Unable to create TLS connection between RabbitMQ 3.6.5 broker and .net client.


rejag

Sep 13, 2017, 10:38:38 AM
to rabbitmq-users
Hello,
I am trying to connect to a RabbitMQ 3.6.5 broker from .NET over TLS and it is failing.

In the server log I am getting the following error:
SSL: certify: ssl_connection.erl:826:Fatal error: handshake failure

On the client end I am getting this error:
Exception in connection : RabbitMQ.Client.Exceptions.BrokerUnreachableException: None of the specified endpoints were reachable ---> System.IO.IOException: Unable to write data to the transport connection: An existing connection was forcibly closed by the remote host. ---> System.Net.Sockets.SocketException: An existing connection was forcibly closed by the remote host

Broker hosted on RHEL 6.8
Broker Erlang version: 19.0.4

Client machine: Windows Server 2008 R2.
.NET 4.5 (Runtime 4.0)

I have tried with openssl s_client using the same client certificates used in .NET, and the connection is successful. Also, using Java with the same certificates, I can connect to the broker.

There is no cipher restriction in broker configuration.

Thanks,
John


issue.txt

Michael Klishin

Sep 13, 2017, 11:13:01 AM
to rabbitm...@googlegroups.com
The stack trace mentions

System.Net.Sockets Error: 0 : [10832] Exception in Socket#21454193::EndConnect -
> A socket operation was attempted to an unreachable network [::ffff:168.82.107.83]:5675

First step in troubleshooting this should be tailing server logs to see if it registers any
connections at all (or logs any TLS alerts). Also whether port 5675 is actually used
for TLS connections (default value is 5671).

--
You received this message because you are subscribed to the Google Groups "rabbitmq-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email to rabbitmq-users+unsubscribe@googlegroups.com.
To post to this group, send email to rabbitmq-users@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.



--
MK

Staff Software Engineer, Pivotal/RabbitMQ

rejag

Sep 13, 2017, 11:28:55 AM
to rabbitmq-users
Thanks for your response, Michael.
But I am not clear on your response.
I noticed the lines you pointed out. I thought it meant the socket connection was attempted without a cert in the first step.

Thanks,
John


Michael Klishin

Sep 13, 2017, 12:02:02 PM
to rabbitm...@googlegroups.com
It's not clear what the exception really says, that's why server logs and a traffic capture if possible are important to obtain before we draw any conclusions.
Staff Software Engineer, Pivotal/RabbitMQ

Luke Bakken

Sep 13, 2017, 4:15:05 PM
to rabbitmq-users
John -

The IP address in the exception is an "IPv4-mapped IPv6 address" (https://en.wikipedia.org/wiki/IPv6#Software). I can't say I have ever seen one in an error like this, but it is sort of suspicious. Of course, it could just be how the .NET runtime formats the address, too.

[::ffff:168.82.107.83]:5675

When you test your certs using openssl are you using the IP address or the host name to connect to?

Thanks,
Luke

rejag

Sep 14, 2017, 2:52:57 AM
to rabbitmq-users
Thanks for your response, Luke.

I am using the domain name (not the IP) for both openssl s_client and my .NET sample code.

rejag

Sep 14, 2017, 3:06:07 AM
to rabbitmq-users
Yes, Michael. There is no detailed error on the broker end.
The broker end only shows the error I already mentioned in my original post.
I enabled debug logging for connections: {log_levels, [{connection, debug},{channel, debug}]}
But no detailed error is written to the log.
How can I capture traffic for RabbitMQ?

Thanks,
John

Michael Klishin

Sep 14, 2017, 11:11:28 AM
to rabbitm...@googlegroups.com
If RabbitMQ doesn't log any connection "attempts", it means one of two things:

1. There are no actual inbound connections or
2. Connected clients send no data at all (such as TCP load balancer health checks)

Based on the error message here it must be option 1. Please investigate what prevents network connectivity
to [::ffff:168.82.107.83]:5675. Taking a traffic capture with tcpdump/Wireshark and inspecting it (with Wireshark)
can greatly speed up the investigation, so we recommend it.


rejag

Sep 15, 2017, 4:58:56 AM
to rabbitmq-users
Hello Michael,
1. There are no actual inbound connections or - I already checked inbound connections on port 5675 (SSL is configured on this port), and I noticed inbound connections during my test client's connection to the broker. The connection log from tcpdump is attached.

2. Connected clients send no data at all (such as TCP load balancer health checks) - How do I confirm that? I get the exception on the line conn = factory.CreateConnection();

Additionally, I ran the test after changing these two properties in the broker config file:
 {verify,                verify_none},
 {fail_if_no_peer_cert,  false},

And the connection is successful on the same SSL port (5675). So there is no firewall issue for incoming traffic on the SSL port.

Thanks,
John
tcpdump.txt
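The pattern John describes (the handshake fails while the broker has `{verify, verify_peer}` and `{fail_if_no_peer_cert, true}`, and succeeds once both are relaxed) is what the Erlang TLS server does when the client either presents no certificate or presents one for which the broker cannot build a chain to a CA it trusts. Relaxing `verify_none` disables client authentication altogether, so the setting to keep is the strict one and the thing to fix is the client. The snippet below is an added example, not code from this thread or from the RabbitMQ project; it shows how the RabbitMQ .NET client is told to present a client certificate. The host name, credentials, PKCS#12 path and passphrase are placeholders, and port 5675 is the non-default TLS port used in the thread.

```csharp
using System;
using System.Net.Security;
using System.Security.Authentication;
using RabbitMQ.Client;

// Added example, not the thread's own code. Host name, port, credentials,
// certificate path and passphrase are placeholders for illustration.
public static class MutualTlsConnection
{
    public static IConnection Open()
    {
        var factory = new ConnectionFactory
        {
            HostName = "broker.example.internal",   // placeholder; use the name on the broker's certificate
            Port = 5675,                            // the non-default TLS port used in the thread (5671 is the default)
            UserName = "app-user",                  // placeholder
            Password = "app-password"               // placeholder
        };

        factory.Ssl.Enabled = true;

        // Must match the broker certificate's subject or SAN; otherwise the client
        // rejects the server certificate, which is a different failure from the
        // broker-side "handshake failure" alert in the thread.
        factory.Ssl.ServerName = "broker.example.internal";

        // Client certificate plus private key in a PKCS#12 file. If no certificate is
        // presented, or the broker cannot chain it to a CA it trusts, a broker running
        // with {verify, verify_peer} and {fail_if_no_peer_cert, true} aborts the
        // handshake. This is the setting that must stay strict; fix the client instead.
        factory.Ssl.CertPath = @"C:\certs\client.p12";     // placeholder path
        factory.Ssl.CertPassphrase = "pkcs12-passphrase";  // placeholder

        // .NET 4.5 defaults SslStream to TLS 1.0; pin TLS 1.2 explicitly so the
        // client and broker negotiate a modern protocol version.
        factory.Ssl.Version = SslProtocols.Tls12;

        // Keep server certificate validation strict. Widening this (for example to
        // ignore chain errors) hides misconfiguration rather than fixing it.
        factory.Ssl.AcceptablePolicyErrors = SslPolicyErrors.None;

        return factory.CreateConnection();
    }

    public static void Main()
    {
        using (var conn = Open())
        using (var channel = conn.CreateModel())
        {
            Console.WriteLine("TLS connection established with a client certificate.");
        }
    }
}
```

If the connection still fails with the certificate configured, the broker log under the `connection` debug level and a Wireshark capture of the handshake (as Michael suggests) will show whether the client actually sent a Certificate message and which alert the broker returned; an empty Certificate message from the client points at the PKCS#12 not containing the private key or not being readable by the account running the process.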

Michael Klishin

Sep 15, 2017, 11:20:40 AM
to rabbitm...@googlegroups.com
A realistic client will always send some data after it successfully opens a TCP connection. You can see whether any
data was sent by opening the tcpdump capture in Wireshark (or by capturing in Wireshark directly).
