Enable TLS debug tracing

Patrick

Mar 15, 2022, 12:56:31 PM
to rabbitmq-users
Hi,

I am using RabbitMQ 3.6.15 and Erlang 20.1.5 and I ran into an SSL handshake problem in the CertificateVerify message. I want to enable SSL handshake logging on the RabbitMQ side by adding these settings to the rabbitmq.config file, but it didn't generate any logs:

    {log_levels, [{connection, debug}, {queue, debug}]},
    {log,
        [{file, [{level, debug}]},
         {categories,
             [{connection, [{level, debug}]},
              {queue, [{level, debug}]}
             ]
         }]
    }

Can someone help me on how to enable the SSL debugging/tracing?

Thanks
Patrick

Woon Yung Liu

Mar 16, 2022, 4:10:47 AM
to rabbitmq-users
Hi,

From what I know, this TLS debugging functionality you seek was introduced with Erlang OTP 22.0: https://www.erlang.org/blog/ssl-logging-in-otp-22/
However, I am personally unsure of how to get those messages to appear.

What I have been doing is to use Wireshark/tcpdump to make a packet capture. If you use TLS before TLS 1.3, it is possible to observe the handshake process.

You could also perhaps make use of openssl's s_client & s_server functionality, to simulate a TLS client/server. By doing so, you can get more information about how the TLS handshaking went, from the perspective of the client/server. If you replace RabbitMQ with openssl s_server, I believe using the -msg option will result in useful, human-readable information getting printed.

Good luck!

Best Regards,
Woon Yung
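
The s_server suggestion above, as an added example that is not part of the original posts: a local `openssl s_server -msg` stands in for the broker and requires a client certificate, so the server-side trace includes the client's CertificateVerify. The port, file names and throwaway self-signed certificates are constructed for the demonstration, and pinning TLS 1.2 is an assumption.

```shell
#!/bin/sh
# Added example: trace a mutual-TLS handshake with `openssl s_server -msg`.
# Port, file names and certificates are constructed for this demonstration.

trace_handshake() {
    port="${1:-45671}"                 # hypothetical free local port
    d="$(mktemp -d)" || return 1

    # Throwaway self-signed certificate and key for each role.
    for n in server client; do
        openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$n" \
            -keyout "$d/$n.key" -out "$d/$n.pem" >/dev/null 2>&1 || return 1
    done

    # Stand-in for the broker. -Verify demands a client certificate, which
    # is what makes the client send CertificateVerify; -msg prints every
    # protocol message; -www keeps s_server from reading stdin.
    openssl s_server -accept "$port" -www -tls1_2 -msg \
        -cert "$d/server.pem" -key "$d/server.key" \
        -Verify 1 -CAfile "$d/client.pem" >"$d/server.log" 2>&1 &
    pid=$!

    # Wait (at most ~10 s) until the listener reports ACCEPT.
    i=0
    until grep -q ACCEPT "$d/server.log" 2>/dev/null; do
        i=$((i + 1)); [ "$i" -gt 10 ] && break
        sleep 1
    done

    # Client side: present the client certificate, then close on EOF.
    openssl s_client -connect "127.0.0.1:$port" -tls1_2 \
        -cert "$d/client.pem" -key "$d/client.key" -CAfile "$d/server.pem" \
        </dev/null >"$d/client.log" 2>&1 || true

    kill "$pid" 2>/dev/null || true
    wait "$pid" 2>/dev/null || true

    # One line per handshake message as the server saw it:
    # "<<<" = received from the client, ">>>" = sent by the server.
    sed -n -E 's/^(<<<|>>>) .*Handshake \[length [0-9a-f]+\], (.+)$/\1 \2/p' \
        "$d/server.log"
    rm -rf "$d"
}

trace_handshake 45671
```

If the handshake stops early, the last line printed shows how far it got from the server's point of view.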

Woon Yung Liu

Mar 16, 2022, 2:07:25 PM
to rabbitmq-users
Hi again,

In case you or anyone is trying to enable the TLS debug tracing functionality of Erlang OTP 22+, it can be simply enabled by setting log_level of ssl_options to "debug". It may be possible to use the new configuration file format, but I used advanced.config:

    {ssl_options, [
        ...
                   {log_level, debug}
        ...
    ]}

Those debug messages appear in the console, not the log file. I spent a long time trying to figure out why it wasn't working, so I would like to write about it here.
In my case, I was using Windows. In order to get access to the console messages, I started RabbitMQ manually through the rabbitmq-server script instead.

Best Regards,
Woon Yung

Patrick

Mar 21, 2022, 3:20:54 PM
to rabbitmq-users
Hi Woon,

Thanks for the information. In the end, I upgraded RabbitMQ to 3.9.1.3 and Erlang to 24 and the SSL handshake error is gone.

Thanks for your help!
Patrick