rabbitmq-server 3.6.5 not working with golang 1.7 tls

ZP L

Nov 9, 2016, 4:23:48 AM11/9/16
to rabbitmq-users
Hi All:

We all know TLS is very important for encryption. Following https://www.rabbitmq.com/ssl.html, I have changed rabbitmq.conf as:
[
  {rabbit, [
     {tcp_listeners, [5672]},
     {loopback_users, []},
     {ssl_listeners, [5671]},
     {ssl_options, [{cacertfile,"/etc/rabbitmq/jfg_ca.crt"},
                    {certfile,"/etc/rabbitmq/server.pem"},
                    {keyfile,"/etc/rabbitmq/server.key"},
                    {verify,verify_peer},
                    {fail_if_no_peer_cert,true}]}
   ]}
].

Since we use golang as our main programming language, we chose https://github.com/streadway/amqp as our client-side library. Code samples:

package main

import (
	"crypto/tls"
	"crypto/x509"
	"fmt"
	"io/ioutil"

	"github.com/streadway/amqp"
)

// MQConf was not shown in the original post; reconstructed from the fields used below.
type MQConf struct {
	IP, User, Password            string
	Port, SSLPort                 int
	SSL                           bool
	CACert, ClientCert, ClientKey string
}

func getURI(mq MQConf) string {
	if !mq.SSL {
		return fmt.Sprintf("amqp://%s:%s@%s:%d/", mq.User, mq.Password, mq.IP, mq.Port)
	}
	return fmt.Sprintf("amqps://%s:%d", mq.IP, mq.SSLPort)
}

func connectMQ(conf MQConf) (*amqp.Connection, *amqp.Channel, error) {
	var tcpConn *amqp.Connection
	var err error
	if conf.SSL {
		pool := x509.NewCertPool() // trust only our own CA for the broker certificate
		caCrt, err := ioutil.ReadFile(conf.CACert)
		if err != nil {
			return nil, nil, err
		}
		pool.AppendCertsFromPEM(caCrt)

		cliCrt, err := tls.LoadX509KeyPair(conf.ClientCert, conf.ClientKey) // client cert for verify_peer
		if err != nil {
			return nil, nil, err
		}

		tcpConn, err = amqp.DialTLS(getURI(conf), &tls.Config{
			RootCAs:          pool,
			Certificates:     []tls.Certificate{cliCrt},
			ServerName:       "XXXX",          // must match a name in the broker's certificate
			CurvePreferences: []tls.CurveID{}, // empty slice: Go uses its default curve list
		})
		if err != nil {
			return nil, nil, err
		}
	} else {
		tcpConn, err = amqp.Dial(getURI(conf))
		if err != nil {
			return nil, nil, err
		}
	}
	ch, err := tcpConn.Channel() // the rest of the function was cut off in the original post
	if err != nil {
		tcpConn.Close()
		return nil, nil, err
	}
	return tcpConn, ch, nil
}

But our golang client always complains and can't make the connection:

connect mq failed:tls: server selected unsupported curve


It seems to be a low-level TLS handshake failure, so I captured a few packets with Wireshark; here are the details:

The client sends a "Client Hello" with 3 curves: 0x0017, 0x0018, 0x0019


The server sends a "Server Key Exchange" with another curve:


I'm not sure if this is allowed in the TLS handshake procedure, but apparently the golang client terminated the connection.
Is there anything I can do, maybe setting a curve id in rabbitmq.conf?
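An added example (not code from the original post or from the streadway/amqp library) that turns the capture above into a check you can run: a Go TLS server restricted to chosen curves stands in for the broker, and probeCurve dials it offering a single curve at a time, so you learn which curves a server will negotiate before changing client or broker settings. A conforming server refuses the handshake when no curve is shared rather than picking one the client never offered; the name broker.example, the self-signed certificate and the loopback listener are constructed for this example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"math/big"
	"net"
	"time"
)

// newTestServer is a loopback stand-in for a broker: a constructed self-signed cert for name
// plus the given curve policy; each accepted connection is handshaken once and dropped.
func newTestServer(name string, curves []tls.CurveID) (net.Listener, *x509.CertPool, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), DNSNames: []string{name},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour)}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, priv)
	if err != nil {
		return nil, nil, err
	}
	leaf, _ := x509.ParseCertificate(der) // der was just produced by CreateCertificate
	pool := x509.NewCertPool()
	pool.AddCert(leaf)
	cert := tls.Certificate{Certificate: [][]byte{der}, PrivateKey: priv}
	ln, err := tls.Listen("tcp", "127.0.0.1:0", &tls.Config{Certificates: []tls.Certificate{cert}, CurvePreferences: curves})
	if err != nil {
		return nil, nil, err
	}
	go func() { // complete each handshake, then drop the connection
		for c, err := ln.Accept(); err == nil; c, err = ln.Accept() {
			go func(c net.Conn) { c.(*tls.Conn).Handshake(); c.Close() }(c)
		}
	}()
	return ln, pool, nil
}

// probeCurve dials addr offering only curve cv; nil means the server completed a TLS 1.2+ handshake with it.
func probeCurve(addr, name string, pool *x509.CertPool, cv tls.CurveID) error {
	conn, err := tls.Dial("tcp", addr, &tls.Config{RootCAs: pool, ServerName: name,
		CurvePreferences: []tls.CurveID{cv}, MinVersion: tls.VersionTLS12})
	if err != nil {
		return err
	}
	return conn.Close()
}
```

Against a real broker, call probeCurve with its TLS port, the name in its certificate and a pool loaded with the CA from the cacertfile above, once per curve you care about.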

Michael Klishin

Nov 9, 2016, 12:51:35 PM11/9/16
to rabbitmq-users
First of all, RabbitMQ does not implement TLS, the Erlang runtime and standard library do.

[1] explains how to limit the cipher suites RabbitMQ will use. There's a separate troubleshooting guide [2].
Also give Erlang 19.1.x a try, even though it may be that it's the *client* that does not support a particular cipher suite.
