Rabbitmq Node throws TLS Server Alert


Sweatha Ashok

Jan 19, 2022, 9:28:42 PM
to rabbitmq-users
Hi,
I am using the below versions of Rabbit and Erlang and have disabled peer verification. I am connecting my peer nodes over TLS and am seeing the below alerts in my Rabbit log file, which are piling up.

Rabbit Version : 3.9.6
Erlang: 23.3.4.7
ssl_port:                   5671
ssl_verify:                 verify_none
ssl_fail_if_no_peer_cert:   false


>  - {unsupported_record_type,65}
2022-01-20 02:02:33.730882+00:00 [notice] <0.37.4> TLS server: In state hello at tls_record.erl:558 generated SERVER ALERT: Fatal - Unexpected Message

Checked the rabbitmq listeners, status and the cluster status; everything looks good.
Am I missing something here?

Thanks,
Sweatha

Wes Peng

Jan 19, 2022, 9:52:57 PM
to rabbitm...@googlegroups.com
Since this is a "notice" message, neither "warn" nor "error", I think
you can ignore it.

regards.

Arnaud Cogoluègnes

Jan 20, 2022, 2:57:26 AM
to rabbitmq-users
We need more information:
  - server logs
  - broker and Erlang versions
  - broker configuration
  - client library versions and possibly error message and code snippet

It's also not clear whether the notice message is about the cluster nodes' TLS communication or about the client connection. Are you using inter-node TLS [1], that is, are the broker nodes clustered using TLS? This is different from client-to-broker TLS. If so, please also provide the inter-node TLS setup information.


Sweatha Ashok

Jan 20, 2022, 10:07:22 AM
to rabbitmq-users
Hi,

As mentioned above, these are the details. As of now this is a single node.
Rabbit Version : 3.9.6
Erlang: 23.3.4.7
ssl_port:                   5671
ssl_verify:                 verify_none
ssl_fail_if_no_peer_cert:   false

Client nodes connect to Rabbit on port 5671. From the client end, nodes are getting connected to Rabbit and I could see the connections in the Rabbit console as well.

The Rabbit logs are as below; these alerts are being repeated.
2022-01-20 15:00:49.795972+00:00 [notice] <0.12258.20>  - {unsupported_record_type,65}
2022-01-20 15:00:49.918188+00:00 [notice] <0.12264.20> TLS server: In state hello at tls_record.erl:558 generated SERVER ALERT: Fatal - Unexpected Message
2022-01-20 15:00:49.918188+00:00 [notice] <0.12264.20>  - {unsupported_record_type,65}
2022-01-20 15:00:50.019743+00:00 [notice] <0.12270.20> TLS server: In state hello at tls_record.erl:558 generated SERVER ALERT: Fatal - Unexpected Message
2022-01-20 15:00:50.019743+00:00 [notice] <0.12270.20>  - {unsupported_record_type,65}
2022-01-20 15:00:50.395516+00:00 [notice] <0.12276.20> TLS server: In state hello at tls_record.erl:558 generated SERVER ALERT: Fatal - Unexpected Message

Sweatha Ashok

Jan 20, 2022, 10:33:41 AM
to rabbitmq-users
Just to add on top of this, though most of my clients are connecting on 5671, there are a couple which connect on 5672 - is this notice due to the clients connecting on 5672?

Adam Cammack

Jan 20, 2022, 10:49:16 AM
to rabbitm...@googlegroups.com

Hi Sweatha, this is likely due to clients attempting to connect to the TLS-enabled server without using TLS. The "65" in the logs is the ASCII letter "A", which is the first byte of an unencrypted AMQP connection. Port 5671 is normally not used for encrypted AMQP connections, so you will probably need to take extra steps to configure your clients to use TLS on that port, or you may want to use port 5672, which is the usual TLS port for AMQP. If your clients are all connecting with TLS successfully and the server is accessible over the internet, this can also be caused by people scanning the internet for AMQP servers and not using TLS. In this case the error can be safely ignored.

 

Hope this helps,

Adam

Sweatha Ashok

Jan 20, 2022, 10:58:21 AM
to rabbitmq-users

Hi Adam,

Thank you. Just a clarification: you had mentioned "Port 5671 is normally not used for encrypted AMQP connections"; this should be "5671 is not for unencrypted AMQP connections".

Thanks,
Sweatha

Adam Cammack

Jan 20, 2022, 11:08:15 AM
to rabbitm...@googlegroups.com

Yes, my mistake. 5671 is indeed the standard AMQP+TLS port. Unless you have listeners.ssl set to use 5672, I would not expect clients using that port to cause this error. To be certain, you could run a packet capture for connections inbound to the server on 5671 and 5672 to see which client connections are sending a plain request to a TLS port.

 

Thanks for the correction,

Adam
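
The check discussed in the two replies above (the "65" in the notice being the letter "A" of a plaintext AMQP header, and inspecting what clients send first on each port), as an added example that is not part of the original thread. The function names and the sample payloads are constructed for illustration; the log lines are copied from the thread.

```python
import re
from collections import Counter

# First byte of every TLS record is its content type (TLS record layer).
TLS_CONTENT_TYPES = {20: "change_cipher_spec", 21: "alert",
                     22: "handshake", 23: "application_data"}
# Protocol header a plaintext AMQP 0-9-1 client sends before anything else.
AMQP_0_9_1_HEADER = b"AMQP\x00\x00\x09\x01"
NOTICE_RE = re.compile(r"\{unsupported_record_type,(\d+)\}")

# Log lines copied from the thread above.
SAMPLE_LOG = [
    "2022-01-20 15:00:49.795972+00:00 [notice] <0.12258.20>  - {unsupported_record_type,65}",
    "2022-01-20 15:00:49.918188+00:00 [notice] <0.12264.20> TLS server: In state hello at "
    "tls_record.erl:558 generated SERVER ALERT: Fatal - Unexpected Message",
    "2022-01-20 15:00:49.918188+00:00 [notice] <0.12264.20>  - {unsupported_record_type,65}",
]

def classify_first_bytes(payload: bytes) -> str:
    """Classify the first client payload of a connection (e.g. from a capture)."""
    if payload.startswith(AMQP_0_9_1_HEADER):
        return "plaintext-amqp-0-9-1"
    if payload.startswith(b"AMQP"):
        return "plaintext-amqp-other"
    # TLS record header: content type (1 byte), then version major byte 0x03.
    if len(payload) >= 2 and payload[0] in TLS_CONTENT_TYPES and payload[1] == 3:
        return "tls-" + TLS_CONTENT_TYPES[payload[0]]
    return "unknown"

def rejected_record_types(log_lines):
    """Count the byte values reported in unsupported_record_type notices."""
    return Counter(int(m.group(1)) for line in log_lines
                   if (m := NOTICE_RE.search(line)))

def explain(byte_value: int) -> str:
    """Relate a rejected first byte to the plaintext AMQP header, if it matches."""
    if byte_value == AMQP_0_9_1_HEADER[0]:
        return f"{byte_value} = {chr(byte_value)!r}: matches the first byte of a plaintext AMQP header"
    return f"{byte_value}: not a TLS content type, origin unknown"

if __name__ == "__main__":
    for value, count in rejected_record_types(SAMPLE_LOG).items():
        print(count, "x", explain(value))
    # Constructed payloads: a plaintext AMQP header and a TLS ClientHello prefix.
    for payload in (AMQP_0_9_1_HEADER, b"\x16\x03\x01\x00\xc8\x01"):
        print(payload[:8], "->", classify_first_bytes(payload))
```

Feeding `classify_first_bytes` the first payload bytes of each inbound connection from a capture on 5671 shows which source addresses are speaking plaintext AMQP to the TLS listener.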

 
