Enabling TLS Encryption in Java


Prateek Singh

Jul 19, 2017, 4:20:00 PM
to rabbitmq-users
Hi,

I've been following the tutorial at "https://www.rabbitmq.com/ssl.html" to try to send encrypted messages using RabbitMQ. However, I am running into a problem. First, here is the sample program I am using (from the tutorial under the "Connecting without validating certificates" heading of the aforementioned site):

import java.io.*;
import java.security.*;
import com.rabbitmq.client.*;

public class Example1
{
    public static void main(String[] args) throws Exception
    {

        ConnectionFactory factory = new ConnectionFactory();
        factory.setHost("localhost");
        factory.setPort(5671);

        factory.useSslProtocol();
        // Tells the library to setup the default Key and Trust managers for you
        // which do not do any form of remote server trust verification

        Connection conn = factory.newConnection();
        Channel channel = conn.createChannel();

        //non-durable, exclusive, auto-delete queue
        channel.queueDeclare("rabbitmq-java-test", false, true, true, null);
        channel.basicPublish("", "rabbitmq-java-test", null, "Hello, World".getBytes());


        GetResponse chResponse = channel.basicGet("rabbitmq-java-test", false);
        if(chResponse == null) {
            System.out.println("No message retrieved");
        } else {
            byte[] body = chResponse.getBody();
            System.out.println("Received: " + new String(body));
        }


        channel.close();
        conn.close();
    }
}

Additionally, here is my current rabbit.config file:

%% Disable SSLv3.0 and TLSv1.0 support.
[
 {ssl, [{versions, ['tlsv1.2', 'tlsv1.1']}]},
 {rabbit, [
           {ssl_listeners, [5671]},
           {ssl_options, [{cacertfile,"/mnt/c/Users/Prateek/Desktop/mq_practice/testca/ca_cert.pem"},
                          {certfile,  "/mnt/c/Users/Prateek/Desktop/mq_practice/server/cert.pem"},
                          {keyfile,   "/mnt/c/Users/Prateek/Desktop/mq_practice/server/key.pem"},
                          {versions, ['tlsv1.2', 'tlsv1.1']}
                         ]}
          ]}
].

To run this program, I am using the following commands:

javac -cp amqp-client-4.1.1.jar Example1.java

then,

java -cp .:amqp-client-4.1.1.jar:slf4j-api-1.7.25.jar:slf4j-simple-1.7.25.jar Example1

Now for the problem. Here is the output I am getting:

[main] WARN com.rabbitmq.client.TrustEverythingTrustManager - This trust manager trusts every certificate, effectively disabling peer verification. This is convenient for local development but prone to man-in-the-middle attacks. Please see http://www.rabbitmq.com/ssl.html#validating-cerficates to learn more about peer certificate validation.
Exception in thread "main" java.net.SocketTimeoutException: Read timed out
        at java.net.SocketInputStream.socketRead0(Native Method)
        at java.net.SocketInputStream.socketRead(SocketInputStream.java:116)
        at java.net.SocketInputStream.read(SocketInputStream.java:171)
        at java.net.SocketInputStream.read(SocketInputStream.java:141)
        at sun.security.ssl.InputRecord.readFully(InputRecord.java:465)
        at sun.security.ssl.InputRecord.read(InputRecord.java:503)
        at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:973)
        at sun.security.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1375)
        at sun.security.ssl.SSLSocketImpl.writeRecord(SSLSocketImpl.java:747)
        at sun.security.ssl.AppOutputStream.write(AppOutputStream.java:123)
        at java.io.BufferedOutputStream.flushBuffer(BufferedOutputStream.java:82)
        at java.io.BufferedOutputStream.flush(BufferedOutputStream.java:140)
        at java.io.DataOutputStream.flush(DataOutputStream.java:123)
        at com.rabbitmq.client.impl.SocketFrameHandler.sendHeader(SocketFrameHandler.java:147)
        at com.rabbitmq.client.impl.SocketFrameHandler.sendHeader(SocketFrameHandler.java:153)
        at com.rabbitmq.client.impl.AMQConnection.start(AMQConnection.java:292)
        at com.rabbitmq.client.impl.recovery.RecoveryAwareAMQConnectionFactory.newConnection(RecoveryAwareAMQConnectionFactory.java:63)
        at com.rabbitmq.client.impl.recovery.AutorecoveringConnection.init(AutorecoveringConnection.java:99)
        at com.rabbitmq.client.ConnectionFactory.newConnection(ConnectionFactory.java:911)
        at com.rabbitmq.client.ConnectionFactory.newConnection(ConnectionFactory.java:870)
        at com.rabbitmq.client.ConnectionFactory.newConnection(ConnectionFactory.java:828)
        at com.rabbitmq.client.ConnectionFactory.newConnection(ConnectionFactory.java:979)
        at Example1.main(Example1.java:18)

I understand that the warning should be expected, but I have spent days trying to figure out why I am getting this SocketTimeoutException. Does anyone have insights? I don't even need all of the certificate verification working right now, I'd just like to get an encrypted connection going. I'll be happy to supply any needed information if asked. Thanks!

Michael Klishin

Jul 19, 2017, 4:23:05 PM
to rabbitm...@googlegroups.com
See server logs.

what RabbitMQ will and will not log. The log will also list every listener that is activated
(mentions what port the node will listen on) and http://www.rabbitmq.com/configure.html explains
how to verify your config file (or that it is found and loaded at all).

See https://www.rabbitmq.com/amqp-wireshark.html for some advice on how to use Wireshark. It can decrypt traffic
if you provide it with the private key.

Before you try to connect to port 5671 with TLS, make sure that you can connect to 5672 without it.

--
You received this message because you are subscribed to the Google Groups "rabbitmq-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email to rabbitmq-users+unsubscribe@googlegroups.com.
To post to this group, send email to rabbitmq-users@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.



--
MK

Staff Software Engineer, Pivotal/RabbitMQ

Prateek Singh

Jul 19, 2017, 5:04:19 PM
to rabbitmq-users
Thanks for the quick reply! So a few things:

1) Without using TLS (excluding the useSslProtocol() call and using the port 5672) I do indeed get the expected output, "Received: Hello, World".

2) The log file shows me the following when the node is started:

=INFO REPORT==== 19-Jul-2017::11:59:12 ===
started TCP Listener on [::]:5672

=INFO REPORT==== 19-Jul-2017::11:59:12 ===
started TCP Listener on 0.0.0.0:5672

=INFO REPORT==== 19-Jul-2017::11:59:12 ===
started SSL Listener on [::]:5671

=INFO REPORT==== 19-Jul-2017::11:59:12 ===
started SSL Listener on 0.0.0.0:5671

The corresponding information on the management UI looks like this:

Protocol     Bound to     Port
amqp         0.0.0.0      5672
amqp         ::           5672
amqp/ssl     0.0.0.0      5671
amqp/ssl     ::           5671
clustering   ::           25672
http         0.0.0.0      15672
http         ::           15672

3) I have updated my rabbit.config file to the following:

[
  {rabbit, [
     {ssl_listeners, [5671]},
     {ssl_options, [{cacertfile,"/mnt/c/Users/Prateek/Desktop/mq_practice/testca/cacert.pem"},
                    {certfile,"/mnt/c/Users/Prateek/Desktop/mq_practice/server/cert.pem"},
                    {keyfile,"/mnt/c/Users/Prateek/Desktop/mq_practice/server/key.pem"},
                    {verify,verify_peer},
                    {fail_if_no_peer_cert,false}]}
   ]}
].

However, the problem remains. Any other thoughts / things to try?

Michael Klishin

Jul 19, 2017, 9:00:32 PM
to rabbitm...@googlegroups.com
See what server logs around the time of connection.
See if you can connect to target port at all, e.g. using telnet. Take a traffic capture with tcpdump.



Michael Klishin

Jul 19, 2017, 9:02:54 PM
to rabbitm...@googlegroups.com
…and then there is a guide that demonstrates how to use `openssl s_client` to simulate
TCP-with-TLS client connections (which is a better option than telnet):

Prateek Singh

Jul 20, 2017, 5:13:46 PM
to rabbitmq-users
1) Server log immediately after starting the broker:

=INFO REPORT==== 20-Jul-2017::12:38:44 ===
Starting RabbitMQ 3.6.10 on Erlang 20.0
Copyright (C) 2007-2017 Pivotal Software, Inc.
Licensed under the MPL.  See http://www.rabbitmq.com/

=INFO REPORT==== 20-Jul-2017::12:38:44 ===
node           : rabbit@Sora
home dir       : C:\WINDOWS
config file(s) : c:/Users/Prateek/AppData/Roaming/RabbitMQ/rabbitmq.config
cookie hash    : su9bPcDhUpJjwTRMSODM7g==
log            : C:/Users/Prateek/AppData/Roaming/RabbitMQ/log/RABBIT~1.LOG
sasl log       : C:/Users/Prateek/AppData/Roaming/RabbitMQ/log/RABBIT~2.LOG
database dir   : c:/Users/Prateek/AppData/Roaming/RabbitMQ/db/RABBIT~1

=INFO REPORT==== 20-Jul-2017::12:38:48 ===
Memory limit set to 3238MB of 8096MB total.

=INFO REPORT==== 20-Jul-2017::12:38:48 ===
Enabling free disk space monitoring

=INFO REPORT==== 20-Jul-2017::12:38:48 ===
Disk free limit set to 50MB

=INFO REPORT==== 20-Jul-2017::12:38:48 ===
Limiting to approx 8092 file handles (7280 sockets)

=INFO REPORT==== 20-Jul-2017::12:38:48 ===
FHC read buffering:  OFF
FHC write buffering: ON

=INFO REPORT==== 20-Jul-2017::12:38:48 ===
Waiting for Mnesia tables for 30000 ms, 9 retries left

=INFO REPORT==== 20-Jul-2017::12:38:48 ===
Waiting for Mnesia tables for 30000 ms, 9 retries left

=INFO REPORT==== 20-Jul-2017::12:38:48 ===
Priority queues enabled, real BQ is rabbit_variable_queue

=INFO REPORT==== 20-Jul-2017::12:38:48 ===
Starting rabbit_node_monitor

=INFO REPORT==== 20-Jul-2017::12:38:48 ===
Management plugin: using rates mode 'basic'

=INFO REPORT==== 20-Jul-2017::12:38:48 ===
msg_store_transient: using rabbit_msg_store_ets_index to provide index

=INFO REPORT==== 20-Jul-2017::12:38:48 ===
msg_store_persistent: using rabbit_msg_store_ets_index to provide index

=INFO REPORT==== 20-Jul-2017::12:38:48 ===
started TCP Listener on [::]:5672

=INFO REPORT==== 20-Jul-2017::12:38:48 ===
started TCP Listener on 0.0.0.0:5672

=INFO REPORT==== 20-Jul-2017::12:38:48 ===
started SSL Listener on [::]:5671

=INFO REPORT==== 20-Jul-2017::12:38:48 ===
started SSL Listener on 0.0.0.0:5671

=WARNING REPORT==== 20-Jul-2017::12:38:48 ===
Could not find handle.exe, please install from sysinternals

=INFO REPORT==== 20-Jul-2017::12:38:48 ===
Management plugin started. Port: 15672

=INFO REPORT==== 20-Jul-2017::12:38:48 ===
Statistics database started.

=INFO REPORT==== 20-Jul-2017::12:38:48 ===
Server startup complete; 7 plugins started.
 * rabbitmq_management
 * rabbitmq_management_agent
 * rabbitmq_auth_mechanism_ssl
 * rabbitmq_web_dispatch
 * cowboy
 * amqp_client
 * cowlib

2) I went through the troubleshooting page and I found something interesting. I was successful up to the "Attempt TLS Connection to Broker" portion of the page, but I do not get the "accepting AMQP connection" entry in my server log file as the page says I should. Perhaps this is where the problem is? Maybe my broker is not configured correctly?

3) I am not so sure how to use tcpdump to capture traffic on Windows, do you suggest any resources for this?

Michael Klishin

Jul 20, 2017, 5:18:47 PM
to rabbitm...@googlegroups.com
1. It has no inbound connections. TLS connections are expected on port 5671 and you are running on an unsupported version of Erlang (which is not the root cause here, I'm quite certain).

2. https://groups.google.com/forum/#!msg/rabbitmq-users/p-Md6yvCZ5s/wEsg6lLuAwAJ explains what the broker will log. So TCP connections do not get through on port 5671.
    Check your firewall and such.


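The first program in this thread accepts any server certificate (hence the TrustEverythingTrustManager warning), and the advice in the replies is to check plain TCP reachability and the TLS handshake separately before looking at the broker. The Java class below is an added example, not code from the original posts or from the RabbitMQ project: it builds an SSLContext that trusts only the test CA (the cacertfile path from the posted rabbit.config), probes port 5671 in stages so that a firewall drop, a handshake that never gets a ServerHello (the "Read timed out" in the stack trace above) and a rejected certificate are reported as different results, and then opens the AMQP connection with that verifying context plus hostname checking. The class name Example1Verified, the TIMEOUT_MS value and the helper names are assumptions; hostname checking goes through setSocketConfigurator because amqp-client 4.1.1 predates the enableHostnameVerification() method of later releases.

```java
import java.io.*;
import java.net.*;
import java.security.KeyStore;
import java.security.cert.*;
import javax.net.ssl.*;
import com.rabbitmq.client.*;

public class Example1Verified
{
    // CA that signed the broker certificate: the cacertfile path from the posted rabbit.config
    static final String CA_CERT = "/mnt/c/Users/Prateek/Desktop/mq_practice/testca/ca_cert.pem";
    static final String HOST = "localhost";
    static final int PORT = 5671;
    static final int TIMEOUT_MS = 5000;   // assumed value; bounds every wait so a stall is reported, not hung on

    // SSLContext whose trust store holds only our CA: the broker's chain is verified
    // against it instead of being accepted unconditionally as the no-arg useSslProtocol() does.
    static SSLContext contextTrusting(String caPemPath) throws Exception
    {
        KeyStore trustStore = KeyStore.getInstance(KeyStore.getDefaultType());
        trustStore.load(null, null);                        // empty in-memory store
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        try (InputStream in = new FileInputStream(caPemPath)) {
            int i = 0;
            for (Certificate c : cf.generateCertificates(in))   // the PEM may hold a CA chain
                trustStore.setCertificateEntry("ca-" + i++, c);
        }
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(trustStore);
        SSLContext ctx = SSLContext.getInstance("TLSv1.2");   // matches the versions list in rabbit.config
        ctx.init(null, tmf.getTrustManagers(), null);
        return ctx;
    }

    // Turns on RFC 2818-style name checking; must run before the socket's handshake.
    static void requireHostnameMatch(SSLSocket ssl)
    {
        SSLParameters p = ssl.getSSLParameters();
        p.setEndpointIdentificationAlgorithm("HTTPS");
        ssl.setSSLParameters(p);
    }

    // Client-side equivalent of "telnet first, then openssl s_client": separates a port that
    // cannot be reached from one that accepts TCP but never answers the ClientHello, and from a rejected certificate.
    static String probe(String host, int port, SSLContext ctx) throws Exception
    {
        try (Socket tcp = new Socket()) {
            tcp.connect(new InetSocketAddress(host, port), TIMEOUT_MS);
        } catch (IOException e) {
            return "TCP: cannot reach " + host + ":" + port + " (" + e + ")";
        }
        try (SSLSocket tls = (SSLSocket) ctx.getSocketFactory().createSocket()) {
            tls.connect(new InetSocketAddress(host, port), TIMEOUT_MS);
            tls.setSoTimeout(TIMEOUT_MS);                   // bound the wait for the ServerHello
            requireHostnameMatch(tls);
            tls.startHandshake();
            X509Certificate peer = (X509Certificate) tls.getSession().getPeerCertificates()[0];
            return "TLS: " + tls.getSession().getProtocol() + " " + tls.getSession().getCipherSuite()
                 + ", server cert " + peer.getSubjectX500Principal();
        } catch (SocketTimeoutException e) {
            return "TLS: port open but no ServerHello within " + TIMEOUT_MS + " ms";
        } catch (SSLHandshakeException e) {
            return "TLS: handshake rejected: " + e.getMessage();
        } catch (IOException e) {
            return "TLS: connection failed: " + e;
        }
    }

    public static void main(String[] args) throws Exception
    {
        SSLContext ctx = contextTrusting(CA_CERT);
        System.out.println(probe(HOST, PORT, ctx));

        ConnectionFactory factory = new ConnectionFactory();
        factory.setHost(HOST);
        factory.setPort(PORT);
        factory.setConnectionTimeout(TIMEOUT_MS);
        factory.useSslProtocol(ctx);   // verifying context, so no TrustEverythingTrustManager warning
        // The configurator runs before the AMQP handshake, so the name check covers this socket too.
        factory.setSocketConfigurator(socket -> {
            socket.setTcpNoDelay(true);                     // what the library's default configurator sets
            if (socket instanceof SSLSocket) requireHostnameMatch((SSLSocket) socket);
        });

        Connection conn = factory.newConnection();
        try {
            Channel channel = conn.createChannel();
            channel.queueDeclare("rabbitmq-java-test", false, true, true, null);
            channel.basicPublish("", "rabbitmq-java-test", null, "Hello, World".getBytes("UTF-8"));
            GetResponse r = channel.basicGet("rabbitmq-java-test", true);
            System.out.println(r == null ? "No message retrieved" : "Received: " + new String(r.getBody(), "UTF-8"));
            channel.close();
        } finally {
            conn.close();
        }
    }
}
```

Compile and run it with the same classpath as Example1 (javac -cp amqp-client-4.1.1.jar Example1Verified.java, then java with the jar and the slf4j jars on the classpath). The name check requires the broker certificate to carry the host you connect to (here localhost) in its CN or subjectAltName; if the test certificate was issued for the machine name instead, the probe reports a handshake rejection naming the mismatch, and the fix is to connect using that name or reissue the certificate, not to remove the check. A "port open but no ServerHello" result points at the listener side (firewall, or something other than the TLS listener answering on 5671), which is the situation the server-log and tcpdump advice in the replies is meant to narrow down.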

Prateek Singh

Jul 20, 2017, 7:40:10 PM
to rabbitmq-users
Ok, so I went to "Windows Firewall with Advanced Security" on my computer and created a new inbound rule to allow connections on ports 5671-5672. Then, I managed to track some of the traffic using Wireshark. I've attached an image of some of the output that I thought might be important.
[attachment: ws_dump.png]

Michael Klishin

Jul 20, 2017, 7:48:26 PM
to rabbitm...@googlegroups.com
The server closes connection to port 5671. Establishing the connection
prior that takes 2 seconds (but it seems to succeed).

That's about as much as I can tell from this capture.


Prateek Singh

Jul 20, 2017, 7:53:18 PM
to rabbitmq-users
Would it help if I sent the .pcap file itself? Also it seems like this information from Wireshark may not be helpful since it only shows the TCP connection to the port and gives no information about the TLS encryption, correct?

Michael Klishin

Jul 20, 2017, 8:09:36 PM
to rabbitm...@googlegroups.com
If you provide Wireshark with a private key it can decrypt traffic.


Andrei Mikhailov

Feb 21, 2018, 11:02:10 AM
to rabbitmq-users
I think I had the same problem. Solved by updating to
`esl-erlang_20.2.2-1~debian~stretch_amd64.deb`
and `rabbitmq-server_3.7.3-1_all.deb`
Is there something wrong with `rabbitmq-server` on Debian Stretch?

Michael Klishin

Feb 22, 2018, 10:07:27 AM
to rabbitm...@googlegroups.com
Hi Andrei,

Please start new threads for new questions. This is mailing list etiquette 101.

As explained in http://www.rabbitmq.com/install-debian.html, Debian and Ubuntu often lag
behind RabbitMQ releases, sometimes by several years. Same for Erlang, which implements TLS.

Please use the process described in the Troubleshooting TLS guide:
http://www.rabbitmq.com/troubleshooting-ssl.html.

We cannot do anything beyond that since you haven't provided any details.

