Unable to connect to RabbitMQ server from phpAmqpLib with TLS


Romain WeMove

Aug 13, 2019, 6:33:00 AM
to rabbitmq-discuss
Hello,

I am having trouble connecting to RabbitMQ with TLS using a phpAmqpLib client even though it works fine from a bunny client, using the same key and certificate.

My set-up is the following:

Server
RabbitMQ v3.7.15 deployed in docker
SSL listener on port 5671 restricted to protocol TLSv1.2 without terminating proxy
Peer verification enabled and client certificate required
All the ciphers listed by rabbitmq-diagnostics are allowed
Letsencrypt certificate

Client
PhpAmqpLib v2.9.2 with PHP 7.1
Wildcard certificate from a trusted company
N.B. I had to comment out one line of code in the library (StreamIO.php:96) to get "meaningful" information about the error, otherwise it just reports "Unknown error"...
Connection code:
 37 new AMQPSSLConnection(
 38     AMQP_HOST, AMQP_PORT,
 39     AMQP_USER, AMQP_PASSWORD, AMQP_VHOST,
 40     array(
 41       'local_cert' => PATH_TO_SSL_CERT,
 42       'local_pk' => PATH_TO_SSL_KEY,
 43       'cafile' => '/etc/ssl/certs/ca-certificates.crt',
 44  //     'verify_peer' => FALSE,
 45  //     'verify_peer_name' => FALSE,
 46  //     'ciphers' => 'DEFAULT:!TLSv1.0:!SSLv3',
 48     ),
 49     array(),
 50     'ssl'       // 'tls', 'tlsv1.2'
 51   );

The client and the server are on different machines, but have the same CA file, which is the default Ubuntu store appended with intermediate certificates of Letsencrypt and the Wildcard certificate provider.

Error

PHP Warning:  stream_socket_client(): SSL operation failed with code 1. OpenSSL Error messages:
error:14094410:SSL routines:ssl3_read_bytes:sslv3 alert handshake failure in /var/www/civi.custom/extensions/mailjet/amqp/vendor/php-amqplib/php-amqplib/PhpAmqpLib/Wire/IO/StreamIO.php on line 105
PHP Warning:  stream_socket_client(): Failed to enable crypto in /var/www/civi.custom/extensions/mailjet/amqp/vendor/php-amqplib/php-amqplib/PhpAmqpLib/Wire/IO/StreamIO.php on line 105
PHP Warning:  stream_socket_client(): unable to connect to ssl://-----.---------.--:5671 (Unknown error)

On the server side, nothing much in logs (log level set to debug for console):
2019-08-13 09:48:50.201 [debug] <0.4091.0> Supervisor {<0.4091.0>,rabbit_connection_sup} started rabbit_connection_helper_sup:start_link() at pid <0.4092.0>
2019-08-13 09:48:50.201 [debug] <0.4091.0> Supervisor {<0.4091.0>,rabbit_connection_sup} started rabbit_reader:start_link(<0.4092.0>, {acceptor,{0,0,0,0,0,0,0,0},5671}) at pid <0.4093.0>


As you can see, the client seems to try to negotiate an SSLv3 handshake, even though the server allows only TLSv1.2.
I've tried specifying the protocol as 'tls', but it gives a protocol error because it tries to negotiate a TLSv1.0 handshake, or as 'tlsv1.2' (which is listed as a valid protocol by "php -i"), but it gives the same "sslv3 alert handshake failure". So I'm not sure whether it's actually an SSLv3 or a TLSv1.2 handshake that's being negotiated...
I've also tried limiting ciphers to the ones accepted by TLSv1.2 (see line 46), same error message.

I've tried disabling peer verification on client side, no difference.
I've also tried bundling the client key and certificate in the same file, as I've seen in (old) forums this can solve SSL problems with PHP, no difference.

I've also tried the following tests to find the root cause:

 - phpAmqpLib -> openssl s_server -tlsv1_2 (with the same certificate as rabbitmq, run on the docker host) => Connect OK (and dies with no heartbeat from server)
 - openssl s_client (with the same certificate as phpAmqpLib) -> RabbitMQ => Connect OK on TLSv1.2 (and the server closes the connection because there is no AMQP input)
 - bunny (with same certificate, from another machine) -> RabbitMQ => Connect OK

These tests seem to show that both the php client and server are configured correctly as both are able to establish connections, yet they don't want to talk to each other :(

Any idea what I might be missing?

Thanks for your suggestions
Romain
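The two openssl tests from the post above (an s_server pinned to TLSv1.2 that requires a client certificate, and s_client probes against it), reproduced on localhost as an added example. This is not code from the original post or from php-amqplib; it assumes the openssl CLI is on PATH, that port 25671 on 127.0.0.1 is free, and it builds its own throwaway CA, server and client certificates (constructed for the example, not the poster's Letsencrypt or wildcard certificates). The second probe deliberately omits the client certificate so you can see the same "alert handshake failure" string the PHP client reported, which is what a TLSv1.2 server sends when peer verification requires a certificate and none arrives.

```shell
#!/bin/sh
# Added example, not the original post's code: rebuild the broker-side TLS
# listener from the post with openssl s_server (TLS 1.2 only, client cert
# required) and probe it twice with openssl s_client, with and without a
# client certificate. Assumptions: openssl on PATH, port 25671 free, POSIX sh.
set -eu

WORK=$(mktemp -d)   # throwaway directory for the constructed PKI
PORT=25671          # stand-in for the broker's 5671 listener (assumed free)
SERVER_PID=
cleanup() { kill "$SERVER_PID" 2>/dev/null || true; rm -rf "$WORK"; }
trap cleanup EXIT

# Constructed PKI: one CA signs both the server and the client certificate,
# so both sides can verify each other with the same cafile.
make_pki() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=example-ca" \
    -keyout "$WORK/ca.key" -out "$WORK/ca.pem" 2>/dev/null
  for name in server client; do
    openssl req -newkey rsa:2048 -nodes -subj "/CN=$name" \
      -keyout "$WORK/$name.key" -out "$WORK/$name.csr" 2>/dev/null
    openssl x509 -req -days 1 -in "$WORK/$name.csr" -CA "$WORK/ca.pem" \
      -CAkey "$WORK/ca.key" -CAcreateserial -out "$WORK/$name.pem" 2>/dev/null
  done
}

# probe with|without: one s_client handshake; the full transcript (stdout and
# stderr, where OpenSSL prints the alert text) goes to stdout.
probe() {
  if [ "$1" = with ]; then
    printf 'GET / HTTP/1.0\r\n\r\n' | openssl s_client -connect "127.0.0.1:$PORT" \
      -CAfile "$WORK/ca.pem" -cert "$WORK/client.pem" -key "$WORK/client.key" 2>&1 || true
  else
    printf 'GET / HTTP/1.0\r\n\r\n' | openssl s_client -connect "127.0.0.1:$PORT" \
      -CAfile "$WORK/ca.pem" 2>&1 || true
  fi
}

# Server side: -tls1_2 pins the protocol, -Verify 1 (capital V) makes the client
# certificate mandatory, -www answers the probe's GET with a status page.
start_server() {
  openssl s_server -accept "$PORT" -cert "$WORK/server.pem" -key "$WORK/server.key" \
    -CAfile "$WORK/ca.pem" -Verify 1 -tls1_2 -www >/dev/null 2>&1 &
  SERVER_PID=$!
  tries=0
  until probe with | grep -q '^CONNECTED'; do   # wait until the port accepts
    tries=$((tries + 1))
    [ "$tries" -lt 15 ] || { echo "s_server did not start" >&2; return 1; }
    sleep 1
  done
}

# "Protocol  : TLSv1.2" in s_client's SSL-Session block is what confirms the
# negotiated version, independent of the misleading "sslv3"/"ssl3_" prefixes.
negotiated_protocol() { printf '%s\n' "$1" | sed -n 's/^ *Protocol *: *//p' | head -n1; }
# Count of "alert handshake failure" lines (OpenSSL 1.1 says "sslv3 alert
# handshake failure", OpenSSL 3 says "ssl/tls alert handshake failure").
handshake_failures() { printf '%s\n' "$1" | grep -c 'alert handshake failure' || true; }

make_pki
start_server
WITH_CERT=$(probe with)
WITHOUT_CERT=$(probe without)
PROTO_WITH=$(negotiated_protocol "$WITH_CERT")
FAIL_WITH=$(handshake_failures "$WITH_CERT")
FAIL_WITHOUT=$(handshake_failures "$WITHOUT_CERT")
echo "with client cert:    protocol=$PROTO_WITH handshake-failure alerts=$FAIL_WITH"
echo "without client cert: handshake-failure alerts=$FAIL_WITHOUT"
```

Run it with `sh` and compare the two summary lines: the probe that presents the client certificate negotiates TLSv1.2 with no alert, the one that does not presents nothing and gets the handshake_failure alert back, even though the protocol version was fine. When debugging a real client, run the same `openssl s_client` command with the exact `-cert`/`-key` files the application uses and look at the `Protocol` line and the alert text rather than at the `ssl3_read_bytes` function name in the error string.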