Intermediate CA issue


jan.go...@enervalis.com

Jan 18, 2017, 6:15:03 AM
to rabbitmq-users
Hello,

I'm trying to set up client certificate verification using an intermediate CA. And whatever I try I'm getting "Received fatal alert: unknown_ca". (According to a different thread in this forum it means the client doesn't trust the server's certificate.)

However, it works when removing the intermediate CA from the chain. So obviously I'm making a stupid mistake configuring the RabbitMQ server and/or client.

I've tried tweaking lots of things, but I can't seem to touch the issue's fundamentals. :-(

Is there something obvious I'm missing here ?

TIA!

---------------------------------------------------------------------------------------------

The chain is pretty simple:
* server:  root -> intermediate -> amqp
* client: root -> intermediate -> client
* root is a self-signed CA certificate
* intermediate is a CA certificate, signed by root

The server configuration:
* Erlang 19.2
* RabbitMQ 3.6.6
* Configuration file:

[
  {rabbit, [
    {ssl_listeners, [{"0.0.0.0", 5671}]},
    {ssl_options, [
      {cacertfile, "/etc/rabbitmq/ca.cert.pem" },
      {certfile, "/etc/rabbitmq/server.cert.pem" },
      {keyfile, "/etc/rabbitmq/server.key.pem" },
      {verify, verify_peer},
      {depth, 2},
      {fail_if_no_peer_cert, true }
    ]}
  ]}
].

ca.cert.pem is the concatenation of the root and intermediate certificates. The example shows a depth of 2. But I've tried many depth values with the same result.

The client configuration:
* JDK 1.8.0_112 / amd64
* Java AMQP client 4.0.1
* The test code is the exact copy of the example in the website.
* The trust store contains the root, amqp (server) and intermediate certificates.
* The p12 keystore contains the client key and certificate.


Michael Klishin

Jan 18, 2017, 6:17:22 AM
to rabbitm...@googlegroups.com, jan.go...@enervalis.com
The order of concatenation matters.

Concatenating root >> intermediate does not produce the same chain as
intermediate >> root.


--
MK

Staff Software Engineer, Pivotal/RabbitMQ


Michael Klishin

Jan 18, 2017, 6:18:01 AM
to rabbitm...@googlegroups.com, jan.go...@enervalis.com
You mentioned a "trust store". Do you mean the trust store plugin [1] or an OS keychain of some kind? 

1. https://github.com/rabbitmq/rabbitmq-trust-store


jan.go...@enervalis.com

Jan 18, 2017, 6:44:55 AM
to rabbitmq-users, jan.go...@enervalis.com
My mistake. I meant the Java TrustManager. It opens the JKS keystore containing the root, intermediate and server certificates.

Identical to the example on https://www.rabbitmq.com/ssl.html, section "Levels of trust".

jan.go...@enervalis.com

Jan 18, 2017, 6:45:50 AM
to rabbitmq-users, jan.go...@enervalis.com
For good measure I've tried both the orders already. :-) But that's not the particular issue apparently.

Michael Klishin

Jan 18, 2017, 6:48:33 AM
to rabbitm...@googlegroups.com, jan.go...@enervalis.com, jan.go...@enervalis.com
What exactly is in the logs? Peer verification works both ways. It can be RabbitMQ refusing
to trust the client or the other way around. The depth value you configure
affects *server* verification (plus Erlang client, if configured for the `ssl` app), not clients.


jan.go...@enervalis.com

Jan 18, 2017, 7:41:23 AM
to rabbitmq-users, jan.go...@enervalis.com
That's the log. The sasl log is empty.

=INFO REPORT==== 18-Jan-2017::12:39:20 ===
node           : rabbit@black
home dir       : /var/lib/rabbitmq
config file(s) : /etc/rabbitmq/rabbitmq.config
cookie hash    : rpDRsQVxXm0hUzR6qjFO7A==
log            : /var/log/rabbitmq/rabbit@black.log
sasl log       : /var/log/rabbitmq/rabbit@black-sasl.log
database dir   : /var/lib/rabbitmq/mnesia/rabbit@black

=INFO REPORT==== 18-Jan-2017::12:39:20 ===
Memory limit set to 6347MB of 15868MB total.

=INFO REPORT==== 18-Jan-2017::12:39:20 ===
Disk free limit set to 50MB

=INFO REPORT==== 18-Jan-2017::12:39:20 ===
Limiting to approx 924 file handles (829 sockets)

=INFO REPORT==== 18-Jan-2017::12:39:20 ===
FHC read buffering:  OFF
FHC write buffering: ON

=INFO REPORT==== 18-Jan-2017::12:39:21 ===
Priority queues enabled, real BQ is rabbit_variable_queue

=INFO REPORT==== 18-Jan-2017::12:39:21 ===
Starting rabbit_node_monitor

=INFO REPORT==== 18-Jan-2017::12:39:21 ===
msg_store_transient: using rabbit_msg_store_ets_index to provide index

=INFO REPORT==== 18-Jan-2017::12:39:21 ===
msg_store_persistent: using rabbit_msg_store_ets_index to provide index

=INFO REPORT==== 18-Jan-2017::12:39:21 ===
started TCP Listener on [::]:5672

=INFO REPORT==== 18-Jan-2017::12:39:21 ===
started SSL Listener on 0.0.0.0:5671

=INFO REPORT==== 18-Jan-2017::12:39:21 ===
Server startup complete; 0 plugins started.

=ERROR REPORT==== 18-Jan-2017::12:39:25 ===
SSL: certify: ssl_handshake.erl:1621:Fatal error: unknown ca


Michael Klishin

Jan 18, 2017, 8:03:07 AM
to rabbitm...@googlegroups.com
Is the root CA trusted at the OS level?


Jan Goyvaerts

Jan 18, 2017, 8:07:56 AM
to rabbitm...@googlegroups.com
No, but neither was it when there was no intermediate CA. It's really our own local CA. The root certificate is meant to be put in a vault.

I briefly hoped RabbitMQ needed the full chain for the server certificate. But that wasn't it either. 

The weird thing is that whatever I do, invariably I'm getting "unknown ca". Presumably it's something much more elementary.

(Btw, I appreciate the speedy responses ! )

--
Jan Goyvaerts
Senior Software Engineer

jan.go...@enervalis.com

Jan 19, 2017, 3:54:06 AM
to rabbitmq-users
Damn ... I really don't know what else to try to make it work with an intermediate CA ! 

It all works beautifully without; with only a root certificate. But that's a showstopper; we really need an internal intermediate CA. :-(

Btw, the connection handshake hangs when using keys encrypted with aes192 or aes256. Aes128 and 3des work fine.

Michael Klishin

Jan 19, 2017, 3:59:59 AM
to rabbitm...@googlegroups.com
Chain verification algorithm is technically covered in an RFC but TLS implementations
still have subtle differences: not only the order of chain traversal is important, some
implementations (from our experience, Python) do not consider the root certificate
to be trusted unless it is according to the OS. Even if both peers use the same
root certificates, Python requires it to be added to the trusted OS store.

I suspect there can be something specific about JDK trust stores and how they
present certificates to the peer.

What does your Java code that sets all that up look like?

You can try generating a different set of certificate/key pairs with tls-gen [1]
and see if it's any different, plus use `openssl s_server` to see some
certificate information as explained in [2].
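
An added example, not part of the thread and not the poster's or RabbitMQ's own tooling: the script below builds a constructed root -> intermediate -> amqp chain with `openssl` and checks offline which trust bundles let the leaf certificate verify, which is the question behind "unknown ca". All file names except `ca.cert.pem` and all function names are assumptions made for the example.

```shell
#!/bin/sh
# Added example: throwaway test PKI (constructed, not the poster's certificates).
set -eu

# make_chain DIR: write root.pem, intermediate.pem and amqp.pem (plus keys) to DIR.
make_chain() {
    d=$1
    cat > "$d/pki.cnf" <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = placeholder
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
[v3_leaf]
basicConstraints = CA:FALSE
EOF
    # Self-signed root CA.
    openssl req -x509 -config "$d/pki.cnf" -extensions v3_ca -newkey rsa:2048 \
        -nodes -keyout "$d/root.key" -out "$d/root.pem" -subj "/CN=root" \
        -days 2 2>/dev/null
    # Intermediate CA certificate, signed by root.
    openssl req -new -config "$d/pki.cnf" -newkey rsa:2048 -nodes \
        -keyout "$d/intermediate.key" -out "$d/intermediate.csr" \
        -subj "/CN=intermediate" 2>/dev/null
    openssl x509 -req -in "$d/intermediate.csr" -CA "$d/root.pem" \
        -CAkey "$d/root.key" -set_serial 4096 -extfile "$d/pki.cnf" \
        -extensions v3_ca -days 2 -out "$d/intermediate.pem" 2>/dev/null
    # Server (leaf) certificate, signed by intermediate.
    openssl req -new -config "$d/pki.cnf" -newkey rsa:2048 -nodes \
        -keyout "$d/amqp.key" -out "$d/amqp.csr" -subj "/CN=amqp" 2>/dev/null
    openssl x509 -req -in "$d/amqp.csr" -CA "$d/intermediate.pem" \
        -CAkey "$d/intermediate.key" -set_serial 4097 -extfile "$d/pki.cnf" \
        -extensions v3_leaf -days 2 -out "$d/amqp.pem" 2>/dev/null
}

# chain_verifies LEAF TRUSTED [UNTRUSTED]: succeed if LEAF chains up to a
# certificate in TRUSTED. UNTRUSTED holds certificates that may be used to
# build the path (as if the peer sent them) but are not trust anchors.
chain_verifies() {
    if [ -n "${3:-}" ]; then
        openssl verify -CAfile "$2" -untrusted "$3" "$1" 2>/dev/null |
            grep -q ': OK$'
    else
        openssl verify -CAfile "$2" "$1" 2>/dev/null | grep -q ': OK$'
    fi
}

# count_intermediates BUNDLE: number of certificates in BUNDLE whose issuer
# differs from their subject, i.e. CA certificates that are not self-signed.
# Per the Erlang ssl documentation, `depth` limits the number of
# non-self-issued intermediates that may follow the peer certificate, so
# this count is the smallest depth the bundle's chain needs.
count_intermediates() {
    openssl crl2pkcs7 -nocrl -certfile "$1" |
        openssl pkcs7 -print_certs -noout |
        awk '/^subject=/ { s = substr($0, 9) }
             /^issuer=/  { if (substr($0, 8) != s) n++ }
             END { print n + 0 }'
}

demo() {
    WORK=$(mktemp -d)
    trap 'rm -rf "$WORK"' EXIT
    make_chain "$WORK"
    # Same layout as the thread's ca.cert.pem: root followed by intermediate.
    cat "$WORK/root.pem" "$WORK/intermediate.pem" > "$WORK/ca.cert.pem"

    for bundle in root.pem intermediate.pem ca.cert.pem; do
        if chain_verifies "$WORK/amqp.pem" "$WORK/$bundle"; then
            result=OK
        else
            result=FAIL
        fi
        echo "trusted=$bundle -> $result"
    done
    # Root trusted, intermediate only supplied for path building.
    if chain_verifies "$WORK/amqp.pem" "$WORK/root.pem" \
            "$WORK/intermediate.pem"; then
        echo "trusted=root.pem untrusted=intermediate.pem -> OK"
    fi
    echo "intermediates in ca.cert.pem: $(count_intermediates "$WORK/ca.cert.pem")"
}

demo
```

To check real files, call `chain_verifies` and `count_intermediates` with the deployed leaf certificate and CA bundle instead of the generated ones.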



Michael Klishin

Jan 19, 2017, 4:06:22 AM
to rabbitm...@googlegroups.com
Here's how you can enable certificate chain debugging according to Oracle docs:

--
MK

Staff Software Engineer, Pivotal/RabbitMQ

Jan Goyvaerts

Jan 19, 2017, 4:15:51 AM
to rabbitm...@googlegroups.com
You mentioned the order indeed - It should be left from right, from the host to the root.

The connection works when testing with s_client <-> s_server and s_client <-> rabbitmq. So that should be okay.

The Java code is the same as in the help pages. Enabling the java's network logging shows a lot of data I'm not really familiar with. But at first sight I don't see anything unusual.

But indeed, maybe the JVM's truststore is used instead of the one passed in the code. 

@Test
public void testMakeConnectionWithCertificate() throws Exception {
    final String trustPassword = properties.getProperty("trust");
    final String clientPassword = properties.getProperty("client");

    // Load the client keystore
    final KeyStore ks = KeyStore.getInstance("PKCS12");
    ks.load(new FileInputStream("/etc/rabbitmq/client.p12"), clientPassword.toCharArray());
    final KeyManagerFactory kmf = KeyManagerFactory.getInstance("SunX509");
    kmf.init(ks, clientPassword.toCharArray());

    // Load the trust store
    final KeyStore tks = KeyStore.getInstance("JKS");
    tks.load(new FileInputStream("/etc/rabbitmq/trust.jks"), trustPassword.toCharArray());
    final TrustManagerFactory tmf = TrustManagerFactory.getInstance("SunX509");
    tmf.init(tks);

    SSLContext c = SSLContext.getInstance("TLSv1.2");
    c.init(kmf.getKeyManagers(), tmf.getTrustManagers(), new SecureRandom());

    final ConnectionFactory factory = new ConnectionFactory();
    factory.setHost("amqp");
    factory.setVirtualHost("clients");
    factory.setPort(5671);
    factory.setSaslConfig(DefaultSaslConfig.EXTERNAL);
    factory.useSslProtocol(c);

    Connection connection = null;
    try {
        connection = factory.newConnection();
    } finally {
        if (connection != null)
            connection.close();
    }
}



Michael Klishin

Jan 19, 2017, 4:20:27 AM
to rabbitm...@googlegroups.com, Jan Goyvaerts
I suspect the order in which certificates are added to the JDK trust store can be
important.

Forgot to mention: our docs, our TLS test suites and tls-gen's "basic" mode do basically the same thing.
tls-gen adds intermediate certificate generation on top of that.

jan.go...@enervalis.com

Jan 19, 2017, 7:41:47 AM
to rabbitmq-users, jan.go...@enervalis.com
When connecting with Openssl's s_client I'm getting the output of underneath. While connecting with Openssl's s_server works.

All looks okay except for the "write:errno=104" in there.

Maybe that's an indication the server's configuration is missing something ?

CONNECTED(00000003)
depth=2 CN = root, OU = Control, O = Enervalis, L = Houthalen, ST = Limburg, C = BE, emailAddress = *******
verify return:1
depth=1 CN = intermediate, OU = Control, O = Enervalis, L = Houthalen, ST = Limburg, C = BE, emailAddress = emailAddress = *******
verify return:1
depth=0 CN = amqp, OU = Control, O = Enervalis, L = Houthalen, ST = Limburg, C = BE, emailAddress = emailAddress = *******
verify return:1
write:errno=104
---
Certificate chain
 0 s:/CN=amqp/OU=Control/O=Enervalis/L=Houthalen/ST=Limburg/C=BE/emailAddress=emailAddress = *******
   i:/CN=intermediate/OU=Control/O=Enervalis/L=Houthalen/ST=Limburg/C=BE/emailAddress=emailAddress = *******
 1 s:/CN=intermediate/OU=Control/O=Enervalis/L=Houthalen/ST=Limburg/C=BE/emailAddress=emailAddress = *******
   i:/CN=root/OU=Control/O=Enervalis/L=Houthalen/ST=Limburg/C=BE/emailAddress=emailAddress = *******
 2 s:/CN=root/OU=Control/O=Enervalis/L=Houthalen/ST=Limburg/C=BE/emailAddress=emailAddress = *******
   i:/CN=root/OU=Control/O=Enervalis/L=Houthalen/ST=Limburg/C=BE/emailAddress=emailAddress = *******
---
Server certificate
subject=/CN=amqp/OU=Control/O=Enervalis/L=Houthalen/ST=Limburg/C=BE/emailAddress=emailAddress = *******
issuer=/CN=intermediate/OU=Control/O=Enervalis/L=Houthalen/ST=Limburg/C=BE/emailAddress=emailAddress = *******
---
Acceptable client certificate CA names
/CN=intermediate/OU=Control/O=Enervalis/L=Houthalen/ST=Limburg/C=BE/emailAddress=emailAddress = *******
/CN=root/OU=Control/O=Enervalis/L=Houthalen/ST=Limburg/C=BE/emailAddress=emailAddress = *******
Client Certificate Types: ECDSA sign, RSA sign, DSA sign
Requested Signature Algorithms: ECDSA+SHA512:RSA+SHA512:ECDSA+SHA384:RSA+SHA384:ECDSA+SHA256:RSA+SHA256:ECDSA+SHA224:RSA+SHA224:ECDSA+SHA1:RSA+SHA1:DSA+SHA1
Shared Requested Signature Algorithms: ECDSA+SHA512:RSA+SHA512:ECDSA+SHA384:RSA+SHA384:ECDSA+SHA256:RSA+SHA256:ECDSA+SHA224:RSA+SHA224:ECDSA+SHA1:RSA+SHA1:DSA+SHA1
Peer signing digest: SHA512
Server Temp Key: ECDH, P-256, 256 bits
---
SSL handshake has read 5841 bytes and written 4982 bytes
Verification: OK
---
New, TLSv1.2, Cipher is ECDHE-RSA-AES256-GCM-SHA384
Server public key is 4096 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES256-GCM-SHA384
    Session-ID: CC904E58B2F7C0739A39385CA40D5DED7F05358D0F5296476EACDE9EE542D852
    Session-ID-ctx: 
    Master-Key: CF642B8D8AC77788A28D508CAEA434BA0FF6469672084A8463ED1BAB2D1E7C77755BDB88B13E22327E0AF07125CCF6EF
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    Start Time: 1484829264
    Timeout   : 7200 (sec)
    Verify return code: 0 (ok)
    Extended master secret: no
---

Michael Klishin

Jan 19, 2017, 7:52:20 AM
to rabbitm...@googlegroups.com, jan.go...@enervalis.com
The Erlang version you run treats your certificate as invalid.
I don't know why, TLS alerts are extremely brief.

Try a different version and report this to the Erlang mailing list, together with logs.

On 19 Jan 2017, at 15:49, jan.go...@enervalis.com wrote:

The extended version - sorry for the long output ...

The log contains:
=ERROR REPORT==== 19-Jan-2017::13:44:05 ===
SSL: certify: ssl_handshake.erl:1617:Fatal error: bad certificate 

The output on the screen

CONNECTED(00000003)
    e2 2f 5b 1c 07 8e db 82 fe 73 c3 86 a4 16 9a a8
    6a bc 99 c9 66 67 75 e6 33 e3 3b 5a 45 9f 3a 9e
    8f 66 50 bd 55 b0 85 e9 92 96 78 f9 62 f6 29 59
    8e 21 37 13 46 dd 9c cd f5 4e ed d4 1c 34 8a 9d
    d6 8a 1a 66 eb ef 1a 39 4a 39 e7 0b 4c b6 70 8a
    16 f9 10 2e d1 78 bc c6 de e6 df 56 c3 32 ff 6a
    b9 1c e3 ee 7e 3c 9d e4 05 44 e2 8c 28 18 08 c6
    85 0a 16 bd dd 29 c5 07 1b a9 54 b6 aa 4b 8d 67
    38 97 37 52 a4 ec 35 23 37 c2 b4 04 6a cc ca 91
    0f 97 fc ab 88 22 6c 2a d4 09 3a 93 8b 76 58 7f
    0d 1b 3d 91 45 20 33 21 14 6e 30 dd 9f aa 93 22
    3f 12 c0 58 73 34 71 3f cd 08 5f 0a 87 d2 a6 00
    f1 f6 76 51 2d 82 84 dc 2b 60 4a b2 c5 ae 79 2d
    38 04 3d a2 7e 8d 75 ed f5 dd 1f 58 2f fa 19 bf
    3b ee f5 58 cb 08 73 25 31 54 b4 81 8f 8a ea c2
    46 31 b5 5a 0e dc 01 cb 66 12 15 95 f5 ca 0e 4b
    42 f1 67 c9 d0 4d 51 70 2a cd 34 ce 14 37 e0 be
    88 5d d8 ce 25 d8 f8 9a 0c b1 e8 d4 28 08 e4 fe
    7c b5 5c 47 73 53 3d 33 89 a0 20 8f 38 d9 fe 8c
    ea b5 df 9f 8a f8 4b 0a 6d ed 60 af cf 78 70 c6
    8b f8 fc 85 62 00 06 08 30 82 06 04 30 82 03 ec
    a0 03 02 01 02 02 09 00 b6 55 09 ca 89 68 c6 fc
    30 0d 06 09 2a 86 48 86 f7 0d 01 01 0b 05 00 30
    81 8e 31 0d 30 0b 06 03 55 04 03 0c 04 72 6f 6f
    74 31 10 30 0e 06 03 55 04 0b 0c 07 43 6f 6e 74
    72 6f 6c 31 12 30 10 06 03 55 04 0a 0c 09 45 6e
    65 72 76 61 6c 69 73 31 12 30 10 06 03 55 04 07
    0c 09 48 6f 75 74 68 61 6c 65 6e 31 10 30 0e 06
    03 55 04 08 0c 07 4c 69 6d 62 75 72 67 31 0b 30
    09 06 03 55 04 06 13 02 42 45 31 24 30 22 06 09
    2a 86 48 86 f7 0d 01 09 01 16 15 63 6f 6e 74 72
    6f 6c 40 65 6e 65 72 76 61 6c 69 73 2e 63 6f 6d
    30 1e 17 0d 31 37 30 31 31 39 31 32 33 33 33 31
    5a 17 0d 32 37 30 31 32 37 31 32 33 33 33 31 5a
    30 81 8e 31 0d 30 0b 06 03 55 04 03 0c 04 72 6f
    6f 74 31 10 30 0e 06 03 55 04 0b 0c 07 43 6f 6e
    74 72 6f 6c 31 12 30 10 06 03 55 04 0a 0c 09 45
    6e 65 72 76 61 6c 69 73 31 12 30 10 06 03 55 04
    07 0c 09 48 6f 75 74 68 61 6c 65 6e 31 10 30 0e
    06 03 55 04 08 0c 07 4c 69 6d 62 75 72 67 31 0b
    30 09 06 03 55 04 06 13 02 42 45 31 24 30 22 06
    09 2a 86 48 86 f7 0d 01 09 01 16 15 63 6f 6e 74
    72 6f 6c 40 65 6e 65 72 76 61 6c 69 73 2e 63 6f
    6d 30 82 02 22 30 0d 06 09 2a 86 48 86 f7 0d 01
    01 01 05 00 03 82 02 0f 00 30 82 02 0a 02 82 02
    01 00 f5 24 42 97 3d 0b 37 68 be 95 0d da 57 0f
    58 d1 c2 5e 25 39 fd 1b bf c7 80 8d 6c f4 f7 98
    68 f6 48 1a 6f fe 9e 84 2e 9d 3c 3b 00 31 6f 4a
    7c 2c fd 93 34 2c 0c 43 66 9d 7e 77 ba e4 49 75
    c2 a8 7c 97 70 2f d7 78 73 db 0d 86 7d 80 7b b6
    1e d1 aa 13 29 9e d0 b2 9d 48 ea 39 7b 88 25 34
    43 e3 d3 69 42 27 b7 0f da 3c 66 fe 61 5f d6 db
    30 2a 6e fd 63 93 5a 8b dd 0d db 5f 0d 34 1e 10
    94 ba 7f ad dc 8d 44 f0 9c 15 a6 01 a1 b1 59 aa
    7d be e6 b3 25 8b 15 43 f0 9e 23 20 86 a9 45 42
    aa 3f f0 00 87 0d 2c 7d fc 3a 15 1f 10 e8 d8 c1
    82 6e 7c 40 98 97 92 27 41 77 72 d0 b5 f1 ff a2
    74 79 be 9b 66 25 f0 38 2f 97 22 4c c7 6c 3f 9a
    8f 96 a7 b3 99 63 68 ed 28 1a fc 68 7b 7b fb 4d
    88 4a ed 05 2d 89 80 7b 93 80 43 fa b1 fd 57 06
    e9 9e 30 52 bf ce ef 63 34 a6 ed 04 1a a1 47 54
    74 68 b9 6c de ce 64 b4 cb 2d cf e1 50 73 b5 6d
    b2 aa 22 4a 60 0f cb 9c f4 24 bd dd 74 0f 1c a8
    3c 25 81 d3 ba 7e 38 bd 76 a2 51 26 ea ca 99 11
    c1 5a 36 14 2d 6a 22 69 70 a1 75 01 ae a8 86 fc
    1a f9 24 bf 13 b6 74 e8 b0 32 4d a8 af 55 dd b1
    62 37 8a be 89 0f 1a 44 1a 9f fa d6 5d 29 24 ee
    ba 9a 34 88 79 ab 9b 76 13 0b 13 1f 09 ae 8f 15
    ea 4a 59 05 c7 90 3f 60 d3 05 fc 22 89 20 7e 69
    12 c4 fa 14 fc 3c 04 03 b2 74 08 90 ff 3a 0e 9f
    5e 22 61 6b 99 65 46 3f 37 a1 6e ae 37 8d 2f 9d
    08 5a e6 79 6b 89 e8 1e f7 45 74 ab ad 5f 93 e3
    a9 da 83 d7 aa 81 c4 0e ba ff 5e 26 fc 2a c3 22
    b8 89 1b c9 2a 59 54 15 36 e9 5f 35 52 02 90 38
    83 38 f5 11 00 12 cc ca 4f 10 5b 22 10 73 8a b0
    d3 47 04 91 13 b9 1f 78 35 dd 5e cc ae fa cc e6
    15 5e 58 36 80 54 32 0a f2 ae d4 c9 ca c0 01 a1
    81 ad 02 03 01 00 01 a3 63 30 61 30 1d 06 03 55
    1d 0e 04 16 04 14 ee e5 d7 1b 51 e4 02 45 08 b4
    cd da 3b f8 34 ea 31 53 71 35 30 1f 06 03 55 1d
    23 04 18 30 16 80 14 ee e5 d7 1b 51 e4 02 45 08
    b4 cd da 3b f8 34 ea 31 53 71 35 30 0f 06 03 55
    1d 13 01 01 ff 04 05 30 03 01 01 ff 30 0e 06 03
    55 1d 0f 01 01 ff 04 04 03 02 01 86 30 0d 06 09
    2a 86 48 86 f7 0d 01 01 0b 05 00 03 82 02 01 00
    0a b0 2d b5 ef d3 e6 0b 5c dd f0 84 f9 7c 12 52
    76 c1 48 55 32 59 26 de ce d2 39 46 6a 7f b5 30
    5e f8 5c 12 cd e5 ad 0b 16 a6 07 10 2f 0e 43 25
    8e 77 06 a4 e6 b1 14 f9 8d 64 ab 3c 82 57 e3 36
    e2 b4 e3 86 5b 29 fc 16 48 05 63 52 15 80 d9 39
    7e 5d 32 c1 dd c6 e1 00 f7 92 d8 a8 1f ee a5 f9
    b8 ff f8 ff 47 f4 19 c0 09 b6 b9 4c 92 e8 99 9c
    4f df e4 e2 ea 20 6d 8f 52 92 f7 47 99 58 ed ff
    2d 55 8b 09 f3 50 11 e4 00 db 2e 90 b9 b7 b5 af
    21 c8 aa 75 79 8b 43 9e be 96 b3 01 ff e3 26 91
    bc f9 7b 28 60 fc dd aa 73 7d 00 08 6e 20 50 9a
    e8 9c 96 fa db c0 b3 c4 53 5b 28 6e 25 b4 6b 0a
    0d 6d d4 d5 6c 1f 35 99 4b ea 1d 8f 71 7d cf cd
    39 79 b0 5a 9a 49 f1 25 7d 28 fe c8 05 80 48 ae
    8e 2c 14 a1 b0 d2 46 14 64 58 c5 3a 33 b3 2a a7
    71 ea 75 65 cb 07 82 66 d0 01 48 dc a9 ae 0d f3
    2e 2a 29 66 17 4b 7e 01 9f 79 78 a6 06 7e bd 6f
    0e 0d de c8 1d 72 26 39 52 9a ea 51 db 45 5d d4
    c7 15 6e ab eb 72 be 0b 7b e3 a2 2c 55 87 40 4f
    38 9b 30 8d ae 99 80 c6 19 35 ac e5 4a 8f b9 f1
    d6 6b 38 a3 52 77 b8 79 df 24 99 1b 8b 7c 05 29
    a2 cd 7c 55 52 24 d8 d1 00 19 12 4d 79 04 56 17
    9e 65 af 84 df ef f4 d7 9e a2 60 d6 28 a0 37 5c
    54 60 73 70 da 96 5d 2c 77 90 a3 ba e9 01 2d a3
    4d 68 e0 25 90 39 b3 92 6e 78 4e bc 65 57 5b cc
    ac 93 74 78 00 e0 27 e0 61 27 76 9e b4 ab d6 a2
    f0 e1 fe 03 f0 8e 17 a5 44 02 be 89 46 ed a3 90
    a4 84 e2 dd 83 a9 5c 98 65 fd 43 d4 94 10 c6 80
    5c 8a ff 50 ce 5a 0d be 52 62 d9 86 8f b8 e8 60
    54 be 77 14 46 62 45 c4 e9 a3 9b 51 63 04 83 de
    22 22 91 17 a0 aa 62 a9 0d 56 12 29 5f b1 6f 26
    41 68 eb 7f 56 f8 8a 25 2b db 92 16 0b 76 c3 29
depth=2 CN = root, OU = Control, O = Enervalis, L = Houthalen, ST = Limburg, C = BE, emailAddress = ***********
verify return:1
depth=1 CN = intermediate, OU = Control, O = Enervalis, L = Houthalen, ST = Limburg, C = BE, emailAddress = ***********
verify return:1
depth=0 CN = amqp, OU = Control, O = Enervalis, L = Houthalen, ST = Limburg, C = BE, emailAddress = ***********
verify return:1
<<< ??? [length 0005]
    16 03 03 02 4d
<<< TLS 1.2Handshake [length 024d], ServerKeyExchange
<<< ??? [length 0005]
    16 03 03 01 50
<<< TLS 1.2Handshake [length 0150], CertificateRequest
<<< ??? [length 0005]
    16 03 03 00 04
<<< TLS 1.2Handshake [length 0004], ServerHelloDone
    0e 00 00 00
>>> ??? [length 0005]
    16 03 03 12 c1
>>> TLS 1.2Handshake [length 12c1], Certificate
>>> ??? [length 0005]
    16 03 03 00 46
>>> TLS 1.2Handshake [length 0046], ClientKeyExchange
    10 00 00 42 41 04 9a aa 32 48 09 53 0c bc f3 fb
    4c e4 c1 bf f1 d0 fa e4 fd 81 3b 39 9e d0 64 69
    05 7a bc 2a 6a e7 a0 79 79 12 63 a9 9f 20 b1 25
    f4 d5 25 bc 94 fd fc 39 72 de 12 dd 2c 8f e7 b5
    4c bf f8 92 4b 5c
>>> ??? [length 0005]
    16 03 03 02 08
>>> TLS 1.2Handshake [length 0208], CertificateVerify
>>> ??? [length 0005]
    14 03 03 00 01
>>> TLS 1.2ChangeCipherSpec [length 0001]
    01
>>> ??? [length 0005]
    16 03 03 00 28
>>> TLS 1.2Handshake [length 0010], Finished
    14 00 00 0c b8 e9 f9 98 db 20 68 cc dc 55 47 87
write:errno=104
---
Certificate chain
 0 s:/CN=amqp/OU=Control/O=Enervalis/L=Houthalen/ST=Limburg/C=BE/emailAddress=***********
   i:/CN=intermediate/OU=Control/O=Enervalis/L=Houthalen/ST=Limburg/C=BE/emailAddress=***********
 1 s:/CN=intermediate/OU=Control/O=Enervalis/L=Houthalen/ST=Limburg/C=BE/emailAddress=***********
   i:/CN=root/OU=Control/O=Enervalis/L=Houthalen/ST=Limburg/C=BE/emailAddress=***********
 2 s:/CN=root/OU=Control/O=Enervalis/L=Houthalen/ST=Limburg/C=BE/emailAddress=***********
   i:/CN=root/OU=Control/O=Enervalis/L=Houthalen/ST=Limburg/C=BE/emailAddress=***********
subject=/CN=amqp/OU=Control/O=Enervalis/L=Houthalen/ST=Limburg/C=BE/emailAddress=***********
issuer=/CN=intermediate/OU=Control/O=Enervalis/L=Houthalen/ST=Limburg/C=BE/emailAddress=***********
---
Acceptable client certificate CA names
/CN=intermediate/OU=Control/O=Enervalis/L=Houthalen/ST=Limburg/C=BE/emailAddress=***********
/CN=root/OU=Control/O=Enervalis/L=Houthalen/ST=Limburg/C=BE/emailAddress=***********
Client Certificate Types: ECDSA sign, RSA sign, DSA sign
Requested Signature Algorithms: ECDSA+SHA512:RSA+SHA512:ECDSA+SHA384:RSA+SHA384:ECDSA+SHA256:RSA+SHA256:ECDSA+SHA224:RSA+SHA224:ECDSA+SHA1:RSA+SHA1:DSA+SHA1
Shared Requested Signature Algorithms: ECDSA+SHA512:RSA+SHA512:ECDSA+SHA384:RSA+SHA384:ECDSA+SHA256:RSA+SHA256:ECDSA+SHA224:RSA+SHA224:ECDSA+SHA1:RSA+SHA1:DSA+SHA1
Peer signing digest: SHA512
Server Temp Key: ECDH, P-256, 256 bits
---
SSL handshake has read 5841 bytes and written 4982 bytes
Verification: OK
---
New, TLSv1.2, Cipher is ECDHE-RSA-AES256-GCM-SHA384
Server public key is 4096 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES256-GCM-SHA384
    Session-ID: CED1BB29268D7A85BFF4E918CCB908E3910566278C9F00932080714BE7AB8482
    Session-ID-ctx: 
    Master-Key: FD7B4212F6F0492E5C51F7AD5E5A7AF1FE97BC6408F578907D4059EA0815DE8A8B4C6971A3E948E44D3CE448513C8EC4
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    Start Time: 1484830058
    Timeout   : 7200 (sec)
    Verify return code: 0 (ok)
    Extended master secret: no
---
 

--

jan.go...@enervalis.com

Jan 19, 2017, 7:56:33 AM
to rabbitmq-users, jan.go...@enervalis.com
3rd try - cutting the hex output. Please ignore the previous two messages.

The log contains:
=ERROR REPORT==== 19-Jan-2017::13:44:05 ===

CONNECTED(00000003)
>>> ??? [length 0005]
    16 03 01 00 ab
>>> TLS 1.2Handshake [length 00ab], ClientHello
<<< ??? [length 0005]
    16 03 03 00 57
<<< TLS 1.2Handshake [length 0057], ServerHello
<<< ??? [length 0005]
    16 03 03 12 c0
<<< TLS 1.2Handshake [length 12c0], Certificate
depth=2 CN = root, OU = Control, O = Enervalis, L = Houthalen, ST = Limburg, C = BE, emailAddress = ***********
verify return:1
depth=1 CN = intermediate, OU = Control, O = Enervalis, L = Houthalen, ST = Limburg, C = BE, emailAddress = ***********
verify return:1
depth=0 CN = amqp, OU = Control, O = Enervalis, L = Houthalen, ST = Limburg, C = BE, emailAddress = ***********
verify return:1
<<< ??? [length 0005]
    16 03 03 02 4d
<<< TLS 1.2Handshake [length 024d], ServerKeyExchange
<<< ??? [length 0005]
    16 03 03 01 50
<<< TLS 1.2Handshake [length 0150], CertificateRequest
<<< ??? [length 0005]
    16 03 03 00 04
<<< TLS 1.2Handshake [length 0004], ServerHelloDone
    0e 00 00 00
>>> ??? [length 0005]
    16 03 03 12 c1
>>> TLS 1.2Handshake [length 12c1], Certificate
>>> ??? [length 0005]
    16 03 03 00 46
>>> TLS 1.2Handshake [length 0046], ClientKeyExchange
>>> ??? [length 0005]
    16 03 03 02 08
>>> TLS 1.2Handshake [length 0208], CertificateVerify
>>> ??? [length 0005]
    14 03 03 00 01
>>> TLS 1.2ChangeCipherSpec [length 0001]
    01
>>> ??? [length 0005]
    16 03 03 00 28
>>> TLS 1.2Handshake [length 0010], Finished
    14 00 00 0c b8 e9 f9 98 db 20 68 cc dc 55 47 87
write:errno=104
---
Certificate chain
 0 s:/CN=amqp/OU=Control/O=Enervalis/L=Houthalen/ST=Limburg/C=BE/emailAddress=***********
   i:/CN=intermediate/OU=Control/O=Enervalis/L=Houthalen/ST=Limburg/C=BE/emailAddress=***********
 1 s:/CN=intermediate/OU=Control/O=Enervalis/L=Houthalen/ST=Limburg/C=BE/emailAddress=***********
   i:/CN=root/OU=Control/O=Enervalis/L=Houthalen/ST=Limburg/C=BE/emailAddress=***********
 2 s:/CN=root/OU=Control/O=Enervalis/L=Houthalen/ST=Limburg/C=BE/emailAddress=***********
   i:/CN=root/OU=Control/O=Enervalis/L=Houthalen/ST=Limburg/C=BE/emailAddress=***********
---
Server certificate
subject=/CN=amqp/OU=Control/O=Enervalis/L=Houthalen/ST=Limburg/C=BE/emailAddress=***********
issuer=/CN=intermediate/OU=Control/O=Enervalis/L=Houthalen/ST=Limburg/C=BE/emailAddress=***********
---
Acceptable client certificate CA names
/CN=intermediate/OU=Control/O=Enervalis/L=Houthalen/ST=Limburg/C=BE/emailAddress=***********
/CN=root/OU=Control/O=Enervalis/L=Houthalen/ST=Limburg/C=BE/emailAddress=***********
Client Certificate Types: ECDSA sign, RSA sign, DSA sign
Requested Signature Algorithms: ECDSA+SHA512:RSA+SHA512:ECDSA+SHA384:RSA+SHA384:ECDSA+SHA256:RSA+SHA256:ECDSA+SHA224:RSA+SHA224:ECDSA+SHA1:RSA+SHA1:DSA+SHA1
Shared Requested Signature Algorithms: ECDSA+SHA512:RSA+SHA512:ECDSA+SHA384:RSA+SHA384:ECDSA+SHA256:RSA+SHA256:ECDSA+SHA224:RSA+SHA224:ECDSA+SHA1:RSA+SHA1:DSA+SHA1
Peer signing digest: SHA512
Server Temp Key: ECDH, P-256, 256 bits
---
SSL handshake has read 5841 bytes and written 4982 bytes
Verification: OK
---
New, TLSv1.2, Cipher is ECDHE-RSA-AES256-GCM-SHA384
Server public key is 4096 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES256-GCM-SHA384
    Session-ID: CED1BB29268D7A85BFF4E918CCB908E3910566278C9F00932080714BE7AB8482
    Session-ID-ctx: 
    Master-Key: FD7B4212F6F0492E5C51F7AD5E5A7AF1FE97BC6408F578907D4059EA0815DE8A8B4C6971A3E948E44D3CE448513C8EC4
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    Start Time: 1484830058

Michael Klishin

Jan 19, 2017, 8:50:51 AM
to rabbitm...@googlegroups.com, jan.go...@enervalis.com
Jan,

It might be easier to use gist.github.com instead.
This way you can report it to the OTP team more easily as well.

jan.go...@enervalis.com

Jan 19, 2017, 8:52:54 AM
to rabbitmq-users, jan.go...@enervalis.com
I've tried all minor Erlang versions between 19.2 and 18.2 with the same result. :-)

Maybe another clue is that it works when changing "verify_peer" to "verify_none" in the RabbitMQ configuration file. But maybe this is delegated straight to Erlang too?

Michael Klishin

Jan 19, 2017, 8:54:39 AM
to rabbitm...@googlegroups.com
All TLS options are. When peer verification is disabled, certificate exchange isn't
performed at all.


jan.go...@enervalis.com

Jan 20, 2017, 5:05:29 AM
to rabbitmq-users
Hello Michael,

It still fails (errno=104) when using tld-gen's certificate settings. So now I'll try the very same files of tld-gen, using the intermediate generated certificates and keys. 

So, if I have this right, the RabbitMQ server cacert setting for tld-gen is the concatenation of ca2, ca1, root, in that order.
 
Correct ?

Thanks,

Jan 

jan.go...@enervalis.com

Jan 20, 2017, 5:07:17 AM
to rabbitmq-users
I mean tls-gen. Not tld-gen of course. :-)

jan.go...@enervalis.com

Jan 20, 2017, 8:35:17 AM
to rabbitmq-users
Hello Michael,

Right... I *think* I narrowed it down to the trust store of the Java SSL client. I can't seem to provide the right format.

Because the tls-gen intermediate files allow for openssl s_client to connect. With peer verification enabled. And TWO intermediate CAs.

However, using the very same certificate files I still fail to connect from Java. Only using Java's SSL socket factory. So I'm not even using the RabbitMQ client code.

The key keystore seems unlikely to be the culprit of this problem. So that leaves the trust keystore.

Any idea what I might be missing here?

TIA

Jan


Michael Klishin

Jan 20, 2017, 8:43:30 AM
to rabbitm...@googlegroups.com, jan.go...@enervalis.com
I discussed this internally with the team and we are not sure what's going on. We will reach out to
a few Spring team members, maybe they'd be able to help. 

Jan Goyvaerts

Jan 20, 2017, 10:50:20 AM
to Michael Klishin, rabbitm...@googlegroups.com
Thanks a lot for the help !!!!!

In the meantime I could make the tls-gen files work on RabbitMQ! When creating the pkcs12 keystore the options '-chain' and '-CAfile' must be included. Otherwise it won't work. For some reason it wants the whole certificate chain for the client certificate. Once this was known it was easy to make it work for me too.

Now I'm stuck with the CRL check. When enabled it says 'bad certificate'. So I need to tell it what certificate to use, I presume.

[
 {ssl, [{versions, ['tlsv1.2']}]},
 {rabbit, [
   {auth_mechanisms, ['EXTERNAL']},
   {ssl_cert_login_from, common_name},
   {ssl_listeners, [{"0.0.0.0", 5671}]},
   {ssl_options, [
     {cacertfile, "/etc/rabbitmq/ca.cert.pem"},
     {certfile, "/etc/rabbitmq/server.cert.pem"},
     {keyfile, "/etc/rabbitmq/server.key.pem"},
     {password,  "##PWD##"},
     {depth, 2},
     {verify, verify_peer},
     {fail_if_no_peer_cert, true},
     {crl_check, true},
     {crl_cache, {ssl_crl_cache, {internal, [{http, 5000}]}}},
     {versions, ['tlsv1.2']}
    ]}
  ]}
].

And now I'm off for the weekend. I'm brain dead of this headbashing ! :-)


--
Jan Goyvaerts
Senior Software Engineer
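
The keystore fix described in the message above, as an added example (not code from the thread or from tls-gen): it builds a throwaway root -> intermediate -> client chain with openssl, exports the client PKCS#12 keystore with and without `-chain`/`-CAfile`, and counts the certificates in each file. The file names, CNs, validity period and the password `changeit` are constructed for the demo.

```shell
#!/bin/sh
# Constructed demo: throwaway root -> intermediate -> client chain, then the
# client PKCS#12 keystore exported with and without -chain/-CAfile.
set -e

PASS=changeit                      # demo-only keystore password (assumption)
q() { "$@" >/dev/null 2>&1; }      # run quietly; set -e still aborts on failure

# issue <dir> <name> <issuer> [extra x509 args]: new key + CSR, signed by <issuer>
issue() {
  d=$1; name=$2; ca=$3; shift 3
  q openssl req -new -config "$d/demo.cnf" -newkey rsa:2048 -nodes \
      -subj "/CN=$name" -keyout "$d/$name.key" -out "$d/$name.csr"
  q openssl x509 -req -in "$d/$name.csr" -CA "$d/$ca.pem" -CAkey "$d/$ca.key" \
      -CAcreateserial -days 2 -out "$d/$name.pem" "$@"
}

build_chain() {
  d=$1
  # Minimal config: -subj supplies the names, v3_ca marks CA certificates
  printf '%s\n' '[req]' 'distinguished_name = dn' '[dn]' 'CN = unused' \
      '[v3_ca]' 'basicConstraints = critical,CA:TRUE' \
      'keyUsage = critical,keyCertSign,cRLSign' > "$d/demo.cnf"
  q openssl req -x509 -config "$d/demo.cnf" -extensions v3_ca -newkey rsa:2048 \
      -nodes -days 2 -subj "/CN=root" -keyout "$d/root.key" -out "$d/root.pem"
  issue "$d" intermediate root -extfile "$d/demo.cnf" -extensions v3_ca
  issue "$d" client intermediate
  # CA bundle handed to -CAfile below
  cat "$d/intermediate.pem" "$d/root.pem" > "$d/chain.pem"
}

export_p12() {
  d=$1
  # 1) leaf only: the keystore you get without -chain
  q openssl pkcs12 -export -inkey "$d/client.key" -in "$d/client.pem" \
      -passout "pass:$PASS" -out "$d/leaf-only.p12"
  # 2) leaf + issuers: -chain builds the path from the CAs in -CAfile
  q openssl pkcs12 -export -inkey "$d/client.key" -in "$d/client.pem" \
      -chain -CAfile "$d/chain.pem" -passout "pass:$PASS" -out "$d/with-chain.p12"
}

count_certs() {  # number of certificates stored in a PKCS#12 file
  openssl pkcs12 -in "$1" -nokeys -passin "pass:$PASS" 2>/dev/null |
      grep -c 'BEGIN CERTIFICATE'
}

work=$(mktemp -d); trap 'rm -rf "$work"' EXIT
build_chain "$work"; export_p12 "$work"
echo "without -chain: $(count_certs "$work/leaf-only.p12") certificate(s)"
echo "with -chain:    $(count_certs "$work/with-chain.p12") certificate(s)"
```

The keystore exported with `-chain` carries the client certificate plus the intermediate and root, which is the form the message above reports as working.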

Michael Klishin

Jan 20, 2017, 11:09:24 AM
to Jan Goyvaerts, rabbitm...@googlegroups.com
Glad you managed to sort it out!

We should add this to the docs. Would you be able to provide a shell
session of what you had to do, from running `make` in tls-gen to finish?

jan.go...@enervalis.com

Jan 23, 2017, 3:32:43 AM
to rabbitmq-users, jan.go...@enervalis.com
Hello Michael,

I intended to write a blog entry somewhere anyway. But I'm not out of the woods just yet: revocation triggers an invalid certificate error. Once that is sorted out I'll write an extensive howto about it :-)

Just one last question: the 'cacert' setting in rabbitmq.config, is it meant to be a single certificate or a chain of certificates ?

Thanks,

Jan

Michael Klishin

Jan 23, 2017, 4:24:34 AM
to rabbitm...@googlegroups.com, jan.go...@enervalis.com
Hi Jan,

Revocation is a whole separate can of worms (that most users don't care to open, FWIW).
Can we get at least a couple of lines that populate the trust store using a tls-gen-produced chain?
We would definitely appreciate a blog post and can perhaps arrange a guest post for our own blog
but most people land on our doc guides, not the blog, when researching issues.

`cacertfile` can contain a chain. From Erlang ssl library docs [1]:

«Path to a file containing PEM-encoded CA certificates. The CA certificates are used
during server authentication and when building the client certificate chain…»

1. http://erlang.org/doc/man/ssl.html

Jan Goyvaerts

Jan 23, 2017, 5:01:19 AM
to Michael Klishin, rabbitm...@googlegroups.com
I'm busy with something else at the moment. But this week surely I'll send something; because this *has* to work here ! :-)

Concerning crl, I've found the CRL RabbitMQ configuration in SO. I presume it's only partial.

{crl_check, true},
{crl_cache, {ssl_crl_cache, {internal, [{http, 5000}]}}},

A problem I have for instance is that crl remains broken when the crl web server is down when rabbitmq starts. The amqps channel is primordial for our business. It must remain up and running 100% - ish of the time. But the web servers will go down for maintenance once in a while. So the crl url will be unavailable.

Is there somewhere a complete list of options we can use for RabbitMQ? Or is the RabbitMQ config file passed to Erlang as is?



--
Jan Goyvaerts
Senior Software Engineer

Michael Klishin

Jan 23, 2017, 5:24:25 AM
to Jan Goyvaerts, rabbitm...@googlegroups.com
It is passed as is.

There is also https://github.com/rabbitmq/rabbitmq-trust-store/, which assumes you only
use leaf certificates and have a known set of them ahead of time.

CRL is a lot of pain and according to some very experienced security people, it just doesn't work
in practice. Revocation service availability is one example: I'm not even sure how
you can avoid making your availability depend on CRL service availability.

There are many things that are pluggable in RabbitMQ but beyond peer verification
function there isn't much to plug into for TLS.



--
MK

Staff Software Engineer, Pivotal/RabbitMQ

