Web STOMP plugin with SSL/TLS, no server active


Giovanni Foiani

Dec 16, 2015, 5:54:42 AM
to rabbitmq-users
Hi all,

I'm using RabbitMQ 3.5.6 and I'm trying to configure the Web STOMP plugin to work with SSL/TLS. This is the plugin configuration:


  {rabbitmq_web_stomp,
   [
     {ssl_cert_login, true},
     {ssl_config,
       [
         {port,       15671},
         {backlog,    1024},
         {cacertfile, "/path/to/ca_certificate.pem"},
         {certfile,   "/path/to/server_certificate.pem"},
         {keyfile,    "/path/to/server_key.pem"}
       ]
     }
   ]
  }


The plugin is correctly enabled:

gfoiani@FojaMac ~/tls-gen/basic/result (master)$ rabbitmq-plugins list
 Configured: E = explicitly enabled; e = implicitly enabled
 | Status:   * = running on rabbit@Fojamac
 |/
[e*] amqp_client                       3.5.6
[e*] cowboy                            0.5.0-rmq3.5.6-git4b93c2d
[E*] gen_coap                          0.0.1-rmq0.0.0-git
[e*] mochiweb                          2.7.0-rmq3.5.6-git680dba8
[E*] rabbitmq_amqp1_0                  3.5.6
[E*] rabbitmq_auth_backend_http        3.5.x-fe9401c6
[  ] rabbitmq_auth_backend_ldap        3.5.6
[  ] rabbitmq_auth_mechanism_ssl       3.5.6
[  ] rabbitmq_consistent_hash_exchange 3.5.6
[E*] rabbitmq_delayed_message_exchange 0.0.1-rmq3.5.x-9bf265e4
[E*] rabbitmq_event_exchange           3.5.x-4813af15
[  ] rabbitmq_federation               3.5.6
[  ] rabbitmq_federation_management    3.5.6
[E*] rabbitmq_lvc                      3.5.x-bd06d59b
[E*] rabbitmq_management               3.5.6
[e*] rabbitmq_management_agent         3.5.6
[E*] rabbitmq_management_themes        3.5.x-9013cbf9
[E*] rabbitmq_management_visualiser    3.5.6
[E*] rabbitmq_mqtt                     3.5.900
[E*] rabbitmq_shovel                   3.5.6
[E*] rabbitmq_shovel_management        3.5.6
[E*] rabbitmq_stomp                    3.5.6
[  ] rabbitmq_test                     3.5.6
[E*] rabbitmq_top                      3.5.x-99ed877e
[  ] rabbitmq_tracing                  3.5.6
[e*] rabbitmq_web_dispatch             3.5.6
[E*] rabbitmq_web_stomp                3.5.6
[E*] rabbitmq_web_stomp_examples       3.5.6
[e*] sockjs                            0.3.4-rmq3.5.6-git3132eb9
[e*] webmachine                        1.10.3-rmq3.5.6-gite9359c7

but when I try to connect to the endpoint I get the following error:

gfoiani@FojaMac ~/tls-gen/basic/result (master)$ telnet localhost 15671
Trying ::1...
telnet: connect to address ::1: Connection refused
Trying 127.0.0.1...
telnet: connect to address 127.0.0.1: Connection refused
Trying fe80::1...
telnet: connect to address fe80::1: Connection refused
telnet: Unable to connect to remote host
gfoiani@FojaMac ~/tls-gen/basic/result (master)$ openssl s_client -connect localhost:15671 -tls1
connect: Connection refused
connect:errno=61

Errno 61 indicates that there is no server active at the destination IP.
How can I check if the web server is running? Where are the web server logs?
Web STOMP is working fine without SSL on port 15674...

Thanks

Giovanni
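
The telnet and openssl checks in the post above, as one probe that separates "nothing is listening" from "something is listening but it is not TLS" from "TLS handshake completed". This is an added example, not part of the original thread or of RabbitMQ; the function name `probe_tls_listener` and its result keys are hypothetical, and ports 15671 and 15674 are the ones from the post.

```python
import socket
import ssl


def probe_tls_listener(host, port, cafile=None, timeout=3.0):
    """Return a dict whose 'state' says what answered on host:port."""
    try:
        raw = socket.create_connection((host, port), timeout=timeout)
    except ConnectionRefusedError:
        # Same condition as "connect: Connection refused" in the post:
        # no process has bound the port, so check the broker log for a
        # listener that failed to start.
        return {"state": "refused"}
    except (socket.timeout, TimeoutError):
        return {"state": "timeout"}
    except OSError as exc:
        return {"state": "unreachable", "detail": str(exc)}

    if cafile:
        # Verify the server certificate against the CA from the config.
        ctx = ssl.create_default_context(cafile=cafile)
    else:
        # Reachability check only: without a CA file the peer is NOT verified.
        ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    try:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            return {"state": "tls_ok", "protocol": tls.version(),
                    "cipher": tls.cipher()[0], "verified": bool(cafile)}
    except ssl.SSLCertVerificationError as exc:
        return {"state": "cert_untrusted", "detail": exc.verify_message}
    except (ssl.SSLError, OSError) as exc:
        # A listener accepted the TCP connection but did not speak TLS,
        # e.g. the plain Web STOMP port answering a ClientHello.
        return {"state": "not_tls", "detail": str(exc)}
    finally:
        raw.close()


if __name__ == "__main__":
    for p in (15671, 15674):  # TLS port and plain port from the post
        print(p, probe_tls_listener("localhost", p))
```

Passing the CA file from `cacertfile` as `cafile` turns the probe from a reachability check into a verification of the server certificate chain and hostname.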

Michael Klishin

Dec 16, 2015, 5:59:16 AM
to rabbitm...@googlegroups.com, Giovanni Foiani
On 16 December 2015 at 13:54:45, Giovanni Foiani (giovann...@gmail.com) wrote:
> Errno 61 indicates that there is no server active at the destination
> IP.
> How can I check if web server is running? Where are the web server
> logs?

Web STOMP logs into RabbitMQ log file. Have you restarted the node after
changing your config? Is the config file at the correct location? (management UI
will display its path and optionally a "(not found)" mark if it cannot be found/read). 

I'd recommend going with 3.6.0 (RC3 at the moment) for Web STOMP as it has been
completely rewritten and also provides a "raw" WebSocket endpoint. TLS support hasn't
changed but it now uses a more modern HTTP/WebSocket server under the hood.

Docs for 3.6.0 can currently be found at http://next.rabbitmq.com/web-stomp.html.
--
MK

Staff Software Engineer, Pivotal/RabbitMQ


Giovanni Foiani

Dec 16, 2015, 6:05:51 AM
to rabbitmq-users, giovann...@gmail.com
When I start the node I get the following error in SASL log:

=CRASH REPORT==== 16-Dec-2015::12:03:17 ===
  crasher:
    initial call: supervisor:cowboy_acceptors_sup/1
    pid: <0.600.0>
    registered_name: []
    exception exit: {{badmatch,false},
                     [{cowboy_ssl_transport,listen,1,
                          [{file,
                               "cowboy-wrapper/cowboy-git/src/cowboy_ssl_transport.erl"},
                           {line,70}]},
                      {cowboy_acceptors_sup,init,1,
                          [{file,
                               "cowboy-wrapper/cowboy-git/src/cowboy_acceptors_sup.erl"},
                           {line,36}]},
                      {supervisor,init,1,[{file,"supervisor.erl"},{line,243}]},
                      {gen_server,init_it,6,
                          [{file,"gen_server.erl"},{line,306}]},
                      {proc_lib,init_p_do_apply,3,
                          [{file,"proc_lib.erl"},{line,237}]}]}
      in function  gen_server:init_it/6 (gen_server.erl, line 330)
    ancestors: [<0.597.0>,cowboy_sup,<0.53.0>]
    messages: []
    links: [<0.597.0>]
    dictionary: []
    trap_exit: true
    status: running
    heap_size: 987
    stack_size: 27
    reductions: 227
  neighbours:

Michael Klishin

Dec 16, 2015, 6:09:08 AM
to rabbitm...@googlegroups.com, Giovanni Foiani
On 16 December 2015 at 14:05:53, Giovanni Foiani (giovann...@gmail.com) wrote:
> When I start the node I get the following error in SASL log

Another reason to try 3.6.0: investigating what exactly is the issue (can be an unsupported option
or a typo) would require digging in an ancient Cowboy version. 

Giovanni Foiani

Dec 16, 2015, 6:10:55 AM
to rabbitmq-users, giovann...@gmail.com
OK I'll try 3.6.0.

Thanks Michael

Loïc Hoguin

Dec 16, 2015, 6:12:45 AM
to rabbitm...@googlegroups.com, giovann...@gmail.com
3.6.0 will tell you what option is invalid (in the logs), and that
option will be simply ignored.

On 12/16/2015 12:10 PM, Giovanni Foiani wrote:
> OK I'll try 3.6.0.
>
> Thanks Michael

--
Loïc Hoguin
http://ninenines.eu
Author of The Erlanger Playbook,
A book about software development using Erlang

Giovanni Foiani

Dec 16, 2015, 8:17:51 AM
to rabbitmq-users
With RabbitMQ 3.6.0 the Web STOMP TLS/SSL connection works fine!

My WebSocket endpoint is https://localhost:15671/stomp
but what I see is that, in the connection page of the Management plugin, the Web STOMP entry has the TLS/SSL bullet not active. Is it ok? (see the attachment)

Thanks

Giovanni
Web STOMP SSL connections.png

Michael Klishin

Dec 16, 2015, 1:23:12 PM
to rabbitm...@googlegroups.com, Loïc Hoguin
Sounds like the new version does not register its listener.

Loïc, can you please check?

Loïc Hoguin

Dec 17, 2015, 5:36:54 AM
to rabbitm...@googlegroups.com
Hello,

I don't think the SSL/TLS indicator has ever worked for Web STOMP
connections. There's a hardcoded {ssl, false}.

Will have a PR ready in a few minutes.

Cheers,

Loïc Hoguin

Dec 17, 2015, 5:58:15 AM
to rabbitm...@googlegroups.com
The PR is open if you want to try it:
https://github.com/rabbitmq/rabbitmq-web-stomp/pull/33

Enjoy!