SSLV3_ALERT_HANDSHAKE_FAILURE


Jeremy Gooch

Aug 18, 2017, 11:27:40 AM
to rabbitmq-users
Hi,

I'm another user with SSL and client certificates problems, I'm afraid.

We're using RabbitMQ 3.6.10 on Erlang 20.0 and a Python 3.6.0 Pika 0.10.0 client.  We can get SSL encryption to work, with client-side basic auth.  But when we change up to use client-side certificates, we get the following error:-

pika.exceptions.AMQPConnectionError: Connection to <IP>:5671 failed: [SSL: SSLV3_ALERT_HANDSHAKE_FAILURE] sslv3 alert handshake failure (_ssl.c:600)

I've used a number of on-line resources to investigate - including this one, which says that the username in RabbitMQ should begin with "CN=" and should not have a password.  We've set up the ID to be prefixed with "CN=" but RabbitMQ won't start unless I give the user ID a password.  We're creating the IDs via a JSON definitions file.

I get the handshake error whether I include the ID and password in the broker URL or not.

As per Luke's reply to another thread, we've checked that the server's certificate matches the host name correctly.

Any help would be much appreciated.

J.

Michael Klishin

Aug 18, 2017, 11:42:53 AM
to rabbitm...@googlegroups.com
SSLv3 is disabled in RabbitMQ by default. See "Known Vulnerabilities"
and "Evaluating TLS Setups" in http://www.rabbitmq.com/ssl.html.

--
You received this message because you are subscribed to the Google Groups "rabbitmq-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email to rabbitmq-users+unsubscribe@googlegroups.com.
To post to this group, send email to rabbitmq-users@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.



--
MK

Staff Software Engineer, Pivotal/RabbitMQ

Jeremy Gooch

Aug 18, 2017, 12:19:00 PM
to rabbitmq-users
Thanks for the speedy response.

I think that's a red herring, however.  We've checked output from s_connect and it tells us that we're using TLSv1.2.  Also, I can force the protocol version in the client and get the same error.

Client code:-

import ssl

cacertfile = "/path/to/cacert.pem"       # CA chain the broker's certificate must chain to
certfile = "/path/to/client-cert.pem"    # client certificate presented to the broker
keyfile = "/path/to/client-key.pem"      # private key matching the client certificate
ssl_options = {"ca_certs": cacertfile,   # Pika 0.10 passes this dict to ssl.wrap_socket()
               "certfile": certfile,
               "keyfile": keyfile,
               "ssl_version": ssl.PROTOCOL_TLSv1_2,
               "cert_reqs": ssl.CERT_REQUIRED}   # verify the broker's certificate

After trying various different configurations, I started seeing this in the logs:-

SSL: certify: ssl_handshake.erl:1621:Fatal error: handshake failure - {bad_cert,max_path_length_reached}

We realised that we had quite a complicated CA certificate chain from our PKI.  One of our lead admins dug into the Erlang manual, and we added a depth setting to the RabbitMQ ssl_options, and it started working.

The working RabbitMQ SSL server config looks like this:-

{ssl_cert_login_from, common_name},   % use the client certificate's CN as the RabbitMQ username
{ssl_options, [{cacertfile, "/path/to/cacert.pem"},
               {certfile,   "/path/to/server-cert.pem"},
               {keyfile,    "/path/to/server-key.pem"},
               {verify, verify_peer},
               {fail_if_no_peer_cert, true},
               {depth, 4},                       % allow up to 4 intermediate CAs between client cert and root
               {versions, ['tlsv1.2', 'tlsv1.1']}
              ]},

So, we're suddenly up-and-running.  :-)

J.


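The {depth, 4} setting above raises the Erlang ssl limit on how many intermediate CAs may sit between the peer certificate and a trusted root (depth 0 means the client certificate must be signed by the root directly), and {bad_cert,max_path_length_reached} is what the broker logs when the chain is longer than that limit. The Go program below is an added example, not code from this thread or from RabbitMQ: it builds a constructed in-memory PKI (root, n intermediates, client leaf), verifies the leaf with Go's crypto/x509, and reports the number of intermediates in the resulting path, which is the smallest depth the broker needs for that client.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// issue signs a constructed certificate for name; a nil parent yields a self-signed root CA.
func issue(name string, ca bool, parent *x509.Certificate, pkey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(time.Now().UnixNano()), IsCA: ca, BasicConstraintsValid: true,
		Subject: pkix.Name{CommonName: name}, NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour)}
	if parent == nil {
		parent, pkey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, pkey)
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}

// buildPKI returns a trusted-root pool, a pool holding n chained intermediate CAs, and a client leaf.
func buildPKI(n int) (roots, inters *x509.CertPool, leaf *x509.Certificate) {
	roots, inters = x509.NewCertPool(), x509.NewCertPool()
	parent, key := issue("root", true, nil, nil)
	roots.AddCert(parent)
	for i := 0; i < n; i++ {
		parent, key = issue(fmt.Sprintf("intermediate-%d", i+1), true, parent, key)
		inters.AddCert(parent)
	}
	leaf, _ = issue("client", false, parent, key)
	return
}

// requiredDepth is the number of intermediates in the verified path from leaf to a trusted root: the smallest Erlang ssl {depth, N} that accepts this client.
func requiredDepth(leaf *x509.Certificate, inters, roots *x509.CertPool) (int, error) {
	chains, err := leaf.Verify(x509.VerifyOptions{Roots: roots, Intermediates: inters})
	if err != nil {
		return -1, err
	}
	return len(chains[0]) - 2, nil // path = leaf + intermediates + root
}
```

Against a real deployment, load the CA bundle into the pools with x509.CertPool.AppendCertsFromPEM and the client certificate with x509.ParseCertificate in place of buildPKI.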
Michael Klishin

Aug 18, 2017, 12:21:06 PM
to rabbitm...@googlegroups.com
Ah, interesting. TLS alert interpretation and error messages vary between
implementations, which can be quite confusing sometimes.

Glad you managed to get a more informative error and overriding verification depth helped.
Thank you for reporting back!
