TLS connection with password protected private key file


Yusuke Masuda

Sep 24, 2019, 2:21:45 AM
to rabbitmq-users
Hello,

I am stuck on a TLS connection using a password-protected private key file.

I am trying to make a .NET client (via MassTransit) connect to a RabbitMQ server over TLS.

I prepared 4 files for this:

  • ca.pem  ---  CA certificate file (PEM format)
  • RMQ_crt.pem  ---  Server certificate (PEM format)
  • RMQ_crt.key  ---  Password protected private key file of the server certificate (PEM format)
  • RMQ_crt.pfx  ---  Pfx file generated with the server certificate and the private key (PKCS#12 format)

Then I configured my RabbitMQ server with a config file below:

[
  {ssl, [{versions, ['tlsv1.2']}]},
  {rabbit, [
    {ssl_listeners, [5671]},
    {ssl_cert_login_from, common_name},
    {crl_check, true},
    {crl_cache, {ssl_crl_cache, {internal, [{http, 5000}]}}},
    {ssl_options, [
      {cacertfile, "C:\\ProgramData\\Certificates\\Use\\RabbitMQ\\ca.pem"},
      {certfile, "C:\\ProgramData\\Certificates\\Use\\RabbitMQ\\RMQ_crt.pem"},
      {keyfile, "C:\\ProgramData\\Certificates\\Use\\RabbitMQ\\RMQ_crt.key"},
      {password, "<<Plain text password of the keyfile>>"},
      {verify, verify_peer},
      {fail_if_no_peer_cert, true},
      {versions, ['tlsv1.2']},
      {depth, 2},
      {ciphers, [
        {ecdhe_ecdsa,aes_256_gcm,null,sha384},
        {ecdhe_rsa,aes_256_gcm,null,sha384},
        {ecdhe_ecdsa,aes_256_cbc,sha384,sha384},
        {ecdhe_rsa,aes_256_cbc,sha384,sha384},
        {ecdh_ecdsa,aes_256_gcm,null,sha384},
        {ecdh_rsa,aes_256_gcm,null,sha384},
        {ecdh_ecdsa,aes_256_cbc,sha384,sha384},
        {ecdh_rsa,aes_256_cbc,sha384,sha384},
        {dhe_rsa,aes_256_gcm,null,sha384},
        {dhe_dss,aes_256_gcm,null,sha384},
        {dhe_rsa,aes_256_cbc,sha256},
        {dhe_dss,aes_256_cbc,sha256},
        {rsa,aes_256_gcm,null,sha384},
        {rsa,aes_256_cbc,sha256},
        {ecdhe_ecdsa,aes_128_gcm,null,sha256},
        {ecdhe_rsa,aes_128_gcm,null,sha256},
        {ecdhe_ecdsa,aes_128_cbc,sha256,sha256},
        {ecdhe_rsa,aes_128_cbc,sha256,sha256},
        {ecdh_ecdsa,aes_128_gcm,null,sha256},
        {ecdh_rsa,aes_128_gcm,null,sha256},
        {ecdh_ecdsa,aes_128_cbc,sha256,sha256},
        {ecdh_rsa,aes_128_cbc,sha256,sha256},
        {dhe_rsa,aes_128_gcm,null,sha256},
        {dhe_dss,aes_128_gcm,null,sha256},
        {dhe_rsa,aes_128_cbc,sha256},
        {ecdh_rsa,aes_128_gcm,null,sha256}]},
      {honor_cipher_order, true},
      {honor_ecc_order, true}
    ]}
  ]}
].


On the other hand, I passed the PKCS#12 form certificate (*.pfx) to my .NET client:

r.ConfigureHost(serverAddress, h =>
{
    h.UseSsl(s =>
    {
        s.Protocol = System.Security.Authentication.SslProtocols.Tls12;
        s.ServerName = RabbitMQAddress;
        s.CertificatePath = "Path-To-Cert\\RMQ_crt.pfx";
        s.CertificatePassphrase = "Passphrase-of-Pfx-file";
    });
});


However, the program stopped in the middle of the client connecting to the server.
See the details in the attached log file.

I wondered whether it was wrong not to specify the password for the private key included in the pfx file, so I decrypted the private key and regenerated the pfx file with it. But I got the same result as before.

I googled for similar cases and found the git issue below, but I couldn't work out a solution.

I believe that RabbitMQ supports password-protected private keys, so how can I establish a TLS connection with a password-protected private key file?

Could anyone help us with this issue, please?

Regards,


----
Yusuke Masuda




rabbit@J5000188.log

Yusuke Masuda

Sep 24, 2019, 2:26:57 AM
to rabbitmq-users
For your information,
I decrypted the private key file (RMQ_crt.key) configured in the RabbitMQ config file and tested again.
It then worked with no code change.

Regards,


Yusuke


On Tuesday, September 24, 2019 at 15:21:45 UTC+9, Yusuke Masuda wrote:

Luke Bakken

Sep 24, 2019, 7:52:12 PM
to rabbitmq-users
Hi Yusuke,

Please ensure the password configuration is written this way:

{password, <<"Plain text password of the keyfile">>},

Notice that the double quote characters are inside of the << >> characters.

Thanks,
Luke

Yusuke Masuda

Sep 24, 2019, 10:34:57 PM
to rabbitmq-users
Hello Luke,

Thank you for your reply.

I tested the configuration change you mentioned, but unfortunately RabbitMQ failed to start with an error.
I got the crash log below. I am not sure the change was correct, though; it seems to fail to load the configuration, particularly the password line.

2019-09-25 11:13:10 =ERROR REPORT====
Failed to start Ranch listener {acceptor,{0,0,0,0,0,0,0,0},5671} in ranch_ssl:listen([{port,5671},{ip,{0,0,0,0,0,0,0,0}},inet6,{backlog,128},{nodelay,true},{linger,{true,0}},{exit_on_close,false},{versions,['tlsv1.2']},{cacertfile,"C:\\ProgramData\\MyApp\\Certificates\\Use\\RabbitMQ\\ca.pem"},{certfile,"C:\\ProgramData\\MyApp\\Certificates\\Use\\RabbitMQ\\RMQ_crt.pem"},{keyfile,"C:\\ProgramData\\MyApp\\Certificates\\Use\\RabbitMQ\\RMQ_crt.key"},{password,<<"Password plain text">>},{verify,verify_peer},{fail_if_no_peer_cert,true},{depth,2},{ciphers,[{ecdhe_ecdsa,aes_256_gcm,null,sha384},{ecdhe_rsa,aes_256_gcm,null,sha384},{ecdhe_ecdsa,aes_256_cbc,sha384,sha384},{ecdhe_rsa,aes_256_cbc,sha384,sha384},{ecdh_ecdsa,aes_256_gcm,null,sha384},{ecdh_rsa,aes_256_gcm,null,sha384},{ecdh_ecdsa,aes_256_cbc,sha384,sha384},{ecdh_rsa,aes_256_cbc,sha384,sha384},{dhe_rsa,aes_256_gcm,null,sha384},{dhe_dss,aes_256_gcm,null,sha384},{dhe_rsa,aes_256_cbc,sha256},{dhe_dss,aes_256_cbc,sha256},{rsa,aes_256_gcm,null,sha384},{rsa,aes_256_cbc,sha256},{ecdhe_ecdsa,aes_128_gcm,null,sha256},{ecdhe_rsa,aes_128_gcm,null,sha256},{ecdhe_ecdsa,aes_128_cbc,sha256,sha256},{ecdhe_rsa,aes_128_cbc,sha256,sha256},{ecdh_ecdsa,aes_128_gcm,null,sha256},{ecdh_rsa,aes_128_gcm,null,sha256},{ecdh_ecdsa,aes_128_cbc,sha256,sha256},{ecdh_rsa,aes_128_cbc,sha256,sha256},{dhe_rsa,aes_128_gcm,null,sha256},{dhe_dss,aes_128_gcm,null,sha256},{dhe_rsa,aes_128_cbc,sha256},{ecdh_rsa,aes_128_gcm,null,sha256}]},{honor_cipher_order,true},{honor_ecc_order,true}]) for reason {options,{password,<<"Password plain text">>}} (unknown POSIX error)
2019-09-25 11:13:10 =SUPERVISOR REPORT====
     Supervisor: {<0.578.0>,ranch_listener_sup}
     Context:    start_error
     Reason:     {listen_error,{acceptor,{0,0,0,0,0,0,0,0},5671},{options,{password,<<"Password plain text">>}}}
     Offender:   [{pid,undefined},{id,ranch_acceptors_sup},{mfargs,{ranch_acceptors_sup,start_link,[{acceptor,{0,0,0,0,0,0,0,0},5671},10,ranch_ssl,[{port,5671},{ip,{0,0,0,0,0,0,0,0}},{max_connections,infinity},{ack_timeout,5000},{connection_type,supervisor},inet6,{backlog,128},{nodelay,true},{linger,{true,0}},{exit_on_close,false},{versions,['tlsv1.2']},{cacertfile,"C:\\ProgramData\\MyApp\\Certificates\\Use\\RabbitMQ\\ca.pem"},{certfile,"C:\\ProgramData\\MyApp\\Certificates\\Use\\RabbitMQ\\RMQ_crt.pem"},{keyfile,"C:\\ProgramData\\MyApp\\Certificates\\Use\\RabbitMQ\\RMQ_crt.key"},{password,<<"Password plain text">>},{verify,verify_peer},{fail_if_no_peer_cert,true},{depth,2},{ciphers,[{ecdhe_ecdsa,aes_256_gcm,null,sha384},{ecdhe_rsa,aes_256_gcm,null,sha384},{ecdhe_ecdsa,aes_256_cbc,sha384,sha384},{ecdhe_rsa,aes_256_cbc,sha384,sha384},{ecdh_ecdsa,aes_256_gcm,null,sha384},{ecdh_rsa,aes_256_gcm,null,sha384},{ecdh_ecdsa,aes_256_cbc,sha384,sha384},{ecdh_rsa,aes_256_cbc,sha384,sha384},{dhe_rsa,aes_256_gcm,null,sha384},{dhe_dss,aes_256_gcm,null,sha384},{dhe_rsa,aes_256_cbc,sha256},{dhe_dss,aes_256_cbc,sha256},{rsa,aes_256_gcm,null,sha384},{rsa,aes_256_cbc,sha256},{ecdhe_ecdsa,aes_128_gcm,null,sha256},{ecdhe_rsa,aes_128_gcm,null,sha256},{ecdhe_ecdsa,aes_128_cbc,sha256,sha256},{ecdhe_rsa,aes_128_cbc,sha256,sha256},{ecdh_ecdsa,aes_128_gcm,null,sha256},{ecdh_rsa,aes_128_gcm,null,sha256},{ecdh_ecdsa,aes_128_cbc,sha256,sha256},{ecdh_rsa,aes_128_cbc,sha256,sha256},{dhe_rsa,aes_128_gcm,null,sha256},{dhe_dss,aes_128_gcm,null,sha256},{dhe_rsa,aes_128_cbc,sha256},{ecdh_rsa,aes_128_gcm,null,sha256}]},{honor_cipher_order,true},{honor_ecc_order,true}]]}},{restart_type,permanent},{shutdown,infinity},{child_type,supervisor}]
2019-09-25 11:13:10 =CRASH REPORT====
  crasher:
    initial call: supervisor:ranch_acceptors_sup/1
    pid: <0.580.0>
    registered_name: []
    exception exit: {{listen_error,{acceptor,{0,0,0,0,0,0,0,0},5671},{options,{password,<<"Password plain text">>}}},[{ranch_acceptors_sup,listen_error,4,[{file,"src/ranch_acceptors_sup.erl"},{line,59}]},{ranch_acceptors_sup,init,1,[{file,"src/ranch_acceptors_sup.erl"},{line,38}]},{supervisor,init,1,[{file,"supervisor.erl"},{line,295}]},{gen_server,init_it,2,[{file,"gen_server.erl"},{line,374}]},{gen_server,init_it,6,[{file,"gen_server.erl"},{line,342}]},{proc_lib,init_p_do_apply,3,[{file,"proc_lib.erl"},{line,249}]}]}
    ancestors: [<0.578.0>,<0.577.0>,rabbit_sup,<0.257.0>]
    message_queue_len: 0
    messages: []
    links: [<0.578.0>]
    dictionary: []
    trap_exit: true
    status: running
    heap_size: 987
    stack_size: 27
    reductions: 5047
  neighbours:
2019-09-25 11:13:10 =SUPERVISOR REPORT====
     Supervisor: {<0.577.0>,tcp_listener_sup}
     Context:    start_error
     Reason:     {shutdown,{failed_to_start_child,ranch_acceptors_sup,{listen_error,{acceptor,{0,0,0,0,0,0,0,0},5671},{options,{password,<<"Password plain text">>}}}}}
     Offender:   [{pid,undefined},{id,{ranch_listener_sup,{acceptor,{0,0,0,0,0,0,0,0},5671}}},{mfargs,{ranch_listener_sup,start_link,[{acceptor,{0,0,0,0,0,0,0,0},5671},10,ranch_ssl,[{port,5671},{ip,{0,0,0,0,0,0,0,0}},{max_connections,infinity},{ack_timeout,5000},{connection_type,supervisor},inet6,{backlog,128},{nodelay,true},{linger,{true,0}},{exit_on_close,false},{versions,['tlsv1.2']},{cacertfile,"C:\\ProgramData\\MyApp\\Certificates\\Use\\RabbitMQ\\ca.pem"},{certfile,"C:\\ProgramData\\MyApp\\Certificates\\Use\\RabbitMQ\\RMQ_crt.pem"},{keyfile,"C:\\ProgramData\\MyApp\\Certificates\\Use\\RabbitMQ\\RMQ_crt.key"},{password,<<"Password plain text">>},{verify,verify_peer},{fail_if_no_peer_cert,true},{depth,2},{ciphers,[{ecdhe_ecdsa,aes_256_gcm,null,sha384},{ecdhe_rsa,aes_256_gcm,null,sha384},{ecdhe_ecdsa,aes_256_cbc,sha384,sha384},{ecdhe_rsa,aes_256_cbc,sha384,sha384},{ecdh_ecdsa,aes_256_gcm,null,sha384},{ecdh_rsa,aes_256_gcm,null,sha384},{ecdh_ecdsa,aes_256_cbc,sha384,sha384},{ecdh_rsa,aes_256_cbc,sha384,sha384},{dhe_rsa,aes_256_gcm,null,sha384},{dhe_dss,aes_256_gcm,null,sha384},{dhe_rsa,aes_256_cbc,sha256},{dhe_dss,aes_256_cbc,sha256},{rsa,aes_256_gcm,null,sha384},{rsa,aes_256_cbc,sha256},{ecdhe_ecdsa,aes_128_gcm,null,sha256},{ecdhe_rsa,aes_128_gcm,null,sha256},{ecdhe_ecdsa,aes_128_cbc,sha256,sha256},{ecdhe_rsa,aes_128_cbc,sha256,sha256},{ecdh_ecdsa,aes_128_gcm,null,sha256},{ecdh_rsa,aes_128_gcm,null,sha256},{ecdh_ecdsa,aes_128_cbc,sha256,sha256},{ecdh_rsa,aes_128_cbc,sha256,sha256},{dhe_rsa,aes_128_gcm,null,sha256},{dhe_dss,aes_128_gcm,null,sha256},{dhe_rsa,aes_128_cbc,sha256},{ecdh_rsa,aes_128_gcm,null,sha256}]},{honor_cipher_order,true},{honor_ecc_order,true}],rabbit_connection_sup,[]]}},{restart_type,permanent},{shutdown,infinity},{child_type,supervisor}]
2019-09-25 11:13:10 =CRASH REPORT====
  crasher:
    initial call: application_master:init/4
    pid: <0.256.0>
    registered_name: []
    exception exit: {{bad_return,{{rabbit,start,[normal,[]]},{'EXIT',{{case_clause,{error,{{shutdown,{failed_to_start_child,{ranch_listener_sup,{acceptor,{0,0,0,0,0,0,0,0},5671}},{shutdown,{failed_to_start_child,ranch_acceptors_sup,{listen_error,{acceptor,{0,0,0,0,0,0,0,0},5671},{options,{password,<<"Password plain text">>}}}}}}},{child,undefined,'rabbit_tcp_listener_sup_:::5671',{tcp_listener_sup,start_link,[{0,0,0,0,0,0,0,0},5671,ranch_ssl,[inet6,{backlog,128},{nodelay,true},{linger,{true,0}},{exit_on_close,false},{versions,['tlsv1.2']},{cacertfile,"C:\\ProgramData\\MyApp\\Certificates\\Use\\RabbitMQ\\ca.pem"},{certfile,"C:\\ProgramData\\MyApp\\Certificates\\Use\\RabbitMQ\\RMQ_crt.pem"},{keyfile,"C:\\ProgramData\\MyApp\\Certificates\\Use\\RabbitMQ\\RMQ_crt.key"},{password,<<"Password plain text">>},{verify,verify_peer},{fail_if_no_peer_cert,true},{depth,2},{ciphers,[{ecdhe_ecdsa,aes_256_gcm,null,sha384},{ecdhe_rsa,aes_256_gcm,null,sha384},{ecdhe_ecdsa,aes_256_cbc,sha384,sha384},{ecdhe_rsa,aes_256_cbc,sha384,sha384},{ecdh_ecdsa,aes_256_gcm,null,sha384},{ecdh_rsa,aes_256_gcm,null,sha384},{ecdh_ecdsa,aes_256_cbc,sha384,sha384},{ecdh_rsa,aes_256_cbc,sha384,sha384},{dhe_rsa,aes_256_gcm,null,sha384},{dhe_dss,aes_256_gcm,null,sha384},{dhe_rsa,aes_256_cbc,sha256},{dhe_dss,aes_256_cbc,sha256},{rsa,aes_256_gcm,null,sha384},{rsa,aes_256_cbc,sha256},{ecdhe_ecdsa,aes_128_gcm,null,sha256},{ecdhe_rsa,aes_128_gcm,null,sha256},{ecdhe_ecdsa,aes_128_cbc,sha256,sha256},{ecdhe_rsa,aes_128_cbc,sha256,sha256},{ecdh_ecdsa,aes_128_gcm,null,sha256},{ecdh_rsa,aes_128_gcm,null,sha256},{ecdh_ecdsa,aes_128_cbc,sha256,sha256},{ecdh_rsa,aes_128_cbc,sha256,sha256},{dhe_rsa,aes_128_gcm,null,sha256},{dhe_dss,aes_128_gcm,null,sha256},{dhe_rsa,aes_128_cbc,sha256},{ecdh_rsa,aes_128_gcm,null,sha256}]},{honor_cipher_order,true},{honor_ecc_order,true}],rabbit_connection_sup,[],{rabbit_networking,tcp_listener_started,['amqp/ssl',[{backlog,128},{nodelay,true},{linger,{true,0}},{exit_on_close,false},{versions,['tlsv1.2']},{cacertfile,"C:\\ProgramData\\MyApp\\Certificates\\Use\\RabbitMQ\\ca.pem"},{certfile,"C:\\ProgramData\\MyApp\\Certificates\\Use\\RabbitMQ\\RMQ_crt.pem"},{keyfile,"C:\\ProgramData\\MyApp\\Certificates\\Use\\RabbitMQ\\RMQ_crt.key"},{password,<<"Password plain text">>},{verify,verify_peer},{fail_if_no_peer_cert,true},{depth,2},{ciphers,[{ecdhe_ecdsa,aes_256_gcm,null,sha384},{ecdhe_rsa,aes_256_gcm,null,sha384},{ecdhe_ecdsa,aes_256_cbc,sha384,sha384},{ecdhe_rsa,aes_256_cbc,sha384,sha384},{ecdh_ecdsa,aes_256_gcm,null,sha384},{ecdh_rsa,aes_256_gcm,null,sha384},{ecdh_ecdsa,aes_256_cbc,sha384,sha384},{ecdh_rsa,aes_256_cbc,sha384,sha384},{dhe_rsa,aes_256_gcm,null,sha384},{dhe_dss,aes_256_gcm,null,sha384},{dhe_rsa,aes_256_cbc,sha256},{dhe_dss,aes_256_cbc,sha256},{rsa,aes_256_gcm,null,sha384},{rsa,aes_256_cbc,sha256},{ecdhe_ecdsa,aes_128_gcm,null,sha256},{ecdhe_rsa,aes_128_gcm,null,sha256},{ecdhe_ecdsa,aes_128_cbc,sha256,sha256},{ecdhe_rsa,aes_128_cbc,sha256,sha256},{ecdh_ecdsa,aes_128_gcm,null,sha256},{ecdh_rsa,aes_128_gcm,null,sha256},{ecdh_ecdsa,aes_128_cbc,sha256,sha256},{ecdh_rsa,aes_128_cbc,sha256,sha256},{dhe_rsa,aes_128_gcm,null,sha256},{dhe_dss,aes_128_gcm,null,sha256},{dhe_rsa,aes_128_cbc,sha256},{ecdh_rsa,aes_128_gcm,null,sha256}]},{honor_cipher_order,true},{honor_ecc_order,true}]]},{rabbit_networking,tcp_listener_stopped,['amqp/ssl',[{backlog,128},{nodelay,true},{linger,{true,0}},{exit_on_close,false},{versions,['tlsv1.2']},{cacertfile,"C:\\ProgramData\\MyApp\\Certificates\\Use\\RabbitMQ\\ca.pem"},{certfile,"C:\\ProgramData\\MyApp\\Certificates\\Use\\RabbitMQ\\RMQ_crt.pem"},{keyfile,"C:\\ProgramData\\MyApp\\Certificates\\Use\\RabbitMQ\\RMQ_crt.key"},{password,<<"Password plain text">>},{verify,verify_peer},{fail_if_no_peer_cert,true},{depth,2},{ciphers,[{ecdhe_ecdsa,aes_256_gcm,null,sha384},{ecdhe_rsa,aes_256_gcm,null,sha384},{ecdhe_ecdsa,aes_256_cbc,sha384,sha384},{ecdhe_rsa,aes_256_cbc,sha384,sha384},{ecdh_ecdsa,aes_256_gcm,null,sha384},{ecdh_rsa,aes_256_gcm,null,sha384},{ecdh_ecdsa,aes_256_cbc,sha384,sha384},{ecdh_rsa,aes_256_cbc,sha384,sha384},{dhe_rsa,aes_256_gcm,null,sha384},{dhe_dss,aes_256_gcm,null,sha384},{dhe_rsa,aes_256_cbc,sha256},{dhe_dss,aes_256_cbc,sha256},{rsa,aes_256_gcm,null,sha384},{rsa,aes_256_cbc,sha256},{ecdhe_ecdsa,aes_128_gcm,null,sha256},{ecdhe_rsa,aes_128_gcm,null,sha256},{ecdhe_ecdsa,aes_128_cbc,sha256,sha256},{ecdhe_rsa,aes_128_cbc,sha256,sha256},{ecdh_ecdsa,aes_128_gcm,null,sha256},{ecdh_rsa,aes_128_gcm,null,sha256},{ecdh_ecdsa,aes_128_cbc,sha256,sha256},{ecdh_rsa,aes_128_cbc,sha256,sha256},{dhe_rsa,aes_128_gcm,null,sha256},{dhe_dss,aes_128_gcm,null,sha256},{dhe_rsa,aes_128_cbc,sha256},{ecdh_rsa,aes_128_gcm,null,sha256}]},{honor_cipher_order,true},{honor_ecc_order,true}]]},10,"SSL Listener"]},transient,infinity,supervisor,[tcp_listener_sup]}}}},[{rabbit_networking,start_listener0,5,[{file,"src/rabbit_networking.erl"},{line,230}]},{rabbit_networking,'-start_listener/5-lc$^0/1-0-',5,[{file,"src/rabbit_networking.erl"},{line,221}]},{rabbit_networking,start_listener,5,[{file,"src/rabbit_networking.erl"},{line,221}]},{rabbit_networking,'-boot_ssl/1-lc$^0/1-0-',3,[{file,"src/rabbit_networking.erl"},{line,138}]},{rabbit_networking,boot_ssl,1,[{file,"src/rabbit_networking.erl"},{line,138}]},{rabbit_networking,boot,0,[{file,"src/rabbit_networking.erl"},{line,122}]},{rabbit_boot_steps,'-run_step/2-lc$^1/1-1-',1,[{file,"src/rabbit_boot_steps.erl"},{line,49}]},{rabbit_boot_steps,run_step,2,[{file,"src/rabbit_boot_steps.erl"},{line,49}]}]}}}},[{application_master,init,4,[{file,"application_master.erl"},{line,138}]},{proc_lib,init_p_do_apply,3,[{file,"proc_lib.erl"},{line,249}]}]}
    ancestors: [<0.255.0>]
    message_queue_len: 1
    messages: [{'EXIT',<0.257.0>,normal}]
    links: [<0.255.0>,<0.42.0>]
    dictionary: []
    trap_exit: true
    status: running
    heap_size: 4185
    stack_size: 27
    reductions: 278
  neighbours:

Regards,

Yusuke


On Wednesday, September 25, 2019 at 8:52:12 UTC+9, Luke Bakken wrote:

Luke Bakken

Sep 25, 2019, 9:55:30 AM
to rabbitmq-users
I provided an incorrect format.


{password,  "t0p$3kRe7"}

Yusuke Masuda

Sep 25, 2019, 10:37:20 AM
to rabbitm...@googlegroups.com
Hi Luke,

Thank you for your email.
I'm sorry for the misunderstanding.
I had configured the password in the form you indicated from the beginning.
I have also seen the page you showed me.

I showed you the configuration in a way that won't expose the password text as it is.
Actually it was a string of a dozen characters, alphanumeric plus symbols.

{password, "<<Plain text password of the keyfile>>"} ---> {password, "qwertyuioasdfghjklzxcvbnm1234567890!"#$%&'()-^"}
* This is just an example.


Regards,

Yusuke


On Wed, Sep 25, 2019 at 22:55, Luke Bakken <lba...@pivotal.io> wrote:
--
You received this message because you are subscribed to a topic in the Google Groups "rabbitmq-users" group.
To unsubscribe from this topic, visit https://groups.google.com/d/topic/rabbitmq-users/YZbLrq0awaY/unsubscribe.
To unsubscribe from this group and all its topics, send an email to rabbitmq-user...@googlegroups.com.
To view this discussion on the web, visit https://groups.google.com/d/msgid/rabbitmq-users/50bea13e-f87f-47e4-835f-b21de7d0edbd%40googlegroups.com.
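The sample password above contains a double quote, and the Windows paths earlier in the thread are written with doubled backslashes. Both come from the same rule: the classic rabbitmq.config file is an Erlang term file, so each value in ssl_options is an Erlang string literal, and inside "..." a backslash must be written as \\ and a double quote as \". The thread does not say what the real passphrase contained; the following POSIX shell helper, an added example and not code from the thread, renders a passphrase and key paths into an ssl_options stanza with that escaping applied. The paths and passphrase it prints are constructed for the illustration.

```shell
#!/bin/sh
# Added example, not code from the thread. The classic rabbitmq.config file is
# an Erlang term file, so every value in ssl_options is an Erlang string
# literal. Inside "..." a backslash must be written as \\ and a double quote as
# \"; nothing else is special. That rule is why the thread's Windows paths are
# written "C:\\ProgramData\\...", and it applies to the key passphrase as well.

# Escape one value for use inside an Erlang "..." string literal.
erl_string() {
    printf '%s' "$1" | sed -e 's/\\/\\\\/g' -e 's/"/\\"/g'
}

# Print an ssl_options list for the classic config format.
# Arguments: CA cert path, server cert path, server key path, key passphrase.
ssl_options_stanza() {
    cat <<EOF
{ssl_options, [
  {cacertfile, "$(erl_string "$1")"},
  {certfile, "$(erl_string "$2")"},
  {keyfile, "$(erl_string "$3")"},
  {password, "$(erl_string "$4")"},
  {verify, verify_peer},
  {fail_if_no_peer_cert, true}
]}
EOF
}

# Constructed values in the style of the thread; the passphrase deliberately
# contains a double quote and a backslash, which must be escaped.
ssl_options_stanza 'C:\ProgramData\Certificates\Use\RabbitMQ\ca.pem' \
                   'C:\ProgramData\Certificates\Use\RabbitMQ\RMQ_crt.pem' \
                   'C:\ProgramData\Certificates\Use\RabbitMQ\RMQ_crt.key' \
                   'p4ss"with\odd!chars'
```

Paste the printed stanza into the rabbit section of rabbitmq.config. Note that the password value stays a plain Erlang string ("...", a charlist); the <<"...">> binary form suggested and then withdrawn earlier in the thread is what produced the {options,{password,...}} listener error.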

Luke Bakken

Sep 25, 2019, 10:41:58 AM
to rabbitmq-users
Hi Yusuke,

Without some way for us to reproduce what you report there's not much assistance I can give - we don't have your certificates. If it works without passwords, I would do that, especially since having a password on your server in a file defeats the purpose of the password.

Thanks,
Luke

Yusuke Masuda

Sep 25, 2019, 10:58:30 AM
to rabbitmq-users
Hi Luke,

Excuse me. I agree with you. Surely you don't have enough information to help me.
I will talk to my colleague and consider what we can provide. I want to reproduce it with a password-protected certificate that can be provided.
I suppose that will be next week because of my colleague's days off.

Thank you for your cooperation.

Regards,

Yusuke.



On Wednesday, September 25, 2019 at 23:41:58 UTC+9, Luke Bakken wrote:

Yusuke Masuda

Oct 1, 2019, 6:20:25 AM
to rabbitmq-users
Hello Luke,

We prepared materials which can be provided, and we reproduced the issue with them.

All materials are included in the zip file attached.

The certificates which we used are:
  • Certificates
    • ca.pem: CA certificate
    • ca.key: Private key of the CA certificate, protected with a password
    • ca.pfx: PKCS#12 form certificate that includes ca.pem and ca.key
    • RMQ_crt.pem: Server certificate
    • RMQ_crt.key: Private key of the server certificate, protected with a password
    • RMQ_crt.pfx: PKCS#12 form certificate that includes RMQ_crt.pem and RMQ_crt.key
These certificates were created with the following openssl commands.

openssl.exe ecparam -name prime256v1 -genkey -out ".\cert\ca.key"

openssl.exe ec -in ".\cert\ca.key"  -out ".\cert\ca.key"  -passout pass:hogehoge -aes256

openssl.exe req -new -passin pass:hogehoge -config ".\openssl.cnf"  -key ".\cert\ca.key"  -out ".\cert\ca.csr"  -subj "/C=/ST=/L=/O=/OU=/CN=My Certificate Authority"

openssl.exe x509  -in ".\cert\ca.csr"  -out ".\cert\ca.pem"  -req -signkey ".\cert\ca.key"  -sha384 -passin pass:hogehoge -days 7305

openssl.exe pkcs12 -export -in ".\cert\ca.pem"  -inkey ".\cert\ca.key"  -out ".\cert\ca.pfx" -passout pass:hogehoge2  -passin pass:hogehoge

openssl.exe ecparam -name prime256v1 -genkey -out ".\cert\RMQ_crt.key"

openssl.exe ec -in ".\cert\RMQ_crt.key"  -out ".\cert\RMQ_crt.key"  -passout pass:hogehoge3 -aes256

openssl.exe req -new -passin pass:hogehoge3 -config ".\openssl.cnf" -key ".\cert\RMQ_crt.key"  -out ".\cert\RMQ_crt.csr" -subj "/C=/ST=/L=/O=/OU=/CN=myhost.mydomain.com" -addext "subjectAltName=DNS:myhost.mydomain.com"

openssl.exe ca -in ".\cert\RMQ_crt.csr" -out ".\cert\RMQ_crt.pem"  -config ".\openssl.cnf" -md sha384 -passin pass:hogehoge -days 7305 -batch -extensions ke_cert

openssl.exe pkcs12 -export -in ".\cert\RMQ_crt.pem"  -inkey ".\cert\RMQ_crt.key"  -out ".\cert\RMQ_crt.pfx" -passout pass:hogehoge4  -passin pass:hogehoge3


The openssl.conf used with the commands is also attached. See the "openssl.conf" file.


We configured RabbitMQ to use CA.pem, RMQ_crt.pem and RMQ_crt.key, specifying the private key password.

[
  {ssl, [{versions, ['tlsv1.2']}]},
  {rabbit, [
    {ssl_listeners, [5671]},
    {ssl_cert_login_from, common_name},
    {crl_check, true},
    {crl_cache, {ssl_crl_cache, {internal, [{http, 5000}]}}},
    {ssl_options, [
      {cacertfile,"C:\\ProgramData\\MyApp\\Certificates\\Use\\RabbitMQ\\ca.pem"},
      {certfile, "C:\\ProgramData\\MyApp\\Certificates\\Use\\RabbitMQ\\RMQ_crt.pem"},
      {keyfile, "C:\\ProgramData\\MyApp\\Certificates\\Use\\RabbitMQ\\RMQ_crt.key"},
      {password, "hogehoge3"},

We registered CA.pem in the machine-wide trusted Windows certificate store on the client machine.

Then a client application developed with MassTransit tried to establish a TLS connection with RMQ_crt.pfx, but it did not work.
It seems to freeze in the middle of connecting.
Note that the certificate RMQ_crt.pfx is essentially the same as the certificate configured for the RabbitMQ server in the configuration file above, because the client application runs on the same computer on which the RabbitMQ server is installed.
The log files are also included in the attached file.

We were using versions below:
  • Windows: Windows 10 Professional
  • Erlang: 21.0.1
  • RabbitMQ server: 3.7.7
  • RabbitMQ.Client for .NET: 5.0.1
  • MassTransit: 5.1.4

Please ask me for anything you need to reproduce the issue.


Regards,


Yusuke.



On Wednesday, September 25, 2019 at 23:58:30 UTC+9, Yusuke Masuda wrote:
Materials.zip
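The openssl procedure in the post above, reproduced as an added example that is not part of the thread: a POSIX shell script for openssl 1.1.1 or later (Linux/macOS rather than the Windows openssl.exe used in the thread) that builds the same kind of material, an AES-256-encrypted P-256 CA key, an encrypted P-256 server key, a server certificate for myhost.mydomain.com with a subjectAltName, and a PKCS#12 bundle, and then runs the checks worth doing before looking at RabbitMQ or the client. It signs with openssl x509 -req -CA instead of openssl ca, so no openssl.cnf is needed; the passphrases and hostname are the thread's, while the key-usage values, the minimal req config and the temporary directory are choices made for this example. The checks make one point explicit that the later replies circle around: the PEM passphrase (hogehoge3) is consumed once at PKCS#12 export time, and the resulting .pfx is protected only by its own passphrase (hogehoge4), which is the only one the .NET client needs; the PEM passphrase belongs only in the broker's ssl_options password.

```shell
#!/bin/sh
# Added example, not the thread's commands. Rebuilds the thread's certificate
# material with passworded keys and verifies it. Needs openssl 1.1.1 or later.
set -e
command -v openssl >/dev/null 2>&1 || { echo "openssl CLI not found" >&2; exit 1; }

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT
CA_PASS=hogehoge    # CA key passphrase (thread's value)
KEY_PASS=hogehoge3  # server PEM key passphrase: goes in RabbitMQ ssl_options {password, ...}
PFX_PASS=hogehoge4  # PKCS#12 passphrase: goes in the .NET client's CertificatePassphrase
HOST=myhost.mydomain.com

make_material() {
    cd "$WORK"
    # Minimal req config so the result does not depend on the system openssl.cnf
    cat > req.cnf <<'EOF'
[req]
distinguished_name = dn
x509_extensions = v3_ca
[dn]
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
EOF
    # CA: P-256 key encrypted with AES-256, self-signed certificate
    openssl ecparam -name prime256v1 -genkey -noout -out ca_plain.key
    openssl ec -in ca_plain.key -out ca.key -aes256 -passout "pass:$CA_PASS" 2>/dev/null
    rm ca_plain.key
    openssl req -new -x509 -config req.cnf -key ca.key -passin "pass:$CA_PASS" \
        -sha384 -days 7305 -subj "/CN=My Certificate Authority" -out ca.pem
    # Server key (encrypted the same way) and CSR
    openssl ecparam -name prime256v1 -genkey -noout -out srv_plain.key
    openssl ec -in srv_plain.key -out RMQ_crt.key -aes256 -passout "pass:$KEY_PASS" 2>/dev/null
    rm srv_plain.key
    openssl req -new -config req.cnf -key RMQ_crt.key -passin "pass:$KEY_PASS" \
        -subj "/CN=$HOST" -out RMQ_crt.csr
    # Leaf extensions: the thread presents the same cert on the client side too,
    # hence clientAuth; keyAgreement covers the static ECDH suites it lists.
    printf '%s\n' 'basicConstraints=CA:FALSE' \
        'keyUsage=critical,digitalSignature,keyAgreement' \
        'extendedKeyUsage=serverAuth,clientAuth' \
        "subjectAltName=DNS:$HOST" > srv_ext.cnf
    openssl x509 -req -in RMQ_crt.csr -CA ca.pem -CAkey ca.key -passin "pass:$CA_PASS" \
        -CAcreateserial -sha384 -days 7305 -extfile srv_ext.cnf -out RMQ_crt.pem 2>/dev/null
    # PKCS#12 export: the PEM passphrase is used here once; the bundle gets its own
    openssl pkcs12 -export -in RMQ_crt.pem -inkey RMQ_crt.key -passin "pass:$KEY_PASS" \
        -out RMQ_crt.pfx -passout "pass:$PFX_PASS"
}

# Each check exits 0 on success and non-zero on failure.
key_is_encrypted() { grep -q ENCRYPTED "$WORK/RMQ_crt.key"; }
key_pass_works()   { openssl ec -in "$WORK/RMQ_crt.key" -passin "pass:$1" -noout 2>/dev/null; }
key_matches_cert() {
    from_cert="$(openssl x509 -in "$WORK/RMQ_crt.pem" -pubkey -noout)"
    from_key="$(openssl ec -in "$WORK/RMQ_crt.key" -passin "pass:$KEY_PASS" -pubout 2>/dev/null)"
    [ -n "$from_cert" ] && [ "$from_cert" = "$from_key" ]
}
cert_chains_to_ca() { openssl verify -CAfile "$WORK/ca.pem" "$WORK/RMQ_crt.pem" >/dev/null 2>&1; }
cert_has_san()      { openssl x509 -in "$WORK/RMQ_crt.pem" -noout -text | grep -q "DNS:$HOST"; }
# The bundle yields its private key only when opened with the PKCS#12 passphrase.
pfx_pass_works() {
    openssl pkcs12 -in "$WORK/RMQ_crt.pfx" -passin "pass:$1" -nodes 2>/dev/null | grep -q 'BEGIN PRIVATE KEY'
}

make_material
for check in key_is_encrypted "key_pass_works $KEY_PASS" key_matches_cert cert_chains_to_ca \
             cert_has_san "pfx_pass_works $PFX_PASS"; do
    if $check; then echo "ok   $check"; else echo "FAIL $check"; fi
done
# The PEM passphrase does not open the bundle: the two secrets are independent.
if pfx_pass_works "$KEY_PASS"; then echo "FAIL pfx opens with PEM passphrase"
else echo "ok   pfx does not open with PEM passphrase"; fi
```

Against a running broker the same material can be exercised without the .NET client, which separates broker-side problems from client-side ones: openssl s_client -connect myhost.mydomain.com:5671 -CAfile ca.pem -cert RMQ_crt.pem -key RMQ_crt.key -pass pass:hogehoge3 presents the client certificate from the encrypted PEM key, and a handshake that completes here but not from MassTransit points at how the client loads the .pfx rather than at the broker configuration.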

Luke Bakken

Oct 1, 2019, 10:15:53 AM
to rabbitmq-users
Hi Yusuke,

Thanks for providing all of that information.

Just to double-check - if you generate the certificate without a password, and remove the password from rabbitmq.config with no other changes, everything works? Is that correct?

Thanks -
Luke

Yusuke Masuda

Oct 1, 2019, 9:21:25 PM
to rabbitmq-users
Hi Luke,

Yes, it works well for us without the password for the certificate, although we need to remove the password and regenerate the pfx file.

I am sorry for the trouble, but your help would be appreciated.

Sincerely,


Yusuke.


On Tuesday, October 1, 2019 at 23:15:53 UTC+9, Luke Bakken wrote:

Luke Bakken

Oct 2, 2019, 9:43:59 AM
to rabbitmq-users
Hello,

I am planning on investigating this week and should follow up by the end of the day Friday.

Yusuke Masuda

Oct 3, 2019, 5:20:06 PM
to rabbitm...@googlegroups.com
Luke,

Thank you for your cooperation.
I hope it would be resolved.

Thanks

Yusuke


On Wed, Oct 2, 2019 at 22:44, Luke Bakken <lba...@pivotal.io> wrote:

Luke Bakken

Oct 3, 2019, 5:48:37 PM
to rabbitmq-users
Hi Yusuke,


Two questions to start:
  • Have you enabled the rabbitmq_auth_mechanism_ssl plugin?
  • Are you also passing a username and password in your code?
I have completed several tests and all work as expected using the certificates you provided. Details can be found here:


Notice that my tests have simpler RabbitMQ configuration than yours. I do not specify TLS version nor ciphers. You may wish to try that in your testing but I don't think that's the problem.

In the log file you provide, these are the lines showing that your application connected but that the TLS handshake stops:

2019-10-01 16:54:08.562 [debug] <0.845.0> Supervisor {<0.845.0>,rabbit_connection_sup} started rabbit_connection_helper_sup:start_link() at pid <0.846.0>
2019-10-01 16:54:08.562 [debug] <0.845.0> Supervisor {<0.845.0>,rabbit_connection_sup} started rabbit_reader:start_link(<0.846.0>, {acceptor,{0,0,0,0,0,0,0,0},5671}, {sslsocket,{gen_tcp,#Port<0.78>,tls_connection,<0.583.0>},<0.844.0>}) at pid <0.847.0>

I noticed something similar when I used openssl s_client but forgot to pass a client certificate. We can determine if there is an issue with how MassTransit/.NET is passing the client certificate by disabling the requirement to pass one in the RabbitMQ configuration:

            {verify, verify_none},
            {fail_if_no_peer_cert, false},

In your environment, please use a RabbitMQ configuration with the above two values. You can choose to keep the ciphers and versions settings for now. If your application is able to connect and authenticate, we know that there is something wrong with how the client certificate in the PFX file is being passed.

Thanks,
Luke

Yusuke Masuda

Oct 4, 2019, 7:17:11 PM
to rabbitmq-users
Hi Luke,

Thank you for verifying that the certificates are valid.

We also checked your procedure again, and it failed in our environment.
There was a version difference between yours and ours. Ours was Erlang 20.0.1 + RabbitMQ 3.7.7.
After that, we tried upgrading our environment to match yours, and it succeeded.
We also tried Erlang 20.0.1 + RabbitMQ 3.7.18 (this is the version we intend for the next production environment), but that also failed.
We will try to upgrade our Erlang next week.

With Erlang 22 + RabbitMQ 3.8.0, we also checked whether it works with the changed configuration file as you said. However, it also failed.
There might be something wrong with the client certificate or the client application.
We will check it (no idea yet what).

Sincerely,

Yusuke


On Friday, October 4, 2019 at 6:48:37 UTC+9, Luke Bakken wrote:

Luke Bakken

Oct 4, 2019, 7:32:46 PM
to rabbitmq-users
> After that, we tried to upgrade our environment up to yours, and it succeeded.

What version of Erlang did you use in this case? As you can see in my document, I used Erlang version 22.1.1 on OS X / Linux and Erlang version 22.0 on Windows 8.1
 
> With Erlang 22 + RabbitMQ 3.8.0, we also checked if it works with changed configuration file as you said. However it also failed.
> It might be something wrong with client certificate or client application.

"it also failed" - could you please describe this better?

Were you using version 22.0 in this case?

Yusuke Masuda

Oct 4, 2019, 9:43:05 PM
to rabbitmq-users
Hi Luke,

With Erlang 22 (I forgot the minor version) and RabbitMQ 3.8.0, the test you performed succeeded in our Windows environment.
But the test with the same environment, the changed configuration (verify_none and fail_if_no_peer_cert off) and our .NET client failed. We haven't investigated in detail yet.
I want to investigate in the environment with the versions we intend to use.
Next week, we will check the test you performed (the one with s_client) with Erlang 22 and RabbitMQ 3.7.18, which is what we intend to use at first.
If it succeeds, we will investigate in more detail.
Now I suspect that it might be wrong to include a password-protected private key in PKCS#12 form.


Sincerely,


Yusuke


On Saturday, October 5, 2019 at 8:32:46 UTC+9, Luke Bakken wrote:

Yusuke Masuda

Oct 9, 2019, 6:47:34 AM
to rabbitmq-users
Luke,

We managed to establish a TLS connection with a password-protected private key.
We used RabbitMQ 3.8.0 and Erlang 22.1, upgraded from our original environment.
We were able to complete it with the .NET client and the PKCS#12 certificate (pfx file). Those materials (program and certificates) were not changed from the originals. We just upgraded RabbitMQ and Erlang.

I am not sure our problem was caused by the software version.
We once failed with the very versions we later succeeded with; we reinstalled them, and it succeeded after that.
Before we reinstalled them, our environment had many environment variables related to RabbitMQ, so they might have affected our tests then.
While reinstalling, we cleaned up our environment, for example by clearing those environment variables.

Anyway, we would like to close this thread.
I really appreciate your support.

Best regards,

Yusuke

On Saturday, October 5, 2019 at 10:43:05 UTC+9, Yusuke Masuda wrote:

Luke Bakken

Oct 9, 2019, 6:52:37 PM
to rabbitmq-users
Thank you for following up Yusuke.

Is there a chance that the last time you upgraded Erlang to version 22.1 there was an older version still installed? There are cases, on Windows, where even though you upgrade Erlang RabbitMQ will continue to use the old version.