ssl handshake issue ssl_handshake.erl:169:Fatal error: internal error


Emanuel Hategan

Nov 9, 2015, 7:56:29 AM
to rabbitmq-users
Hello everyone, I'm stuck on getting ssl to work for my rabbitmq setup. Any help is appreciated.

Keys and cert are ok as the openssl commands work: 
openssl s_server -accept 9443 -key /etc/ca-certificates/rabbit.key  -cert /etc/ca-certificates/rabbit.pem
openssl s_client -connect localhost:9443 -CAfile ~/Projects/developer-accounts/accounts-api/src/main/resources/ca-chain.cert.pem -tls1_2

however, when I try openssl s_client on the actual server, it errors.
openssl s_client -connect localhost:5671 -CAfile ~/Projects/developer-accounts/accounts-api/src/main/resources/ca-chain.cert.pem -tls1_2
CONNECTED(00000003)
140170305365664:error:14094438:SSL routines:SSL3_READ_BYTES:tlsv1 alert internal error:s3_pkt.c:1262:SSL alert number 80
140170305365664:error:1409E0E5:SSL routines:SSL3_WRITE_BYTES:ssl handshake failure:s3_pkt.c:598:
---
no peer certificate available


Setup: 
---------

OS: Ubuntu 14.04
RabbitMQ: latest version available on the website as of today: rabbitmq-server_3.5.6-1_all.deb configured as follows: 
Erlang: 18.1


RabbitMQ CONFIG: 
---------------------------

[
  {rabbit,                    [{ssl_listeners,               [5671]},
                               {collect_statistics_interval, 10000}]},
  {ssl_options,               [{keyfile, "/etc/ca-certificates/rabbit.key"},
                               {certfile, "/etc/ca-certificates/rabbit.pem"},
                               {verify, verify_none}]},
  {log_levels,                [{channel, debug},
                               {connection, debug}]},
  {rabbitmq_management, [ {listener, [{port, 15671}, {ssl,      false}]}]}
].


RabbitMQ LOG: 
---------------------

=INFO REPORT==== 9-Nov-2015::12:46:47 ===
Starting RabbitMQ 3.5.6 on Erlang 18.1
Copyright (C) 2007-2015 Pivotal Software, Inc.
Licensed under the MPL.  See http://www.rabbitmq.com/

=INFO REPORT==== 9-Nov-2015::12:46:47 ===
node           : rabbit@aglientu
home dir       : /var/lib/rabbitmq
config file(s) : /etc/rabbitmq/rabbitmq.config
cookie hash    : vtXGC3VRLoXI6IeHZSQlaA==
log            : /var/log/rabbitmq/rab...@aglientu.log
sasl log       : /var/log/rabbitmq/rab...@aglientu-sasl.log
database dir   : /var/lib/rabbitmq/mnesia/rabbit@aglientu

=INFO REPORT==== 9-Nov-2015::12:46:47 ===
Memory limit set to 6383MB of 15957MB total.

=INFO REPORT==== 9-Nov-2015::12:46:47 ===
Disk free limit set to 50MB

=INFO REPORT==== 9-Nov-2015::12:46:47 ===
Limiting to approx 924 file handles (829 sockets)

=INFO REPORT==== 9-Nov-2015::12:46:47 ===
FHC read buffering:  ON
FHC write buffering: ON

=INFO REPORT==== 9-Nov-2015::12:46:47 ===
Priority queues enabled, real BQ is rabbit_variable_queue

=INFO REPORT==== 9-Nov-2015::12:46:48 ===
Management plugin: using rates mode 'basic'

=INFO REPORT==== 9-Nov-2015::12:46:48 ===
msg_store_transient: using rabbit_msg_store_ets_index to provide index

=INFO REPORT==== 9-Nov-2015::12:46:48 ===
msg_store_persistent: using rabbit_msg_store_ets_index to provide index

=INFO REPORT==== 9-Nov-2015::12:46:48 ===
started TCP Listener on [::]:5672

=INFO REPORT==== 9-Nov-2015::12:46:48 ===
started SSL Listener on [::]:5671

=INFO REPORT==== 9-Nov-2015::12:46:48 ===
Management plugin started. Port: 15671

=INFO REPORT==== 9-Nov-2015::12:46:48 ===
Statistics database started.

=INFO REPORT==== 9-Nov-2015::12:46:48 ===
Server startup complete; 8 plugins started.
 * rabbitmq_shovel_management
 * rabbitmq_management
 * rabbitmq_web_dispatch
 * rabbitmq_shovel
 * amqp_client
 * rabbitmq_management_agent
 * webmachine
 * mochiweb

=ERROR REPORT==== 9-Nov-2015::12:47:07 ===
SSL: hello: ssl_handshake.erl:169:Fatal error: internal error

=ERROR REPORT==== 9-Nov-2015::12:47:12 ===
Error on AMQP connection <0.342.0>:
{ssl_upgrade_error,{tls_alert,"internal error"}}

Michael Klishin

Nov 9, 2015, 8:28:09 AM
to rabbitm...@googlegroups.com, Emanuel Hategan
On 9 November 2015 at 15:56:32, Emanuel Hategan (emanuel...@gmail.com) wrote:
> =ERROR REPORT==== 9-Nov-2015::12:47:07 ===
> SSL: hello: ssl_handshake.erl:169:Fatal error: internal
> error
>
> =ERROR REPORT==== 9-Nov-2015::12:47:12 ===
> Error on AMQP connection <0.342.0>:
> {ssl_upgrade_error,{tls_alert,"internal error"}}

Alert 80 and the above suggest it is a TLS implementation issue. Please ask on erlang-users
and/or try 17.5. 
--
MK

Staff Software Engineer, Pivotal/RabbitMQ


Emanuel Hategan

Nov 9, 2015, 9:19:25 AM
to rabbitmq-users, emanuel...@gmail.com
Thank you for your help. 

After switching to Erlang 17.5, the error is almost the same: 

In rabbitmq log I see: 
---------------------------
=ERROR REPORT==== 9-Nov-2015::14:14:24 ===
SSL: hello: ssl_handshake.erl:167:Fatal error: internal error

=ERROR REPORT==== 9-Nov-2015::14:14:29 ===
Error on AMQP connection <0.341.0>:
{ssl_upgrade_error,{tls_alert,"internal error"}}

-----------------------
openssl s_client -connect localhost:5671 -CAfile ~/Projects/developer-accounts/accounts-api/src/main/resources/ca-chain.cert.pem -tls1_2
CONNECTED(00000003)
140392952727200:error:14094438:SSL routines:SSL3_READ_BYTES:tlsv1 alert internal error:s3_pkt.c:1262:SSL alert number 80
140392952727200:error:1409E0E5:SSL routines:SSL3_WRITE_BYTES:ssl handshake failure:s3_pkt.c:598:
---
no peer certificate available

I'll try to ask on erlang users as you suggested. 

Emanuel

Emanuel Hategan

Nov 9, 2015, 10:24:00 AM
to rabbitmq-users, emanuel...@gmail.com
Eventually figured it out... 
I have to admit it was a simple configuration issue: the ssl_options section should be under the rabbit section, not outside it as I had initially tried. 

Thank you anyway for trying to help. I appreciate it.
Emanuel 

Michael Klishin

Nov 9, 2015, 10:26:11 AM
to rabbitm...@googlegroups.com, Emanuel Hategan
On 9 November 2015 at 18:24:03, Emanuel Hategan (emanuel...@gmail.com) wrote:
> Eventually figured it out...
> I have to admit it was a simple configuration issue: the ssl_options
> section should be under rabbit section not outside it as I have
> initially tried.
>
> Thank you anyway for trying to help. I appreciate it.

We hope YAML-based configuration and maybe even basic config validation will be done by 3.7.0.

Emanuel Hategan

Nov 10, 2015, 10:07:06 AM
to rabbitmq-users, emanuel...@gmail.com
After giving it more thought, I'm thinking rabbitmq should fail if ssl_listener is specified but no ssl_options. 
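The root cause found in this thread (a syntactically valid rabbitmq.config whose ssl_options sits at the top level instead of inside the rabbit section, so the 5671 listener starts with no certificate or key) and the follow-up suggestion that RabbitMQ should refuse such a config can both be covered by a small pre-flight check. The script below is an added example, not part of the thread or of RabbitMQ itself: it parses the Erlang-term subset used by rabbitmq.config and reports the misplacement, a listener without ssl_options, and missing certfile/keyfile entries. The two embedded configs are constructed from the thread's original layout and its corrected nesting.

```python
import re

# Tokenizer for the subset of Erlang term syntax rabbitmq.config uses:
# atoms, "strings", integers, lists, tuples, % comments and the closing '.'
_TOKEN = re.compile(r'\s+|%[^\n]*|(?P<str>"(?:[^"\\]|\\.)*")|(?P<int>\d+)'
                    r'|(?P<atom>[a-z][A-Za-z0-9_@]*)|(?P<punct>[\[\]{},.])')

def _parse(toks, i):
    # Recursive descent over one term; returns (python_value, next_token_index).
    kind, val = toks[i]
    if kind == "punct" and val in "[{":
        close = "]" if val == "[" else "}"
        items, i = [], i + 1
        while toks[i][1] != close:
            item, i = _parse(toks, i)
            items.append(item)
            if toks[i][1] == ",":
                i += 1
        return (items if close == "]" else tuple(items)), i + 1  # list vs tuple
    if kind == "punct":
        raise ValueError(f"unexpected {val!r} at token {i}")
    return (val[1:-1] if kind == "str" else int(val) if kind == "int" else val), i + 1

def load_config(text):
    """Parse rabbitmq.config text into a list of (app_atom, [settings]) tuples."""
    toks = [(m.lastgroup, m.group()) for m in _TOKEN.finditer(text) if m.lastgroup]
    return _parse(toks, 0)[0]

def check_tls(text):
    """Pre-flight check: returns problems; [] means the TLS listener has a cert and key."""
    apps = {name: dict(settings) for name, settings in load_config(text)}
    rabbit, problems = apps.get("rabbit", {}), []
    if "ssl_options" in apps:  # the thread's bug: valid syntax, silently ignored by rabbit
        problems.append("ssl_options is top-level; it must be nested inside {rabbit, [...]}")
    if rabbit.get("ssl_listeners") and "ssl_options" not in rabbit:
        problems.append("ssl_listeners set but rabbit has no ssl_options: no cert/key for 5671")
    for key in ("certfile", "keyfile"):
        if "ssl_options" in rabbit and key not in dict(rabbit["ssl_options"]):
            problems.append(f"rabbit.ssl_options has no {key}")
    return problems

# Constructed samples: the misplaced layout from the thread and the corrected nesting.
BROKEN = """[{rabbit, [{ssl_listeners, [5671]}]},
 {ssl_options, [{keyfile, "/etc/ca-certificates/rabbit.key"},
                {certfile, "/etc/ca-certificates/rabbit.pem"}, {verify, verify_none}]}]."""
FIXED = """[{rabbit, [{ssl_listeners, [5671]},
           {ssl_options, [{keyfile, "/etc/ca-certificates/rabbit.key"},
                          {certfile, "/etc/ca-certificates/rabbit.pem"}, {verify, verify_none}]}]}]."""
```

Running `check_tls(open("/etc/rabbitmq/rabbitmq.config").read())` before restarting the broker turns the silent "internal error" handshake failure into an explicit message about which entry is misplaced or missing.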