TLS v1.3 with ECC and RSA based Certificates, TLS v1.2 with ECC certificates fails using Erlang 26.1.2 for RabbitMQ 3.12.12


RabbitMQIssueTrack User

Mar 20, 2024, 7:42:07 AM
to rabbitm...@googlegroups.com
Hi Support Team,

1. I was using RabbitMQ v3.11.0 with Erlang v25.1 in Windows 10. 
    RabbitMQ was working fine to create Queues, Shovels and communication using TLS v1.2 with ECC and RSA based certificates.
2. Later I upgraded to RabbitMQ v3.12.12 with v26.1.2 in Windows 10.
    a. RabbitMQ works fine with TLS v1.2 with RSA based certificates but fails with ECC based certificates.
    b. RabbitMQ does not work with TLS v1.3 with both ECC and RSA based certificates.

Using the below lines for the connection:

<rabbit:admin id="containerAdmin" connection-factory="connectionFactory" />
<rabbit:connection-factory id="connectionFactory"
    connection-factory="clientConnectionFactory" host="localhost" port="5671" />
<bean id="clientConnectionFactory"
    class="org.springframework.amqp.rabbit.connection.RabbitConnectionFactoryBean">
    <property name="useSSL" value="true" />
    <property name="sslAlgorithm" value="TLSv1.2" />
    <property name="saslConfig"
        value="#{T(com.rabbitmq.client.DefaultSaslConfig).EXTERNAL}" />
    <property name="keyStore" value="file:${HOME}/SSLCertificates/client/keycert.p12"/>
    <property name="keyStorePassphrase" value="Password"/>
</bean>

I have followed the thread https://groups.google.com/g/rabbitmq-users/c/4qqaOO-QZf4/m/JF5KdQGTBQAJ but it did not help.

I have attached the logs for TLSv1.2 ECC cert, TLSv1.3 ECC cert, TLSv1.3 RSA cert and advanced.config file. 
Help to proceed on this.



advanced.config
rabbit@name_TLSv1_3_ECC.log
rabbit@name_TLSv1_3_RSA.log
rabbit@name_TLSv1_2_ECC.log

Luke Bakken

Mar 20, 2024, 11:13:35 AM
to rabbitmq-users
Hello,

Thanks for using RabbitMQ. Please tell us exactly how you are generating your certificates. Both RSA and ECC.

RabbitMQIssueTrack User

Mar 21, 2024, 3:37:09 AM
to rabbitm...@googlegroups.com
Hi,

Bouncy Castle Java code to create certificates.
For RSA we are using 2048 keylength.
For ECC we are using the secp384r1 and prime256v1 curves.
Also we use self signed CA as parent.
 
Java Spring is used, client to connect to RabbitMQ.

--
You received this message because you are subscribed to the Google Groups "rabbitmq-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email to rabbitmq-user...@googlegroups.com.
To view this discussion on the web, visit https://groups.google.com/d/msgid/rabbitmq-users/9d1697ca-1162-42a5-a126-2849827b1fccn%40googlegroups.com.

Luke Bakken

Mar 21, 2024, 3:08:10 PM
to rabbitmq-users
Hello -

I realize I should have been a lot more explicit about the information I need to assist you.

Take a second to think about what you're asking me to do:
  • Figure out what "Bouncy Castle" is
  • Figure out how to use it
  • Figure out how to incorporate it into a self-signed CA
  • Then, test it out using two different versions of RabbitMQ and Erlang on Windows. You didn't provide your client code, or similar example code.
...all for free.

You must make it as easy as possible for me to reproduce your issue. At the bare minimum -
  • Provide a complete set of RSA certs that demonstrate a working example
  • Provide ECC certs that work with Erlang 25.1, but fail with 26
  • Your RabbitMQ configuration
  • Java version
  • Code that I can clone, compile, and run to see the issue. If it is based on Spring, ensure I can compile and run the code using Maven. Don't assume I know how to create the relevant Java keystores, either.
Assume that I have no time to set up an environment (which I don't), but I do have some time to investigate if I can reproduce the issue with a minimal amount of set-up.

Thanks,
Luke

RabbitMQIssueTrack User

Apr 1, 2024, 8:11:14 AM
to rabbitmq-users
Hi,

I have attached the ECC certificates (with curves prime256v1 and secp384r1) and advanced.config that I have used with RabbitMQ and Erlang 26.x.
I have also captured and attached the RabbitMQ logs for both ECC 256 and ECC 384.
I have performed the below steps:
  1. Installed RabbitMQ 3.12.12 with Erlang 26.1.2
  2. In the advanced.config file, enabled only TLSv1.3 and used the attached certificates. Refer attachment for the files.
  3. Manually created a couple of Topic Exchange and queues using the RabbitMQ management UI.
  4. Restarted RabbitMQ and I can see the error in the log file. 

Please note I have not used any client for this test. Just started RabbitMQ with the ECC certificates and TLSv1.3.

I am currently writing a JAVA Client to reproduce the error with RSA certificates and TLSv1.3.
I will share the RSA certificates with the simple Java client in a couple of days.

Thank You,
ecccerts.zip

RabbitMQIssueTrack User

Apr 12, 2024, 1:54:37 AM
to rabbitmq-users
Hi Luke,

Did you get time to check on this?

Please let me know if you are able to reproduce the issue for ECC certificates while using the Erlang 26.1.2.

Luke Bakken

Apr 12, 2024, 11:13:48 AM
to rabbitmq-users
Please note that the support you receive on this mailing list is free-of-charge.

I can only work on these items if I am not busy working on customer issues, or RabbitMQ itself.

Please be patient.

Luke Bakken

Apr 16, 2024, 6:22:23 PM
to rabbitmq-users
This discussion may be relevant - https://github.com/erlang/otp/issues/8376

Luke Bakken

Jun 10, 2024, 12:04:34 PM
to rabbitmq-users
Hello,

I have a repo with scripts to run RabbitMQ and OpenSSL to demonstrate that the ECC certs you provided work correctly.

I'm using RabbitMQ 3.13.3 / Erlang 26.2.5 on Windows 11

If you would like me to continue providing assistance, fork my repository, and open a pull request to add a Java application that demonstrates the issue.
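
Added example, not part of the thread and not taken from the repository mentioned above: a client-side probe that pins one protocol version per attempt against the listener on localhost:5671, so a TLS v1.2 versus TLS v1.3 difference can be separated from the Java client and from certificate verification. The PEM file names are assumptions (the thread's client uses a PKCS#12 keystore).

```python
import socket
import ssl

VERSIONS = (ssl.TLSVersion.TLSv1_2, ssl.TLSVersion.TLSv1_3)

def make_context(version, cafile=None, certfile=None, keyfile=None):
    """Client context pinned to exactly one protocol version; verification stays on."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.minimum_version = version
    ctx.maximum_version = version
    if cafile:
        ctx.load_verify_locations(cafile)       # the self-signed CA, PEM
    else:
        ctx.load_default_certs()
    if certfile:
        ctx.load_cert_chain(certfile, keyfile)  # client certificate for SASL EXTERNAL
    return ctx

def classify(exc):
    """Name the layer that failed. Order matters: each class subclasses the next."""
    if isinstance(exc, ssl.SSLCertVerificationError):
        return "certificate-verification"
    if isinstance(exc, ssl.SSLError):
        return "tls-handshake"
    return "tcp"

def probe(host, port, version, timeout=5.0, **files):
    """Attempt one handshake at one version and report what was negotiated."""
    ctx = make_context(version, **files)
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                return {"requested": version.name, "ok": True,
                        "negotiated": tls.version(), "cipher": tls.cipher()[0]}
    except OSError as exc:
        return {"requested": version.name, "ok": False,
                "layer": classify(exc), "detail": str(exc)}

if __name__ == "__main__":
    # Assumed file names; replace with the CA and client PEM files under test.
    for v in VERSIONS:
        print(probe("localhost", 5671, v, cafile="ca.pem",
                    certfile="client_cert.pem", keyfile="client_key.pem"))
```

With TLS 1.3 the client side of the handshake can finish before the server has validated the client certificate, so a rejected client certificate may only show up as an error on the first read after an `ok: True` result.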
