SSL issue federation upstream connection, error: TLS client: In state hello received SERVER ALERT: Fatal - Insufficient Security

kdc

Oct 29, 2019, 1:37:26 PM
to rabbitmq-users
Hello,

We have done a RabbitMQ 3.8.0 setup through the Bitnami AMI on AWS on two different instances. We have configured the RabbitMQs to support SSL for both AMQPS (5671) and the RabbitMQ management console (15671) successfully.

Unfortunately, we seem to run into trouble when trying to couple the two servers together through federation. When trying to couple the servers with each other, or to an older setup which we're trying to migrate from, we get an error saying "TLS client: In state hello received SERVER ALERT: Fatal - Insufficient Security". Nowhere in the message do we see anything related to ciphers.


Any advice on how to further investigate this?

Thanks.

Luke Bakken

Oct 29, 2019, 2:26:44 PM
to rabbitmq-users
Hello,

What Erlang version or versions are you using? It is also very helpful to attach your complete configuration files to your questions, as well as copy complete log files or un-abridged error lines from the log files.

The TLS troubleshooting guide is a good place to start - https://www.rabbitmq.com/troubleshooting-ssl.html

Use openssl s_client to verify that TLS connections to port 5671 work correctly to all RabbitMQ servers. There is an example in that doc that also verifies the peer cert while using SNI.

Let us know how that test works and we can proceed from there.

Thanks,
Luke


kdc

Oct 30, 2019, 9:57:35 AM
to rabbitmq-users
We use RabbitMQ 3.5.7 with Erlang 18.3.4
I have attached the complete logs and also the config file; in the config file I replaced some things with xxxxxxxxxx.

Communication with clients is no problem! Only the federation upstream is not working.

lograbbit.log
rabbitmq-redacted.config

Wesley Peng

Oct 30, 2019, 10:04:51 AM
to rabbitm...@googlegroups.com
Those Erlang and RabbitMQ versions are very old. The only thing you would do is upgrade them to the latest.

regards 
--
You received this message because you are subscribed to the Google Groups "rabbitmq-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email to rabbitmq-user...@googlegroups.com.


Koen De Clercq (TELETASK)

Oct 30, 2019, 10:24:22 AM
to rabbitm...@googlegroups.com

Sorry, I posted the version of our old servers. We now want to place the servers on AWS with Bitnami running RabbitMQ 3.8.0 and Erlang 22.1 (as you can see in the log).

On our old servers the upstream is working OK, but not on the new 3.8.0.

Luke Bakken

Oct 30, 2019, 11:07:35 AM
to rabbitmq-users
Hello,

Please run the openssl s_client test and share the output.

My guess is that you will have to enable all TLS ciphers in your environments: https://www.rabbitmq.com/ssl.html#cipher-suites

rabbitmqctl eval 'ssl:cipher_suites(all)'.

Then take that list and add it to ssl_options in your configuration (see attached file). Note that your list of ciphers may be different than what I have added as an example.

You will then have to restart RabbitMQ.

Thanks,
Luke
rabbitmq-redacted.config
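
The alert in the subject line is TLS alert 71 (insufficient_security), which RFC 5246 defines as a negotiation failure where the server requires ciphers more secure than those the client supports. As an added example (not part of the thread and not RabbitMQ code), the parser below decodes plaintext alert records from bytes taken out of a packet capture, so the alert level and description can be confirmed independently of the Erlang log line; the function name and both sample byte strings are constructed for illustration.

```python
import struct

# TLS alert codes (RFC 5246 section 7.2; 112 is from RFC 6066). Subset only.
ALERTS = {0: "close_notify", 10: "unexpected_message", 20: "bad_record_mac",
          40: "handshake_failure", 42: "bad_certificate", 48: "unknown_ca",
          70: "protocol_version", 71: "insufficient_security",
          80: "internal_error", 112: "unrecognized_name"}
LEVELS = {1: "warning", 2: "fatal"}
VERSIONS = {(3, 1): "TLS 1.0", (3, 2): "TLS 1.1", (3, 3): "TLS 1.2"}
ALERT_RECORD = 21  # record-layer content type for alerts


def parse_tls_alerts(stream: bytes):
    """Walk the TLS records in `stream` and decode every plaintext alert.

    Returns a list of (record_version, level, description) tuples.
    """
    alerts, offset = [], 0
    while offset < len(stream):
        if len(stream) - offset < 5:
            raise ValueError(f"truncated record header at offset {offset}")
        ctype, major, minor, length = struct.unpack_from("!BBBH", stream, offset)
        body = stream[offset + 5:offset + 5 + length]
        if len(body) < length:
            raise ValueError(f"truncated record body at offset {offset}")
        offset += 5 + length
        # A plaintext alert is exactly two bytes (level, description);
        # a longer alert record is encrypted and cannot be decoded here.
        if ctype == ALERT_RECORD and length == 2:
            level, desc = body
            alerts.append((VERSIONS.get((major, minor), f"{major}.{minor}"),
                           LEVELS.get(level, f"unknown({level})"),
                           ALERTS.get(desc, f"unknown({desc})")))
    return alerts


# Constructed sample: bytes a server would send to reject a ClientHello
# the way the error in this thread describes (fatal alert 71 over TLS 1.2).
SAMPLE_REJECTION = bytes.fromhex("15030300020247")
# Constructed sample: a handshake record (ServerHelloDone) followed by a
# fatal handshake_failure alert, to show non-alert records are skipped.
SAMPLE_MIXED = bytes.fromhex("16030300040e000000" "15030300020228")

if __name__ == "__main__":
    for name, data in (("rejection", SAMPLE_REJECTION), ("mixed", SAMPLE_MIXED)):
        print(name, parse_tls_alerts(data))
```
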