RabbitMQ - OpenSSL: To securely connect the server and client.

[Chaithanya Krishna B]

Using OpenSSL I have generated the ca cert, key and certificate, as shown below:

C:\OpenSSL-Win64\bin>openssl req -x509 -config openssl.cfg -newkey rsa:2048 -days 365 -out ca_certificate_bundle.pem -outform PEM -subj /CN=MyTestCA/ -nodes

Generating a 2048 bit RSA private key

..................................................+++

...................................................................................................+++

writing new private key to 'privkey.pem'

-----

 

C:\OpenSSL-Win64\bin>openssl req -newkey rsa:2048 -nodes -keyout private_key.pem -x509 -days 365 -out certificate.pem

Generating a 2048 bit RSA private key

........................................................................................................................................................................................................+++

...+++

writing new private key to 'private_key.pem'

-----

You are about to be asked to enter information that will be incorporated

into your certificate request.

What you are about to enter is what is called a Distinguished Name or a DN.

There are quite a few fields but you can leave some blank

For some fields there will be a default value,

If you enter '.', the field will be left blank.

-----

Country Name (2 letter code) [AU]:

State or Province Name (full name) [Some-State]:

Locality Name (eg, city) []:

Organization Name (eg, company) [Internet Widgits Pty Ltd]:

Organizational Unit Name (eg, section) []:

Common Name (e.g. server FQDN or YOUR name) []: MyTestCA

Email Address []:

The generated files are placed in the C:\Users\jim\AppData\Roaming\RabbitMQ

I have configured the Rabbitmq-config file as below:

{ssl_options, [{cacertfile,            "ca_certificate_bundle"},
{certfile,             "certificate.pem"},
{keyfile,              "private_key.pem"},
{versions,             ['tlsv1.2', 'tlsv1.1', tlsv1]},
{depth, 10},
{verify,               verify_peer},
{fail_if_no_peer_cert, false}]},
{ciphers,  [{ecdhe_ecdsa,aes_128_cbc,sha256},
{ecdhe_ecdsa,aes_256_cbc,sha}]},

I need to configure my client code now to have a secure channel with the server, So i have used the below API in my client code:

                channelPtr = AmqpClient::Channel::CreateSecure(
                        "C:\\Users\\jim\\AppData\\Roaming\\RabbitMQ\\ca_certificate_bundle",
                        "127.0.0.1",
                        "C:\\Users\\jim\\AppData\\Roaming\\RabbitMQ\\private_key.pem,
                        "C:\\Users\\jim\\AppData\\Roaming\\RabbitMQ\\certificate.pem",
                        5671,
                        "",
                        "",
                        "/",
                        131072,
                        false
                    );

I am getting an exception as below:

2019-04-24 18:14:05.197:      host: 127.0.0.1
2019-04-24 18:14:05.202:      port: 5671
2019-04-24 18:14:05.207:      user:
2019-04-24 18:14:05.212:      password:
2019-04-24 18:14:05.217:      vHost: /
2019-04-24 18:14:05.223:     [ AmqpClient::Channel::Create ]
2019-04-24 18:14:05.240:      Exception: class AmqpClient::AmqpLibraryException
2019-04-24 18:14:05.242:      what: Error setting client certificate for socket: SSL handshake failed

Where is the mechanism to set the TLS version and Cipher suites details in the SimpleAmqpClient, what am doing wrong here. Thank you for any help I can get on this.

[Luke Bakken]

Hello,

The following settings must be the full path to the files:

{ssl_options, [

    {cacertfile, "C:/Users/jim/AppData/Roaming/RabbitMQ/ca_certificate_bundle"},
    {certfile, "C:/Users/jim/AppData/Roaming/RabbitMQ/certificate.pem"},

    {keyfile, "C:/Users/jim/AppData/Roaming/RabbitMQ/private_key.pem"},

Also, start with a simpler configuration and do NOT specify TLS versions or ciphers until you get the basic configuration working.

Thanks,

Luke

[Krishna Chaithanya B]

But the rabbit-config file is in the same directory " C:\Users\jim\AppData\Roaming\RabbitMQ" as the certificate pem files.

--
You received this message because you are subscribed to a topic in the Google Groups "rabbitmq-users" group.
To unsubscribe from this topic, visit https://groups.google.com/d/topic/rabbitmq-users/7322jFIfXxw/unsubscribe.
To unsubscribe from this group and all its topics, send an email to rabbitmq-user...@googlegroups.com.
To post to this group, send email to rabbitm...@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

--

Regards,
Krishna Chaithanya B

[Luke Bakken]

Hello,

It doesn't matter since the working directory of the Erlang VM process is different. Like I said, you must use full path names. Did you try it?

Please see my other recommendation to use a less complicated configuration.

Finally, troubleshooting information is available here - https://www.rabbitmq.com/troubleshooting-ssl.html

Thanks,

Luke

[Krishna Chaithanya B]

Hi Luke,

I have tried your suggestions as below:

1. Tried the simpler configuration like you mentioned.

2. Use the full path to the files.

Now am not seeing the SSL Handshake error, but am still facing an error as below:

2019-04-27 22:20:21.833: [ Listener Details ]
2019-04-27 22:20:21.838:      host: 127.0.0.1
2019-04-27 22:20:21.846:      port: 5671
2019-04-27 22:20:21.851:      user: jim
2019-04-27 22:20:21.855:      password: jim
2019-04-27 22:20:21.859:      vHost: /
2019-04-27 22:20:21.864: [ AmqpClient::Channel::CreateSecure ]
2019-04-27 22:20:22.885:      Exception: class AmqpClient::AmqpLibraryException
2019-04-27 22:20:22.887:      what: Error setting client certificate for socket: a socket error occurred

I have working software with username/password queue authentication, using which am able to create queues and send message.

Now I need to change it to certificate based authentication. In the AmqpClient::Channel::CreateSecure API, do I need to pass the username and password ?

On Fri, Apr 26, 2019 at 10:54 PM Luke Bakken <lba...@pivotal.io> wrote:

Hello,

It doesn't matter since the working directory of the Erlang VM process is different. Like I said, you must use full path names. Did you try it?

Please see my other recommendation to use a less complicated configuration.

Finally, troubleshooting information is available here - https://www.rabbitmq.com/troubleshooting-ssl.html

Thanks,

Luke

On Thursday, April 25, 2019 at 11:49:17 PM UTC-7, Krishna Chaithanya B wrote:

But the rabbit-config file is in the same directory " C:\Users\jim\AppData\Roaming\RabbitMQ" as the certificate pem files.

On Wed, Apr 24, 2019 at 7:39 PM Luke Bakken <lba...@pivotal.io> wrote:

Hello,

The following settings must be the full path to the files:

{ssl_options, [

    {cacertfile, "C:/Users/jim/AppData/Roaming/RabbitMQ/ca_certificate_bundle"},
    {certfile, "C:/Users/jim/AppData/Roaming/RabbitMQ/certificate.pem"},

    {keyfile, "C:/Users/jim/AppData/Roaming/RabbitMQ/private_key.pem"},

Also, start with a simpler configuration and do NOT specify TLS versions or ciphers until you get the basic configuration working.

--

You received this message because you are subscribed to a topic in the Google Groups "rabbitmq-users" group.
To unsubscribe from this topic, visit https://groups.google.com/d/topic/rabbitmq-users/7322jFIfXxw/unsubscribe.
To unsubscribe from this group and all its topics, send an email to rabbitmq-user...@googlegroups.com.
To post to this group, send email to rabbitm...@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

[Krishna Chaithanya B]

Either I get an error like above, or I dont seen any exception after the 'createSecure' call

2019-04-27 22:35:05.650: [ Listener Details ]
2019-04-27 22:35:05.655:      host: 127.0.0.1
2019-04-27 22:35:05.661:      port: 5671
2019-04-27 22:35:05.666:      user: jim
2019-04-27 22:35:05.670:      password: jim
2019-04-27 22:35:05.674:      vHost: /
2019-04-27 22:35:05.681: [ AmqpClient::Channel::CreateSecure ]

The thread just blocks at the createSecure call. Is it a blocking call ?

[Luke Bakken]

Hello,

Could you please provide the version of all software you are using?

What client library are you using?

Finally, what is RabbitMQ logging at the same time as this error?

Thanks,

Luke

[Krishna Chaithanya B]

Hi Luke,

These are the versions.

     - Rabbitmq-c 0.9.0

     - SimpleAmqpClient 2.4.0

     - OpenSSL 1.1.0h  

I am seeing the errors as below when logged in to the browser with https://localhost:15671

2019-04-28 12:43:14.438 [error] <0.630.0> SSL: certify: ssl_alert.erl:88:Fatal error: certificate unknown
2019-04-28 12:43:14.439 [error] <0.631.0> SSL: certify: ssl_alert.erl:88:Fatal error: certificate unknown
2019-04-28 12:43:14.840 [error] <0.637.0> SSL: abbreviated: ssl_alert.erl:88:Fatal error: certificate unknown
2019-04-28 12:43:15.153 [error] <0.659.0> SSL: certify: ssl_alert.erl:88:Fatal error: certificate unknown
2019-04-28 12:43:15.153 [error] <0.658.0> SSL: certify: ssl_alert.erl:88:Fatal error: certificate unknown
2019-04-28 12:43:15.154 [error] <0.654.0> SSL: certify: ssl_alert.erl:88:Fatal error: certificate unknown
2019-04-28 12:43:15.154 [error] <0.656.0> SSL: certify: ssl_alert.erl:88:Fatal error: certificate unknown
2019-04-28 12:43:15.154 [error] <0.662.0> SSL: certify: ssl_alert.erl:88:Fatal error: certificate unknown
2019-04-28 12:43:20.624 [error] <0.664.0> SSL: certify: ssl_alert.erl:88:Fatal error: certificate unknown
2019-04-28 12:43:21.166 [error] <0.671.0> SSL: abbreviated: ssl_alert.erl:88:Fatal error: certificate unknown
2019-04-28 12:43:21.497 [error] <0.689.0> SSL: certify: ssl_alert.erl:88:Fatal error: certificate unknown
2019-04-28 12:45:41.529 [error] <0.775.0> SSL: abbreviated: ssl_alert.erl:88:Fatal error: certificate unknown

My Config file has settings as below:

{ssl_options, [{cacertfile,            "C:\Users\jim\AppData\Roaming\RabbitMQ\cacert.pem"},
{certfile,             "C:\Users\jim\AppData\Roaming\RabbitMQ\servercert.pem"},
{keyfile,              "C:\Users\jim\AppData\Roaming\RabbitMQ\key.pem"}]},

And the simpleAmqpClient API in my application is just stuck at the createSecure call, and I am not seeing any exception.

2019-04-27 22:35:05.650: [ Listener Details ]
2019-04-27 22:35:05.655:      host: 127.0.0.1
2019-04-27 22:35:05.661:      port: 5671
2019-04-27 22:35:05.666:      user: jim
2019-04-27 22:35:05.670:      password: jim
2019-04-27 22:35:05.674:      vHost: /
2019-04-27 22:35:05.681: [ AmqpClient::Channel::CreateSecure ]

At this point there are no logs in the RabbitMQ Log file too. PLEASE FIND THE ATTACHED LOG File.

Thank you.

--

You received this message because you are subscribed to a topic in the Google Groups "rabbitmq-users" group.
To unsubscribe from this topic, visit https://groups.google.com/d/topic/rabbitmq-users/7322jFIfXxw/unsubscribe.
To unsubscribe from this group and all its topics, send an email to rabbitmq-user...@googlegroups.com.
To post to this group, send email to rabbitm...@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

[Luke Bakken]

Hello,

It's unclear what the exact error is. Have you tried the troubleshooting steps in this guide? I provided the link in an earlier message:

https://www.rabbitmq.com/troubleshooting-ssl.html

On Sunday, April 28, 2019 at 7:51:34 PM UTC-7, Krishna Chaithanya B wrote:

Hi Luke,

[Krishna Chaithanya B]

Hi Luke,

Yes, I tried to go through the troubleshooting steps to some extent.

1. Check TLS Listeners (Ports)

rabbitmqctl status

 {listeners,

     [{clustering,25672,"::"},

      {'amqp/ssl',5671,"::"},

      {'amqp/ssl',5671,"0.0.0.0"},

      {https,15671,"::"},

      {https,15671,"0.0.0.0"}]},

2. Use OpenSSL tools to test the TLS connections

But here am using the same certificate / key for both server and client. I am using windows, is there a way I can use tls-gen on windows ?

c:\OpenSSL-Win64\bin>openssl s_server -accept 5761 -cert C:\Users\jim\AppData\Roaming\RabbitMQ\servercert.pem -key C:\Users\jim\AppData\Roaming\RabbitMQ\key.pem -CAfile C:\Users\jim\AppData\Roaming\RabbitMQ\cacert.pem
Using default temp DH parameters
ACCEPT
-----BEGIN SSL SESSION PARAMETERS-----
MFoCAQECAgMDBALAMAQABDBxVFXdlvCzwEFt7z7VtJbAQYNhUurobCJ3sjGEvqB5
/ns6L+D5xAiajsvreSuJRpKhBgIEXMbgNKIEAgIcIKQGBAQBAAAArQMCAQE=
-----END SSL SESSION PARAMETERS-----
Shared ciphers:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:DHE-RSA-AES256-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES256-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES128-SHA
Signature Algorithms: RSA+SHA512:DSA+SHA512:ECDSA+SHA512:RSA+SHA384:DSA+SHA384:ECDSA+SHA384:RSA+SHA256:DSA+SHA256:ECDSA+SHA256:RSA+SHA224:DSA+SHA224:ECDSA+SHA224:RSA+SHA1:DSA+SHA1:ECDSA+SHA1
Shared Signature Algorithms: RSA+SHA512:DSA+SHA512:ECDSA+SHA512:RSA+SHA384:DSA+SHA384:ECDSA+SHA384:RSA+SHA256:DSA+SHA256:ECDSA+SHA256:RSA+SHA224:DSA+SHA224:ECDSA+SHA224:RSA+SHA1:DSA+SHA1:ECDSA+SHA1
Supported Elliptic Curve Point Formats: uncompressed:ansiX962_compressed_prime:ansiX962_compressed_char2
Supported Elliptic Curves: X25519:P-256:P-521:P-384
Shared Elliptic curves: X25519:P-256:P-521:P-384
CIPHER is ECDHE-RSA-AES256-GCM-SHA384
Secure Renegotiation IS supported

------

c:\OpenSSL-Win64\bin>
c:\OpenSSL-Win64\bin>openssl s_client -connect 127.0.0.1:5761 -cert C:\Users\jim\AppData\Roaming\RabbitMQ\servercert.pem -key C:\Users\jim\AppData\Roaming\RabbitMQ\key.pem -CAfile C:\Users\jim\AppData\Roaming\RabbitMQ\cacert.pem
CONNECTED(00000158)
depth=0 CN = ISPACSRootCA
verify return:1
---
Certificate chain
0 s:/CN=ISPACSRootCA
   i:/CN=ISPACSRootCA
---
Server certificate
-----BEGIN CERTIFICATE-----
MIICzjCCAbagAwIBAgIJAIixDjyPejWIMA0GCSqGSIb3DQEBCwUAMBcxFTATBgNV
BAMMDElTUEFDU1Jvb3RDQTAeFw0xOTAzMTgxODA3MjhaFw0yNDAzMTYxODA3Mjha
MBcxFTATBgNVBAMMDElTUEFDU1Jvb3RDQTCCASIwDQYJKoZIhvcNAQEBBQADggEP
ADCCAQoCggEBANRFtNdt4f+ElFPlahVnxamqvR4M6jjtbCHQ/fJtXFiXEhSRX8Bh
23GLBhP9dpYe38SnofKWe1pEyMFrSxU4K8o0ahZBbJWGFH4uIfWOrpRKQIv+iKFI
gvpbxwX2sfFr46zmiNfoB4iy2/wOibdhETJbBJZIYUJNtOAMQejRhrjpWmI11wRW
q9GGlDwUuqlTNQvmIkwDcvQs2Hmj6n1W11bzjLSVxkeD/FYwxIAJ3MFnrB6YyJWu
txKi60vJJ7cHVRL11eqmdvIWfDibV0XGrrvD9jTT6OJ30y1Xfmv7UCks0BJjCwGe
dzqxA5OE5qqY30SgIb3c+TKm+ZruFLtaY4kCAwEAAaMdMBswDAYDVR0TBAUwAwEB
/zALBgNVHQ8EBAMCArQwDQYJKoZIhvcNAQELBQADggEBAFXxiZ/WcUqLiwyUDfmN
G/THQkwl1t8PUdHQilem/EfB05C9R68gnotNzcT1YTRzRMvWPCdzQCQHjueqPrhD
zf43PWNxBMq2EC6Y3Q7ozRMZgfnc419REoM+FtMkEcxxu0BJrhyQvpp1XdMT/CMk
aI7UTeVJpzDhp6tUoAlKdL+FG+EMAqq4vT2W/t55nJYQb0WN2fbkMyre5s+VZ2ZA
VSOgg+yuLeMy+/HFLnjqIcPcDS/rAM0R0JQ4J5wJ7wfr+OOY+csNNfSJ8Mjf3QqC
YOlA0rrqLDuxfsoXhC3lSQkT/Zy7EANqK3uKGn9Abn2KjNIrXxoO4lOT5FCOQIcp
1RQ=
-----END CERTIFICATE-----
subject=/CN=ISPACSRootCA
issuer=/CN=ISPACSRootCA
---
No client certificate CA names sent
Peer signing digest: SHA512
Server Temp Key: X25519, 253 bits
---
SSL handshake has read 1347 bytes and written 269 bytes
Verification: OK
---
New, TLSv1.2, Cipher is ECDHE-RSA-AES256-GCM-SHA384
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES256-GCM-SHA384
    Session-ID: 7A2B3B9814F41C3C5D8D9906699F3BC567CDBC5FEDB2142DE27981E7B7CF4DC3
    Session-ID-ctx:
    Master-Key: 715455DD96F0B3C0416DEF3ED5B496C041836152EAE86C2277B23184BEA079FE7B3A2FE0F9C4089A8ECBEB792B894692
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    TLS session ticket lifetime hint: 7200 (seconds)
    TLS session ticket:
    0000 - 57 da 9e 60 11 b9 44 a1-07 2f 54 38 39 e0 37 d6   W..`..D../T89.7.
    0010 - 28 1b a7 43 0e a9 e4 0f-e5 b3 fa 3f b6 9e db 56   (..C.......?...V
    0020 - 41 97 2d eb 97 83 63 60-3e 93 c7 19 30 fd 3e ad   A.-...c`>...0.>.
    0030 - 2a e5 b3 ac fa d3 c0 77-0e c0 ee 7e a5 06 22 38   *......w...~.."8
    0040 - 55 b4 a7 d2 5c 8f 21 0d-67 72 af c7 f1 69 5a 06   U...\.!.gr...iZ.
    0050 - b4 59 11 6a c5 2a b8 01-63 4f 8f bb 16 ae 91 60   .Y.j.*..cO.....`
    0060 - bd 09 fb ec 00 0f 7a 12-c2 26 0e 85 d4 c2 57 68   ......z..&....Wh
    0070 - bf b5 22 b2 63 8b 83 75-8e 55 3f ed 32 a5 3b 1a   ..".c..u.U?.2.;.
    0080 - 3f 2c 68 e4 2f 81 be 2c-4f a5 2a 9c d4 e3 2a 4c   ?,h./..,O.*...*L
    0090 - 1a f6 d9 89 2d 56 3d 03-00 90 c8 de 3d 4f 6e c0   ....-V=.....=On.

    Start Time: 1556537396
    Timeout   : 7200 (sec)
    Verify return code: 0 (ok)
    Extended master secret: yes
---

--

You received this message because you are subscribed to a topic in the Google Groups "rabbitmq-users" group.
To unsubscribe from this topic, visit https://groups.google.com/d/topic/rabbitmq-users/7322jFIfXxw/unsubscribe.
To unsubscribe from this group and all its topics, send an email to rabbitmq-user...@googlegroups.com.
To post to this group, send email to rabbitm...@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

[Luke Bakken]

Hi Krishna,

I've never tried tls-gen on Windows. There's a good chance it will work if openssl.exe is in your PATH, as well as Python.

Have you used openssl s_client to connect to port 5671 and 15671 while RabbitMQ is running? That will provide useful information. Be sure to add the -verify 4 argument to s_client - that enables peer cert verification to a depth of 4.

Thanks,

Luke

To unsubscribe from this group and all its topics, send an email to rabbitmq-users+unsubscribe@googlegroups.com.
To post to this group, send email to rabbitmq-users@googlegroups.com.

For more options, visit https://groups.google.com/d/optout.

[Krishna Chaithanya B]

Hi Luke,

This is what the settings I have in the config file for management plugin

[{listener,
            [{port,     15671},
                {ssl,      true},
                {ssl_opts, [{cacertfile, "cacert.pem"},
                            {certfile,   "servercert.pem"},
                            {keyfile,    "key.pem"}]}
            ]}
]},

{ssl_listeners, [5671]},

{ssl_options, [{cacertfile,            "C:\Users\jim\AppData\Roaming\RabbitMQ\cacert.pem"},
{certfile,             "C:\Users\jim\AppData\Roaming\RabbitMQ\servercert.pem"},
{keyfile,              "C:\Users\jim\AppData\Roaming\RabbitMQ\key.pem"}
]},

With RabbitMQ running, this is what s_client returns

c:\OpenSSL-Win64\bin>openssl s_client -connect 127.0.0.1:5761 -verify 4 -cert C:\Users\jim\AppData\Roaming\RabbitMQ\servercert.pem -key C:\Users\jim\AppData\Roaming\RabbitMQ\key.pem -CAfile C:\Users\jim\AppData\Roaming\RabbitMQ\cacert.pem
verify depth is 4
26096:error:0200274D:system library:connect:reason(1869):crypto\bio\b_sock2.c:108:
26096:error:2008A067:BIO routines:BIO_connect:connect error:crypto\bio\b_sock2.c:109:
connect:errno=0

To unsubscribe from this group and all its topics, send an email to rabbitmq-user...@googlegroups.com.
To post to this group, send email to rabbitm...@googlegroups.com.

For more options, visit https://groups.google.com/d/optout.

--

Regards,
Krishna Chaithanya B

--

You received this message because you are subscribed to a topic in the Google Groups "rabbitmq-users" group.
To unsubscribe from this topic, visit https://groups.google.com/d/topic/rabbitmq-users/7322jFIfXxw/unsubscribe.

To unsubscribe from this group and all its topics, send an email to rabbitmq-user...@googlegroups.com.
To post to this group, send email to rabbitm...@googlegroups.com.

For more options, visit https://groups.google.com/d/optout.

[Luke Bakken]

Krishna -

You must use full paths in all sections of your configuration related to certificates.

You can see that OpenSSL is returning an error. What does RabbitMQ log at the same time? Can you add the -debug argument to s_client?

Thanks -
Luke

On Monday, April 29, 2019 at 12:23:59 PM UTC-7, Krishna Chaithanya B wrote:

Hi Luke,

[Krishna Chaithanya B]

Hi Luke,

I have installed the latest RabbitMQ and Erlang and tried the troubleshooting steps as per the link you had shared. With the certificates, I was able to open the RabbitMQ management plugin but the SimpleAmqpClient library that am using still fails with SSL handshake exception. I have also posted this in the GitHub.

This is my rabbitmq.conf file, and with these configuration am able to open the RabbitMQ management console with out any issue.
rabbitmq.conf.txt

And verified the Troubleshooting steps mentioned in this link, with OpenSSL the certificates are working as expected. What am I missing here, how to debug further and find the reason for this failure.

This is how am calling the API in my application:

try
{
	AmqpClient::Channel::CreateSecure(
	"C:\\Users\\jim\\AppData\\Roaming\\RabbitMQ\\cacert.pem",
	"127.0.0.1",
	"C:\\Users\\jim\\AppData\\Roaming\\RabbitMQ\\key.pem",
	"C:\\Users\\jim\\AppData\\Roaming\\RabbitMQ\\servercert.pem",
	"5671",
	"guest",
	"guest",
	"/",
	131072,
	false
	);
}
catch (AmqpClient::AmqpException const& exception)
{
	file << "Exception: " << typeid(exception).name() << std::endl;
	file << "\t" << "what: " << exception.what() << std::endl;
	file << "\t" << "is_soft_error: " << exception.is_soft_error() << std::endl;
	file << "\t" << "reply_code: " << exception.reply_code() << std::endl;
	file << "\t" << "class_id: " << exception.class_id() << std::endl;
	file << "\t" << "method_id: " << exception.method_id() << std::endl;
	file << "\t" << "reply_text: " << exception.reply_text() << std::endl;
}
catch (std::exception const& exception)
{
	file << "Exception: " << typeid(exception).name() << std::endl;
	file << "\t" << "what: " << exception.what() << std::endl;
}
catch (...)
{
	
}

2019-05-03 17:38:25.467: host: 127.0.0.1
2019-05-03 17:38:25.473: port: 5671
2019-05-03 17:38:25.478: user: guest
2019-05-03 17:38:25.484: password: guest
2019-05-03 17:38:25.488: vHost: /
2019-05-03 17:38:25.494: [ AmqpClient::Channel::CreateSecure ]
2019-05-03 17:38:25.512: Exception: class AmqpClient::AmqpLibraryException
2019-05-03 17:38:25.513: what: Error setting client certificate for socket: SSL handshake failed

I have attached the text files with the torubleshoot responses and the rabbitMQ conf file that I have used.

--

You received this message because you are subscribed to a topic in the Google Groups "rabbitmq-users" group.
To unsubscribe from this topic, visit https://groups.google.com/d/topic/rabbitmq-users/7322jFIfXxw/unsubscribe.
To unsubscribe from this group and all its topics, send an email to rabbitmq-user...@googlegroups.com.
To post to this group, send email to rabbitm...@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

[Luke Bakken]

Hi Krishna,

Your configuration file looks good, and thank you for providing that troubleshooting output.

What does RabbitMQ log when you try to connect with SimpleAmqpClient?

Why are you using the server certificate as the client certificate?

Also, there is one suspicious error in the troubleshooting output when connecting to RabbitMQ:

5. Attempt TLS Connection to Broker

c:\OpenSSL-Win64\bin>openssl s_client -connect 127.0.0.1:5671 -cert C:\Users\jim\AppData\Roaming\RabbitMQ\servercert.pem -key C:\Users\jim\AppData\Roaming\RabbitMQ\key.pem -CAfile C:\Users\jim\AppData\Roaming\RabbitMQ\cacert.pem
CONNECTED(00000174)
depth=0 CN = ISPACSRootCA
verify return:1
18600:error:14094412:SSL routines:ssl3_read_bytes:sslv3 alert bad certificate:ssl\record\rec_layer_s3.c:1407:SSL alert number 42
---
Certificate chain
0 s:/CN=ISPACSRootCA
   i:/CN=ISPACSRootCA
---
Server certificate

On Friday, May 3, 2019 at 6:23:48 AM UTC-7, Krishna Chaithanya B wrote:

Hi Luke,

[Krishna Chaithanya B]

Yeah I think am finding it hard to understand the mechanism to generate these certificates. I followed an online blog and generated CA, cert and key

And used the ones I generated fresh, and now the error on the SimpleAmqpClient is different and even the RabbitMQ logs has some information

My Client LOGS

2019-05-03 20:26:52.397: [ Listener Details ]
2019-05-03 20:26:52.404:      host: 127.0.0.1
2019-05-03 20:26:52.410:      port: 5671
2019-05-03 20:26:52.418:      user: jim
2019-05-03 20:26:52.428:      password: jim
2019-05-03 20:26:52.430:      vHost: /
2019-05-03 20:26:52.434: [ AmqpClient::Channel::Create ]
2019-05-03 20:26:52.462:      Exception: class AmqpClient::AmqpLibraryException
2019-05-03 20:26:52.463:      what: Error setting client certificate for socket: SSL hostname verification failed

RabbitMQ logs.

2019-05-03 20:27:47.755 [error] <0.1404.0> Error on AMQP connection <0.1404.0>: einval (invalid argument)
2019-05-03 20:27:47.764 [warning] <0.1409.0> closing AMQP connection <0.1409.0> (127.0.0.1:61930 -> 127.0.0.1:5671):
client unexpectedly closed TCP connection

It seems it's more of the certificates issue, and how am configuring my client to read the certificates. Right ?

--

You received this message because you are subscribed to a topic in the Google Groups "rabbitmq-users" group.
To unsubscribe from this topic, visit https://groups.google.com/d/topic/rabbitmq-users/7322jFIfXxw/unsubscribe.
To unsubscribe from this group and all its topics, send an email to rabbitmq-user...@googlegroups.com.
To post to this group, send email to rabbitm...@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

[Krishna Chaithanya B]

Also with the fresh certificates I generated. This is the openssl s_client output:

c:\OpenSSL-Win64\bin>openssl s_client -connect 127.0.0.1:5671 -cert C:\Users\jim\AppData\Roaming\RabbitMQ\servercert.pem -key C:\Users\jim\AppData\Roaming\RabbitMQ\key.pem -CAfile C:\Users\jim\AppData\Roaming\RabbitMQ\cacert.pem

CONNECTED(00000178)
depth=1 C = IN, ST = KA, O = MyOrg, OU = MyOrgUnit, CN = MyOrgUnitCA
verify return:1
depth=0 C = IN, ST = KA, O = MyOrg, OU = MyOrgUnit, CN = MyOrgUnit Dev Certificate
verify return:1
---
Certificate chain
 0 s:/C=IN/ST=KA/O=MyOrg/OU=MyOrgUnit/CN=MyOrgUnit Dev Certificate
   i:/C=IN/ST=KA/O=MyOrg/OU=MyOrgUnit/CN=MyOrgUnitCA
 1 s:/C=IN/ST=KA/O=MyOrg/OU=MyOrgUnit/CN=MyOrgUnitCA
   i:/C=IN/ST=KA/O=MyOrg/OU=MyOrgUnit/CN=MyOrgUnitCA

---
Server certificate
-----BEGIN CERTIFICATE-----

MIIDJjCCAg4CCQDaJMYtCYgn2DANBgkqhkiG9w0BAQsFADBOMQswCQYDVQQGEwJJ
TjELMAkGA1UECAwCS0ExEDAOBgNVBAoMB1BoaWxpcHMxDjAMBgNVBAsMBU5ldXJv
MRAwDgYDVQQDDAdOZXVyb0NBMB4XDTE5MDUwMzE0MTQ1MVoXDTIwMDkxNDE0MTQ1
MVowXDELMAkGA1UEBhMCSU4xCzAJBgNVBAgMAktBMRAwDgYDVQQKDAdQaGlsaXBz
MQ4wDAYDVQQLDAVOZXVybzEeMBwGA1UEAwwVTmV1cm8gRGV2IENlcnRpZmljYXRl
MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA2wV8CM2QlAEtOlQJG8ix
oU7M0chi9oIu2Z7Eu4zdFZDb8TKy48QFPnQ0phU/P5YVBD1rCmXl6kuzByKWZqFa
J3EFpnTohI1t4h/teM4o57b72L1c56UBHK5+uLEDDGyD8PH2AvEwS2EaDDGhVqcL
YGSTzccyMXyIQOc6yzlwPTeyf0twCLg66ZtmC5Cdkpw2c2QBkzTIj96EhYtQMPMH
/FLy5d68WO2A3VOKULO9vJTnr+guCNjQkerkGcn05NyeV5UhrXVvNpIBVHoZ3Qiy
H6F0JcAcf6WG4Uce6u1vRcKeG2QNdvi0Dm9GcjnmpoPA+t0MRE/f7BpwkyD42/XA
wwIDAQABMA0GCSqGSIb3DQEBCwUAA4IBAQAW307AhqKOGUfFidA35V/C3NqinsXO
BBzOHg3liji5jCB+LVLHVsu739lE490+9JBOCKXB4UVULt0ECHgeq9Ghf25MsJkE
qF2h4bPPmqrQ3SciFJCAjnpKvRAiVGehWjAHzfoTr5g8fHCgsCgKocpQuiW6hnO8
LisFcnPRPkMMo4DYhBFL4xvOMhnUF3Ohazowj8Lpb6alb66bVS4h1U1NePcUEpyL
eV2TBlz35IO5e9s0YZHeAb95FmD87hcadPui/LWhvsIHz3pBGkSpsV1eOQbta3Y6
Ig2aqjdSI5dGqXTN5/JLhUXbuHMIzwlAQQqyGSDd7VIrzfvVOaSwIWcE
-----END CERTIFICATE-----
subject=/C=IN/ST=KA/O=MyOrg/OU=MyOrgUnit/CN=MyOrgUnit Dev Certificate
issuer=/C=IN/ST=KA/O=MyOrg/OU=MyOrgUnit/CN=MyOrgUnitCA
---
Acceptable client certificate CA names
/C=IN/ST=KA/O=MyOrg/OU=MyOrgUnit/CN=MyOrgUnitCA
Client Certificate Types: ECDSA sign, RSA sign, DSA sign
Requested Signature Algorithms: ECDSA+SHA512:RSA+SHA512:ECDSA+SHA384:RSA+SHA384:ECDSA+SHA256:RSA+SHA256:ECDSA+SHA224:RSA+SHA224:ECDSA+SHA1:RSA+SHA1:DSA+SHA1
Shared Requested Signature Algorithms: ECDSA+SHA512:RSA+SHA512:ECDSA+SHA384:RSA+SHA384:ECDSA+SHA256:RSA+SHA256:ECDSA+SHA224:RSA+SHA224:ECDSA+SHA1:RSA+SHA1:DSA+SHA1
Peer signing digest: SHA512
Server Temp Key: ECDH, P-256, 256 bits
---
SSL handshake has read 2325 bytes and written 2285 bytes

Verification: OK
---
New, TLSv1.2, Cipher is ECDHE-RSA-AES256-GCM-SHA384
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES256-GCM-SHA384

    Session-ID: 261936F153E80D4D9805C5CE24D03C26DACFEA2A422760E8D3C47E09EA5EFD2B
    Session-ID-ctx:
    Master-Key: 8FCB7D78E19E93B1955D5368D1C9A5BE6C301F6FCC276FA9DDB269545A744C88B62CA7D3601F2CACF7C961734DBD4B5D

    PSK identity: None
    PSK identity hint: None
    SRP username: None

    Start Time: 1556896192

    Timeout   : 7200 (sec)
    Verify return code: 0 (ok)

    Extended master secret: no
---

--

You received this message because you are subscribed to a topic in the Google Groups "rabbitmq-users" group.
To unsubscribe from this topic, visit https://groups.google.com/d/topic/rabbitmq-users/7322jFIfXxw/unsubscribe.
To unsubscribe from this group and all its topics, send an email to rabbitmq-user...@googlegroups.com.
To post to this group, send email to rabbitm...@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

[Krishna Chaithanya B]

Hi Luke,

I have changed my API to set 'verify hostname' check to FALSE.

AmqpClient::Channel::CreateSecure(
	"C:\\Users\\jim\\AppData\\Roaming\\RabbitMQ\\cacert.pem",
	"127.0.0.1",
	"C:\\Users\\jim\\AppData\\Roaming\\RabbitMQ\\key.pem",
	"C:\\Users\\jim\\AppData\\Roaming\\RabbitMQ\\servercert.pem",
	"5671",
	"guest",
	"guest",
	"/",
	131072,
	false
	);

Now the error is different.

2019-05-03 20:49:52.636:      Exception: class AmqpClient::AmqpResponseLibraryException
2019-05-03 20:49:52.637:      what: : unsupported sasl method requested

--

You received this message because you are subscribed to a topic in the Google Groups "rabbitmq-users" group.
To unsubscribe from this topic, visit https://groups.google.com/d/topic/rabbitmq-users/7322jFIfXxw/unsubscribe.
To unsubscribe from this group and all its topics, send an email to rabbitmq-user...@googlegroups.com.
To post to this group, send email to rabbitm...@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

[Luke Bakken]

OK this is looking better. The hostname check failed because the CN value in the cert doesn't match the host you're using (127.0.0.1). Disabling the check for now is fine.

When you see errors in the client, you must let us know what RabbitMQ logs at the same time. I can't stress this enough!

On Friday, May 3, 2019 at 8:28:07 AM UTC-7, Krishna Chaithanya B wrote:

Hi Luke,

[Krishna Chaithanya B]

Yeah sorry for that.

This is what the RabbitMQ logs show:

2019-05-03 22:15:02.068 [info] <0.9903.0> TLS server: In state abbreviated received CLIENT ALERT: Fatal - Certificate Unknown

2019-05-03 22:15:02.651 [info] <0.9920.0> accepting AMQP connection <0.9920.0> (127.0.0.1:56022 -> 127.0.0.1:5671)
2019-05-03 22:15:02.655 [info] <0.9923.0> accepting AMQP connection <0.9923.0> (127.0.0.1:56023 -> 127.0.0.1:5671)
2019-05-03 22:15:02.655 [info] <0.9928.0> accepting AMQP connection <0.9928.0> (127.0.0.1:56024 -> 127.0.0.1:5671)
2019-05-03 22:15:02.661 [warning] <0.9920.0> closing AMQP connection <0.9920.0> (127.0.0.1:56022 -> 127.0.0.1:5671):

client unexpectedly closed TCP connection

2019-05-03 22:15:02.663 [warning] <0.9923.0> closing AMQP connection <0.9923.0> (127.0.0.1:56023 -> 127.0.0.1:5671):

client unexpectedly closed TCP connection

2019-05-03 22:15:02.666 [warning] <0.9928.0> closing AMQP connection <0.9928.0> (127.0.0.1:56024 -> 127.0.0.1:5671):

client unexpectedly closed TCP connection

2019-05-03 22:15:02.677 [info] <0.9933.0> accepting AMQP connection <0.9933.0> (127.0.0.1:56025 -> 127.0.0.1:5671)
2019-05-03 22:15:02.691 [warning] <0.9933.0> closing AMQP connection <0.9933.0> (127.0.0.1:56025 -> 127.0.0.1:5671):

client unexpectedly closed TCP connection

--

You received this message because you are subscribed to a topic in the Google Groups "rabbitmq-users" group.
To unsubscribe from this topic, visit https://groups.google.com/d/topic/rabbitmq-users/7322jFIfXxw/unsubscribe.
To unsubscribe from this group and all its topics, send an email to rabbitmq-user...@googlegroups.com.
To post to this group, send email to rabbitm...@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

[Luke Bakken]

Hi Krishna,

You didn't mention that you're trying to get certificate authentication to work. I re-read your configuration file and see the following:

## To force x509 certificate-based authentication on all clients,
## exclude all other mechanisms (note: this will disable password-based
## authentication even for the management UI!):
##
auth_mechanisms.1 = EXTERNAL
ssl_cert_login_from   = common_name

rabbitmq-c and SimpleAmqpClient do not support EXTERNAL authentication, this is why you see "unsupported sasl method requested".

Comment-out the above two lines and I believe you will be able to connect to RabbitMQ

To unsubscribe from this group and all its topics, send an email to rabbitmq-users+unsubscribe@googlegroups.com.
To post to this group, send email to rabbitmq-users@googlegroups.com.

For more options, visit https://groups.google.com/d/optout.

[Krishna Chaithanya B]

Hi Luke,

Thank you very much, It is working fine after commenting out the changes you suggested.

Previously I was using PLAIN authentication (username/password) and my SimpleAmqpClient API looks like this:

            AmqpClient::Channel::Create(
                "127.0.0.1",
                "5672",

                "guest",
                "guest",
                "/"

            );

The reason I wanted to go with the TLS enabled / certificate based authentication was to secure the traffic between the server and client.

For that I learnt to generate SSL certificate and as of now have used same certificate for both the server and client and still provided the username/password and changed the SimpleAmqpClient API as below:

AmqpClient::Channel::CreateSecure(
    "C:\\Users\\jim\\AppData\\Roaming\\RabbitMQ\\cacert.pem",
    "127.0.0.1",
    "C:\\Users\\jim\\AppData\\Roaming\\RabbitMQ\\key.pem",
    "C:\\Users\\jim\\AppData\\Roaming\\RabbitMQ\\servercert.pem",
    "5671",
    "guest",
    "guest",
    "/",
    131072,
    false
    );

I am really thankful for your time to get me reach this milestone to get the basics working. Now I have few questions in mind:

Q1: Did I achieve the requirement of securing the data traffic between the server and client.

Q2; Do I need to generate the client and server certificate separately ?

Q3: Since SimpleAmqpClient does not support EXTERNAL auth, that means I need to still use username/password based auth ?

Thank you once again.

Regards

Krishna.

To unsubscribe from this group and all its topics, send an email to rabbitmq-user...@googlegroups.com.
To post to this group, send email to rabbitm...@googlegroups.com.

For more options, visit https://groups.google.com/d/optout.

--

Regards,
Krishna Chaithanya B

--

You received this message because you are subscribed to a topic in the Google Groups "rabbitmq-users" group.
To unsubscribe from this topic, visit https://groups.google.com/d/topic/rabbitmq-users/7322jFIfXxw/unsubscribe.

To unsubscribe from this group and all its topics, send an email to rabbitmq-user...@googlegroups.com.
To post to this group, send email to rabbitm...@googlegroups.com.

For more options, visit https://groups.google.com/d/optout.

[Luke Bakken]

Hi Krishna,

The reason I wanted to go with the TLS enabled / certificate based authentication was to secure the traffic between the server and client.

Understood. You can have an encrypted connection without using client certificate authentication. This is basically the configuration you have now.

 

Q1: Did I achieve the requirement of securing the data traffic between the server and client.

Yes.

 

Q2; Do I need to generate the client and server certificate separately ?

That's up to you at this point. Right now, you have RabbitMQ configured to require a valid client certificate when the TLS connection is established but not then use the certificate for authentication. All connections must present a certificate that is signed by the Root CA you are using, but the contents of the certificate (common name) are not used for authentication. That's why you still have to provide a username and password.

 

Q3: Since SimpleAmqpClient does not support EXTERNAL auth, that means I need to still use username/password based auth ?

Yes. Hopefully this won't be too much of an issue.

Have a good weekend -

Luke 

[Krishna Chaithanya B]

Thank you for the clarification. I have just couple of follow up questions:

Q2; Do I need to generate the client and server certificate separately ?

That's up to you at this point. Right now, you have RabbitMQ configured to require a valid client certificate when the TLS connection is established but not then use the certificate for authentication. All connections must present a certificate that is signed by the Root CA you are using, but the contents of the certificate (common name) are not used for authentication. That's why you still have to provide a username and password.

If at all I need to implement the certificate based authentication using this SimpleAmqpClient - do I have any option? I am already at a point where I can;t look for any substitute C++ library, but at the same time see what's the best option I have to authenticate the server and client connections.

Q4: The CreateSecure() SimpleAmqpClient library expects the path to the PEM files to be passed on to the API. That means I need to always package the PEM files with the application to refer the absolute path to the files in my application or is there a way like MMC (in C# world) where I can import these certificate and use in with the SimpleAmqpClient library.

Have a nice day and happy weekend for you too.

Thanks & Regards,

Krishna.

--

You received this message because you are subscribed to a topic in the Google Groups "rabbitmq-users" group.
To unsubscribe from this topic, visit https://groups.google.com/d/topic/rabbitmq-users/7322jFIfXxw/unsubscribe.
To unsubscribe from this group and all its topics, send an email to rabbitmq-user...@googlegroups.com.
To post to this group, send email to rabbitm...@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

[Michael Klishin]

Your questions are increasingly specific to the library which team RabbitMQ does not maintain and/or modern C++ application deployment practices.

Consider directing them to the client library author.

Most clients can load certificate and private key files using a relative path. It has to be on a local filesystem. I doubt that C++ would be very different.

If so it should be a trivial usability improvement to consider for the SimpleAmqpClient maintainer.

Krishna Chaithanya B:

[Krishna Chaithanya B]

Hi Michael,

Thank you for the information. Thanks to team RabbitMQ.

--
You received this message because you are subscribed to a topic in the Google Groups "rabbitmq-users" group.
To unsubscribe from this topic, visit https://groups.google.com/d/topic/rabbitmq-users/7322jFIfXxw/unsubscribe.
To unsubscribe from this group and all its topics, send an email to rabbitmq-user...@googlegroups.com.
To post to this group, send email to rabbitm...@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

[wenbo sun]

thank you 

You received this message because you are subscribed to the Google Groups "rabbitmq-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email to rabbitmq-user...@googlegroups.com.

[Krishna Chaithanya B]

Hi Luke,

For my learning purpose, is there any other C++ library that can support EXTERNAL authentication.

Regards

Krishna.

To unsubscribe from this group and all its topics, send an email to rabbitmq-user...@googlegroups.com.
To post to this group, send email to rabbitm...@googlegroups.com.

For more options, visit https://groups.google.com/d/optout.

--

Regards,
Krishna Chaithanya B

--

You received this message because you are subscribed to a topic in the Google Groups "rabbitmq-users" group.
To unsubscribe from this topic, visit https://groups.google.com/d/topic/rabbitmq-users/7322jFIfXxw/unsubscribe.

To unsubscribe from this group and all its topics, send an email to rabbitmq-user...@googlegroups.com.
To post to this group, send email to rabbitm...@googlegroups.com.

For more options, visit https://groups.google.com/d/optout.