rabbitmq_management ssl access issue with chrome/firefox


Hugo

Feb 9, 2017, 1:25:38 PM
to rabbitmq-users
Hello,

I am trying to set up SSL access to the management interface of RabbitMQ 3.6.6-1 on Debian jessie.
Here is my configuration:


  {rabbitmq_management, [
    {listener, [
      {port, 8080},
      {ssl, true},
      {ssl_opts, [
        {verify, verify_none},
        {cacertfile, "/etc/rabbitmq/ssl/ra-ap-vialink-app.pem"},
        {certfile,   "/etc/rabbitmq/ssl/ra-ap-vialink-app.crt"},
        {keyfile,    "/etc/rabbitmq/ssl/ra-ap-vialink-app.key"}
      ]}
    ]}
  ]}


The funny thing is that HTTPS access works on Internet Explorer 11 but not on Firefox and Chrome.
This is not an issue with TLS or SSLv3.

I think this is related to a mismatch on the cipher list, but I'm not 100% sure.

On my system here is the cipher list :


# rabbitmqctl eval 'ssl:cipher_suites(openssl).'
["ECDHE-ECDSA-AES256-SHA384","ECDHE-RSA-AES256-SHA384",
 "ECDH-ECDSA-AES256-SHA384","ECDH-RSA-AES256-SHA384","DHE-RSA-AES256-SHA256",
 "DHE-DSS-AES256-SHA256","AES256-SHA256","ECDHE-ECDSA-AES128-SHA256",
 "ECDHE-RSA-AES128-SHA256","ECDH-ECDSA-AES128-SHA256",
 "ECDH-RSA-AES128-SHA256","DHE-RSA-AES128-SHA256","DHE-DSS-AES128-SHA256",
 "AES128-SHA256","ECDHE-ECDSA-AES256-SHA","ECDHE-RSA-AES256-SHA",
 "DHE-RSA-AES256-SHA","DHE-DSS-AES256-SHA","ECDH-ECDSA-AES256-SHA",
 "ECDH-RSA-AES256-SHA","AES256-SHA","ECDHE-ECDSA-DES-CBC3-SHA",
 "ECDHE-RSA-DES-CBC3-SHA","EDH-RSA-DES-CBC3-SHA","EDH-DSS-DES-CBC3-SHA",
 "ECDH-ECDSA-DES-CBC3-SHA","ECDH-RSA-DES-CBC3-SHA","DES-CBC3-SHA",
 "ECDHE-ECDSA-AES128-SHA","ECDHE-RSA-AES128-SHA","DHE-RSA-AES128-SHA",
 "DHE-DSS-AES128-SHA","ECDH-ECDSA-AES128-SHA","ECDH-RSA-AES128-SHA",
 "AES128-SHA","ECDHE-ECDSA-RC4-SHA","ECDHE-RSA-RC4-SHA","RC4-SHA","RC4-MD5",
 "EDH-RSA-DES-CBC-SHA","ECDH-ECDSA-RC4-SHA","ECDH-RSA-RC4-SHA","DES-CBC-SHA"]


Seems that there is no match with my Chrome browser Version 56.0.2924.87

Am I the only one having this issue ?

Regards,
 

Michael Klishin

Feb 9, 2017, 1:59:15 PM
to rabbitm...@googlegroups.com
What's in server logs?
What Erlang version is used?
--
You received this message because you are subscribed to the Google Groups "rabbitmq-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email to rabbitmq-user...@googlegroups.com.
To post to this group, send email to rabbitm...@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

Hugo

Feb 9, 2017, 2:15:26 PM
to rabbitmq-users
I'm running Erlang 17.3
For the server logs :

=SUPERVISOR REPORT==== 9-Feb-2017::20:14:28 ===
     Supervisor: {local,tls_connection_sup}
     Context:    child_terminated
     Reason:     {function_clause,
                     [{ssl_cipher,hash_algorithm,"\b",
                          [{file,"ssl_cipher.erl"},{line,1196}]},
                      {ssl_handshake,'-dec_hello_extensions/2-lc$^0/1-1-',1,
                          [{file,"ssl_handshake.erl"},{line,1706}]},
                      {ssl_handshake,'-dec_hello_extensions/2-lc$^0/1-1-',1,
                          [{file,"ssl_handshake.erl"},{line,1707}]},
                      {ssl_handshake,dec_hello_extensions,2,
                          [{file,"ssl_handshake.erl"},{line,1706}]},
                      {tls_handshake,decode_handshake,3,
                          [{file,"tls_handshake.erl"},{line,184}]},
                      {tls_handshake,get_tls_handshake_aux,3,
                          [{file,"tls_handshake.erl"},{line,155}]},
                      {tls_connection,next_state,4,
                          [{file,"tls_connection.erl"},{line,433}]},
                      {gen_fsm,handle_msg,7,
                          [{file,"gen_fsm.erl"},{line,503}]}]}
     Offender:   [{pid,<0.6484.0>},
                  {name,undefined},
                  {mfargs,{tls_connection,start_link,undefined}},
                  {restart_type,temporary},
                  {shutdown,4000},
                  {child_type,worker}]


==> rabbit@rarabbitmq1.log <==

=ERROR REPORT==== 9-Feb-2017::20:14:28 ===
    application: mochiweb
    "Accept failed error"
"{'EXIT',\n    {{function_clause,\n         [{ssl_cipher,hash_algorithm,\"\\b\",\n              [{file,\"ssl_cipher.erl\"},{line,1196}]},\n          {ssl_handshake,'-dec_hello_extensions/2-lc$^0/1-1-',1,\n              [{file,\"ssl_handshake.erl\"},{line,1706}]},\n          {ssl_handshake,'-dec_hello_extensions/2-lc$^0/1-1-',1,\n              [{file,\"ssl_handshake.erl\"},{line,1707}]},\n          {ssl_handshake,dec_hello_extensions,2,\n              [{file,\"ssl_handshake.erl\"},{line,1706}]},\n          {tls_handshake,decode_handshake,3,\n              [{file,\"tls_handshake.erl\"},{line,184}]},\n          {tls_handshake,get_tls_handshake_aux,3,\n              [{file,\"tls_handshake.erl\"},{line,155}]},\n          {tls_connection,next_state,4,\n              [{file,\"tls_connection.erl\"},{line,433}]},\n          {gen_fsm,handle_msg,7,[{file,\"gen_fsm.erl\"},{line,503}]}]},\n     {gen_fsm,sync_send_all_state_event,[<0.6484.0>,{start,20000},infinity]}}}"

==> rabbit@rarabbitmq1-sasl.log <==

=CRASH REPORT==== 9-Feb-2017::20:14:28 ===
  crasher:
    initial call: mochiweb_acceptor:init/4
    pid: <0.6464.0>
    registered_name: []
    exception exit: {error,accept_failed}
      in function  mochiweb_acceptor:init/4 (src/mochiweb_acceptor.erl, line 73)
    ancestors: [rabbit_web_dispatch_sup_8080,rabbit_web_dispatch_sup,
                  <0.433.0>]
    messages: []
    links: [<0.440.0>]
    dictionary: []
    trap_exit: false
    status: running
    heap_size: 4185
    stack_size: 27
    reductions: 5524
  neighbours:

I can provide a link with full stack trace. But this one doesn't talk to me.

Jared Kauppila

Feb 9, 2017, 2:16:29 PM
to rabbitmq-users
We recently had this issue, but resolved it by upgrading Erlang 17.4 to 19.2.
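
In the stack trace posted above, `"\b"` is Erlang's printing of the argument list `[8]`: `ssl_cipher:hash_algorithm` was called with hash byte 8 from inside `dec_hello_extensions` and no clause matched. The Python sketch below is an added example, not part of the thread and not Erlang/OTP code; it shows that failure mode on a constructed `signature_algorithms` extension, where a closed lookup table fails on the TLS 1.3 code point 0x0804 and a tolerant decoder skips it. That the browser's ClientHello carried this code point is an assumption, and the function names and sample bytes are illustrative.

```python
import struct

# TLS 1.2 HashAlgorithm / SignatureAlgorithm values (RFC 5246, 7.4.1.4.1).
HASHES = {0: "none", 1: "md5", 2: "sha", 3: "sha224",
          4: "sha256", 5: "sha384", 6: "sha512"}
SIGS = {0: "anonymous", 1: "rsa", 2: "dsa", 3: "ecdsa"}


def pairs(ext_data: bytes):
    """Yield (hash_byte, sig_byte) from a signature_algorithms extension body."""
    if len(ext_data) < 2:
        raise ValueError("truncated extension")
    (length,) = struct.unpack("!H", ext_data[:2])
    body = ext_data[2:]
    if length != len(body) or length % 2:
        raise ValueError("bad signature_algorithms length")
    for i in range(0, length, 2):
        yield body[i], body[i + 1]


def decode_strict(ext_data: bytes):
    """Closed lookup: an unlisted hash byte raises and aborts the handshake."""
    return [(HASHES[h], SIGS[s]) for h, s in pairs(ext_data)]


def decode_tolerant(ext_data: bytes):
    """Skip code points this side does not know; keep the ones it can use."""
    return [(HASHES[h], SIGS[s]) for h, s in pairs(ext_data)
            if h in HASHES and s in SIGS]


# Constructed sample: ecdsa+sha256 (0x0403), rsa_pss_rsae_sha256 (0x0804,
# RFC 8446), rsa+sha256 (0x0401), rsa+sha1 (0x0201).
SAMPLE = bytes.fromhex("0008" "0403" "0804" "0401" "0201")


def demo():
    """Return (strict result or failure description, tolerant result)."""
    try:
        strict = decode_strict(SAMPLE)
    except KeyError as exc:
        strict = f"crash on hash byte {exc.args[0]}"
    return strict, decode_tolerant(SAMPLE)


if __name__ == "__main__":
    print(demo())
```

The tolerant decoder still leaves three usable pairs, so the handshake can proceed with an algorithm both sides support.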

Hugo

Feb 9, 2017, 2:33:53 PM
to rabbitmq-users
Thank you, by using the jessie backports for Erlang package I am running 19.2.

This solves my issue, but the side effect is that I can't log in anymore with my LDAP setup.
Are you aware of any change on this?
In my logs I only have:


=INFO REPORT==== 9-Feb-2017::20:33:15 ===
    LDAP connect error: {error,"connect failed"}

=INFO REPORT==== 9-Feb-2017::20:33:15 ===
LDAP DECISION: login for htest: {error,"connect failed"}

=WARNING REPORT==== 9-Feb-2017::20:33:15 ===
HTTP access denied: rabbit_auth_backend_ldap failed authenticating htest: "connect failed"

Michael Klishin

Feb 9, 2017, 2:41:19 PM
to rabbitm...@googlegroups.com
Does your LDAP setup use TLS?

Hugo Deprez

Feb 9, 2017, 2:43:18 PM
to rabbitm...@googlegroups.com
Yes it does. Looking for a full SSL setup ;)


Michael Klishin

Feb 9, 2017, 2:58:35 PM
to rabbitm...@googlegroups.com
Well, you can try inspecting LDAP server logs or try Erlang 19.1 or 18.2.
There are known issues in 18.3 and at least 19.2.1 but it's really difficult to
tell if this may be one of those without a traffic capture (and private keys, otherwise
the capture is useless).


--
MK

Staff Software Engineer, Pivotal/RabbitMQ

Hugo Deprez

Feb 9, 2017, 3:50:54 PM
to rabbitm...@googlegroups.com
Well, I'm pretty sure, since this hasn't worked since I upgraded.
Sadly, on Debian I don't have 19.1 or 18.2 as packages,
but there is 19.1.5; should that be working?

Thanks !






Hugo

Feb 10, 2017, 5:18:41 AM
to rabbitmq-users
Hello,

To save time if you have the same issue:
1:18.3-1 from the erlang-solutions repo is working.

Version 1:19.0-1 is not working (same bug with LDAP SSL).

If needed, here is the configuration I used to pin the packages:

Package: /erlang/
Pin: version 1:18.3-1
Pin-Priority: 999



Michael Klishin

Feb 10, 2017, 9:22:27 AM
to rabbitm...@googlegroups.com
Thank you for reporting back, Hugo!

