Issues with SSL connection


jocelyn fournier

Aug 5, 2014, 3:34:20 AM
to rabbitm...@googlegroups.com
Hi,

I'm trying to get a RabbitMQ SSL connection working, but so far it fails...

I'm using an SSL certificate from Comodo (wildcard domain).
To test my certificate I've tried a direct communication with openssl:

openssl s_client -connect localhost:8443 -CAfile /etc/ssl/codizy/sf_bundle.crt
+
openssl s_server -accept 8443 -cert /etc/ssl/codizy/codizy.com.crt -key /etc/ssl/codizy/codizy.key -CAfile /etc/ssl/codizy/sf_bundle.crt

All is working properly with openssl.

So I've configured RabbitMQ to work with SSL. My config file:

[
  {rabbit, [
     {ssl_listeners, [5671]},
     {ssl_options, [{cacertfile,"/etc/ssl/codizy/sf_bundle.crt"},
                    {certfile,"/etc/ssl/codizy/codizy.com.crt"},
                    {keyfile,"/etc/ssl/codizy/codizy.key"},
                    {verify,verify_peer},
                    {fail_if_no_peer_cert,false}]}
   ]}
].

After restarting RabbitMQ, it listens on port 5671 properly.
However, each time I try to communicate with RabbitMQ (either with a RabbitMQ client or directly with openssl s_client), I get the following error in the log:

** Reason for termination = 
** {function_clause,[{ssl_certificate,signature_type,
                                      [{1,2,840,113549,1,1,11}],
                                      [{file,"ssl_certificate.erl"},
                                       {line,174}]},
                     {ssl_cipher,filter,2,
                                 [{file,"ssl_cipher.erl"},{line,401}]},
                     {ssl_handshake,select_session,8,
                                    [{file,"ssl_handshake.erl"},{line,593}]},
                     {ssl_handshake,hello,4,
                                    [{file,"ssl_handshake.erl"},{line,152}]},
                     {ssl_connection,hello,2,
                                     [{file,"ssl_connection.erl"},{line,413}]},
                     {ssl_connection,next_state,4,
                                     [{file,"ssl_connection.erl"},
                                      {line,1929}]},
                     {gen_fsm,handle_msg,7,[{file,"gen_fsm.erl"},{line,494}]},
                     {proc_lib,init_p_do_apply,3,
                               [{file,"proc_lib.erl"},{line,227}]}]}
=ERROR REPORT==== 31-Jul-2014::23:17:14 ===
error on AMQP connection <0.2773.0>: {ssl_upgrade_failure,
                                      {{function_clause,
                                        [{ssl_certificate,signature_type,
                                          [{1,2,840,113549,1,1,11}],
                                          [{file,"ssl_certificate.erl"},
                                           {line,174}]},
                                         {ssl_cipher,filter,2,
                                          [{file,"ssl_cipher.erl"},
                                           {line,401}]},
                                         {ssl_handshake,select_session,8,
                                          [{file,"ssl_handshake.erl"},
                                           {line,593}]},
                                         {ssl_handshake,hello,4,
                                          [{file,"ssl_handshake.erl"},
                                           {line,152}]},
                                         {ssl_connection,hello,2,
                                          [{file,"ssl_connection.erl"},
                                           {line,413}]},
                                         {ssl_connection,next_state,4,
                                          [{file,"ssl_connection.erl"},
                                           {line,1929}]},
                                         {gen_fsm,handle_msg,7,
                                          [{file,"gen_fsm.erl"},{line,494}]},
                                         {proc_lib,init_p_do_apply,3,
                                          [{file,"proc_lib.erl"},
                                           {line,227}]}]},
                                       {gen_fsm,sync_send_all_state_event,
                                        [<0.2774.0>,start,5000]}}}
With openssl s_client, I'm getting the following error:

openssl s_client -CAfile /etc/ssl/codizy/sf_bundle_mq.crt -connect xxxx:5671 -ssl3

CONNECTED(00000003)
139801188603560:error:1409E0E5:SSL routines:SSL3_WRITE_BYTES:ssl handshake failure:s3_pkt.c:596:
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 0 bytes and written 0 bytes
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : SSLv3
    Cipher    : 0000
    Session-ID: 
    Session-ID-ctx: 
    Master-Key: 
    Key-Arg   : None
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    Start Time: 1407223738
    Timeout   : 7200 (sec)
    Verify return code: 0 (ok)
---

RabbitMQ status info:

Status of node rabbit@xxx ...
[{pid,5976},
 {running_applications,
     [{rabbitmq_management,"RabbitMQ Management Console","2.8.4"},
      {xmerl,"XML parser","1.3.1"},
      {rabbitmq_management_agent,"RabbitMQ Management Agent","2.8.4"},
      {amqp_client,"RabbitMQ AMQP Client","2.8.4"},
      {rabbit,"RabbitMQ","2.8.4"},
      {ssl,"Erlang/OTP SSL application","5.0.1"},
      {public_key,"Public key infrastructure","0.15"},
      {crypto,"CRYPTO version 2","2.1"},
      {os_mon,"CPO  CXC 138 46","2.2.9"},
      {sasl,"SASL  CXC 138 11","2.2.1"},
      {rabbitmq_mochiweb,"RabbitMQ Mochiweb Embedding","2.8.4"},
      {webmachine,"webmachine","1.7.0-rmq2.8.4-hg"},
      {mochiweb,"MochiMedia Web Server","1.3-rmq2.8.4-git"},
      {inets,"INETS  CXC 138 49","5.9"},
      {mnesia,"MNESIA  CXC 138 12","4.7"},
      {stdlib,"ERTS  CXC 138 10","1.18.1"},
      {kernel,"ERTS  CXC 138 10","2.15.1"}]},
 {os,{unix,linux}},
 {erlang_version,
     "Erlang R15B01 (erts-5.9.1) [source] [64-bit] [smp:8:8] [async-threads:30] [kernel-poll:true]\n"},
 {memory,
     [{total,108145440},
      {processes,15789588},
      {processes_used,15789532},
      {system,92355852},
      {atom,752537},
      {atom_used,732672},
      {binary,37384},
      {code,19511124},
      {ets,1225248}]},
 {vm_memory_high_watermark,0.399999999997041},
 {vm_memory_limit,27036054323},
 {disk_free_limit,1000000000},
 {disk_free,3103305728},
 {file_descriptors,
     [{total_limit,99900},
      {total_used,4},
      {sockets_limit,89908},
      {sockets_used,2}]},
 {processes,[{limit,1048576},{used,190}]},
 {run_queue,0},
 {uptime,840}]
...done.

Any help would be greatly appreciated!

Thanks and regards,
  Jocelyn Fournier

Michael Klishin

Aug 5, 2014, 3:45:00 AM
to rabbitm...@googlegroups.com, jocelyn fournier
On 5 August 2014 at 11:34:32, jocelyn fournier (jocelyn....@gmail.com) wrote:
> {erlang_version,
> "Erlang R15B01 (erts-5.9.1) [source] [64-bit] [smp:8:8] [async-threads:30]
> [kernel-poll:true]\n"},

Jocelyn,

A quick search suggests R15B01 does not support sha256-with-rsa, which is likely
what your certificate uses.

Please try 17.1. To find out what your certificate uses, run

openssl x509 -in [path/to/the/certificate] -text -noout

and look for "Signature Algorithm". 
--
MK

Staff Software Engineer, Pivotal/RabbitMQ
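The OID the Erlang crash prints, {1,2,840,113549,1,1,11}, is sha256WithRSAEncryption, which is what the openssl x509 check above reports as "Signature Algorithm". The Python below is an added example (not from this thread, and not RabbitMQ or Erlang/OTP code) that pulls the signatureAlgorithm OID out of a certificate with a minimal DER walker, names it, and flags it against a set of algorithms assumed acceptable on the old OTP release, so the check can be scripted across many certificate files. Two things in it are assumptions: the certificate it parses is a constructed, certificate-shaped DER shell rather than a real certificate, and the "known-good" set contains only sha1WithRSA because the thread establishes nothing beyond R15B01 rejecting sha256WithRSA.

```python
import base64
import re

# PKCS#1 and ECDSA signature-algorithm OIDs (RFC 4055, RFC 5758) in dotted form.
SIG_ALG_NAMES = {
    "1.2.840.113549.1.1.5": "sha1WithRSAEncryption",
    "1.2.840.113549.1.1.11": "sha256WithRSAEncryption",
    "1.2.840.113549.1.1.12": "sha384WithRSAEncryption",
    "1.2.840.113549.1.1.13": "sha512WithRSAEncryption",
    "1.2.840.10045.4.3.2": "ecdsa-with-SHA256",
}
# Assumption for this example: the thread only shows that R15B01 rejects
# sha256WithRSA, so sha1WithRSA is the only algorithm treated as known-good there.
LEGACY_OTP_KNOWN_GOOD = {"sha1WithRSAEncryption"}

def erlang_oid_to_dotted(term):
    """'{1,2,840,113549,1,1,11}' as printed in the Erlang crash -> '1.2.840.113549.1.1.11'."""
    return ".".join(re.findall(r"\d+", term))

def _read_tlv(buf, pos):
    """Parse one DER TLV at buf[pos]; return (tag, contents, position after it)."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:  # long form: low 7 bits give the number of length octets
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def _decode_oid(contents):
    """Decode OBJECT IDENTIFIER content octets (base-128 arcs) to dotted form."""
    arcs, acc = [contents[0] // 40, contents[0] % 40], 0
    for b in contents[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:  # high bit clear: last octet of this arc
            arcs.append(acc)
            acc = 0
    return ".".join(map(str, arcs))

def pem_to_der(pem):
    """Strip the PEM armour and base64-decode the certificate body."""
    body = re.sub(r"-----(BEGIN|END) CERTIFICATE-----", "", pem)
    return base64.b64decode("".join(body.split()))

def signature_algorithm(der):
    """Dotted OID of Certificate.signatureAlgorithm, the second element of the
    outer SEQUENCE (RFC 5280: tbsCertificate, signatureAlgorithm, signatureValue)."""
    tag, cert, _ = _read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("outer element is not a SEQUENCE")
    _, _tbs, pos = _read_tlv(cert, 0)            # skip tbsCertificate
    alg_tag, alg_id, _ = _read_tlv(cert, pos)    # AlgorithmIdentifier SEQUENCE
    oid_tag, oid, _ = _read_tlv(alg_id, 0)       # its first element is the OID
    if alg_tag != 0x30 or oid_tag != 0x06:
        raise ValueError("malformed AlgorithmIdentifier")
    return _decode_oid(oid)

def describe(pem):
    """Name the signature algorithm and say whether the legacy OTP would accept it."""
    oid = signature_algorithm(pem_to_der(pem))
    name = SIG_ALG_NAMES.get(oid, "unknown")
    return {"oid": oid, "name": name, "legacy_otp_ok": name in LEGACY_OTP_KNOWN_GOOD}

# --- constructed test input: a certificate-shaped DER shell, not a real certificate ---
def _tlv(tag, contents):
    if len(contents) < 0x80:
        return bytes([tag, len(contents)]) + contents
    lb = len(contents).to_bytes((len(contents).bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + contents

def _encode_oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    out = bytes([arcs[0] * 40 + arcs[1]])
    for a in arcs[2:]:
        chunk = [a & 0x7F]
        a >>= 7
        while a:
            chunk.append(0x80 | (a & 0x7F))
            a >>= 7
        out += bytes(reversed(chunk))
    return out

def constructed_certificate_pem(sig_oid):
    """PEM of a structurally valid Certificate SEQUENCE: dummy tbsCertificate (long enough
    to force long-form lengths), the given signatureAlgorithm, dummy signature BIT STRING."""
    tbs = _tlv(0x30, _tlv(0x02, b"\x01") + _tlv(0x04, b"\x00" * 200))
    alg = _tlv(0x30, _tlv(0x06, _encode_oid(sig_oid)) + _tlv(0x05, b""))
    sig = _tlv(0x03, b"\x00" + b"\xab" * 8)
    b64 = base64.b64encode(_tlv(0x30, tbs + alg + sig)).decode()
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return "-----BEGIN CERTIFICATE-----\n" + "\n".join(lines) + "\n-----END CERTIFICATE-----\n"

if __name__ == "__main__":
    print(SIG_ALG_NAMES[erlang_oid_to_dotted("{1,2,840,113549,1,1,11}")])
    for oid in ("1.2.840.113549.1.1.11", "1.2.840.113549.1.1.5"):
        print(describe(constructed_certificate_pem(oid)))
```

Passing the text of a real PEM file to describe() gives the same answer as the "Signature Algorithm" line of openssl x509 -text; the walker only reads the outer SEQUENCE, so it does not care what the tbsCertificate contains.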

jocelyn fournier

Aug 5, 2014, 4:35:43 AM
to rabbitm...@googlegroups.com, jocelyn....@gmail.com
Hi Michael,

Thanks for the suggestion, I'll try with a newer version of erlang.
Indeed, the certificate used is signed with sha256WithRSAEncryption:

openssl x509 -in /etc/ssl/codizy/codizy.com.crt -text -noout

Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            26:44:3d:9b:db:a4:b1:49:3e:4a:0d:1c:1a:cb:07:59
    Signature Algorithm: sha256WithRSAEncryption
        Issuer: C=GB, ST=Greater Manchester, L=Salford, O=COMODO CA Limited, CN=COMODO RSA Domain Validation Secure Server CA
        Validity
            Not Before: Jul  4 00:00:00 2014 GMT
            Not After : Jul  4 23:59:59 2015 GMT

It would be great to add a line about this potential issue in https://www.rabbitmq.com/troubleshooting-ssl.html :)

Thanks,

  Jocelyn

Michael Klishin

Aug 5, 2014, 4:44:18 AM
to rabbitm...@googlegroups.com, jocelyn fournier
On 5 August 2014 at 12:35:49, jocelyn fournier (jocelyn....@gmail.com) wrote:
> That would be great to add a line about this potential issue in
> https://www.rabbitmq.com/troubleshooting-ssl.html :)

Done.

jocelyn fournier

Aug 5, 2014, 4:52:39 AM
to rabbitm...@googlegroups.com, jocelyn....@gmail.com
A small update on https://www.rabbitmq.com/which-erlang.html as well would be great ;)
With the new erlang it works properly now (it complains about the client certificate, but that's expected behaviour).

Thanks a lot!
  Jocelyn

Michael Klishin

Aug 5, 2014, 5:03:42 AM
to rabbitm...@googlegroups.com, jocelyn fournier
On 5 August 2014 at 12:52:52, jocelyn fournier (jocelyn....@gmail.com) wrote:
> a small update on https://www.rabbitmq.com/which-erlang.html
> as well would be great ;)

Done. We'll recommend R16B01+ for TLS; it would be easier for everybody.