TLS v1.3 with ECC and RSA based Certificates, TLS v1.2 with ECC certificates fails using Erlang 26.1.2 for RabbitMQ 3.12.12


RabbitMQIssueTrack User

Mar 20, 2024, 7:42:07 AM
to rabbitm...@googlegroups.com
Hi Support Team,

1. I was using RabbitMQ v3.11.0 with Erlang v25.1 in Windows 10. 
    RabbitMQ was working fine to create Queues, Shovels and communication using TLS v1.2 with ECC and RSA based certificates.
2. Later I upgraded to RabbitMQ v3.12.12 with v26.1.2 in Windows 10.
    a. RabbitMQ works fine with TLS v1.2 with RSA based certificates but fails with ECC based certificates.
    b. RabbitMQ does not work with TLS v1.3 with both ECC and RSA based certificates.

Using the below lines for the connection :

<rabbit:admin id="containerAdmin" connection-factory="connectionFactory" />
<rabbit:connection-factory id="connectionFactory"
    connection-factory="clientConnectionFactory" host="localhost" port="5671" />
<bean id="clientConnectionFactory"
    class="org.springframework.amqp.rabbit.connection.RabbitConnectionFactoryBean">
    <property name="useSSL" value="true" />
    <property name="sslAlgorithm" value="TLSv1.2" />
    <property name="saslConfig"
        value="#{T(com.rabbitmq.client.DefaultSaslConfig).EXTERNAL}" />
    <property name="keyStore" value="file:${HOME}/SSLCertificates/client/keycert.p12" />
    <property name="keyStorePassphrase" value="Password" />
</bean>

I have followed the thread https://groups.google.com/g/rabbitmq-users/c/4qqaOO-QZf4/m/JF5KdQGTBQAJ but it did not help.

I have attached the logs for TLSv1.2 ECC cert, TLSv1.3 ECC cert, TLSv1.3 RSA cert and advanced.config file. 
Help to proceed on this.



advanced.config
rabbit@name_TLSv1_3_ECC.log
rabbit@name_TLSv1_3_RSA.log
rabbit@name_TLSv1_2_ECC.log

Luke Bakken

Mar 20, 2024, 11:13:35 AM
to rabbitmq-users
Hello,

Thanks for using RabbitMQ. Please tell us exactly how you are generating your certificates. Both RSA and ECC.

RabbitMQIssueTrack User

Mar 21, 2024, 3:37:09 AM
to rabbitm...@googlegroups.com
Hi,

Bouncy Castle Java code to create certificates.
For RSA we are using 2048 keylength.
For ECC we are using secp384r1 prime256v1 curves.
Also we use self signed CA as parent.
 
Java Spring is used, client to connect to RabbitMQ.

--
You received this message because you are subscribed to the Google Groups "rabbitmq-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email to rabbitmq-user...@googlegroups.com.
To view this discussion on the web, visit https://groups.google.com/d/msgid/rabbitmq-users/9d1697ca-1162-42a5-a126-2849827b1fccn%40googlegroups.com.

Luke Bakken

Mar 21, 2024, 3:08:10 PM
to rabbitmq-users
Hello -

I realize I should have been a lot more explicit about the information I need to assist you.

Take a second to think about what you're asking me to do:
  • Figure out what "Bouncy Castle" is
  • Figure out how to use it
  • Figure out how to incorporate it into a self-signed CA
  • Then, test it out using two different versions of RabbitMQ and Erlang on Windows. You didn't provide your client code, or similar example code.
...all for free.

You must make it as easy as possible for me to reproduce your issue. At the bare minimum -
  • Provide a complete set of RSA certs that demonstrate a working example
  • Provide ECC certs that work with Erlang 25.1, but fail with 26
  • Your RabbitMQ configuration
  • Java version
  • Code that I can clone, compile, and run to see the issue. If it is based on Spring, ensure I can compile and run the code using Maven. Don't assume I know how to create the relevant Java keystores, either.
Assume that I have no time to set up an environment (which I don't), but I do have some time to investigate if I can reproduce the issue with a minimal amount of set-up.

Thanks,
Luke

RabbitMQIssueTrack User

Apr 1, 2024, 8:11:14 AM
to rabbitmq-users
Hi,

I have attached the ECC certificates (with curves prime256v1 and secp384r1) and advanced.config that I have used with RabbitMQ and Erlang 26.x.
I have also captured and attached the RabbitMQ logs for both ECC 256 and ECC 384.
I have performed the below steps:
  1. Installed RabbitMQ 3.12.12 with Erlang 26.1.2
  2. In the advanced.config file, enabled only TLSv1.3 and used the attached certificates. Refer attachment for the files.
  3. Manually created a couple of Topic Exchange and queues using the RabbitMQ management UI.
  4. Restarted RabbitMQ and I can see the error in the log file. 

Please note I have not used any client for this test. Just started RabbitMQ with the ECC certificates and TLSv1.3.

I am currently writing a JAVA Client to reproduce the error with RSA certificates and TLSv1.3.
I will share the RSA certificates with the simple Java client in a couple of days.

Thank You,
ecccerts.zip

RabbitMQIssueTrack User

Apr 12, 2024, 1:54:37 AM
to rabbitmq-users
Hi Luke,

Did you get time to check on this?

Please let me know if you are able to reproduce the issue for ECC certificates while using the Erlang 26.1.2.

Luke Bakken

Apr 12, 2024, 11:13:48 AM
to rabbitmq-users
Please note that the support you receive on this mailing list is free-of-charge.

I can only work on these items if I am not busy working on customer issues, or RabbitMQ itself.

Please be patient.

Luke Bakken

Apr 16, 2024, 6:22:23 PM
to rabbitmq-users
This discussion may be relevant - https://github.com/erlang/otp/issues/8376

Luke Bakken

Jun 10, 2024, 12:04:34 PM
to rabbitmq-users
Hello,

I have a repo with scripts to run RabbitMQ and OpenSSL to demonstrate that the ECC certs you provided work correctly.

I'm using RabbitMQ 3.13.3 / Erlang 26.2.5 on Windows 11

If you would like me to continue providing assistance, fork my repository, and open a pull request to add a Java application that demonstrates the issue.
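
One way to check ECC certificates with OpenSSL alone, before the broker or a Java client is involved (an added example, not the scripts from the repository mentioned above): it builds throwaway chains on prime256v1 and secp384r1 and runs a TLS 1.3-only handshake over loopback. The subject names, ports and function names are assumptions.

```bash
#!/usr/bin/env bash
# Added example. All certificates are constructed throwaway test material,
# not the ones attached to the thread; ports and names are assumptions.

# Build a self-signed ECC CA and a server certificate on the given curve,
# then confirm the chain verifies. $1 = curve, $2 = output directory.
make_ecc_chain() {
  local curve="$1" dir="$2"
  mkdir -p "$dir" || return 1
  openssl req -x509 -newkey ec -pkeyopt "ec_paramgen_curve:$curve" -nodes \
    -keyout "$dir/ca.key" -out "$dir/ca.pem" -days 1 \
    -subj "/CN=Constructed Test CA" 2>/dev/null || return 1
  openssl req -new -newkey ec -pkeyopt "ec_paramgen_curve:$curve" -nodes \
    -keyout "$dir/server.key" -out "$dir/server.csr" \
    -subj "/CN=localhost" 2>/dev/null || return 1
  openssl x509 -req -in "$dir/server.csr" -CA "$dir/ca.pem" \
    -CAkey "$dir/ca.key" -CAcreateserial -days 1 \
    -out "$dir/server.pem" 2>/dev/null || return 1
  openssl verify -CAfile "$dir/ca.pem" "$dir/server.pem" >/dev/null 2>&1
}

# TLS 1.3-only handshake over loopback, with no broker involved.
# $1 = directory from make_ecc_chain, $2 = free loopback port.
tls13_handshake() {
  local dir="$1" port="$2" srv out try rc=1
  openssl s_server -accept "127.0.0.1:$port" -tls1_3 -www \
    -cert "$dir/server.pem" -key "$dir/server.key" >/dev/null 2>&1 &
  srv=$!
  for try in 1 2 3; do          # give the server time to bind
    sleep 1
    out=$(openssl s_client -connect "127.0.0.1:$port" -tls1_3 \
      -CAfile "$dir/ca.pem" -verify_return_error </dev/null 2>&1)
    case $out in *'Verify return code: 0 (ok)'*) rc=0; break ;; esac
  done
  kill "$srv" 2>/dev/null || true
  wait "$srv" 2>/dev/null || true
  return "$rc"
}

work=$(mktemp -d)
port=15671
for curve in prime256v1 secp384r1; do
  if make_ecc_chain "$curve" "$work/$curve" &&
     tls13_handshake "$work/$curve" "$port"; then
    echo "$curve: chain verifies and TLS 1.3 handshake succeeds"
  else
    echo "$curve: FAILED (inspect the openssl output by hand)"
  fi
  port=$((port + 1))
done
rm -rf "$work"
```

If a chain passes here but the broker still rejects it, the difference lies in the broker or client TLS settings rather than in the certificate files.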

Luke Bakken

Jun 10, 2024, 12:04:43 PM
to rabbitmq-users