RabbitMQ TLS handshake_time error with Docker
602 views
Skip to first unread message
박재진
Dec 3, 2021, 9:12:06 AM12/3/21
to rabbitmq-users
Hi. im pretty newbee with rabbitmq.
and sorry for my english.
using tls-gen all pem files are generated and testing it with openssl is OK.
so *.pem files has no problem i think.
but when test with rabbitmq container, logs show me there is handshake_timeout error.
seems to be rabbitmq still in hello stage of handshake.
i followed RabbitMQ's troubleshooting document.
but no chance can fix it.
google said, handshake timeout means there is something is blocking handshake communication. and PROBLEM is i have no idea how can figure it out.
any help would be greatly appreciate
thanks.
yon...@laposte.net
Dec 3, 2021, 9:15:17 AM12/3/21
to rabbitm...@googlegroups.com
is the non SSL connection working? There might have the network issue.
De : "박재진"
A : "rabbitmq-users"
Envoyé: vendredi 3 Décembre 2021 22:12
Objet : [rabbitmq-users] RabbitMQ TLS handshake_time error with Docker
A : "rabbitmq-users"
Envoyé: vendredi 3 Décembre 2021 22:12
Objet : [rabbitmq-users] RabbitMQ TLS handshake_time error with Docker
--
You received this message because you are subscribed to the Google Groups "rabbitmq-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email to rabbitmq-user...@googlegroups.com.
To view this discussion on the web, visit https://groups.google.com/d/msgid/rabbitmq-users/6cd90b32-440c-4499-b28c-ce88cad9bdcfn%40googlegroups.com.
You received this message because you are subscribed to the Google Groups "rabbitmq-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email to rabbitmq-user...@googlegroups.com.
To view this discussion on the web, visit https://groups.google.com/d/msgid/rabbitmq-users/6cd90b32-440c-4499-b28c-ce88cad9bdcfn%40googlegroups.com.
박재진
Dec 5, 2021, 7:59:38 PM12/5/21
to rabbitmq-users
yes non SSL communication is working perfectly. -_-;
2021년 12월 3일 금요일 오후 11시 15분 17초 UTC+9에 yon...@laposte.net님이 작성:
Arnaud Cogoluègnes
Dec 6, 2021, 2:45:08 AM12/6/21
to rabbitmq-users
We need more information: version for Erlang, RabbitMQ, client library, broker configuration, and code sample.
You can use tls-gen [1] to create a sample project, reproduce the problem, and share with us.
박재진
Dec 6, 2021, 2:47:12 AM12/6/21
to rabbitmq-users
i've just change to my linux distribution from Manjaro to Ubuntu.
and i don't know why. it just working.
Think problem is solved.
2021년 12월 6일 월요일 오후 4시 45분 8초 UTC+9에 Arnaud Cogoluègnes님이 작성:
박재진
Dec 6, 2021, 6:33:11 AM12/6/21
to rabbitmq-users
i'm sorry, i thought problem was solved. but after some test, handshake is still not ok.
my docker-compose.yml ->
container_name: rabbitmq
hostname: "rabbitmq.service.local"
image: rabbitmq:management-alpine
depends_on:
- dns_server
ports:
- 5672:5672
- 5671:5671
- 15692:15692
- 15672:15672
environment:
- RABBITMQ_DEFAULT_USER=jjpark
- RABBITMQ_DEFAULT_PASS=jltech49867
volumes:
- /opt/rabbitmq/data:/var/lib/rabbitmq
- /opt/rabbitmq/log:/var/log/rabbitmq
- ./config/cert-server:/var/lib/rabbitmq/cert
- ./config/rabbitmq:/etc/rabbitmq/conf.d
restart: unless-stopped
rabbitmq.conf ->
listeners.tcp.default = 5672
listeners.ssl.default = 5671
ssl_options.cacertfile=/var/lib/rabbitmq/cert/server-ca.pem
ssl_options.certfile=/var/lib/rabbitmq/cert/server-cert.pem
ssl_options.keyfile=/var/lib/rabbitmq/cert/server-key.pem
ssl_options.verify=verify_peer
ssl_options.password=1234567890
ssl_options.fail_if_no_peer_cert = true
ssl_handshake_timeout=20000
loopback_users.guest = true
log.file.level=debug
listeners.ssl.default = 5671
ssl_options.cacertfile=/var/lib/rabbitmq/cert/server-ca.pem
ssl_options.certfile=/var/lib/rabbitmq/cert/server-cert.pem
ssl_options.keyfile=/var/lib/rabbitmq/cert/server-key.pem
ssl_options.verify=verify_peer
ssl_options.password=1234567890
ssl_options.fail_if_no_peer_cert = true
ssl_handshake_timeout=20000
loopback_users.guest = true
log.file.level=debug
rabbitmq-diagnostics --silent tls_version :
tlsv1.3
tlsv1.2
tlsv1.1
tlsv1
tlsv1.2
tlsv1.1
tlsv1
rabbitmq-diagnostics --silent tls-versions:
[{ssl_app,"10.5.3"},
{supported,['tlsv1.3','tlsv1.2']},
{supported_dtls,['dtlsv1.2']},
{available,['tlsv1.3','tlsv1.2','tlsv1.1',tlsv1]},
{available_dtls,['dtlsv1.2',dtlsv1]},
{implemented,['tlsv1.3','tlsv1.2','tlsv1.1',tlsv1]},
{implemented_dtls,['dtlsv1.2',dtlsv1]}]
{supported,['tlsv1.3','tlsv1.2']},
{supported_dtls,['dtlsv1.2']},
{available,['tlsv1.3','tlsv1.2','tlsv1.1',tlsv1]},
{available_dtls,['dtlsv1.2',dtlsv1]},
{implemented,['tlsv1.3','tlsv1.2','tlsv1.1',tlsv1]},
{implemented_dtls,['dtlsv1.2',dtlsv1]}]
rabbitmq-diagnostics cipher_suites --format openssl --silent
TLS_AES_256_GCM_SHA384
TLS_AES_128_GCM_SHA256
TLS_CHACHA20_POLY1305_SHA256
TLS_AES_128_CCM_SHA256
TLS_AES_128_CCM_8_SHA256
ECDHE-ECDSA-AES256-GCM-SHA384
ECDHE-RSA-AES256-GCM-SHA384
ECDHE-ECDSA-AES256-CCM
ECDHE-ECDSA-AES256-CCM8
ECDHE-ECDSA-AES256-SHA384
ECDHE-RSA-AES256-SHA384
ECDHE-ECDSA-CHACHA20-POLY1305
ECDHE-RSA-CHACHA20-POLY1305
ECDHE-ECDSA-AES128-GCM-SHA256
ECDHE-RSA-AES128-GCM-SHA256
ECDHE-ECDSA-AES128-CCM
ECDHE-ECDSA-AES128-CCM8
ECDH-ECDSA-AES256-GCM-SHA384
ECDH-RSA-AES256-GCM-SHA384
ECDH-ECDSA-AES256-SHA384
ECDH-RSA-AES256-SHA384
ECDH-ECDSA-AES128-GCM-SHA256
ECDH-RSA-AES128-GCM-SHA256
ECDHE-ECDSA-AES128-SHA256
ECDHE-RSA-AES128-SHA256
ECDH-ECDSA-AES128-SHA256
ECDH-RSA-AES128-SHA256
DHE-RSA-AES256-GCM-SHA384
DHE-DSS-AES256-GCM-SHA384
DHE-RSA-AES256-SHA256
DHE-DSS-AES256-SHA256
DHE-RSA-AES128-GCM-SHA256
DHE-DSS-AES128-GCM-SHA256
DHE-RSA-CHACHA20-POLY1305
DHE-RSA-AES128-SHA256
DHE-DSS-AES128-SHA256
ECDHE-ECDSA-AES256-SHA
ECDHE-RSA-AES256-SHA
ECDH-ECDSA-AES256-SHA
ECDH-RSA-AES256-SHA
ECDHE-ECDSA-AES128-SHA
ECDHE-RSA-AES128-SHA
ECDH-ECDSA-AES128-SHA
ECDH-RSA-AES128-SHA
DHE-RSA-AES256-SHA
DHE-DSS-AES256-SHA
DHE-RSA-AES128-SHA
DHE-DSS-AES128-SHA
TLS_AES_128_GCM_SHA256
TLS_CHACHA20_POLY1305_SHA256
TLS_AES_128_CCM_SHA256
TLS_AES_128_CCM_8_SHA256
ECDHE-ECDSA-AES256-GCM-SHA384
ECDHE-RSA-AES256-GCM-SHA384
ECDHE-ECDSA-AES256-CCM
ECDHE-ECDSA-AES256-CCM8
ECDHE-ECDSA-AES256-SHA384
ECDHE-RSA-AES256-SHA384
ECDHE-ECDSA-CHACHA20-POLY1305
ECDHE-RSA-CHACHA20-POLY1305
ECDHE-ECDSA-AES128-GCM-SHA256
ECDHE-RSA-AES128-GCM-SHA256
ECDHE-ECDSA-AES128-CCM
ECDHE-ECDSA-AES128-CCM8
ECDH-ECDSA-AES256-GCM-SHA384
ECDH-RSA-AES256-GCM-SHA384
ECDH-ECDSA-AES256-SHA384
ECDH-RSA-AES256-SHA384
ECDH-ECDSA-AES128-GCM-SHA256
ECDH-RSA-AES128-GCM-SHA256
ECDHE-ECDSA-AES128-SHA256
ECDHE-RSA-AES128-SHA256
ECDH-ECDSA-AES128-SHA256
ECDH-RSA-AES128-SHA256
DHE-RSA-AES256-GCM-SHA384
DHE-DSS-AES256-GCM-SHA384
DHE-RSA-AES256-SHA256
DHE-DSS-AES256-SHA256
DHE-RSA-AES128-GCM-SHA256
DHE-DSS-AES128-GCM-SHA256
DHE-RSA-CHACHA20-POLY1305
DHE-RSA-AES128-SHA256
DHE-DSS-AES128-SHA256
ECDHE-ECDSA-AES256-SHA
ECDHE-RSA-AES256-SHA
ECDH-ECDSA-AES256-SHA
ECDH-RSA-AES256-SHA
ECDHE-ECDSA-AES128-SHA
ECDHE-RSA-AES128-SHA
ECDH-ECDSA-AES128-SHA
ECDH-RSA-AES128-SHA
DHE-RSA-AES256-SHA
DHE-DSS-AES256-SHA
DHE-RSA-AES128-SHA
DHE-DSS-AES128-SHA
testing generated pem files with openssl is good.
---
No client certificate CA names sent
Peer signing digest: SHA256
Peer signature type: RSA-PSS
Server Temp Key: X25519, 253 bits
---
SSL handshake has read 2318 bytes and written 363 bytes
Verification: OK
---
New, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384
Server public key is 2048 bit
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
Verify return code: 0 (ok)
---
---
Post-Handshake New Session Ticket arrived:
SSL-Session:
Protocol : TLSv1.3
Cipher : TLS_AES_256_GCM_SHA384
Session-ID: F6002BC16DF93390C0E0844F8C299B04348B069C322DB10FC6FEB203A1D7B334
Session-ID-ctx:
Resumption PSK: 5B1BB265DFBD52801CC93A389C3522161F48EC6348846193A5AAD44CDA22A862FFAA7C2F1B5A1CB17F8C2D9D6F215EF1
PSK identity: None
PSK identity hint: None
SRP username: None
TLS session ticket lifetime hint: 7200 (seconds)
TLS session ticket:
0000 - 42 53 5f 58 24 a9 ca 02-d3 d3 ce 3a 66 44 c3 b1 BS_X$......:fD..
0010 - b5 ad 39 2c 95 b6 50 55-c7 3b 1c eb bc dc e0 0d ..9,..PU.;......
0020 - af e3 c5 a4 84 bb 11 b8-db bb f2 08 d1 5a 3a e2 .............Z:.
0030 - 69 4d 3a de 7b 28 6f 81-21 36 16 50 1e 64 8e 9c iM:.{(o.!6.P.d..
0040 - 77 a2 c3 28 98 9f 2a 9d-18 b3 a1 a6 ac 25 91 5f w..(..*......%._
0050 - be 28 5f 18 bb 78 66 a5-fc ef 08 5d 96 15 de e9 .(_..xf....]....
0060 - f2 5c 44 67 e6 df b8 29-08 77 2d 7e 7f c8 41 88 .\Dg...).w-~..A.
0070 - 17 b2 65 45 9f a6 43 25-93 01 a2 d6 05 02 11 fd ..eE..C%........
0080 - 70 7e 62 f5 4f c0 ed ce-5e 27 c5 10 8d 3c 5f f1 p~b.O...^'...<_.
0090 - 0f 59 5a a8 e0 e1 ad d7-1c db 56 cc 3d 01 f7 1a .YZ.......V.=...
00a0 - a4 fe 17 45 2e ff ab 4f-12 00 25 40 97 a0 0c ce ...E...O..%@....
00b0 - 4d 09 a3 82 23 4c 6f d3-1c 6a e6 5e b2 51 74 ad M...#Lo..j.^.Qt.
Start Time: 1638790158
Timeout : 7200 (sec)
Verify return code: 0 (ok)
Extended master secret: no
Max Early Data: 0
---
No client certificate CA names sent
Peer signing digest: SHA256
Peer signature type: RSA-PSS
Server Temp Key: X25519, 253 bits
---
SSL handshake has read 2318 bytes and written 363 bytes
Verification: OK
---
New, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384
Server public key is 2048 bit
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
Verify return code: 0 (ok)
---
---
Post-Handshake New Session Ticket arrived:
SSL-Session:
Protocol : TLSv1.3
Cipher : TLS_AES_256_GCM_SHA384
Session-ID: F6002BC16DF93390C0E0844F8C299B04348B069C322DB10FC6FEB203A1D7B334
Session-ID-ctx:
Resumption PSK: 5B1BB265DFBD52801CC93A389C3522161F48EC6348846193A5AAD44CDA22A862FFAA7C2F1B5A1CB17F8C2D9D6F215EF1
PSK identity: None
PSK identity hint: None
SRP username: None
TLS session ticket lifetime hint: 7200 (seconds)
TLS session ticket:
0000 - 42 53 5f 58 24 a9 ca 02-d3 d3 ce 3a 66 44 c3 b1 BS_X$......:fD..
0010 - b5 ad 39 2c 95 b6 50 55-c7 3b 1c eb bc dc e0 0d ..9,..PU.;......
0020 - af e3 c5 a4 84 bb 11 b8-db bb f2 08 d1 5a 3a e2 .............Z:.
0030 - 69 4d 3a de 7b 28 6f 81-21 36 16 50 1e 64 8e 9c iM:.{(o.!6.P.d..
0040 - 77 a2 c3 28 98 9f 2a 9d-18 b3 a1 a6 ac 25 91 5f w..(..*......%._
0050 - be 28 5f 18 bb 78 66 a5-fc ef 08 5d 96 15 de e9 .(_..xf....]....
0060 - f2 5c 44 67 e6 df b8 29-08 77 2d 7e 7f c8 41 88 .\Dg...).w-~..A.
0070 - 17 b2 65 45 9f a6 43 25-93 01 a2 d6 05 02 11 fd ..eE..C%........
0080 - 70 7e 62 f5 4f c0 ed ce-5e 27 c5 10 8d 3c 5f f1 p~b.O...^'...<_.
0090 - 0f 59 5a a8 e0 e1 ad d7-1c db 56 cc 3d 01 f7 1a .YZ.......V.=...
00a0 - a4 fe 17 45 2e ff ab 4f-12 00 25 40 97 a0 0c ce ...E...O..%@....
00b0 - 4d 09 a3 82 23 4c 6f d3-1c 6a e6 5e b2 51 74 ad M...#Lo..j.^.Qt.
Start Time: 1638790158
Timeout : 7200 (sec)
Verify return code: 0 (ok)
Extended master secret: no
Max Early Data: 0
---
but
when i doing
openssl s_client -connect localhost:5671 -cert client-cert.pem -key client-key.pem -CAfile client-ca.pem
logs are as followed
---
No client certificate CA names sent
Requested Signature Algorithms: RSA+SHA1:ECDSA+SHA1:RSA+SHA256:RSA+SHA384:RSA+SHA512:Ed448:Ed25519:RSA-PSS+SHA256:RSA-PSS+SHA384:RSA-PSS+SHA512:RSA-PSS+SHA256:RSA-PSS+SHA384:RSA-PSS+SHA512:ECDSA+SHA256:ECDSA+SHA384:ECDSA+SHA512
Shared Requested Signature Algorithms: RSA+SHA256:RSA+SHA384:RSA+SHA512:Ed448:Ed25519:RSA-PSS+SHA256:RSA-PSS+SHA384:RSA-PSS+SHA512:RSA-PSS+SHA256:RSA-PSS+SHA384:RSA-PSS+SHA512:ECDSA+SHA256:ECDSA+SHA384:ECDSA+SHA512
Peer signing digest: SHA256
Peer signature type: RSA-PSS
Server Temp Key: X25519, 253 bits
---
SSL handshake has read 2385 bytes and written 2380 bytes
Verification: OK
---
New, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384
Server public key is 2048 bit
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
Verify return code: 0 (ok)
---
closed
No client certificate CA names sent
Requested Signature Algorithms: RSA+SHA1:ECDSA+SHA1:RSA+SHA256:RSA+SHA384:RSA+SHA512:Ed448:Ed25519:RSA-PSS+SHA256:RSA-PSS+SHA384:RSA-PSS+SHA512:RSA-PSS+SHA256:RSA-PSS+SHA384:RSA-PSS+SHA512:ECDSA+SHA256:ECDSA+SHA384:ECDSA+SHA512
Shared Requested Signature Algorithms: RSA+SHA256:RSA+SHA384:RSA+SHA512:Ed448:Ed25519:RSA-PSS+SHA256:RSA-PSS+SHA384:RSA-PSS+SHA512:RSA-PSS+SHA256:RSA-PSS+SHA384:RSA-PSS+SHA512:ECDSA+SHA256:ECDSA+SHA384:ECDSA+SHA512
Peer signing digest: SHA256
Peer signature type: RSA-PSS
Server Temp Key: X25519, 253 bits
---
SSL handshake has read 2385 bytes and written 2380 bytes
Verification: OK
---
New, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384
Server public key is 2048 bit
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
Verify return code: 0 (ok)
---
closed
and rabbitmq's logs was
2021-12-06 11:31:22.912985+00:00 [info] <0.982.0> Supervisor {<0.982.0>,rabbit_connection_sup}: child helper_sup started (<0.983.0>): {rabbit_connection_helper_sup,start_link,[]}
2021-12-06 11:31:22.913129+00:00 [info] <0.982.0> Supervisor {<0.982.0>,rabbit_connection_sup}: child reader started (<0.984.0>): {rabbit_reader,start_link,[<0.983.0>,{acceptor,{0,0,0,0,0,0,0,0},5671}]}
2021-12-06 11:31:32.919662+00:00 [info] <0.984.0> accepting AMQP connection <0.984.0> (172.18.0.1:55624 -> 172.18.0.5:5671)
2021-12-06 11:31:32.919824+00:00 [erro] <0.984.0> closing AMQP connection <0.984.0> (172.18.0.1:55624 -> 172.18.0.5:5671):
2021-12-06 11:31:32.919824+00:00 [erro] <0.984.0> {handshake_timeout,handshake}
2021-12-06 11:31:32.920357+00:00 [dbug] <0.991.0> Closing all channels from connection '172.18.0.1:55624 -> 172.18.0.5:5671' because it has been closed
2021-12-06 11:31:22.913129+00:00 [info] <0.982.0> Supervisor {<0.982.0>,rabbit_connection_sup}: child reader started (<0.984.0>): {rabbit_reader,start_link,[<0.983.0>,{acceptor,{0,0,0,0,0,0,0,0},5671}]}
2021-12-06 11:31:32.919662+00:00 [info] <0.984.0> accepting AMQP connection <0.984.0> (172.18.0.1:55624 -> 172.18.0.5:5671)
2021-12-06 11:31:32.919824+00:00 [erro] <0.984.0> closing AMQP connection <0.984.0> (172.18.0.1:55624 -> 172.18.0.5:5671):
2021-12-06 11:31:32.919824+00:00 [erro] <0.984.0> {handshake_timeout,handshake}
2021-12-06 11:31:32.920357+00:00 [dbug] <0.991.0> Closing all channels from connection '172.18.0.1:55624 -> 172.18.0.5:5671' because it has been closed
if needed other info
just name it.
thanks for your helps.
2021년 12월 6일 월요일 오후 4시 47분 12초 UTC+9에 박재진님이 작성:
Arnaud Cogoluègnes
Dec 6, 2021, 7:28:45 AM12/6/21
to rabbitmq-users
You should try with an actual AMQP client. The {handshake_timeout,handshake} error is likely to be a timeout for the AMQP handshake, not from TLS, because OpenSSL does not send anything after it established the TLS connection and the AMQP network adapter expects some AMQP frames.
Reply all
Reply to author
Forward
0 new messages