there is a issue about tls_handshake of rabbitmq using auth_http

[陈世飞（china clever eyes）]

Currently , I use rabbitmq 3.12.10, I use MQTT protocol of RabbitMQ for my services,  and RabbitMQ configured auth_http configuration which address is the API exported by my java service,   user and password are generated by my java service. When I connect to RabbitMQ mqtt port(8883) with tls certificates, the RabbitMQ broker log print some errors like this:

2023-12-14 07:34:22.999642+00:00 [notice] <0.12823.0> TLS server: In state hello at tls_handshake.erl:354 generated SERVER ALERT: Fatal - Insufficient Security

2023-12-14 07:34:22.999642+00:00 [notice] <0.12823.0> - no_suitable_ciphers

I tried rabbitmq 3.11.4, there is no this problem.

finally, I added my configuration of rabbitmq, hope to get your help. and I don't know if it is a bug for MQTT.

## Username and password
##
default_user = admin
## Clustering
##
cluster_formation.peer_discovery_backend = rabbit_peer_discovery_k8s
cluster_formation.k8s.host = kubernetes.default
cluster_formation.node_cleanup.interval = 10
cluster_formation.node_cleanup.only_log_warning = true
cluster_partition_handling = autoheal

# queue master locator
queue_master_locator = min-masters
# enable loopback user
loopback_users.admin = false
mqtt.listeners.tcp.default = 1883
mqtt.listeners.ssl.default = 8883
mqtt.listeners.tcp = none
loopback_users = none
listeners.ssl.default = 5671
ssl_options.password = bunnies
ssl_options.verify = verify_none
ssl_options.fail_if_no_peer_cert = false
ssl_options.versions.1 = tlsv1.3
ssl_options.versions.2 = tlsv1.2
ssl_options.versions.3 = tlsv1.1
auth_http.user_path = https://mqttauthmanager.mindsphere-conn.svc.cluster.local/api/v3/auth/user
auth_http.vhost_path = https://mqttauthmanager.mindsphere-conn.svc.cluster.local/api/v3/auth/vhost
auth_http.resource_path = https://mqttauthmanager.mindsphere-conn.svc.cluster.local/api/v3/auth/resource
auth_http.topic_path = https://mqttauthmanager.mindsphere-conn.svc.cluster.local/api/v3/auth/topic
log.file.level = info
mqtt.vhost = mqtt
mqtt.exchange = amq.topic
mqtt.allow_anonymous = false
# auth config
auth_backends.1.authn = internal
auth_backends.1.authz = internal
auth_backends.2.authz = cache
auth_backends.2.authn = http
auth_backends.3.authz = http
auth_cache.cached_backend = http
auth_http.http_method = post
auth_cache.cache_ttl = 3500000
tcp_listen_options.backlog = 128
tcp_listen_options.nodelay = true
tcp_listen_options.linger.on = true
tcp_listen_options.linger.timeout = 0
tcp_listen_options.keepalive = false
ssl_options.verify = verify_peer
listeners.ssl.default = 5671
ssl_options.fail_if_no_peer_cert = false
ssl_options.cacertfile = /opt/bitnami/rabbitmq/certs/ca_certificate.pem
ssl_options.certfile = /opt/bitnami/rabbitmq/certs/server_certificate.pem
ssl_options.keyfile = /opt/bitnami/rabbitmq/certs/server_key.pem
## Prometheus metrics
##
prometheus.tcp.port = 9419
## Memory Threshold
total_memory_available_override_value = 6442450944
vm_memory_high_watermark.relative = 0.5
## TCP Listen Options
##
tcp_listen_options.backlog = 128
tcp_listen_options.nodelay = true
tcp_listen_options.linger.on = true
tcp_listen_options.linger.timeout = 0
tcp_listen_options.keepalive = false

[Luke Bakken]

Hello -

Which version of Erlang are you using with RabbitMQ 3.12.10 and 3.11.4?

How are you making an MQTT connection? Can you share your code?

Thanks -

Luke

[陈世飞（china clever eyes）]

Hi,

erlang of RabbitMQ 3.12.10 :   Erlang (SMP,ASYNC_THREADS) (BEAM) emulator version 14.1.1

erlang of RabbitMQ 3.11.4 :  Erlang (SMP,ASYNC_THREADS) (BEAM) emulator version 13.1.2

I use bitnami charts for rabbitmq,

and chart information as following:

---  Chart.yaml ---
annotations:
  category: Infrastructure
  images: |
    - name: os-shell
      image: docker.io/bitnami/os-shell:11-debian-11-r91
    - name: rabbitmq
      image: docker.io/bitnami/rabbitmq:3.12.10-debian-11-r1
  licenses: Apache-2.0
apiVersion: v2
appVersion: 3.12.10
dependencies:
- name: common
  repository: oci://registry-1.docker.io/bitnamicharts
  tags:
  - bitnami-common
  version: 2.x.x
description: RabbitMQ is an open source general-purpose message broker that is designed
  for consistent, highly-available messaging scenarios (both synchronous and asynchronous).
home: https://bitnami.com
icon: https://bitnami.com/assets/stacks/rabbitmq/img/rabbitmq-stack-220x234.png
keywords:
- rabbitmq
- message queue
- AMQP
maintainers:
- name: VMware, Inc.
  url: https://github.com/bitnami/charts
name: rabbitmq
sources:
- https://github.com/bitnami/charts/tree/main/bitnami/rabbitmq
version: 12.5.6

and I am using MQTTX to connect rabbitmq MQTT API, like the picture.   and the user _CertificateBearer is gernerated with business tenant.

and broker will interact with "https://mqttauthmanager.mindsphere-conn.svc.cluster.local/api/v3/auth" using your auth_http module.

When I click connect button ,  the MQTTX will try to connect rabbitmq broker, and then rabbitmq broker will interact with " https://mqttauthmanager.mindsphere-conn.svc.cluster.local/api/v3/auth" , the url " https://mqttauthmanager.mindsphere-conn.svc.cluster.local/api/v3/auth " which is provided by my java micro services is for auth_http.

so I don't know how to troubleshoot it.  By the way , I can connect to rabbitmq broker using admin user that provide by broker itself secucessfully.

I think its just issue about auth_http module?

[Luke Bakken]

Hello -

no_suitable_ciphers usually means there is something wrong with your TLS / SSL settings, or maybe your certificate.

You have many different parts in your environment, so I won't be able to try to reproduce what you report. You will have to simplify your setup to the point where it works as expected, then add parts back.

• Start with just your RabbitMQ broker. Can you verify that TLS works correctly for connections to port 5671 and 8883?
  • Use an MQTT client to connect to port 8883. Ensure that the client is configured to use TLS and that authentication works.
  • Use PerfTest to connect to port 5671 - https://perftest.rabbitmq.com/
  • Use "openssl s_client" to connect to both ports - https://www.rabbitmq.com/troubleshooting-ssl.html#openssl-tools
• Can you verify that a TLS connection to port 443 of your HTTP auth server works? https://www.rabbitmq.com/troubleshooting-ssl.html#openssl-tools
• If all of the above succeed, configure RabbitMQ to connect to your HTTP auth backend using plain HTTP, not HTTPS. Does that work?
• If all of the above succeed, configure RabbitMQ to use HTTPS  for the auth backend, but remove the "cache" backend from your auth backends, and remove "ssl_options.versions". Does HTTPS auth backend work now?

Thanks -

Luke

[陈世飞（china clever eyes）]

We tried ,   We only get an error when we configure http auth backend.    but old version of broker work.

Is there a configuration that  does not check certificates while accessing  http auth backend service?

[Michal Kuratczyk]

It's more about the Erlang/OTP change than RabbitMQ change.

OTP26 defaults to verify_peer and not verify_none as it was before: https://www.erlang.org/blog/otp-26-highlights/#ssl-safer-defaults

--
You received this message because you are subscribed to the Google Groups "rabbitmq-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email to rabbitmq-user...@googlegroups.com.
To view this discussion on the web, visit https://groups.google.com/d/msgid/rabbitmq-users/a31a2d4d-2cce-475f-bca1-164f568a6e6cn%40googlegroups.com.

--

Michal

RabbitMQ Team

This electronic communication and the information and any files transmitted with it, or attached to it, are confidential and are intended solely for the use of the individual or entity to whom it is addressed and may contain information that is confidential, legally privileged, protected by privacy laws, or otherwise restricted from disclosure to anyone else. If you are not the intended recipient or the person responsible for delivering the e-mail to the intended recipient, you are hereby notified that any use, copying, distributing, dissemination, forwarding, printing, or copying of this e-mail is strictly prohibited. If you received this e-mail in error, please return the e-mail to the sender, delete it from your computer, and destroy any printed copy of it.

[陈世飞（china clever eyes）]

but we use " Erlang (SMP,ASYNC_THREADS) (BEAM) emulator version 14.1.1 " , not OPT26,

and what options can we configure to skip checking the backend http endpoint in rabbitmq.conf?

[Michal Kuratczyk]

ERTS 14.1.1 is a component of Erlang/OTP 26.1.2 (https://github.com/erlang/otp/blob/master/otp_versions.table).

You can see the TLS options here:

https://github.com/rabbitmq/rabbitmq-server/tree/main/deps/rabbitmq_auth_backend_http#using-tlshttps

To view this discussion on the web, visit https://groups.google.com/d/msgid/rabbitmq-users/9b9e5cc3-8fc5-4a6e-b624-5a0f23a75b9fn%40googlegroups.com.

[陈世飞（china clever eyes）]

but when I already configured following:

ssl_options.verify = verify_none

ssl_options.fail_if_no_peer_cert = false

It still perform bad.

[Luke Bakken]

Hello,

You need to use the advanced.config file in this case, which I have attached to this response. Put it in the same directory as rabbitmq.conf, and restart RabbitMQ. The startup log should show that both configuration files are being used.

Then, run rabbitmqctl environment, save the output to a file, and attach the file to your response so I can double-check that the expected settings are being used.

Thanks,

Luke

[Luke Bakken]

Note that I have created an issue to make this configuration easier - https://github.com/rabbitmq/rabbitmq-server/issues/10281

[陈世飞（china clever eyes）]

ok, It works when I add advanced config:

[
    {rabbitmq_auth_backend_http, [
        {ssl_options, [
            {verify, verify_none},
            {fail_if_no_peer_cert, false}
        ]}
    ]},
{rabbitmq_event_exchange, [
      {vhost, <<"mqtt">>}
]}
].