RabbitMQ SSL hostname verification in java client


Pradeep Mn

Feb 10, 2016, 4:38:49 AM
to rabbitmq-users, prade...@quest-global.com, sheeba.k...@quest-global.com
Hi All,

We have a RabbitMQ Java client which securely connects to the RabbitMQ server. Currently it seems that hostname verification is not happening on the client or on the server side. Irrespective of what we put in the CN of the certificate, we are able to establish a connection.

We need help in enabling hostname verification in the Java client as well as in the RabbitMQ server.

RabbitMQ version: 3.5.2
Erlang: 17.0
Java: Java 7

Client Side:

    // TRANSPORT_LAYER_SECURITY is our own constant holding the SSLContext protocol name
    SSLContext sslContext = SSLContext.getInstance(XFabricConstants.TRANSPORT_LAYER_SECURITY);
    sslContext.init(keyManagerFactory.getKeyManagers(), trustManagerFactory.getTrustManagers(), null);

    factory.useSslProtocol(sslContext);

Server Side Settings:

    [{rabbit, [{loopback_users, []},
               {tcp_listeners, [5672]},
               {ssl_listeners, [5671]},
               {ssl_options, [{cacertfile, "C:/Users/Administrator/AppData/Roaming/RabbitMQ/Cert/root.pem"},
                              {certfile,   "C:/Users/Administrator/AppData/Roaming/RabbitMQ/Cert/cert.pem"},
                              {keyfile,    "C:/Users/Administrator/AppData/Roaming/RabbitMQ/Cert/key.pem"},
                              {verify, verify_peer},
                              {fail_if_no_peer_cert, true}]}]}].

Michael Klishin

Feb 10, 2016, 4:51:09 AM
to rabbitm...@googlegroups.com, Pradeep Mn, sheeba.k...@quest-global.com, prade...@quest-global.com
On 10 February 2016 at 12:38:53, Pradeep Mn (pradee...@gmail.com) wrote:
> [{rabbit,[{loopback_users, []},{tcp_listeners,[5672]},{ssl_listeners,[5671]},{ssl_options,[{cacertfile,"C:/Users/Administrator/AppData/Roaming/RabbitMQ/Cert/root.pem"},{certfile,"C:/Users/Administrator/AppData/Roaming/RabbitMQ/Cert/cert.pem"},{keyfile,"C:/Users/Administrator/AppData/Roaming/RabbitMQ/Cert/key.pem"},{verify,verify_peer},{fail_if_no_peer_cert,true}]}]}].

This config looks correct. Make sure that RabbitMQ indeed uses this config file and
you restart RabbitMQ when it changes.

As for configuring it on the client end, it's quite convoluted in the JDK,
see https://tersesystems.com/2014/03/23/fixing-hostname-verification/ and
http://docs.oracle.com/javase/7/docs/technotes/guides/security/jsse/JSSERefGuide.html#HostnameVerifier

and don't forget to update the JDK key store when certificates change.
--
MK

Staff Software Engineer, Pivotal/RabbitMQ


Michael Klishin

Feb 10, 2016, 4:57:28 AM
to rabbitm...@googlegroups.com, Pradeep Mn, sheeba.k...@quest-global.com, prade...@quest-global.com
On 10 February 2016 at 12:50:53, Michael Klishin (mkli...@pivotal.io) wrote:
> This config looks correct. Make sure that RabbitMQ indeed uses
> this config file and
> your restart RabbitMQ when it changes.

…and the easiest way to experiment with TLS connections is still
openssl s_client (s_server can be useful, too, but you already have things set up
on the RabbitMQ end):

http://www.rabbitmq.com/troubleshooting-ssl.html

I'm not sure about the state of OpenSSL on Windows, but it surely works
in msys2 [1] and on nearly every other OS.

1. https://msys2.github.io/

Pradeep Mn

Feb 10, 2016, 5:14:27 AM
to rabbitmq-users, pradee...@gmail.com, sheeba.k...@quest-global.com, prade...@quest-global.com
Thanks for the response.

So are we sure that the hostname verification (against the certificate CN) happens in the RabbitMQ server? I have already ensured that the settings are correct.

I will try to enable hostname validation on the Java client side with the reference you have provided.

Balázs Várhegyi

Mar 1, 2016, 11:07:13 AM
to rabbitmq-users, pradee...@gmail.com, sheeba.k...@quest-global.com, prade...@quest-global.com
Hi,

Found an example implementation of it: https://gist.github.com/jfwilson/709b74000a79eb52177b
With thanks to Jamie Wilson.
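An added example of the client-side fix discussed in this thread (it is not the gist's code, nor the RabbitMQ project's): wrap the SSLContext's socket factory so every socket it hands out asks JSSE for endpoint identification, then give that wrapper to the RabbitMQ ConnectionFactory via setSocketFactory. The class name, the install helper and the broker host name are assumptions; the SSLContext is built as in the original post.

```java
import java.io.IOException;
import java.net.InetAddress;
import java.net.Socket;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLParameters;
import javax.net.ssl.SSLSocket;
import javax.net.ssl.SSLSocketFactory;
import com.rabbitmq.client.ConnectionFactory;

/** Hypothetical wrapper: each SSLSocket created by the delegate is told to check the broker's
 *  certificate (dNSName SANs, falling back to the CN) against the host name being connected to. */
public final class HostnameVerifyingSocketFactory extends SSLSocketFactory {
    private final SSLSocketFactory delegate;

    public HostnameVerifyingSocketFactory(SSLSocketFactory delegate) {
        this.delegate = delegate;
    }

    private static Socket verifying(Socket s) {
        if (s instanceof SSLSocket) {
            SSLSocket ssl = (SSLSocket) s;
            SSLParameters p = ssl.getSSLParameters();
            p.setEndpointIdentificationAlgorithm("HTTPS"); // RFC 2818 host matching, available since Java 7
            ssl.setSSLParameters(p);                       // a name mismatch now fails the TLS handshake
        }
        return s;
    }

    @Override public Socket createSocket() throws IOException { return verifying(delegate.createSocket()); }
    @Override public Socket createSocket(String h, int p) throws IOException { return verifying(delegate.createSocket(h, p)); }
    @Override public Socket createSocket(String h, int p, InetAddress la, int lp) throws IOException { return verifying(delegate.createSocket(h, p, la, lp)); }
    @Override public Socket createSocket(InetAddress h, int p) throws IOException { return verifying(delegate.createSocket(h, p)); }
    @Override public Socket createSocket(InetAddress h, int p, InetAddress la, int lp) throws IOException { return verifying(delegate.createSocket(h, p, la, lp)); }
    @Override public Socket createSocket(Socket s, String h, int p, boolean autoClose) throws IOException { return verifying(delegate.createSocket(s, h, p, autoClose)); }
    @Override public String[] getDefaultCipherSuites() { return delegate.getDefaultCipherSuites(); }
    @Override public String[] getSupportedCipherSuites() { return delegate.getSupportedCipherSuites(); }

    /** Hypothetical helper: wires the wrapper into a ConnectionFactory. */
    public static void install(ConnectionFactory factory, SSLContext sslContext, String brokerHost) {
        factory.useSslProtocol(sslContext);   // keeps the key/trust managers from the original post
        // Must come after useSslProtocol, which installs the plain SSLContext socket factory itself.
        factory.setSocketFactory(new HostnameVerifyingSocketFactory(sslContext.getSocketFactory()));
        factory.setHost(brokerHost);          // a DNS name present in the certificate, not an IP address
        factory.setPort(5671);
    }
}
```

Hostname verification is a client-side check only: verify_peer and fail_if_no_peer_cert on the broker validate the client certificate chain against cacertfile but never compare the client's CN to any host name, so no broker setting will make the CN matter. Newer releases of the RabbitMQ Java client expose ConnectionFactory.enableHostnameVerification(), which achieves the same effect without a wrapper.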