Bunny Specs + Docker + SSL


Andrew Babichev

Dec 20, 2017, 4:14:25 AM
to rabbitmq-users
Hi,

When I try to run the specs in spec/higher_level_api/integration/connection_spec.rb I get the following error:

OpenSSL::SSL::SSLError: hostname "127.0.0.1" does not match the server certificate

I found that the current SSL certificates were created for the "mercurio" host, but I run the specs against a dockerized rabbitmq server (127.0.0.1). I'm a newbie in SSL generally and RMQ support particularly, so could you please help me figure out the proper way to prepare certificates to run the tests on a local machine with Docker?


Andrew Babichev

Dec 20, 2017, 4:27:47 AM
to rabbitmq-users
I have to add that it happens when I actually start the session with the SSL configuration.

context "initialized with tls: true" do
  let(:subject) do
    described_class.new(username: "bunny_gem",
                        password: "bunny_password",
                        vhost: "bunny_testbed",
                        tls: true,
                        tls_cert: "spec/tls/client_certificate.pem",
                        tls_key: "spec/tls/client_key.pem",
                        tls_ca_certificates: ["./spec/tls/ca_certificate.pem"])
  end

  it "uses TLS port" do
    subject.start
    expect(subject.port).to eq tls_port
  end
end


On Wednesday, December 20, 2017 at 11:14:25 UTC+2, Andrew Babichev wrote:

Michael Klishin

Dec 20, 2017, 10:30:33 AM
to rabbitmq-users
Please override https://github.com/ruby-amqp/bunny/blob/master/spec/higher_level_api/integration/tls_connection_spec.rb#L5 when testing
locally. The tests assume tls-gen's basic profile is used [1].

The Docker image should be modified to use that as well.

1. https://github.com/ruby-amqp/bunny/blob/master/spec/higher_level_api/integration/tls_connection_spec.rb#L5

Michael Klishin

Dec 20, 2017, 10:37:57 AM
to rabbitm...@googlegroups.com
Another value you can override which will be machine-specific for the TLS suite:
https://github.com/ruby-amqp/bunny/blob/master/spec/higher_level_api/integration/tls_connection_spec.rb#L38.

--
You received this message because you are subscribed to the Google Groups "rabbitmq-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email to rabbitmq-users+unsubscribe@googlegroups.com.
To post to this group, send email to rabbitmq-users@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.



--
MK

Staff Software Engineer, Pivotal/RabbitMQ

Michael Klishin

Dec 20, 2017, 11:54:29 AM
to rabbitm...@googlegroups.com
This discussion continued in Andrew's pull request: https://github.com/ruby-amqp/bunny/pull/534,
which uncovered a bug in an amq-protocol URI/option parser function among other things.


Andrew Babichev

Dec 21, 2017, 9:06:20 AM
to rabbitmq-users
In the end, only adding the following entry to /etc/hosts solved the issue:
127.0.0.1 mercurio
and the following env var assignment to docker-compose.yml:

    environment:
      BUNNY_RABBITMQ_HOSTNAME: mercurio

I don't know why bunny has certs generated against the "mercurio" hostname rather than "localhost" or "127.0.0.1". Michael, could you give me some insight on this?


On Wednesday, December 20, 2017 at 11:14:25 UTC+2, Andrew Babichev wrote:

Andrew Babichev

Dec 21, 2017, 9:18:25 AM
to rabbitmq-users
Also, how do you export env vars locally? For ruby apps we usually use figaro or dotenv, if the app is not dockerized.

On Wednesday, December 20, 2017 at 11:14:25 UTC+2, Andrew Babichev wrote:

Andrew Babichev

Dec 22, 2017, 3:45:03 AM
to rabbitmq-users
Regarding the "Extend URI Parsing Specs" GitHub PR, I'm still concerned about the "mercurio" hostname default.
After I attentively read the "TLS Support" page of the official RabbitMQ documentation and re-read bunny's CONTRIBUTING.md, I realised that tls-gen was run with the CN=mercurio option configured (or it was picked up as the local hostname where the keys were generated), which can be specified during certificate generation. But it's not user-friendly for a contributor, because almost everybody relies on 127.0.0.1 on a local machine. Also, Docker exposes the rabbitmq server on localhost.

I think if we re-create the certs with CN=127.0.0.1 (or CN=localhost) that would greatly simplify the life of a feature contributor. I guess bunny isn't responsible for checking the host during peer cert verification, because the underlying openssl library already does that. Another variant: disable Server Name Indication during TLS context preparation.

Does it make sense?

On Wednesday, December 20, 2017 at 11:14:25 UTC+2, Andrew Babichev wrote:
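The hostname check behind the "does not match the server certificate" error, as an added illustration (example code, not from the thread and not bunny's own spec/tls material): it builds two self-signed test certificates with Ruby's openssl, one CN-only like the "mercurio" cert described above and one that also carries subjectAltName entries for localhost and 127.0.0.1 (both constructed here), and runs the same identity check OpenSSL applies after the handshake. Server Name Indication is not involved in that check, so turning it off would not make the "127.0.0.1" case pass.

```ruby
# Added example: why a CN=mercurio certificate is rejected for 127.0.0.1,
# and which names a locally usable test certificate would need instead.
require "openssl"

# Build a self-signed certificate with the given CN and, optionally, a
# subjectAltName extension (e.g. "DNS:localhost,IP:127.0.0.1").
# Both certificates below are constructed for this example only.
def make_cert(cn, sans = nil)
  key  = OpenSSL::PKey::RSA.new(2048)
  cert = OpenSSL::X509::Certificate.new
  cert.version    = 2
  cert.serial     = 1
  cert.subject    = OpenSSL::X509::Name.parse("/CN=#{cn}")
  cert.issuer     = cert.subject
  cert.public_key = key.public_key
  cert.not_before = Time.now
  cert.not_after  = Time.now + 3600
  if sans
    ef = OpenSSL::X509::ExtensionFactory.new(cert, cert)
    cert.add_extension(ef.create_extension("subjectAltName", sans))
  end
  cert.sign(key, OpenSSL::Digest.new("SHA256"))
  cert
end

# The check OpenSSL::SSL::SSLSocket#post_connection_check performs once the
# TLS handshake is done: does the certificate name the host we dialed?
# With SAN entries present, the CN is ignored; without them, CN is used.
def identity_matches?(cert, host)
  OpenSSL::SSL.verify_certificate_identity(cert, host)
end

# CN-only certificate, like the one the thread describes.
MERCURIO_ONLY = make_cert("mercurio")
# Certificate that also names what a dockerized test setup connects to.
LOCAL_FRIENDLY = make_cert("mercurio", "DNS:mercurio,DNS:localhost,IP:127.0.0.1")

if __FILE__ == $0
  puts "CN=mercurio cert vs 127.0.0.1: #{identity_matches?(MERCURIO_ONLY, '127.0.0.1')}"
  puts "CN=mercurio cert vs mercurio:  #{identity_matches?(MERCURIO_ONLY, 'mercurio')}"
  puts "SAN cert vs 127.0.0.1:         #{identity_matches?(LOCAL_FRIENDLY, '127.0.0.1')}"
  puts "SAN cert vs localhost:         #{identity_matches?(LOCAL_FRIENDLY, 'localhost')}"
end
```

The second line is what the /etc/hosts workaround relies on: connecting by the name "mercurio" makes the CN match, while the certificate itself stays unchanged.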

Michael Klishin

Dec 24, 2017, 12:36:19 AM
to rabbitm...@googlegroups.com
Both certificate/key pair location and hostname can and should be overridden:
https://github.com/ruby-amqp/bunny/blob/master/CONTRIBUTING.md.

