Rabbitmq SSL in dot net

Rubi
Oct 10, 2017, 11:01:43 AM
to rabbitmq-users
Hi,
I am trying to establish a connection via SSL to the RabbitMQ server, but I have the following problem:

"A connection attempt failed because the connected party did not properly respond after a period of time, or established connection failed because connected host has failed to respond"



1) my config: 

[
  {rabbit, [
    {ssl_listeners, [5671]},
    {ssl_options, [{cacertfile, "D:/a-inc.pem"},
                   {certfile,   "D:/a-inc-server.pem"},
                   {keyfile,    "D:/a-inc.key"},
                   {password,   "pass1"},
                   {verify,     verify_peer},
                   {fail_if_no_peer_cert, false}
                  ]}
  ]}
].


2) my dot net code:

_factory.Ssl = new SslOption()
{
    Enabled = true,
    ServerName = h,

    CertPath = "D:\\a-inc.pfx",
    CertPassphrase = "pass1",
    Version = SslProtocols.Tls
};

_factory.Port = AmqpTcpEndpoint.DefaultAmqpSslPort;

_connection = _factory.CreateConnection();


3) Without peer verification it gives the same result.

4) The log shows:


=INFO REPORT==== 10-Oct-2017::17:45:49 ===
started SSL Listener on [::]:5671

=INFO REPORT==== 10-Oct-2017::17:45:49 ===
started SSL Listener on 0.0.0.0:5671


with no errors at all.


5) When the RabbitMQ service is up, I run the following command to check the connection and get this result:

openssl s_client -connect localhost:5671 -tls1 -cert D:\a-inc-server.pem -key D:\a-inc.key -CAfile D:\a-inc.pem


result: 

C:\WINDOWS\system32>openssl s_client -connect localhost:5671 -tls1 -cert D:\\a-inc-server.pem -key D:\a-inc.key -CAfile D:\a-inc.pem
Enter pass phrase for D:\a-inc.key:
CONNECTED(00000140)
write:errno=0
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 0 bytes and written 102 bytes
Verification: OK
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1
    Cipher    : 0000
    Session-ID:
    Session-ID-ctx:
    Master-Key:
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    Start Time: 1507646784
    Timeout   : 7200 (sec)
    Verify return code: 0 (ok)
    Extended master secret: no
---



6) I use a wildcard certificate.


7) Please assist. Thank you in advance.

Rubi
Oct 10, 2017, 11:03:25 AM
to rabbitmq-users
I use Erlang 20.1 and RabbitMQ 3.6.12.

Rubi
Oct 10, 2017, 11:28:34 AM
to rabbitmq-users
Attaching the logs


Attachments: RABBIT~3.LOG, RABBIT~4.LOG

Michael Klishin
Oct 11, 2017, 7:00:52 AM
to rabbitmq-users
Consider posting full stack traces when reporting issues, on this list and anywhere else.

According to openssl s_client, your node and config seem to be set up correctly.
Since you use peer verification, the next thing I'd check is whether the client actually trusts the certificate the server presents and verifies its hostname successfully.

See http://www.rabbitmq.com/ssl.html (sections on peer verification and trust store specifically).

http://www.rabbitmq.com/troubleshooting-ssl.html explains how to use openssl s_server to investigate
TLS-related issues on the client end.

--
You received this message because you are subscribed to the Google Groups "rabbitmq-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email to rabbitmq-users+unsubscribe@googlegroups.com.
To post to this group, send email to rabbitmq-users@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.



--
MK

Staff Software Engineer, Pivotal/RabbitMQ

Rubi
Oct 15, 2017, 3:06:37 AM
to rabbitmq-users
Hi MK,
When you speak about the full stack, I guess you mean the server side, so here is the output with the openssl client and server:
C:\WINDOWS\system32>C:\OpenSSL-Win64\bin\openssl.exe s_client -connect localhost:5671 -tls1 -cert D:\Icenter\GetwayFullFlowContinue2\Deployment\avt-inc-pem\avt-inc-server.pem -key D:\Icenter\GetwayFullFlowContinue2\Deployment\avt-inc-pem\avt-inc.key -CAfile D:\Icenter\GetwayFullFlowContinue2\Deployment\avt-inc-pem\avt-inc.pem
Enter pass phrase for D:\Icenter\GetwayFullFlowContinue2\Deployment\avt-inc-pem\avt-inc.key:
CONNECTED(00000140)
depth=0 OU = Domain Control Validated, OU = EssentialSSL Wildcard, CN = *.avt-in
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 OU = Domain Control Validated, OU = EssentialSSL Wildcard, CN = *.avt-in
verify error:num=21:unable to verify the first certificate
verify return:1
---
Certificate chain
 0 s:/OU=Domain Control Validated/OU=EssentialSSL Wildcard/CN=*.avt-inc.com
   i:/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO RSA Domain Validation Secure Server CA
---
Server certificate
-----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----
subject=/OU=Domain Control Validated/OU=EssentialSSL Wildcard/CN=*.avt-inc.com
issuer=/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO RSA Domain Validation Secure Server CA
---
No client certificate CA names sent
Server Temp Key: X25519, 253 bits
---
SSL handshake has read 2003 bytes and written 207 bytes
Verification error: unable to verify the first certificate
---
New, TLSv1.0, Cipher is ECDHE-RSA-AES256-SHA
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1
    Cipher    : ECDHE-RSA-AES256-SHA
    Session-ID: E6E0D312470B9BBF1A3026F1EEF51DB59ABA1F9D1CD8C907D7C6AF92EE4C6AE3
    Session-ID-ctx:
    Master-Key: ADCB04659BB087E79E08556D885A0229690637CF81C0913F3035D7417C7DFE5C17D8F9DB8DBAD7DBA278C3BED5E7C9AA
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    TLS session ticket lifetime hint: 7200 (seconds)
    TLS session ticket:
    0000 - 17 9e 4e 30 4e fa 21 75-42 05 73 d1 88 09 f9 c1   ..N0N.!uB.s.....
    0010 - 23 4d df 59 b6 90 1e b1-47 fe 6e 06 da f3 59 44   #M.Y....G.n...YD
    0020 - de f0 b7 96 30 b8 74 63-d3 14 2f 9a c4 2a 58 e5   ....0.tc../..*X.
    0030 - f0 31 69 10 24 2f 12 fd-97 ff ef d4 96 9c 0c 04   .1i.$/..........
    0040 - 44 e7 06 c1 4c 08 24 c0-a2 28 02 45 42 88 10 1e   D...L.$..(.EB...
    0050 - 53 23 8e e8 e0 87 2c 60-18 ca 45 5b d6 71 e7 c4   S#....,`..E[.q..
    0060 - e2 bf 68 a5 18 47 3e 77-ec 75 bf c8 c9 ac e4 d4   ..h..G>w.u......
    0070 - 3c 5c 8d 27 6a b0 ac 71-24 1e e9 4e d8 a8 b1 68   <\.'j..q$..N...h
    0080 - 2b 1c b5 82 7a 52 2b a8-bb 99 e1 69 a9 10 5e f6   +...zR+....i..^.
    0090 - b6 43 06 ba ee f6 53 8f-90 c4 ee a6 c4 fa 64 1f   .C....S.......d.

    Start Time: 1508050746
    Timeout   : 7200 (sec)
    Verify return code: 21 (unable to verify the first certificate)
    Extended master secret: yes
---



server :


openssl s_server -accept 5671 -cert D:\a-inc-server.pem -key D:\a-inc.key -CAfile D:\a-inc.pem
Enter pass phrase for D:\Icenter\GetwayFullFlowContinue2\Deployment\avt-inc-pem\avt-inc.key:
Using default temp DH parameters
ACCEPT
-----BEGIN SSL SESSION PARAMETERS-----
MFoCAQECAgMBBALAFAQABDCtywRlm7CH554IVW2IWgIpaQY3z4HAkT8wNddBfH3+
XBfY+duNutfbonjDvtXnyaqhBgIEWeMHOqIEAgIcIKQGBAQBAAAArQMCAQE=
-----END SSL SESSION PARAMETERS-----
Shared ciphers:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES256-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES128-SHA:AES256-SHA:AES128-SHA
Supported Elliptic Curve Point Formats: uncompressed:ansiX962_compressed_prime:ansiX962_compressed_char2
Supported Elliptic Curves: X25519:P-256:P-521:P-384
Shared Elliptic curves: X25519:P-256:P-521:P-384
CIPHER is ECDHE-RSA-AES256-SHA
Secure Renegotiation IS supported




Is the error on the client side causing the trouble?
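The verify errors in the s_client output above (num=20, then num=21 at depth 0, with only certificate 0 listed under "Certificate chain") and MK's earlier advice to check the client's trust store and hostname verification can be reproduced offline, without a broker. The script below is an added example written for this page; it is not code from the thread or from the RabbitMQ project. It assumes only a POSIX shell and the OpenSSL 1.1.1+ command-line tool, builds a throw-away root -> intermediate -> wildcard leaf PKI (all names are constructed, and `*.avt-inc.com` is reused only as a stand-in wildcard), then shows that `openssl verify` reports error 20 when the leaf is presented on its own but OK once the intermediate is supplied, and how `x509 -checkhost` answers the wildcard question for each hostname shape:

```shell
#!/bin/sh
# Added example, not from the rabbitmq-users thread. Throw-away PKI: every
# key, certificate and name below is constructed here for the demo.
set -eu

DEMO=$(mktemp -d)
trap 'rm -rf "$DEMO"' EXIT

build_demo_pki() {
  cat > "$DEMO/ca.ext" <<'EOF'
basicConstraints=critical,CA:TRUE
keyUsage=critical,keyCertSign,cRLSign
EOF
  cat > "$DEMO/leaf.ext" <<'EOF'
basicConstraints=CA:FALSE
keyUsage=digitalSignature,keyEncipherment
extendedKeyUsage=serverAuth
subjectAltName=DNS:*.avt-inc.com
EOF
  # Root CA: self-signed, the only thing the client will be told to trust.
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=demo-root" \
    -keyout "$DEMO/root.key" -out "$DEMO/root.csr" >/dev/null 2>&1
  openssl x509 -req -in "$DEMO/root.csr" -signkey "$DEMO/root.key" -days 2 \
    -extfile "$DEMO/ca.ext" -out "$DEMO/root.pem" >/dev/null 2>&1
  # Intermediate CA (the role the COMODO DV CA plays in the output above).
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=demo-int" \
    -keyout "$DEMO/int.key" -out "$DEMO/int.csr" >/dev/null 2>&1
  openssl x509 -req -in "$DEMO/int.csr" -CA "$DEMO/root.pem" -CAkey "$DEMO/root.key" \
    -CAcreateserial -days 2 -extfile "$DEMO/ca.ext" -out "$DEMO/int.pem" >/dev/null 2>&1
  # Wildcard server leaf, signed by the intermediate, SAN = *.avt-inc.com.
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=*.avt-inc.com" \
    -keyout "$DEMO/leaf.key" -out "$DEMO/leaf.csr" >/dev/null 2>&1
  openssl x509 -req -in "$DEMO/leaf.csr" -CA "$DEMO/int.pem" -CAkey "$DEMO/int.key" \
    -CAcreateserial -days 2 -extfile "$DEMO/leaf.ext" -out "$DEMO/leaf.pem" >/dev/null 2>&1
  # A broker certfile that carries its chain: leaf first, then the intermediate,
  # so a client that trusts only the root can still build the chain.
  cat "$DEMO/leaf.pem" "$DEMO/int.pem" > "$DEMO/server-chain.pem"
}

# verify_status TRUST_ANCHOR UNTRUSTED_CHAIN_OR_EMPTY TARGET
# Echoes "OK" or the first X509 verify error number. 20 is
# "unable to get local issuer certificate", the code s_client printed above.
verify_status() {
  if [ -n "$2" ]; then
    out=$(openssl verify -CAfile "$1" -untrusted "$2" "$3" 2>&1 || true)
  else
    out=$(openssl verify -CAfile "$1" "$3" 2>&1 || true)
  fi
  case "$out" in
    *": OK"*) echo OK ;;
    *) printf '%s\n' "$out" \
         | sed -n 's/.*error \([0-9][0-9]*\) at [0-9]* depth lookup.*/\1/p' \
         | head -n 1 ;;
  esac
}

# hostname_matches CERT NAME: succeeds only if NAME satisfies the certificate's
# SAN rules. A wildcard label covers exactly one label: it matches
# broker.avt-inc.com but neither avt-inc.com nor a.b.avt-inc.com.
hostname_matches() {
  openssl x509 -in "$1" -noout -checkhost "$2" 2>/dev/null | grep -q ' does match '
}

# count_certs FILE: how many PEM certificates a certfile/chain file carries.
count_certs() { grep -c 'BEGIN CERTIFICATE' "$1"; }

build_demo_pki
echo "leaf alone, root trusted:     $(verify_status "$DEMO/root.pem" "" "$DEMO/leaf.pem")"
echo "leaf + intermediate supplied: $(verify_status "$DEMO/root.pem" "$DEMO/int.pem" "$DEMO/leaf.pem")"
echo "certfile carrying its chain:  $(verify_status "$DEMO/root.pem" "$DEMO/server-chain.pem" "$DEMO/server-chain.pem")"
echo "certs in server-chain.pem:    $(count_certs "$DEMO/server-chain.pem")"
for name in broker.avt-inc.com avt-inc.com a.b.avt-inc.com; do
  if hostname_matches "$DEMO/leaf.pem" "$name"; then
    echo "$name: matches the wildcard"
  else
    echo "$name: does NOT match the wildcard"
  fi
done
```

The first line of output is the offline equivalent of the `verify error:num=20` seen above: the leaf is fine, but nothing in what was presented links it to a trusted root. When a real `s_client -showcerts` session lists only certificate 0 under "Certificate chain", the same error appears for the same reason, and the place to fix it is the broker's `certfile` (leaf followed by the intermediate, as `server-chain.pem` is built here), not the client's root store. The hostname loop is the check MK refers to: the .NET client compares `ServerName` against the certificate with the same single-label wildcard rule, so `h` must be a direct subdomain of `avt-inc.com` for a `*.avt-inc.com` certificate to pass.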



Michael Klishin
Oct 16, 2017, 3:20:23 PM
to rabbitmq-users
I meant the .NET stack trace.

What exactly are you running s_client and s_server against? If it's against each other, all it tells you is that
the certificates and keys are sane. It does not help you narrow down the problem to either side of the connection.


Rubi
Oct 17, 2017, 9:35:12 AM
to rabbitmq-users

Here is the stack:


RabbitMQ.Client.Exceptions.BrokerUnreachableException occurred
  HResult=-2146232800
  Message=None of the specified endpoints were reachable
  Source=RabbitMQ.Client
  StackTrace:
       at RabbitMQ.Client.ConnectionFactory.CreateConnection(IList`1 endpoints, String clientProvidedName)
  InnerException: 
       HResult=-2146232800
       Message=Unable to read data from the transport connection: A connection attempt failed because the connected party did not properly respond after a period of time, or established connection failed because connected host has failed to respond.
       Source=System
       StackTrace:
            at System.Net.Sockets.NetworkStream.Read(Byte[] buffer, Int32 offset, Int32 size)
            at System.Net.FixedSizeReader.ReadPacket(Byte[] buffer, Int32 offset, Int32 count)
            at System.Net.Security.SslState.StartReceiveBlob(Byte[] buffer, AsyncProtocolRequest asyncRequest)
            at System.Net.Security.SslState.CheckCompletionBeforeNextReceive(ProtocolToken message, AsyncProtocolRequest asyncRequest)
            at System.Net.Security.SslState.StartSendBlob(Byte[] incoming, Int32 count, AsyncProtocolRequest asyncRequest)
            at System.Net.Security.SslState.ForceAuthentication(Boolean receiveFirst, Byte[] buffer, AsyncProtocolRequest asyncRequest)
            at System.Net.Security.SslState.ProcessAuthentication(LazyAsyncResult lazyResult)
            at System.Net.Security.SslStream.AuthenticateAsClient(String targetHost, X509CertificateCollection clientCertificates, SslProtocols enabledSslProtocols, Boolean checkCertificateRevocation)
            at RabbitMQ.Client.SslHelper.TcpUpgrade(Stream tcpStream, SslOption sslOption)
            at RabbitMQ.Client.Impl.SocketFrameHandler..ctor(AmqpTcpEndpoint endpoint, Func`2 socketFactory, Int32 connectionTimeout, Int32 readTimeout, Int32 writeTimeout)
            at RabbitMQ.Client.Framing.Impl.ProtocolBase.CreateFrameHandler(AmqpTcpEndpoint endpoint, Func`2 socketFactory, Int32 connectionTimeout, Int32 readTimeout, Int32 writeTimeout)
            at RabbitMQ.Client.ConnectionFactory.CreateFrameHandler(AmqpTcpEndpoint endpoint)
            at RabbitMQ.Client.ConnectionFactory.CreateConnection(IList`1 endpoints, String clientProvidedName)
       InnerException: 
            ErrorCode=10060
            HResult=-2147467259
            Message=A connection attempt failed because the connected party did not properly respond after a period of time, or established connection failed because connected host has failed to respond
            NativeErrorCode=10060
            Source=System
            StackTrace:
                 at System.Net.Sockets.Socket.Receive(Byte[] buffer, Int32 offset, Int32 size, SocketFlags socketFlags)
                 at System.Net.Sockets.NetworkStream.Read(Byte[] buffer, Int32 offset, Int32 size)
            InnerException: 

Michael Klishin
Oct 17, 2017, 9:44:22 AM
to rabbitmq-users
This is a very generic socket read error. See server logs around the same time for clues.
If there are no entries, this can be a genuine TCP connectivity issue.

Taking a traffic capture is by far the most efficient way to investigate those [1].



Rubi
Oct 19, 2017, 3:26:51 AM
to rabbitmq-users
Hi MK,

Now I have the following exception (without peer verification it works fine):



System.Security.Authentication.AuthenticationException occurred
  HResult=-2146233087
  Message=A call to SSPI failed, see inner exception.
  Source=System
  StackTrace:
       at System.Net.Security.SslState.StartSendAuthResetSignal(ProtocolToken message, AsyncProtocolRequest asyncRequest, Exception exception)
  InnerException: 
       ErrorCode=-2147467259
       HResult=-2147467259
       Message=The certificate chain was issued by an authority that is not trusted
       NativeErrorCode=-2146893019
       InnerException: 




I imported the certificate into the local computer's Trusted Root Certification Authorities store, but it still fails.

Please advise

Brian Yule
Oct 19, 2017, 3:51:00 AM
to rabbitmq-users
+1

I'm getting same.

Rubi
Oct 19, 2017, 4:22:30 AM
to rabbitmq-users
Reminder : I am using a wildcard certificate

Michael Klishin
Oct 19, 2017, 7:44:54 AM
to rabbitmq-users
Please start new topics for new questions.

A call to SSPI failed, see inner exception

has a suggestion right in the message.
