no_client_certificate_provided if ssl_options.fail_if_no_peer_cert was set true


Stefan Pappalardo

Mar 28, 2022, 10:56:53 AM
to rabbitmq-users
Hello Everybody,

We want to configure RabbitMQ to be as secure as possible by enabling transport encryption and peer verification. Transport encryption works as expected and peer verification was turned on. But it fails when setting ssl_options.fail_if_no_peer_cert from false to true. Here is some more relevant information...

Message Broker Server: RabbitMQ 3.9.8 (Erlang OTP 24.1.7) on Windows Server 2016

Error message in RabbitMQ server log file
2022-03-28 14:41:26.644000+02:00 [noti] <0.28124.0> TLS server: In state certify at tls_dtls_connection.erl:316 generated SERVER ALERT: Fatal - Handshake Failure
2022-03-28 14:41:26.644000+02:00 [noti] <0.28124.0>  - no_client_certificate_provided

ssl specific part in rabbitmq.conf
listeners.tcp = none
listeners.ssl.default = 5671
ssl_options.verify = verify_peer
ssl_options.fail_if_no_peer_cert = true
ssl_options.cacertfile = D:\\Data\\RabbitMQ\\cacerts.pem
ssl_options.certfile = D:\\Data\\RabbitMQ\\clcert.pem
ssl_options.keyfile = D:\\Data\\RabbitMQ\\clkey.pem

Certificate
Server certificate signed by company's CA (managed by Windows certmgr)
cacerts.pem, clcert.pem and clkey.pem were extracted via openssl from a pfx file that was exported from certmgr before.

Message Broker Client: Blue Prism Hub v4.5 on Windows Server 2016 with IIS 10

Certificate
Server certificate signed by company's CA (managed by Windows certmgr)

What I already tried
  • Replaced the Server certificate by a Client and Server certificate
  • Added the CertificateThumbprint of certificate in appsettings.json of client software
  • Granted service user full access to certificate's private key
Solution approaches
  • Is there any way to configure RabbitMQ to use the Windows certificate store instead of pem files?
  • Does the client certificate need to be added to the pem files on RMQ server?
Any idea is welcome. :-)

Luke Bakken

Mar 28, 2022, 12:02:57 PM
to rabbitmq-users
Hello,

Erlang on Windows has no knowledge of the Windows certificate store. The CA that signed your client certificate must be part of the bundle in the file pointed to by the cacertfile setting ( D:/Data/RabbitMQ/cacerts.pem - forward slashes are preferred).

The certfile and keyfile settings should point to files containing your server certificate and private key. Based on the file names below you are using the client certificates. You could use the client cert here but if your application tries to verify the server certificate's CN value against the host name it will fail. In addition, client certificates don't typically have the required keyUsage configuration for server certificates - https://github.com/rabbitmq/tls-gen/blob/master/basic/openssl.cnf#L66

I don't know anything about "Blue Prism Hub" but the most likely scenario is that the application is not correctly presenting a client certificate. Hopefully the application can log if it can find the correct client cert in the Windows cert store or not.

You can test this by using OpenSSL to connect to RabbitMQ (https://www.rabbitmq.com/troubleshooting-ssl.html) -

openssl s_client -connect SERVER_HOST:5671 -cert clcert.pem -key clkey.pem -CAfile cacerts.pem -verify 8 -verify_hostname SERVER_CERT_CN_NAME

Redirect the output from the above command into a text file and attach the file to your response.

Solution approaches
  • Is there any way to configure RabbitMQ to use the Windows certificate store instead of pem files?
No 
  • Does the client certificate need to be added to the pem files on RMQ server?
No

Thanks,
Luke 
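The two conditions Luke describes (the CA that issued the client certificate must be in cacertfile; certfile/keyfile must hold a server certificate, not the client one, with a matching key) as a script that checks the PEM files before fail_if_no_peer_cert is switched to true. This is an added example, not code from the thread or from RabbitMQ; it assumes only the openssl CLI, and the file names servercert.pem/serverkey.pem in the usage comment are placeholders.

```shell
#!/usr/bin/env bash
# Added example (not from the thread): sanity-check the PEM files that
# rabbitmq.conf points at before enabling ssl_options.fail_if_no_peer_cert.
# Requires only the openssl CLI; works with OpenSSL 1.1.1 and 3.x.

# check_server_pems CACERTFILE CERTFILE KEYFILE
# Succeeds when CERTFILE chains to CACERTFILE, carries the serverAuth EKU
# (i.e. it is a server certificate, not a client one) and KEYFILE is its key.
check_server_pems() {
  local ca="$1" cert="$2" key="$3"
  openssl verify -CAfile "$ca" "$cert" >/dev/null 2>&1 \
    || { echo "FAIL: $cert does not chain to the CA bundle $ca"; return 1; }
  openssl x509 -in "$cert" -noout -ext extendedKeyUsage 2>/dev/null \
    | grep -q 'TLS Web Server Authentication' \
    || { echo "FAIL: $cert lacks the serverAuth extendedKeyUsage"; return 1; }
  [ "$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null)" = \
    "$(openssl pkey -in "$key" -pubout 2>/dev/null)" ] \
    || { echo "FAIL: $key is not the private key of $cert"; return 1; }
  echo "OK: $cert is a server certificate trusted via $ca and $key matches"
}

# check_client_pem CACERTFILE CLIENTCERT
# With verify_peer + fail_if_no_peer_cert the broker only accepts client
# certificates that chain to CACERTFILE; clientAuth is the EKU a TLS client needs.
check_client_pem() {
  local ca="$1" cert="$2"
  openssl verify -CAfile "$ca" "$cert" >/dev/null 2>&1 \
    || { echo "FAIL: $cert would be rejected, it does not chain to $ca"; return 1; }
  openssl x509 -in "$cert" -noout -ext extendedKeyUsage 2>/dev/null \
    | grep -q 'TLS Web Client Authentication' \
    || { echo "FAIL: $cert lacks the clientAuth extendedKeyUsage"; return 1; }
  echo "OK: client certificate $cert is issued by a CA present in $ca"
}

# Usage (placeholder file names):
#   ./check_rmq_pems.sh cacerts.pem servercert.pem serverkey.pem clcert.pem
if [ -n "${1:-}" ]; then
  check_server_pems "$1" "$2" "$3" && check_client_pem "$1" "$4"
fi
```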

Stefan Pappalardo

Mar 30, 2022, 9:02:57 AM
to rabbitmq-users
Hi Luke,

Here is the output (attachment not working, obfuscation needed). "Verify return code: 0 (ok)" near the end lets me think that it's working as expected.
If so, it could be a client software or configuration issue.

$ openssl.exe s_client -connect <obfuscated>:5671 -cert clcert.pem -key clkey.pem -CAfile cacerts.pem -verify 8 -verify_hostname <obfuscated>.com
verify depth is 8
CONNECTED(00000004)
Can't use SSL_get_servername
depth=2 C = DE, L = <obfuscated>, O = <obfuscated>, CN = <obfuscated> Inhouse Root CA 2
verify return:1
depth=1 C = DE, L = <obfuscated>, O = <obfuscated>, CN = <obfuscated> Inhouse Sub CA 11
verify return:1
depth=0 C = DE, ST = <obfuscated>, L = <obfuscated>, O = <obfuscated>, OU = GS-DC, CN = <obfuscated>.com, emailAddress = <obfuscated>.com
verify return:1
---
Certificate chain
 0 s:C = DE, ST = <obfuscated>, L = <obfuscated>, O = <obfuscated>, OU = <obfuscated>, CN = <obfuscated>.com, emailAddress = <obfuscated>.com
   i:C = DE, L = <obfuscated>, O = <obfuscated>, CN = <obfuscated> Inhouse Sub CA 11
 1 s:C = DE, L = <obfuscated>, O = <obfuscated>, CN = <obfuscated> Inhouse Sub CA 11
   i:C = DE, L = <obfuscated>, O = <obfuscated>, CN = <obfuscated> Inhouse Root CA 2
 2 s:C = DE, L = <obfuscated>, O = <obfuscated>, CN = <obfuscated> Inhouse Root CA 2
   i:C = DE, L = <obfuscated>, O = <obfuscated>, CN = <obfuscated> Inhouse Root CA 2
---
Server certificate
-----BEGIN CERTIFICATE-----
<obfuscated>
-----END CERTIFICATE-----
subject=C = DE, ST = <obfuscated>, L = <obfuscated>, O = <obfuscated>, OU = GS-DC, CN = <obfuscated>.com, emailAddress = <obfuscated>.com

issuer=C = DE, L = <obfuscated>, O = <obfuscated>, CN = <obfuscated> Inhouse Sub CA 11

---
No client certificate CA names sent
Requested Signature Algorithms: RSA+SHA1:ECDSA+SHA1:RSA+SHA256:RSA+SHA384:RSA+SHA512:Ed448:Ed25519:RSA-PSS+SHA256:RSA-PSS+SHA384:RSA-PSS+SHA512:RSA-PSS+SHA256:RSA-PSS+SHA384:RSA-PSS+SHA512:ECDSA+SHA256:ECDSA+SHA384:ECDSA+SHA512
Shared Requested Signature Algorithms: RSA+SHA256:RSA+SHA384:RSA+SHA512:Ed448:Ed25519:RSA-PSS+SHA256:RSA-PSS+SHA384:RSA-PSS+SHA512:RSA-PSS+SHA256:RSA-PSS+SHA384:RSA-PSS+SHA512:ECDSA+SHA256:ECDSA+SHA384:ECDSA+SHA512
Peer signing digest: SHA256
Peer signature type: RSA-PSS
Server Temp Key: X25519, 253 bits
---
SSL handshake has read 6002 bytes and written 6505 bytes
Verification: OK
Verified peername: <obfuscated>.com
---
New, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384
Server public key is 2048 bit
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
Verify return code: 0 (ok)
---
read:errno=104


Luke Bakken

Mar 30, 2022, 9:20:28 AM
to rabbitmq-users
What was logged by RabbitMQ at the same time?

I should have suggested that you change the logging level to debug as well. This goes into your rabbitmq.conf file:

log.file.level = debug

A restart is required.

It's been long enough since I've used client cert auth that I will double-check what openssl reports in this case.

Luke


Stefan Pappalardo

Mar 30, 2022, 11:41:10 AM
to rabbitmq-users
I guess I got it working now with the following steps:
  • add the client certificate to IIS web sites
  • grant application pool's identity full permission to private key of client certificate
  • add thumbprint of client certificate to 11 appsettings.json files
Many thanks for pointing me in the right direction. :-)

Luke Bakken

Mar 30, 2022, 12:00:03 PM
to rabbitmq-users
Well done! Thank you for reporting back to the list.