SSL / TLS - Can't connect from C# Client


MrJacques

Apr 19, 2020, 11:03:51 AM
to rabbitmq-users
I've followed the official guide to get basic TLS support going (self signed cert), but I'm having issues connecting from the client. The result I get is "None of the specified endpoints were reachable". I've tried with various combinations of client side configuration settings (ports, host names, turning off firewall, etc.). Any advice would be appreciated.

Erlang OTP 22.3
RabbitMQ Server 3.8.3 on Windows 10 Pro.

rabbitmq-diagnostics listeners:

Interface: [::], port: 25672, protocol: clustering, purpose: inter-node and CLI tool communication
Interface: [::], port: 5672, protocol: amqp, purpose: AMQP 0-9-1 and AMQP 1.0
Interface: 0.0.0.0, port: 5672, protocol: amqp, purpose: AMQP 0-9-1 and AMQP 1.0
Interface: [::], port: 5671, protocol: amqp/ssl, purpose: AMQP 0-9-1 and AMQP 1.0 over TLS
Interface: 0.0.0.0, port: 5671, protocol: amqp/ssl, purpose: AMQP 0-9-1 and AMQP 1.0 over TLS
Interface: [::], port: 15672, protocol: http, purpose: HTTP API
Interface: 0.0.0.0, port: 15672, protocol: http, purpose: HTTP API

rabbitmq-diagnostics check_port_connectivity:

Testing TCP connections to all active listeners on node
Successfully connected to ports 5671, 5671, 5672, 5672, 15672, 15672, 25672 on node

C# Client (net 4.6.1, RabbitMQ Nuget Version 6.0.0, but I also tried with v5)

// Requires: using System; using System.Text; using System.Security.Authentication;
//           using RabbitMQ.Client;  (txtInfo is a TextBox on the hosting form)
private void TestSSL()
{
    try
    {
        var factory = new ConnectionFactory();
        factory.UserName = "user";
        factory.Password = "password";
        factory.HostName = "localhost";
        factory.Port = 5672;
        factory.VirtualHost = "vwsa";
        factory.Ssl.Enabled = true;

        if (factory.Ssl.Enabled)
        {
            // Switch to the TLS listener; ServerName is the name checked against the certificate
            factory.Port = 5671;
            factory.Ssl.ServerName = "localhost";
            factory.Ssl.Version = SslProtocols.Tls12;
            //factory.Ssl.ServerName = factory.HostName;
            //factory.Ssl.CertPath = @"C:\Users\jacques\AppData\Roaming\RabbitMQ\tls-certs\client_certificate.pem";
        }

        using (var conn = factory.CreateConnection())
        {
            using (var channel = conn.CreateModel())
            {
                //non-durable, exclusive, auto-delete queue
                channel.QueueDeclare("rabbitmq-csharp-test", false, true, true, null);
                channel.BasicPublish("", "rabbitmq-csharp-test", null, Encoding.UTF8.GetBytes("Hello, World"));

                var chResponse = channel.BasicGet("rabbitmq-csharp-test", false);
                if (chResponse == null)
                {
                    txtInfo.AppendText("No message retrieved");
                }
                else
                {
                    var body = chResponse.Body;  // ReadOnlyMemory<byte> in client 6.x
                    txtInfo.AppendText("Received: " + Encoding.UTF8.GetString(body.ToArray()));
                }
            }
        }
    }
    catch (Exception ex)
    {
        // Only the outer message is shown; ex.ToString() would also include any inner exception
        txtInfo.AppendText("Error: " + ex.Message);
    }
}

Another test, from WSL. The error could just be due to it being from within WSL, or may be part of the issue.

OpenSSL> s_client -connect localhost:5761 -tls1
140524518379968:error:0200206F:system library:connect:Connection refused:../crypto/bio/b_sock2.c:110:
140524518379968:error:2008A067:BIO routines:BIO_connect:connect error:../crypto/bio/b_sock2.c:111:
140524518379968:error:0200206F:system library:connect:Connection refused:../crypto/bio/b_sock2.c:110:
140524518379968:error:2008A067:BIO routines:BIO_connect:connect error:../crypto/bio/b_sock2.c:111:
140524518379968:error:0200206F:system library:connect:Connection refused:../crypto/bio/b_sock2.c:110:
140524518379968:error:2008A067:BIO routines:BIO_connect:connect error:../crypto/bio/b_sock2.c:111:
connect:errno=111
error in s_client


Luke Bakken

Apr 20, 2020, 10:45:11 AM
to rabbitmq-users
Hello,

Can your client connect without certs to port 5672?

Have you tried connecting to port 5672 using a program like netcat or telnet, just to see if the TCP port is open?

Have you tried totally disabling the Windows firewall?

Run an administrative command prompt and check the output of netstat -an to ensure that RabbitMQ is listening as you expect.

All of the above is covered in this guide - https://www.rabbitmq.com/troubleshooting-networking.html

Thanks,
Luke

Jacques Doubell

Apr 20, 2020, 11:03:23 AM
to rabbitm...@googlegroups.com
Hi, Port 5672 works fine, without SSL. It's the TLS part that I can't get working.




Luke Bakken

Apr 20, 2020, 11:09:57 AM
to rabbitmq-users
Hello,

Please install OpenSSL for Windows (not WSL) and use that to test port 5671 - https://www.rabbitmq.com/troubleshooting-ssl.html

Can you telnet to port 5671?

Are you certain TLS is configured correctly for RabbitMQ? Is anything logged by RabbitMQ? Are your certificate files readable, and correctly configured in rabbitmq.conf? Is the erl.exe process actually listening on port 5671 (confirm with netstat)?

Thanks -
Luke


MrJacquers

Apr 29, 2020, 5:24:52 AM
to rabbitmq-users
I installed a JDK and tested using the simple echo client code example from the official documentation. That works, no issues, so my server setup, ports, etc. must be correct.

This seems to be an issue with the C# client. It seems to be handling things differently and the error message is either incorrect or lacking detail.

Kind Regards.

Jacques Doubell

Apr 29, 2020, 6:26:47 AM
to rabbitm...@googlegroups.com
I downloaded the source for the C# client. Debugging it reveals the actual exception, which is: "The remote certificate is invalid according to the validation procedure."

I do wonder why the Java client doesn't have this issue? Surely the libraries should behave similarly?


Jacques Doubell

Apr 29, 2020, 9:50:40 AM
to rabbitm...@googlegroups.com
I finally have it working locally. Not in production, but our network has other policies, etc.

I had to add this code:

factory.Ssl.AcceptablePolicyErrors = System.Net.Security.SslPolicyErrors.RemoteCertificateChainErrors |
    System.Net.Security.SslPolicyErrors.RemoteCertificateNameMismatch |
    System.Net.Security.SslPolicyErrors.RemoteCertificateNotAvailable;

Luke Bakken

Apr 29, 2020, 10:05:22 AM
to rabbitmq-users
Hi Jacques,

Thanks for writing back to the list.

Your solution isn't unique to the RabbitMQ .NET client. Any C# code using your certificates would have to apply those policy settings. Please note that by doing so, you are disabling all validation checks on the server's identity.

Thanks,
Luke
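An alternative to the AcceptablePolicyErrors workaround that keeps name and chain validation in place, added here as an example and not code from this thread or from the RabbitMQ project: instead of accepting every chain and name error, the client pins the private CA that issued the broker certificate and rejects everything else. It assumes the RabbitMQ.Client 6.x SslOption API (CertificateValidationCallback), a placeholder path to the CA certificate (or to the server certificate itself if it is self-signed), and a host name that appears in the server certificate.

```csharp
using System;
using System.Net.Security;
using System.Security.Authentication;
using System.Security.Cryptography.X509Certificates;
using RabbitMQ.Client;

static class PinnedCaFactory
{
    // Placeholder path (assumption): the CA, or self-signed server, certificate the broker's cert chains to.
    const string CaCertPath = @"C:\path\to\ca_certificate.pem";

    public static ConnectionFactory Create(string host, string user, string password, string vhost)
    {
        var ca = new X509Certificate2(CaCertPath);
        var factory = new ConnectionFactory
        {
            HostName = host, Port = 5671, UserName = user, Password = password, VirtualHost = vhost
        };
        factory.Ssl.Enabled = true;
        factory.Ssl.Version = SslProtocols.Tls12;
        factory.Ssl.ServerName = host;  // must appear in the server certificate's CN or SAN
        // AcceptablePolicyErrors stays at its default (None); the trust decision is made below.
        factory.Ssl.CertificateValidationCallback = (sender, cert, chain, errors) =>
        {
            // A missing certificate or a name mismatch is rejected unconditionally.
            if ((errors & ~SslPolicyErrors.RemoteCertificateChainErrors) != SslPolicyErrors.None)
                return false;
            if (errors == SslPolicyErrors.None)
                return true;  // already chains to a root the OS trusts
            // Chain error only: rebuild the chain with the private CA as the one acceptable anchor.
            using (var custom = new X509Chain())
            {
                custom.ChainPolicy.ExtraStore.Add(ca);
                custom.ChainPolicy.VerificationFlags = X509VerificationFlags.AllowUnknownCertificateAuthority;
                custom.ChainPolicy.RevocationMode = X509RevocationMode.NoCheck;  // private CA publishes no CRL
                if (!custom.Build(new X509Certificate2(cert)))
                    return false;  // expired, wrong key usage, or bad signature somewhere in the chain
                var root = custom.ChainElements[custom.ChainElements.Count - 1].Certificate;
                return root.Thumbprint == ca.Thumbprint;  // any other unknown root is rejected
            }
        };
        return factory;
    }
}
```

With this in place, `factory.CreateConnection()` still fails for a certificate whose name does not match or that was issued by any CA other than the pinned one, which is exactly what the AcceptablePolicyErrors line switches off.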

MrJacquers

Apr 29, 2020, 10:44:58 AM
to rabbitmq-users
Thanks. I realize that and it's fine.

Getting the C# configuration correct is a bit tricky; perhaps the documentation can be updated, as it would help others save some time.

Luke Bakken

Apr 29, 2020, 10:54:19 AM
to rabbitmq-users
Hello,

What documentation specifically could be improved to address this issue? It is all open-source and we would gladly review a pull request to improve it.

Thanks -
Luke