SSL Connection from RabbitMQ C Client


Aylin Koroglu

Jul 28, 2015, 3:02:27 AM
to rabbitmq-users

Dear all,


I'm trying to connect to RabbitMQ Server (on Linux machine) from the RabbitMQ C Client Application (on Solaris machine) using SSL connection.
(We are using the following RabbitMQ C library: https://github.com/alanxz/rabbitmq-c/ )

Is it needed to import the certificates like we do in Java? Or is it enough just to copy the certificates and the key file to the client machine, and specify the certificate paths in the source code?

I am a newbie to C. Any help would be highly appreciated.


Thank you.

Aylin  

Jean-Sébastien Pédron

Jul 28, 2015, 4:24:00 AM
to rabbitm...@googlegroups.com
On 28.07.2015 09:02, Aylin Koroglu wrote:
> I'm trying to connect to RabbitMQ Server (on Linux machine) from the
> RabbitMQ C Client Application (on Solaris machine) using SSL connection.
> (We are using the following RabbitMQ C library:
> https://github.com/alanxz/rabbitmq-c/ )
>
> Is it needed to import the certificates like we do in Java? Or is it
> enough just to copy the certificates and the key file to the client
> machine, and specify the certificate paths in the source code?

Hi!

The latter is true: the library API takes the path to the certificate
and key files as arguments. There is no such certificate registry.

--
Jean-Sébastien Pédron
Pivotal / RabbitMQ

Aylin Koroglu

Jul 28, 2015, 4:42:36 AM
to rabbitmq-users, jean-se...@rabbitmq.com

Does the format of the certificates (cer or pem) matter?

On Tuesday, July 28, 2015 at 11:24:00 UTC+3, Jean-Sébastien Pédron wrote:

Jean-Sébastien Pédron

Jul 28, 2015, 4:48:29 AM
to rabbitm...@googlegroups.com
On 28.07.2015 10:42, Aylin Koroglu wrote:
> Does the format of the certificates (cer or pem) matter?

Whatever OpenSSL likes. I think most applications use PEM.

Aylin Koroglu

Jul 28, 2015, 6:36:10 AM
to rabbitmq-users, jean-se...@rabbitmq.com
I'm trying to adapt the following example to my source code.

I couldn't figure out how I can specify the SSL version (TLS1.2). Any idea?


On Tuesday, July 28, 2015 at 11:48:29 UTC+3, Jean-Sébastien Pédron wrote:

Alan Antonuk

Jul 28, 2015, 4:55:47 PM
to Aylin Koroglu, rabbitmq-users, jean-se...@rabbitmq.com
Currently there isn't a way to pin the desired SSL version; it simply negotiates based on what the server is advertising.

-Alan


Aylin Koroglu

Jul 31, 2015, 3:05:57 AM
to rabbitmq-users, aylin....@gmail.com, jean-se...@rabbitmq.com, alan.a...@gmail.com

Thanks a lot, Alan. We were able to make the C Client work with SSL connection on Solaris Sparc.


On Tuesday, July 28, 2015 at 23:55:47 UTC+3, Alan Antonuk wrote:

Michael Claßen

Sep 10, 2015, 10:25:04 AM
to rabbitmq-users, aylin....@gmail.com, jean-se...@rabbitmq.com
Hi Alan,

I looked into this also a little bit. I think there might be a way to force some specific SSL protocol:
  1. by setting specific defines that are mentioned in ssl.h in OpenSSL (I haven't looked at other SSL libraries), e.g.: 
    /*
     * The following cipher list is used by default. It also is substituted when
     * an application-defined cipher list string starts with 'DEFAULT'.
     */
    # define SSL_DEFAULT_CIPHER_LIST "ALL:!EXPORT:!aNULL:!eNULL:!SSLv2"
  2. in amqp_openssl.c:

    instead of this line:
    self->ctx = SSL_CTX_new(SSLv23_client_method());

    we could try a more specific method, e.g.:
    self->ctx = SSL_CTX_new(TLSv1_2_client_method());

Of course this is more of a hack and should be somehow configurable. But we are seeing problems with TLS protocol negotiations in one of the latest rabbitmq-c versions and I'm thinking of using one of these workarounds to fix it (if it is actually rabbitmq-c's fault, which is not 100% sure).

thanks,
Michael
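
To confirm which protocol version a negotiation like the one discussed above actually settled on, here is an added example (not code from this thread or from rabbitmq-c) that reads the selected version out of a captured ServerHello and checks it against a floor such as TLS 1.2. The function names and the sample bytes are constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed sample (not a real capture): a TLS record with a ServerHello
 * selecting TLS 1.2, zeroed random, no session id, suite 0xC02F. */
const uint8_t SAMPLE_TLS12[47] = {
  0x16, 0x03, 0x03, 0x00, 0x2A, /* record: handshake, 42 bytes follow */
  0x02, 0x00, 0x00, 0x26,       /* ServerHello, 38-byte body */
  0x03, 0x03,                   /* server_version */
  [44] = 0xC0, [45] = 0x2F      /* cipher suite */
};

static size_t be16(const uint8_t *p) { return ((size_t)p[0] << 8) | p[1]; }

/* Version the server selected (0x0303 = TLS 1.2), or 0 if buf does not
 * start with a complete, well-formed ServerHello record. */
uint16_t server_hello_version(const uint8_t *buf, size_t len) {
  size_t rec_end, hs_len, end, p, ext_end;
  uint16_t ver;
  if (len < 9 || buf[0] != 0x16 || buf[5] != 0x02) return 0;
  rec_end = 5 + be16(buf + 3);
  hs_len = ((size_t)buf[6] << 16) | be16(buf + 7);
  end = 9 + hs_len;
  if (rec_end > len || end > rec_end || hs_len < 38) return 0;
  ver = (uint16_t)be16(buf + 9);
  /* skip version, random, session id, cipher suite, compression method */
  p = 11 + 32 + 1 + (size_t)buf[43] + 2 + 1;
  if (p > end) return 0;
  if (p == end) return ver;     /* no extensions */
  if (p + 2 > end) return 0;
  ext_end = p + 2 + be16(buf + p);
  if (ext_end > end) return 0;
  for (p += 2; p + 4 <= ext_end; p += 4 + be16(buf + p + 2)) {
    if (p + 4 + be16(buf + p + 2) > ext_end) return 0;
    /* TLS 1.3 carries the real version in supported_versions (type 43) */
    if (be16(buf + p) == 43 && be16(buf + p + 2) == 2)
      ver = (uint16_t)be16(buf + p + 4);
  }
  return ver;
}

/* 1 if the server selected min_ver (e.g. 0x0303) or newer, else 0. */
int meets_tls_floor(const uint8_t *buf, size_t len, uint16_t min_ver) {
  uint16_t v = server_hello_version(buf, len);
  return v != 0 && v >= min_ver;
}
int main(void) {
  printf("TLS 1.2 floor met: %d\n", meets_tls_floor(SAMPLE_TLS12, sizeof SAMPLE_TLS12, 0x0303));
  return 0;
}
```
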

Alan Antonuk

Sep 14, 2015, 11:23:33 AM
to rabbitm...@googlegroups.com, Aylin Koroglu, jean-se...@rabbitmq.com
What's the greatest version of TLS that the (various versions of the) RabbitMQ broker supports? Ideally the client should aim for the highest version of that.

-Alan

Jean-Sébastien Pédron

Sep 14, 2015, 11:38:44 AM
to rabbitm...@googlegroups.com
On 14.09.2015 17:23, Alan Antonuk wrote:
> What's the greatest version of TLS that the (various versions of the)
> RabbitMQ broker supports? Ideally the client should aim for the highest
> version of that.

Hi!

It depends on the version of Erlang, not RabbitMQ.