Pika + SSL


John Busch (jbus...@gmail.com)
Jul 11, 2013, 8:54:37 PM
to pika-...@googlegroups.com
Hello list,

I'm attempting to get Pika to connect to RabbitMQ via SSL.

To aid in troubleshooting, I configured RabbitMQ as a tcp_listener on port 5672, and as a ssl_listener on port 5673.

The connection snippet below works fine when port 5672 is in the URLParameters (I assume the ssl_options are ignored); however, I get pika.exceptions.ConnectionClosed exceptions and errors in the RabbitMQ logs when attempting the same on port 5673.

Python connection snippet:
import urllib   # Python 2: urllib.urlencode (urllib.parse.urlencode on Python 3)
import pika

# ssl_options travels in the query string as a dict literal
url = urllib.urlencode({'ssl_options': {'ca_certs': '/path/ca.crt', 'certfile': '/path/client.crt', 'keyfile': '/path/client.key'}})
connection = pika.BlockingConnection(pika.connection.URLParameters('amqp://user:password@localhost:5673/myvhost?' + url))

Logs:
$ tail /var/log/rabbitmq/rabbit@localhost.log
=INFO REPORT==== 11-Jul-2013::20:28:58 ===
accepting AMQP connection <0.2486.0> ([::1]:46746 -> [::1]:5673)
=ERROR REPORT==== 11-Jul-2013::20:28:58 ===
SSL: hello: ./ssl_record.erl:366:Fatal error: record overflow
=ERROR REPORT==== 11-Jul-2013::20:29:03 ===
error on AMQP connection <0.2486.0>: {ssl_upgrade_error,"record overflow"} (unknown POSIX error)

AFAIK, RabbitMQ is configured correctly since the following openssl troubleshooting step indicates the server-side SSL is working as expected:
 
$ openssl s_client -connect localhost:5673 -cert /path/client.crt -key /path/client.key -CAfile /path/ca.crt
CONNECTED(00000003) 
-snip-
    Verify return code: 0 (ok)
---

Is there something wrong or missing from my ssl_options?

Thanks, John

Michael Laing
Jul 11, 2013, 9:47:35 PM
to pika-...@googlegroups.com
Shouldn't you be using 'amqps' instead of 'amqp' in your URI?


-ml



John Busch (jbus...@gmail.com)
Jul 12, 2013, 7:02:17 AM
to pika-...@googlegroups.com
Michael, thanks again; yup, this was it.

In case it helps anyone else, here's the documentation I was following.


This page is a very good resource; however, the ssl_options example at the bottom of the page uses amqp in the URI.  Per your recommendation, once I changed this to amqps on my test system, it worked.  I just noticed halfway down the page "To connect via SSL for the previous example, simply change the scheme to amqps," so this is my bust for not reading all the way through.

Thanks, John

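
Editor's note on why the log said "record overflow", with an added example that is not code from this thread or from pika. With amqp:// the client opens a plain TCP socket and its first bytes on the wire are the AMQP 0-9-1 protocol header, b"AMQP\x00\x00\x09\x01". RabbitMQ's TLS listener reads those five leading bytes as a TLS record header: content type 0x41, version 0x4d51, length 0x5000 = 20480, which is above the 2^14 + 2048 ceiling TLS puts on a record, so the server raises the fatal record_overflow alert seen in the log and the AMQP upgrade fails. The code below reproduces that reading, then checks a connection URL for the amqp/amqps mismatch and for a second thing worth knowing about the ssl_options dict in the thread: the key names (ca_certs, certfile, keyfile) are ssl.wrap_socket keyword arguments, and wrap_socket defaults to cert_reqs=CERT_NONE, so ca_certs on its own does not verify the server certificate. That the dict is applied as wrap_socket arguments is an assumption stated in the code; the URL pieces and sample client bytes are constructed.

```python
"""Editor's added example, not code from this thread or from pika: shows why a
plaintext AMQP client hitting RabbitMQ's TLS listener is logged as "record
overflow", and checks a URL for the amqp/amqps mix-up behind it.
Assumptions are marked in comments; URL pieces and client bytes are constructed.
"""
import ast
import ssl
import struct
from urllib.parse import parse_qs, urlencode, urlparse

# Protocol header a pika client sends first on a plaintext AMQP 0-9-1 connection.
AMQP_PROTOCOL_HEADER = b"AMQP\x00\x00\x09\x01"

# A TLS record begins with content type (1 byte), version (2) and length (2).
TLS_CONTENT_TYPES = {20: "change_cipher_spec", 21: "alert", 22: "handshake", 23: "application_data"}
MAX_CIPHER_TEXT_LENGTH = 2 ** 14 + 2048  # RFC 5246 6.2.3: a record length must not exceed this


def parse_tls_record_header(data):
    """Read the first five bytes the way a TLS listener does."""
    content_type, version, length = struct.unpack("!BHH", data[:5])
    return {"content_type": content_type, "version": version, "length": length}


def diagnose_first_bytes(data):
    """Say what a TLS listener makes of the first bytes a client sends."""
    if len(data) < 5:
        return "need more data"
    hdr = parse_tls_record_header(data)
    if hdr["length"] > MAX_CIPHER_TEXT_LENGTH:
        # b"AMQP\x00" parses as type 0x41, version 0x4d51, length 0x5000 = 20480:
        # over the ceiling, hence the fatal "record overflow" alert in the log.
        return "record overflow"
    if hdr["content_type"] not in TLS_CONTENT_TYPES:
        return "unexpected message"
    return "tls " + TLS_CONTENT_TYPES[hdr["content_type"]]


def build_url(scheme, user, password, host, port, vhost, ssl_options):
    """Build the URL shape used in the thread: ssl_options rides in the query
    string as a Python dict literal (urlencode calls str() on the dict)."""
    query = urlencode({"ssl_options": ssl_options})
    return "%s://%s:%s@%s:%d/%s?%s" % (scheme, user, password, host, port, vhost, query)


def check_url(url, tls_ports=(5671,)):
    """Return (ok, reason). tls_ports are the ports known to carry a TLS
    listener: 5671 is RabbitMQ's default amqps port; add any extra
    ssl_listener port (the thread used 5673)."""
    u = urlparse(url)
    port = u.port or (5671 if u.scheme == "amqps" else 5672)
    if u.scheme == "amqp" and port in tls_ports:
        return False, "amqp:// to TLS port %d: client sends the plaintext AMQP header" % port
    if u.scheme == "amqps":
        opts = ast.literal_eval(parse_qs(u.query).get("ssl_options", ["{}"])[0])
        # Assumption: the dict is applied as ssl.wrap_socket keyword arguments, as the
        # key names ca_certs/certfile/keyfile suggest. wrap_socket defaults to
        # cert_reqs=CERT_NONE, so ca_certs alone does not verify the server.
        if opts.get("cert_reqs") != ssl.CERT_REQUIRED:
            return False, "amqps without cert_reqs=CERT_REQUIRED: server certificate not verified"
    return True, "ok"


if __name__ == "__main__":
    print(diagnose_first_bytes(AMQP_PROTOCOL_HEADER))
    opts = {"ca_certs": "/path/ca.crt", "certfile": "/path/client.crt", "keyfile": "/path/client.key"}
    bad = build_url("amqp", "user", "password", "localhost", 5673, "myvhost", opts)
    print(check_url(bad, tls_ports=(5671, 5673)))
    # int() so the literal in the URL is "2", which ast.literal_eval can read back
    good = build_url("amqps", "user", "password", "localhost", 5673, "myvhost",
                     dict(opts, cert_reqs=int(ssl.CERT_REQUIRED)))
    print(check_url(good, tls_ports=(5671, 5673)))
```

The openssl s_client test in the first post only proves the listener speaks TLS; it says nothing about which scheme the client library will use, which is why the two disagree until the URI says amqps.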
Mouse
Jan 1, 2015, 2:30:54 AM
to pika-...@googlegroups.com
Resurrecting this thread.

I am trying to eliminate password-based authentication altogether, switching to SASL EXTERNAL authentication and using the client's Common Name (CN) from its TLS certificate to authenticate the connection and to perform authorization.

I successfully establish TLS connection, but haven't figured out yet how to switch SASL mode to EXTERNAL from the default, which is PLAIN.

Would appreciate any help!

Thanks!


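
Editor's note on the SASL EXTERNAL question, with an added example that is not code from this thread or from pika. On the client side pika selects the mechanism through its credentials object: pika.credentials ships an ExternalCredentials class whose response is the EXTERNAL mechanism name and an empty SASL response, passed as credentials= in the connection parameters in place of PlainCredentials. On the server side RabbitMQ only advertises EXTERNAL once the rabbitmq_auth_mechanism_ssl plugin is enabled and EXTERNAL is listed in auth_mechanisms; the listener must also demand a client certificate (verify set to verify_peer and fail_if_no_peer_cert true in its ssl_options), and ssl_cert_login_from set to common_name makes the CN the username. The code below shows what changes on the wire: the connection.start-ok method frame marshalled for PLAIN and for EXTERNAL, and the check a client must make against the mechanism list the server advertised in connection.start. Field layout follows the AMQP 0-9-1 spec; the server mechanism strings and user/password are constructed.

```python
"""Editor's added example, not code from this thread or from pika: the AMQP
0-9-1 connection.start-ok method frame a client answers with, marshalled for
SASL PLAIN and SASL EXTERNAL, plus the mechanism check against the list the
server advertised in connection.start. Sample strings are constructed.
"""
import struct

FRAME_METHOD = 1
FRAME_END = 0xCE
CLASS_CONNECTION = 10
METHOD_START_OK = 11


def shortstr(s):
    """AMQP shortstr: one length byte then UTF-8 bytes."""
    b = s.encode("utf-8")
    return struct.pack("!B", len(b)) + b


def longstr(b):
    """AMQP longstr: four-byte length then raw bytes."""
    return struct.pack("!I", len(b)) + b


def plain_response(user, password):
    """SASL PLAIN: NUL user NUL password. Private inside TLS, but a password
    still exists and has to be stored, rotated and revoked."""
    return b"\x00" + user.encode("utf-8") + b"\x00" + password.encode("utf-8")


def external_response():
    """SASL EXTERNAL: empty response; identity comes from the client's TLS cert."""
    return b""


def choose_mechanism(server_mechanisms, wanted="EXTERNAL"):
    """server_mechanisms is the space-separated longstr from connection.start.
    A server without the ssl auth plugin will not list EXTERNAL at all."""
    offered = server_mechanisms.decode("utf-8").split()
    if wanted not in offered:
        raise ValueError("server offers %s, not %s" % (offered, wanted))
    return wanted


def start_ok_frame(mechanism, response, client_properties=b"", locale="en_US"):
    """connection.start-ok on channel 0: client-properties (field table),
    mechanism (shortstr), response (longstr), locale (shortstr)."""
    payload = struct.pack("!HH", CLASS_CONNECTION, METHOD_START_OK)
    payload += struct.pack("!I", len(client_properties)) + client_properties  # empty table
    payload += shortstr(mechanism) + longstr(response) + shortstr(locale)
    return struct.pack("!BHI", FRAME_METHOD, 0, len(payload)) + payload + bytes([FRAME_END])


def parse_start_ok(frame):
    """Decode a start-ok frame back into (mechanism, response, locale)."""
    ftype, channel, size = struct.unpack("!BHI", frame[:7])
    if ftype != FRAME_METHOD or channel != 0 or frame[7 + size] != FRAME_END:
        raise ValueError("not a channel-0 method frame")
    p = frame[7:7 + size]
    if struct.unpack("!HH", p[:4]) != (CLASS_CONNECTION, METHOD_START_OK):
        raise ValueError("not connection.start-ok")
    off = 4
    (tlen,) = struct.unpack("!I", p[off:off + 4])
    off += 4 + tlen                                   # skip client-properties
    mlen = p[off]
    mechanism = p[off + 1:off + 1 + mlen].decode("utf-8")
    off += 1 + mlen
    (rlen,) = struct.unpack("!I", p[off:off + 4])
    response = p[off + 4:off + 4 + rlen]
    off += 4 + rlen
    llen = p[off]
    locale = p[off + 1:off + 1 + llen].decode("utf-8")
    return mechanism, response, locale


if __name__ == "__main__":
    # Constructed: what a RabbitMQ with the ssl auth plugin enabled advertises.
    mech = choose_mechanism(b"PLAIN AMQPLAIN EXTERNAL")
    print(start_ok_frame(mech, external_response()).hex())
    print(start_ok_frame("PLAIN", plain_response("user", "password")).hex())
```

The EXTERNAL frame carries no secret at all; the server binds the connection to the certificate it already validated during the TLS handshake, which is why the listener has to require a client certificate before EXTERNAL means anything.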