RabbitMQ Error Log: tls_alert insufficient security


mach...@gmail.com

Nov 9, 2015, 3:10:02 PM
to rabbitmq-users
I've had a long 3 work days fighting to get SSL working with RabbitMQ. At first I was having CA verification errors. I may have "solved" (worked around really) that by using a 3rd party signed cert instead of a self signed one. The cacert, cert, and key files are all in pem format and all check out fine with basic tests. That is, they match each other, and I can use them for openssl server client tests OK. They also work with Apache. So I KNOW these work.

Using them in RabbitMQ, however gives the error below. I've been playing with the rabbitmq conf file and allowing/disallowing different SSL versions and cipher suites. So far no luck. 


=ERROR REPORT==== 9-Nov-2015::19:57:18 ===
Error on AMQP connection <0.354.0>:
{ssl_upgrade_error,{tls_alert,"insufficient security"}}


=ERROR REPORT==== 9-Nov-2015::19:57:19 ===
SSL: hello: tls_handshake.erl:114:Fatal error: insufficient security

If I run: 
rabbitmqctl eval 'ssl:cipher_suites(openssl).' | grep -i rsa

I get:
["ECDHE-ECDSA-AES256-SHA384","ECDHE-RSA-AES256-SHA384",
 "ECDH-ECDSA-AES256-SHA384","ECDH-RSA-AES256-SHA384","DHE-RSA-AES256-SHA256",
 "DHE-DSS-AES256-SHA256","AES256-SHA256","ECDHE-ECDSA-AES128-SHA256",
 "ECDHE-RSA-AES128-SHA256","ECDH-ECDSA-AES128-SHA256",
 "ECDH-RSA-AES128-SHA256","DHE-RSA-AES128-SHA256","DHE-DSS-AES128-SHA256",
 "AES128-SHA256","ECDHE-ECDSA-AES256-SHA","ECDHE-RSA-AES256-SHA",
 "DHE-RSA-AES256-SHA","DHE-DSS-AES256-SHA","ECDH-ECDSA-AES256-SHA",
 "ECDH-RSA-AES256-SHA","AES256-SHA","ECDHE-ECDSA-DES-CBC3-SHA",
 "ECDHE-RSA-DES-CBC3-SHA","EDH-RSA-DES-CBC3-SHA","EDH-DSS-DES-CBC3-SHA",
 "ECDH-ECDSA-DES-CBC3-SHA","ECDH-RSA-DES-CBC3-SHA","DES-CBC3-SHA",
 "ECDHE-ECDSA-AES128-SHA","ECDHE-RSA-AES128-SHA","DHE-RSA-AES128-SHA",
 "DHE-DSS-AES128-SHA","ECDH-ECDSA-AES128-SHA","ECDH-RSA-AES128-SHA",
 "AES128-SHA","ECDHE-ECDSA-RC4-SHA","ECDHE-RSA-RC4-SHA","RC4-SHA","RC4-MD5",
 "EDH-RSA-DES-CBC-SHA","ECDH-ECDSA-RC4-SHA","ECDH-RSA-RC4-SHA","DES-CBC-SHA"]

So I know Erlang is SSL aware. What could I be missing here? 

Michael Klishin

Nov 9, 2015, 3:44:45 PM
to rabbitm...@googlegroups.com, mach...@gmail.com
On 9 November 2015 at 23:10:04, mach...@gmail.com (mach...@gmail.com) wrote:
> So I know Erlang is SSL aware. What could I be missing here?

You have a list of server cipher suites now. You need to compare this to the list of suites supported
by the client.

I could find a few reports that indicate that R16B03 and earlier versions do not support certain elliptic curve
suites, for instance https://groups.google.com/d/msg/rabbitmq-users/oO86u0LXbiI/m4riVMVCwy8J.

Do you run 17.0+? 
--
MK

Staff Software Engineer, Pivotal/RabbitMQ
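
The comparison suggested in the reply above, as an added example that is not part of the original thread: it parses the broker's `ssl:cipher_suites(openssl)` output and a client's colon-separated suite list, then reports which suites both sides share and which of those are legacy. The default server text is an excerpt of the list posted earlier; the hardened server list, the client list and all function names are constructed for illustration.

```python
import re

# Substrings of OpenSSL-style suite names that mark legacy algorithms.
WEAK_MARKERS = ("RC4", "MD5", "DES-CBC", "EXP", "NULL")

def normalize(name):
    # Older OpenSSL and Erlang print "EDH-", newer OpenSSL prints "DHE-"
    # for the same suites; fold them so the comparison does not miss a match.
    return re.sub(r"^EDH-", "DHE-", name.strip().upper())

def parse_erlang_suites(text):
    """Suite names from the output of ssl:cipher_suites(openssl)."""
    return [normalize(s) for s in re.findall(r'"([A-Za-z0-9-]+)"', text)]

def parse_openssl_list(text):
    """Suite names from a colon-separated `openssl ciphers` style list."""
    return [normalize(s) for s in text.split(":") if s.strip()]

def compare(server, client):
    """Suites both sides support (server order) and the weak ones among them."""
    offered = set(client)
    shared = [s for s in server if s in offered]
    weak = [s for s in shared if any(m in s for m in WEAK_MARKERS)]
    return {"negotiable": bool(shared), "shared": shared, "shared_weak": weak}

# Excerpt of the server list posted earlier in this thread.
SERVER_DEFAULT = '''["ECDHE-RSA-AES256-SHA384","AES256-SHA",
 "EDH-RSA-DES-CBC3-SHA","RC4-SHA","RC4-MD5"]'''
# Constructed: a server restricted to two modern suites.
SERVER_HARDENED = '["ECDHE-RSA-AES256-SHA384","ECDHE-RSA-AES128-SHA256"]'
# Constructed: what a legacy client might offer.
CLIENT_LEGACY = "RC4-MD5:RC4-SHA:DHE-RSA-DES-CBC3-SHA"

def demo():
    client = parse_openssl_list(CLIENT_LEGACY)
    return {
        "default": compare(parse_erlang_suites(SERVER_DEFAULT), client),
        "hardened": compare(parse_erlang_suites(SERVER_HARDENED), client),
    }

if __name__ == "__main__":
    for label, result in demo().items():
        print(label, result)
```

An empty `shared` list means the two sides have no suite to agree on; a non-empty `shared_weak` list means the connection can only succeed on a legacy suite.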


mach...@gmail.com

Nov 9, 2015, 3:53:15 PM
to rabbitmq-users, mach...@gmail.com
I'm trying a few different versions. Did erlang OTP 17.5.3 and 18.1. Same result. Error log still says 

{ssl_upgrade_error,{tls_alert,"insufficient security"}}
SSL: hello: tls_handshake.erl:114:Fatal error: insufficient security

Cipher suite lists after upgrade:
5> io:format("~p", [ssl:cipher_suites(erlang)]).
[{ecdhe_ecdsa,aes_256_gcm,null},
 {ecdhe_rsa,aes_256_gcm,null},
 {ecdhe_ecdsa,aes_256_cbc,sha384},
 {ecdhe_rsa,aes_256_cbc,sha384},
 {ecdh_ecdsa,aes_256_gcm,null},
 {ecdh_rsa,aes_256_gcm,null},
 {ecdh_ecdsa,aes_256_cbc,sha384},
 {ecdh_rsa,aes_256_cbc,sha384},
 {dhe_rsa,aes_256_gcm,null},
 {dhe_dss,aes_256_gcm,null},
 {dhe_rsa,aes_256_cbc,sha256},
 {dhe_dss,aes_256_cbc,sha256},
 {rsa,aes_256_gcm,null},
 {rsa,aes_256_cbc,sha256},
 {ecdhe_ecdsa,aes_128_gcm,null},
 {ecdhe_rsa,aes_128_gcm,null},
 {ecdhe_ecdsa,aes_128_cbc,sha256},
 {ecdhe_rsa,aes_128_cbc,sha256},
 {ecdh_ecdsa,aes_128_gcm,null},
 {ecdh_rsa,aes_128_gcm,null},
 {ecdh_ecdsa,aes_128_cbc,sha256},
 {ecdh_rsa,aes_128_cbc,sha256},
 {dhe_rsa,aes_128_gcm,null},
 {dhe_dss,aes_128_gcm,null},
 {dhe_rsa,aes_128_cbc,sha256},
 {dhe_dss,aes_128_cbc,sha256},
 {rsa,aes_128_gcm,null},
 {rsa,aes_128_cbc,sha256},
 {ecdhe_ecdsa,aes_256_cbc,sha},
 {ecdhe_rsa,aes_256_cbc,sha},
 {dhe_rsa,aes_256_cbc,sha},
 {dhe_dss,aes_256_cbc,sha},
 {ecdh_ecdsa,aes_256_cbc,sha},
 {ecdh_rsa,aes_256_cbc,sha},
 {rsa,aes_256_cbc,sha},
 {ecdhe_ecdsa,'3des_ede_cbc',sha},
 {ecdhe_rsa,'3des_ede_cbc',sha},
 {dhe_rsa,'3des_ede_cbc',sha},
 {dhe_dss,'3des_ede_cbc',sha},
 {ecdh_ecdsa,'3des_ede_cbc',sha},
 {ecdh_rsa,'3des_ede_cbc',sha},
 {rsa,'3des_ede_cbc',sha},
 {ecdhe_ecdsa,aes_128_cbc,sha},
 {ecdhe_rsa,aes_128_cbc,sha},
 {dhe_rsa,aes_128_cbc,sha},
 {dhe_dss,aes_128_cbc,sha},
 {ecdh_ecdsa,aes_128_cbc,sha},
 {ecdh_rsa,aes_128_cbc,sha},
 {rsa,aes_128_cbc,sha},
 {dhe_rsa,des_cbc,sha},
 {rsa,des_cbc,sha}]ok

6> io:format("~p", [ssl:cipher_suites(openssl)]).
["ECDHE-ECDSA-AES256-GCM-SHA384","ECDHE-RSA-AES256-GCM-SHA384",
 "ECDHE-ECDSA-AES256-SHA384","ECDHE-RSA-AES256-SHA384",
 "ECDH-ECDSA-AES256-GCM-SHA384","ECDH-RSA-AES256-GCM-SHA384",
 "ECDH-ECDSA-AES256-SHA384","ECDH-RSA-AES256-SHA384",
 "DHE-RSA-AES256-GCM-SHA384","DHE-DSS-AES256-GCM-SHA384",
 "DHE-RSA-AES256-SHA256","DHE-DSS-AES256-SHA256","AES256-GCM-SHA384",
 "AES256-SHA256","ECDHE-ECDSA-AES128-GCM-SHA256",
 "ECDHE-RSA-AES128-GCM-SHA256","ECDHE-ECDSA-AES128-SHA256",
 "ECDHE-RSA-AES128-SHA256","ECDH-ECDSA-AES128-GCM-SHA256",
 "ECDH-RSA-AES128-GCM-SHA256","ECDH-ECDSA-AES128-SHA256",
 "ECDH-RSA-AES128-SHA256","DHE-RSA-AES128-GCM-SHA256",
 "DHE-DSS-AES128-GCM-SHA256","DHE-RSA-AES128-SHA256","DHE-DSS-AES128-SHA256",
 "AES128-GCM-SHA256","AES128-SHA256","ECDHE-ECDSA-AES256-SHA",
 "ECDHE-RSA-AES256-SHA","DHE-RSA-AES256-SHA","DHE-DSS-AES256-SHA",
 "ECDH-ECDSA-AES256-SHA","ECDH-RSA-AES256-SHA","AES256-SHA",
 "ECDHE-ECDSA-DES-CBC3-SHA","ECDHE-RSA-DES-CBC3-SHA","EDH-RSA-DES-CBC3-SHA",
 "EDH-DSS-DES-CBC3-SHA","ECDH-ECDSA-DES-CBC3-SHA","ECDH-RSA-DES-CBC3-SHA",
 "DES-CBC3-SHA","ECDHE-ECDSA-AES128-SHA","ECDHE-RSA-AES128-SHA",
 "DHE-RSA-AES128-SHA","DHE-DSS-AES128-SHA","ECDH-ECDSA-AES128-SHA",
 "ECDH-RSA-AES128-SHA","AES128-SHA","EDH-RSA-DES-CBC-SHA","DES-CBC-SHA"]ok
7>

Michael Klishin

Nov 9, 2015, 3:55:38 PM
to rabbitm...@googlegroups.com, mach...@gmail.com
On 9 November 2015 at 23:53:18, mach...@gmail.com (mach...@gmail.com) wrote:
> Same result. Error log still says
>
> {ssl_upgrade_error,{tls_alert,"insufficient security"}}
> SSL: hello: tls_handshake.erl:114:Fatal error: insufficient
> security

Can your client be using SSLv3? What client is this with? Does Sensu use amqp gem?

Michael Klishin

Nov 9, 2015, 4:01:07 PM
to rabbitm...@googlegroups.com, mach...@gmail.com
On 9 November 2015 at 23:53:18, mach...@gmail.com (mach...@gmail.com) wrote:
> Does Sensu use amqp gem?

So Sensu uses amqp gem and EventMachine. EventMachine is abandonware that
has very limited ability to configure TLS parameters, so I wouldn’t be surprised if it used SSLv3
or cipher suites that are considered really insecure these days by default.

It may be easier to run TLS through stunnel [1] with it.

1. https://www.stunnel.org 

mach...@gmail.com

Nov 9, 2015, 4:55:01 PM
to rabbitmq-users, mach...@gmail.com
OK, that makes sense. I was slowly arriving at a similar conclusion. You're faster than me ;)

I'll look into using stunnel. It'll be my first time with it. I'll update in a bit...

mach...@gmail.com

Nov 10, 2015, 7:26:39 PM
to rabbitmq-users, mach...@gmail.com
OK, I installed stunnel. Never used it before. I have it working - meaning I can start it using a concat'ed cert and key file. It is accepting on port 5673 and sending to 5671. I'm not really sure if that means it's working tho. Is there a good way to test that this is set up right?  I pretty much followed these instructions

While I see no big issues in the error logs, Sensu still seems frozen in time and not really updating anything. 

Michael Klishin

Nov 10, 2015, 8:05:27 PM
to rabbitm...@googlegroups.com, mach...@gmail.com
Make your client connect to stunnel, go to the
RabbitMQ management UI and see that the connection uses TLS.

Amithpn

Aug 3, 2017, 6:09:34 AM
to rabbitmq-users, mach...@gmail.com
I see this in RabbitMQ management UI:

Listening ports

Protocol    Bound to  Port
amqp        ::        5672
clustering  ::        25672
mqtt        ::        1883
mqtt/ssl    ::        8883

I guess TLS is enabled on port 8883. 

Michael Klishin

Aug 3, 2017, 7:46:17 AM
to rabbitm...@googlegroups.com
Please start new threads for new questions.

"Insufficient security" means that a client connection tried to use a TLS (or SSL) version
or cipher suite that's not supported by the server. If you configure RabbitMQ to only allow
TLSv1.2 connections but the client tries to use SSLv3 or TLSv1, this is the alert you are going to get.
