port: 39141
Destination Port: 5671
[Stream index: 0]
[TCP Segment Len: 156]
Sequence number: 1 (relative sequence number)
[Next sequence number: 157 (relative sequence number)]
Acknowledgment number: 1 (relative ack number)
Header Length: 20 bytes
Flags: 0x018 (PSH, ACK)
000. .... .... = Reserved: Not set
...0 .... .... = Nonce: Not set
.... 0... .... = Congestion Window Reduced (CWR): Not set
.... .0.. .... = ECN-Echo: Not set
.... ..0. .... = Urgent: Not set
.... ...1 .... = Acknowledgment: Set
.... .... 1... = Push: Set
.... .... .0.. = Reset: Not set
.... .... ..0. = Syn: Not set
.... .... ...0 = Fin: Not set
[TCP Flags: *******AP***]
Window size value: 65535
[Calculated window size: 65535]
[Window size scaling factor: -2 (no window scaling used)]
Checksum: 0x6ef9 [validation disabled]
[Good Checksum: False]
[Bad Checksum: False]
Urgent pointer: 0
[SEQ/ACK analysis]
[iRTT: 0.000165000 seconds]
[Bytes in flight: 156]
Secure Sockets Layer
SSL Record Layer: Handshake Protocol: Client Hello
Content Type: Handshake (22)
Version: TLS 1.0 (0x0301)
Length: 151
Handshake Protocol: Client Hello
Handshake Type: Client Hello (1)
Length: 147
Version: TLS 1.0 (0x0301)
Random
GMT Unix Time: Apr 21, 2016 20:09:38.000000000 PDT
Random Bytes: 742380f15c78a0409bd2817911699637f5c7879f27bf6dc1...
Session ID Length: 0
Cipher Suites Length: 44
Cipher Suites (22 suites)
Cipher Suite: TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA (0xc00a)
Cipher Suite: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (0xc014)
Cipher Suite: TLS_RSA_WITH_AES_256_CBC_SHA (0x0035)
Cipher Suite: TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA (0xc005)
Cipher Suite: TLS_ECDH_RSA_WITH_AES_256_CBC_SHA (0xc00f)
Cipher Suite: TLS_DHE_RSA_WITH_AES_256_CBC_SHA (0x0039)
Cipher Suite: TLS_DHE_DSS_WITH_AES_256_CBC_SHA (0x0038)
Cipher Suite: TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA (0xc009)
Cipher Suite: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (0xc013)
Cipher Suite: TLS_RSA_WITH_AES_128_CBC_SHA (0x002f)
Cipher Suite: TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA (0xc004)
Cipher Suite: TLS_ECDH_RSA_WITH_AES_128_CBC_SHA (0xc00e)
Cipher Suite: TLS_DHE_RSA_WITH_AES_128_CBC_SHA (0x0033)
Cipher Suite: TLS_DHE_DSS_WITH_AES_128_CBC_SHA (0x0032)
Cipher Suite: TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA (0xc008)
Cipher Suite: TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA (0xc012)
Cipher Suite: TLS_RSA_WITH_3DES_EDE_CBC_SHA (0x000a)
Cipher Suite: TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA (0xc003)
Cipher Suite: TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA (0xc00d)
Cipher Suite: TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA (0x0016)
Cipher Suite: TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA (0x0013)
Cipher Suite: TLS_EMPTY_RENEGOTIATION_INFO_SCSV (0x00ff)
Compression Methods Length: 1
Compression Methods (1 method)
Compression Method: null (0)
Extensions Length: 62
Extension: elliptic_curves
Type: elliptic_curves (0x000a)
Length: 52
Elliptic Curves Length: 50
Elliptic curves (25 curves)
Elliptic curve: secp256r1 (0x0017)
Elliptic curve: sect163k1 (0x0001)
Elliptic curve: sect163r2 (0x0003)
Elliptic curve: secp192r1 (0x0013)
Elliptic curve: secp224r1 (0x0015)
Elliptic curve: sect233k1 (0x0006)
Elliptic curve: sect233r1 (0x0007)
Elliptic curve: sect283k1 (0x0009)
Elliptic curve: sect283r1 (0x000a)
Elliptic curve: secp384r1 (0x0018)
Elliptic curve: sect409k1 (0x000b)
Elliptic curve: sect409r1 (0x000c)
Elliptic curve: secp521r1 (0x0019)
Elliptic curve: sect571k1 (0x000d)
Elliptic curve: sect571r1 (0x000e)
Elliptic curve: secp160k1 (0x000f)
Elliptic curve: secp160r1 (0x0010)
Elliptic curve: secp160r2 (0x0011)
Elliptic curve: sect163r1 (0x0002)
Elliptic curve: secp192k1 (0x0012)
Elliptic curve: sect193r1 (0x0004)
Elliptic curve: sect193r2 (0x0005)
Elliptic curve: secp224k1 (0x0014)
Elliptic curve: sect239k1 (0x0008)
Elliptic curve: secp256k1 (0x0016)
Extension: ec_point_formats
Type: ec_point_formats (0x000b)
Length: 2
EC point formats Length: 1
Elliptic curves point formats (1)
EC point format: uncompressed (0)
Frame 6: 61 bytes on wire (488 bits), 61 bytes captured (488 bits)
Encapsulation type: Ethernet (1)
Arrival Time: Apr 21, 2016 20:09:38.053842000 PDT
[Time shift for this packet: 0.000000000 seconds]
Epoch Time: 1461294578.053842000 seconds
[Time delta from previous captured frame: 0.000377000 seconds]
[Time delta from previous displayed frame: 0.000403000 seconds]
[Time since reference or first frame: 0.014243000 seconds]
Frame Number: 6
Frame Length: 61 bytes (488 bits)
Capture Length: 61 bytes (488 bits)
[Frame is marked: False]
[Frame is ignored: False]
[Protocols in frame: eth:ethertype:ip:tcp:ssl]
Ethernet II, Src: 02:42:ac:11:00:02 (02:42:ac:11:00:02), Dst: 02:42:f5:68:bc:7c (02:42:f5:68:bc:7c)
Destination: 02:42:f5:68:bc:7c (02:42:f5:68:bc:7c)
Address: 02:42:f5:68:bc:7c (02:42:f5:68:bc:7c)
.... ..1. .... .... .... .... = LG bit: Locally administered address (this is NOT the factory default)
.... ...0 .... .... .... .... = IG bit: Individual address (unicast)
Source: 02:42:ac:11:00:02 (02:42:ac:11:00:02)
Address: 02:42:ac:11:00:02 (02:42:ac:11:00:02)
.... ..1. .... .... .... .... = LG bit: Locally administered address (this is NOT the factory default)
.... ...0 .... .... .... .... = IG bit: Individual address (unicast)
Type: IPv4 (0x0800)
Internet Protocol Version 4, Src: 172.17.0.2, Dst: 10.0.2.2
0100 .... = Version: 4
.... 0101 = Header Length: 20 bytes
Differentiated Services Field: 0x00 (DSCP: CS0, ECN: Not-ECT)
0000 00.. = Differentiated Services Codepoint: Default (0)
.... ..00 = Explicit Congestion Notification: Not ECN-Capable Transport (0)
Total Length: 47
Identification: 0x3fb8 (16312)
Flags: 0x02 (Don't Fragment)
0... .... = Reserved bit: Not set
.1.. .... = Don't fragment: Set
..0. .... = More fragments: Not set
Fragment offset: 0
Time to live: 64
Protocol: TCP (6)
Header checksum: 0x42fc [validation disabled]
[Good: False]
[Bad: False]
Source: 172.17.0.2
Destination: 10.0.2.2
[Source GeoIP: Unknown]
[Destination GeoIP: Unknown]
Transmission Control Protocol, Src Port: 5671 (5671), Dst Port: 39141 (39141), Seq: 1, Ack: 157, Len: 7
Source Port: 5671
Destination Port: 39141
[Stream index: 0]
[TCP Segment Len: 7]
Sequence number: 1 (relative sequence number)
[Next sequence number: 8 (relative sequence number)]
Acknowledgment number: 157 (relative ack number)
Header Length: 20 bytes
Flags: 0x018 (PSH, ACK)
000. .... .... = Reserved: Not set
...0 .... .... = Nonce: Not set
.... 0... .... = Congestion Window Reduced (CWR): Not set
.... .0.. .... = ECN-Echo: Not set
.... ..0. .... = Urgent: Not set
.... ...1 .... = Acknowledgment: Set
.... .... 1... = Push: Set
.... .... .0.. = Reset: Not set
.... .... ..0. = Syn: Not set
.... .... ...0 = Fin: Not set
[TCP Flags: *******AP***]
Window size value: 30016
[Calculated window size: 30016]
[Window size scaling factor: -2 (no window scaling used)]
Checksum: 0xb836 [validation disabled]
[Good Checksum: False]
[Bad Checksum: False]
Urgent pointer: 0
[SEQ/ACK analysis]
[iRTT: 0.000165000 seconds]
[Bytes in flight: 7]
Secure Sockets Layer
TLSv1 Record Layer: Alert (Level: Fatal, Description: Insufficient Security)
Content Type: Alert (21)
Version: TLS 1.0 (0x0301)
Length: 2
Alert Message
Level: Fatal (2)
Description: Insufficient Security (71)
这是Spring连接失败:
org.springframework.amqp.AmqpIOException: javax.net.ssl.SSLHandshakeException: Received fatal alert: insufficient_security
at sun.security.ssl.Alerts.getSSLException(Alerts.java:192)
at sun.security.ssl.Alerts.getSSLException(Alerts.java:154)
at sun.security.ssl.SSLSocketImpl.recvAlert(SSLSocketImpl.java:2023)
at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:1125)
at sun.security.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1375)
at sun.security.ssl.SSLSocketImpl.writeRecord(SSLSocketImpl.java:747)
at sun.security.ssl.AppOutputStream.write(AppOutputStream.java:123)
at java.io.BufferedOutputStream.flushBuffer(BufferedOutputStream.java:82)
at java.io.BufferedOutputStream.flush(BufferedOutputStream.java:140)
at java.io.DataOutputStream.flush(DataOutputStream.java:123)
at com.rabbitmq.client.impl.SocketFrameHandler.sendHeader(SocketFrameHandler.java:129)
at com.rabbitmq.client.impl.SocketFrameHandler.sendHeader(SocketFrameHandler.java:134)
at com.rabbitmq.client.impl.AMQConnection.start(AMQConnection.java:277)
at com.rabbitmq.client.ConnectionFactory.newConnection(ConnectionFactory.java:647)
at org.springframework.amqp.rabbit.connection.AbstractConnectionFactory.createBareConnection(AbstractConnectionFactory.java:273)
at org.springframework.amqp.rabbit.connection.CachingConnectionFactory.createConnection(CachingConnectionFactory.java:510)
at com.xoom.inf.amqp.TlsTest.contactBrokerOverTLS(TlsTest.java:42)
我的RabbitMQ代理配置为协商tlsv1,tlsv1.1和tlsv1.2。为什么在代理应支持tlsv1和tlsv1.1时TLS设置失败?相同的Java客户端可以与RabbitMQ 3.3.1 / Erlang R16B02代理协商TLSv1。
谢谢。
答案 0 :(得分:1)
18.3.x系列中的Erlang ssl应用程序中存在一些回归。其中一个导致您所看到的内容:客户端在握手期间拒绝,服务器端登录insufficient security。如果我没记错的话,这出现在补丁18.3.3中,并在18.3.4中修复。这不是客户的问题。
在18.3.2中有一个回归,修正在18.3.3中,这阻止了RabbitMQ的启动(由于密码套件的表示发生了变化)。
因此建议保持18.3(初始版本)或更新到19.x。