Rabbitmq web_mqtt ssl connection error


Bernard Wong

Mar 15, 2017, 2:07:33 AM3/15/17
to rabbitmq-users
Hi team,

I have a server running CentOS 6.7. I have installed erlang-19.2 and rabbitmq-server-3.6.6. The plugin rabbitmq_web_mqtt-3.6.x-3b6a09bb is also enabled.

This is my rabbitmq.config:

[
  {rabbit, [
    {loopback_users, []},
    {ssl_listeners, [5671]},
    {ssl_options, [
      {cacertfile, "/tmp/testca/cacert.pem"},
      {certfile,   "/tmp/server/crt.pem"},
      {keyfile,    "/tmp/server/key.pem"},
      {verify, verify_peer},
      {fail_if_no_peer_cert, false},
      {password, "MySecretPassword"}
    ]}
  ]},

  {rabbitmq_web_mqtt, [
    {tcp_config, [{port, 15679}]},
    {ssl_config, [
      {port, 15675},
      {backlog, 1024},
      {cacertfile, "/tmp/testca/cacert.pem"},
      {certfile,   "/tmp/server/cert.pem"},
      {keyfile,    "/tmp/server/key.pem"},
      {verify, verify_peer},
      {fail_if_no_peer_cert, false},
      {password, "MySecretPassword"}
    ]}
  ]},

  {rabbitmq_mqtt, [
    {ssl_listeners, [8883]},
    {tcp_listeners, [1883]}
  ]}
].


I can access the server through socket 15679 (TCP connection) but fail when connecting to socket 15675 (SSL connection). When connecting through socket 15675, "WebSocket connection to 'wss://10.17.98.147:15679/ws' failed: Error in connection establishment: net::ERR_SSL_PROTOCOL_ERROR" is returned. The cacert.pem, cert.pem and key.pem were generated by following the tutorial at https://www.rabbitmq.com/ssl.html. I also tried installing the certificate client/keycert.p12 into the browser, but the same error still occurs.

Michael Klishin

Mar 15, 2017, 4:47:27 AM3/15/17
to rabbitm...@googlegroups.com, Bernard Wong
Please start by following the steps in this guide: http://www.rabbitmq.com/troubleshooting-ssl.html
and post server logs. We cannot suggest anything with the amount of information provided. 

--
MK

Staff Software Engineer, Pivotal/RabbitMQ


Bernard Wong

Mar 16, 2017, 3:41:37 AM3/16/17
to rabbitmq-users, ber...@gmail.com
Hi,

ssl:version().

[{ssl_app,"8.1"},
 {supported,['tlsv1.2','tlsv1.1',tlsv1]},
 {available,['tlsv1.2','tlsv1.1',tlsv1,sslv3]}]


After
openssl s_server -accept 8443 -cert /tmp/server/cert.pem -key /tmp/server/key.pem \
  -CAfile /tmp/testca/cacert.pem

and 

openssl s_client -connect localhost:8443 -cert /tmp/client/cert.pem -key /tmp/client/key.pem \
  -CAfile /tmp/testca/cacert.pem

returned:

CONNECTED(00000003)
depth=1 CN = MyTestCA
verify return:1
depth=0 CN = smartv, O = server
verify return:1
---
Certificate chain
 0 s:/CN=smartv/O=server
   i:/CN=MyTestCA
 1 s:/CN=MyTestCA
   i:/CN=MyTestCA
---
Server certificate
subject=/CN=smartv/O=server
issuer=/CN=MyTestCA
---
No client certificate CA names sent
Server Temp Key: ECDH, prime256v1, 256 bits
---
SSL handshake has read 2115 bytes and written 373 bytes
---
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-GCM-SHA384
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES256-GCM-SHA384
    Session-ID: 82E3971F64A68C924AE1CAE6D62611804670C4A94BA00CF98BC6A5C8AFDFB68F
    Session-ID-ctx: 
    Master-Key: F4FE739D4B0339E6B7320FE299AAFF6F20D862DD5B3BA09F73BC50E1A1E42E7F0B7A6D9ED6DE7F6427427618073F5D0E
    Key-Arg   : None
    Krb5 Principal: None
    PSK identity: None
    PSK identity hint: None
    TLS session ticket lifetime hint: 300 (seconds)

    Start Time: 1489568058
    Timeout   : 300 (sec)
    Verify return code: 0 (ok)

and 


Using default temp DH parameters
Using default temp ECDH parameters
ACCEPT
Shared ciphers:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-DSS-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA256:DHE-RSA-AES256-SHA:DHE-DSS-AES256-SHA:DHE-RSA-CAMELLIA256-SHA:DHE-DSS-CAMELLIA256-SHA:ECDH-RSA-AES256-GCM-SHA384:ECDH-ECDSA-AES256-GCM-SHA384:ECDH-RSA-AES256-SHA384:ECDH-ECDSA-AES256-SHA384:ECDH-RSA-AES256-SHA:ECDH-ECDSA-AES256-SHA:AES256-GCM-SHA384:AES256-SHA256:AES256-SHA:CAMELLIA256-SHA:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:DHE-DSS-AES128-GCM-SHA256:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-SHA256:DHE-DSS-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA:ECDHE-RSA-DES-CBC3-SHA:ECDHE-ECDSA-DES-CBC3-SHA:DHE-RSA-SEED-SHA:DHE-DSS-SEED-SHA:DHE-RSA-CAMELLIA128-SHA:DHE-DSS-CAMELLIA128-SHA:EDH-RSA-DES-CBC3-SHA:EDH-DSS-DES-CBC3-SHA:ECDH-RSA-AES128-GCM-SHA256:ECDH-ECDSA-AES128-GCM-SHA256:ECDH-RSA-AES128-SHA256:ECDH-ECDSA-AES128-SHA256:ECDH-RSA-AES128-SHA:ECDH-ECDSA-AES128-SHA:ECDH-RSA-DES-CBC3-SHA:ECDH-ECDSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES128-SHA256:AES128-SHA:SEED-SHA:CAMELLIA128-SHA:DES-CBC3-SHA:IDEA-CBC-SHA:ECDHE-RSA-RC4-SHA:ECDHE-ECDSA-RC4-SHA:ECDH-RSA-RC4-SHA:ECDH-ECDSA-RC4-SHA:RC4-SHA:RC4-MD5
CIPHER is ECDHE-RSA-AES256-GCM-SHA384
Secure Renegotiation IS supported

I tried to connect to the web_mqtt socket (15679):

openssl s_client -connect localhost:15679 -cert /tmp/client/cert.pem -key /tmp/client/key.pem \
  -CAfile /tmp/testca/cacert.pem

It returns:

CONNECTED(00000003)
depth=1 CN = MyTestCA
verify return:1
depth=0 CN = smartv, O = server
verify return:1
---
Certificate chain
 0 s:/CN=smartv/O=server
   i:/CN=MyTestCA
 1 s:/CN=MyTestCA
   i:/CN=MyTestCA
---
Server certificate
subject=/CN=smartv/O=server
issuer=/CN=MyTestCA
---
No client certificate CA names sent
---
SSL handshake has read 1623 bytes and written 565 bytes
---
New, TLSv1/SSLv3, Cipher is AES256-GCM-SHA384
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : AES256-GCM-SHA384
    Session-ID: 5076A95795A544745FAEE7A95180F63885298D048CD13FC43231CC79474BC230
    Session-ID-ctx: 
    Master-Key: 2FBFECF7759A07048FF198174C75718E03772C75A5279895306FF13309EBC992F1CF2539767D783A89245B2D29C6758C
    Key-Arg   : None
    Krb5 Principal: None
    PSK identity: None
    PSK identity hint: None
    Start Time: 1489568519
    Timeout   : 300 (sec)
    Verify return code: 0 (ok)
---
closed

If connecting to port 5671:

CONNECTED(00000003)


For

stunnel -r localhost:5672 -d 5679 -f -p /tmp/client/key-cert.pem -D 7

[ ] Clients allowed=500
[ ] Cron thread initialized
[.] stunnel 5.40 on i686-pc-linux-gnu platform
[.] Compiled/running with OpenSSL 1.0.1e-fips 11 Feb 2013
[.] Threading:PTHREAD Sockets:POLL,IPv6 TLS:ENGINE,FIPS,OCSP,PSK,SNI
[ ] errno: (*__errno_location ())
[!] Invalid configuration file name "-r"
[!] realpath: No such file or directory (2)


I put echo.html and mqttws31.js under the Apache server. A normal connection is established successfully but it fails when using an SSL connection.

Michael Klishin

Mar 16, 2017, 3:55:22 AM3/16/17
to rabbitm...@googlegroups.com, Bernard Wong
Your leaf certificate verifies OK but MyTestCA doesn't. Was it added to the list of trusted
certificates on the client end? If not it has to be.

Bernard Wong

Mar 16, 2017, 5:52:42 AM3/16/17
to rabbitmq-users, ber...@gmail.com
Is it adding the cert.pem inside the /testca folder into /etc/pki/ca-trust/source/anchors/ and running "make update-ca-trust enable"?

Michael Klishin

Mar 16, 2017, 6:06:08 AM3/16/17
to rabbitm...@googlegroups.com, Bernard Wong
It varies from OS to OS and potentially even distribution to distribution.

See http://unix.stackexchange.com/questions/90450/adding-a-self-signed-certificate-to-the-trusted-list, for example.
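The distinction in the replies above (leaf verifies, but the issuing CA is not a trust anchor on the client) can be reproduced without any RabbitMQ server. This is an added example, not part of the thread: it builds a throwaway CA and server certificate in a temp directory (the subject names MyTestCA and smartv are constructed to match the thread) and runs openssl verify three ways: with the CA file passed explicitly (what s_client -CAfile did), against the default store only (what a browser or unconfigured client does), and against a hashed CA directory of the kind c_rehash produces and -CApath expects.

```shell
#!/bin/sh
# Added example (not from the thread): reproduce "leaf OK, CA not trusted"
# with a constructed test CA. Requires the openssl CLI.
set -eu
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# 1. A private test CA, like the one produced by following rabbitmq.com/ssl.html.
openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=MyTestCA" \
  -keyout "$WORK/ca.key" -out "$WORK/cacert.pem" 2>/dev/null
# 2. A server key and CSR, signed by that CA.
openssl req -newkey rsa:2048 -nodes -subj "/CN=smartv/O=server" \
  -keyout "$WORK/server.key" -out "$WORK/server.csr" 2>/dev/null
openssl x509 -req -days 1 -in "$WORK/server.csr" -CA "$WORK/cacert.pem" \
  -CAkey "$WORK/ca.key" -CAcreateserial -out "$WORK/server.pem" 2>/dev/null

# Prints "ok" when openssl verify accepts the chain, "fail" otherwise.
# The output is inspected instead of the exit status because OpenSSL 1.0.x
# (the version on CentOS 6) exits 0 even when verification fails.
check() {
  out=$(openssl verify "$@" "$WORK/server.pem" 2>&1 || true)
  case "$out" in *": OK"*) echo ok ;; *) echo fail ;; esac
}

# Equivalent of s_client -CAfile: the trust anchor is supplied explicitly.
verify_with_cafile() { check -CAfile "$WORK/cacert.pem"; }

# Default trust store only: this is the browser's situation in the thread.
verify_with_default_store() { check; }

# What "adding the CA to the trusted list" amounts to for OpenSSL-based
# clients: a directory of CA certs named by subject hash.
verify_with_trust_dir() {
  mkdir -p "$WORK/anchors"
  h=$(openssl x509 -noout -hash -in "$WORK/cacert.pem")
  cp "$WORK/cacert.pem" "$WORK/anchors/$h.0"
  check -CApath "$WORK/anchors"
}

echo "CAfile:    $(verify_with_cafile)"
echo "default:   $(verify_with_default_store)"
echo "trust dir: $(verify_with_trust_dir)"
```

Only the first and third checks print ok; the second is the same failure the browser reports for wss:// until the CA is imported into the client's own store.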

Bernard Wong

Mar 16, 2017, 10:39:43 PM3/16/17
to rabbitmq-users, ber...@gmail.com
After adding the cacert, I am able to connect to port 15675 without it closing automatically.

openssl s_client -connect localhost:15676 -cert /tmp/client/cert.pem -key /tmp/client/key.pem \
  -CAfile /tmp/testca/cacert.pem

returns

CONNECTED(00000003)

But from a Windows PC, Google Chrome is still unable to establish an SSL connection with web_mqtt.
In order to turn off SSL verification, is this the correct rabbitmq.config file:

[
  {rabbit, [
    {loopback_users, []},
    {auth_mechanisms, ['EXTERNAL', 'PLAIN']},
    {ssl_listeners, [5671]},
    {ssl_options, [
      {cacertfile, "/tmp/testca/cacert.pem"},
      {certfile,   "/tmp/server/crt.pem"},
      {keyfile,    "/tmp/server/key.pem"},
      {verify, verify_none},
      {fail_if_no_peer_cert, false},
      {password, "MySecretPassword"}
    ]}
  ]},

  {rabbitmq_web_mqtt, [
    {tcp_config, [{port, 15675}]},
    {auth_mechanisms, ['EXTERNAL', 'PLAIN']},
    {ssl_config, [
      {port, 15676},
      {backlog, 1024},
      {cacertfile, "/etc/pki/ca-trust/source/anchors/cacert.pem"},
      {certfile,   "/etc/pki/ca-trust/source/anchors/crt.pem"},
      {keyfile,    "/etc/pki/ca-trust/source/anchors/key.pem"},
      {verify, verify_none},

Michael Klishin

Mar 17, 2017, 5:57:03 AM3/17/17
to rabbitm...@googlegroups.com
Chrome and other browsers have their own lists of trusted root CAs. You can't change it, but you can make Chrome trust connections from a particular HTTPS resource,
which effectively whitelists a certificate. I suspect that may be the culprit.

I'd assume a whitelisted certificate to also be trusted by WebSocket client connections, but my Web API knowledge leaves a lot to be desired.

Bernard Wong

Mar 20, 2017, 11:16:27 PM3/20/17
to rabbitmq-users
Hi,

I put echo.html and mqttws31.js inside the public folder of an Apache server with a self-signed SSL certificate. For the rabbitmq_web_mqtt setting, I use the certificates generated as described at https://www.rabbitmq.com/ssl.html, which are different from the certificate used by the SSL Apache server. Does it matter that I use different certificates?
My rabbit.config: