Warnings concerning certificate chain verification and server name indication


wei...@org.dkrz.de

Mar 20, 2019, 5:54:52 AM
to rabbitmq-users
We are running a RabbitMQ server federation with one downstream and 4 upstream nodes, but since upgrading the downstream from 3.6.x to 3.7.13, we are encountering warnings in our logs (spamming, every couple of seconds):

2019-03-20 10:03:15.575 [warning] <0.6869.0> Connection (<0.6869.0>): Certificate chain verification is not enabled for this TLS connection. Please see https://rabbitmq.com/ssl.html for more information.
2019-03-20 10:03:15.600 [warning] <0.6868.0> Connection (<0.6868.0>): Server name indication is not enabled for this TLS connection. Please see https://rabbitmq.com/ssl.html for more information.

The server has a valid (non self-signed) SSL certificate. Our security expert tells me that it is strange that these things are not enabled by default, but apparently, this is the case for Erlang.

I read the ssl and other manual pages and as first consequence, I set in rabbitmq.conf:

ssl_options.verify               = verify_peer
ssl_options.fail_if_no_peer_cert = true

The warnings persisted. Since our server is the exit point of a federation (federated exchanges), I did more reading and eventually thought that the culprit may be the built-in AMQP client of the federation plugin that connects to upstream servers and will also require configuration. The upstream servers also have valid TLS certificates. One of them is local, just upgraded to 3.7.13 as well.
So I added to advanced.conf:

{amqp_client, [
    {ssl_options, [
        {cacertfile, "..."},
        {certfile,   "..."},
        {keyfile,    "..."},
        {verify,     verify_peer},
        {depth,      4}
    ]}
]},

This, however, causes additional errors to appear in the [info] log (the known warnings also persist):

2019-03-20 10:51:45.299 [info] <0.1716.0> TLS client: In state certify at ssl_handshake.erl:1295 generated CLIENT ALERT: Fatal - Unknown CA
2019-03-20 10:51:45.319 [info] <0.1732.0> TLS client: In state certify at ssl_handshake.erl:1297 generated CLIENT ALERT: Fatal - Handshake Failure - {bad_cert,hostname_check_failed}

I should add that the cacertfile contains the full chain with root, so I'm not sure why there is the Unknown CA error.

I also tried what read to me as an alternative way, including the ssl infos in the federation upstream URI:

amqps://user:password@fqdn/virtual-host?cacertfile=...&certfile=...&keyfile=...&server_name_indication=fqdn

This leads to errors in the upstream server's log:

SERVER ALERT: Fatal - Handshake Failure - {bad_cert,invalid_ext_key_usage}

Another thread in this forum where this error is mentioned - https://groups.google.com/forum/#!topic/rabbitmq-users/D1-Xr0DuTOk - reads to me as if I'm mixing up client and server certificates here. But I'm starting to think I am misunderstanding something entirely; I don't believe we need client certificates just to get rid of the original warnings, do we? What am I missing?
Any help appreciated.

Michael Klishin

Mar 22, 2019, 1:14:24 PM
to rabbitmq-users
I believe the warning comes from the Erlang *client* (used by Shovel and Federation plugins), not the server (TLS listener/connection).

"" means that your certificate has X.509 certificate usage extensions that do not match its actual use, e.g. the certificate is limited to be used by servers and you tried using it for Federation. [1][2] are relevant.

You can inspect certificate key usage and other information with openssl CLI tools [3].

--
MK

Staff Software Engineer, Pivotal/RabbitMQ
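Following the advice above to inspect key usage with the openssl CLI, here is an added example that is not part of the thread and not RabbitMQ's own tooling: a POSIX shell script that reads a certificate's extendedKeyUsage and runs `openssl verify -purpose sslclient`, the role a Federation link's certificate plays towards its upstream. The certificates, subjects and file names are constructed for the demonstration; generating them needs OpenSSL 1.1.1 or newer for `-addext`.

```shell
#!/bin/sh
# Added example (not from the thread). Checks whether a certificate may be
# presented as a TLS *client*, which is how the Federation/Shovel Erlang client
# uses it. Everything below (subjects, paths) is constructed.

# Print the extendedKeyUsage purposes of a PEM certificate, or "absent" when
# the extension is missing (RFC 5280: no EKU means no usage restriction).
eku_of() {  # eku_of CERT.pem
    line=$(openssl x509 -in "$1" -noout -text |
        awk '/X509v3 Extended Key Usage/ { getline; sub(/^ +/, ""); print; exit }')
    [ -n "$line" ] && printf '%s\n' "$line" || echo absent
}

# Chain and purpose check against a CA bundle, approximating what the peer
# does during the handshake. Returns 0 when CERT chains to CAFILE and is
# usable for PURPOSE (sslclient or sslserver).
verify_for() {  # verify_for CERT.pem CAFILE.pem PURPOSE
    openssl verify -purpose "$3" -CAfile "$2" "$1" >/dev/null 2>&1
}

# Generate a constructed self-signed certificate with the given EKU list
# (needs OpenSSL 1.1.1+ for -addext).
make_cert() {  # make_cert OUT_PREFIX EKU_LIST
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=upstream.example" \
        -keyout "$1.key" -out "$1.pem" -addext "extendedKeyUsage=$2" >/dev/null 2>&1
}

# Demo: a server-only certificate (as in the thread's invalid_ext_key_usage
# rejection) beside one that is valid for both server and client use.
demo_dir=$(mktemp -d)
make_cert "$demo_dir/server_only" serverAuth
make_cert "$demo_dir/dual" "serverAuth,clientAuth"

for c in server_only dual; do
    printf '%s: EKU=%s; as sslclient: ' "$c" "$(eku_of "$demo_dir/$c.pem")"
    if verify_for "$demo_dir/$c.pem" "$demo_dir/$c.pem" sslclient; then
        echo OK
    else
        echo REJECTED
    fi
done
```

In real use, point `verify_for` at the certfile from `ssl_options` and the cacertfile holding the upstream's chain; a REJECTED result for `sslclient` is the CLI-side counterpart of the `invalid_ext_key_usage` alert in the upstream log.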