Shovel TLS configuration problems


Joseph L. Casale

Apr 21, 2021, 10:55:36 AM
to rabbitmq-users
I have a cluster with TLS configured for client, internode, and management API connections.
Functionality for the above works fine, except for dynamic shovels created using the management API.

My advanced config is set as follows:

[
    {amqp_client, [
        {ssl_options, [
            {cacertfile, "C:/RabbitMQ/ca.example.com.pem"},
            {certfile, "C:/RabbitMQ/host.example.com-cert.pem"},
            {keyfile, "C:/RabbitMQ/host.example.com-key.pem"},
            {password, "..."},
            {secure_renegotiate, true},
            {verify, verify_peer},
            {fail_if_no_peer_cert, true},
            {versions, ['tlsv1.2', 'tlsv1.3']}
        ]}
    ]}
].

These SSL options are the same used in the internode config.

are supposed to be merged with the amqps URI when no query parameters are set.

The documents don't cover a few of these parameters and, most specifically, I don't see confirmation that a protected key is possible.

Does anyone have an idea of what I may be missing? The logs emit the following error:

{tls_alert,{handshake_failure,"TLS client: In state cipher received SERVER ALERT: Fatal - Handshake Failure\n"}}

Thanks,
jlc

Michal Kuratczyk

Apr 21, 2021, 12:48:31 PM
to rabbitm...@googlegroups.com
Hi,

I guess that's because you have TLSv1.3 enabled. Please review https://www.rabbitmq.com/ssl.html#tls1.3
TL;DR: TLSv1.3 is generally an all-or-nothing proposition - if you want to have it enabled, everything should be using TLSv1.3.

Best,

--
Michał
RabbitMQ team
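The reply's point can be checked mechanically before touching the broker. The following is an added example, not code from the thread or from RabbitMQ: it parses the Erlang term syntax used in advanced.config and flags TLS version lists that disagree between the listener (the rabbit application) and the shovel client (amqp_client), including the case where TLSv1.3 is enabled in only some components. The sample config is constructed from the poster's values, with a rabbit section limited to TLSv1.2 as the poster later configured it.

```python
import re

# Constructed sample: the poster's amqp_client version list next to a rabbit
# (listener) section limited to TLSv1.2, as the poster later configured it.
SAMPLE_CONFIG = """[
  {rabbit, [{ssl_options, [{cacertfile, "C:/RabbitMQ/ca.example.com.pem"},
    {verify, verify_peer}, {fail_if_no_peer_cert, true}, {versions, ['tlsv1.2']}]}]},
  {amqp_client, [{ssl_options, [{cacertfile, "C:/RabbitMQ/ca.example.com.pem"},
    {keyfile, "C:/RabbitMQ/host.example.com-key.pem"}, {password, "..."},
    {verify, verify_peer}, {versions, ['tlsv1.2', 'tlsv1.3']}]}]}
]."""

def parse_erlang_term(text):
    """Parse the advanced.config subset: lists -> list, tuples -> tuple, atoms/strings -> str."""
    tokens = re.findall(r"'[^']*'|\"[^\"]*\"|[\[\]{},]|[A-Za-z_][\w@]*", text)
    pos = 0  # the trailing '.' matches no token class and is skipped

    def parse():
        nonlocal pos
        tok = tokens[pos]
        pos += 1
        if tok in ("[", "{"):
            close, items = ("]" if tok == "[" else "}"), []
            while tokens[pos] != close:
                if tokens[pos] == ",":
                    pos += 1
                else:
                    items.append(parse())
            pos += 1
            return items if tok == "[" else tuple(items)
        return tok.strip("'\"")

    return parse()

def ssl_options_by_app(config_text):
    """Map each application (rabbit, amqp_client, ...) to its ssl_options as a dict."""
    apps = {app: dict(props) for app, props in parse_erlang_term(config_text)}
    return {app: dict(p["ssl_options"]) for app, p in apps.items() if "ssl_options" in p}

def check_tls_versions(sections):
    """Flag version lists that differ between components, and TLSv1.3 enabled in only some."""
    versions = {app: sorted(o.get("versions", [])) for app, o in sections.items()}
    findings = []
    if len({tuple(v) for v in versions.values()}) > 1:
        findings.append(f"TLS versions differ between components: {versions}")
    with_13 = sorted(app for app, v in versions.items() if "tlsv1.3" in v)
    if with_13 and len(with_13) < len(versions):
        findings.append("TLSv1.3 enabled only in: " + ", ".join(with_13))
    return findings
```

Run `check_tls_versions(ssl_options_by_app(open("advanced.config").read()))` against a real file; an empty list means every component advertises the same versions.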

Joseph L. Casale

Apr 21, 2021, 2:08:11 PM
to rabbitmq-users
Hi,
Thanks for the pointer. I understood that, by having both, clients could negotiate the level they wanted.

I have now set the internode and server configuration to TLS 1.2 only; however, that did not change anything. I am still receiving the same error in the log once the shovel is created.

Any other thoughts on what I may be missing?

Thanks,
jlc