Using TLS but no client certificate is provided warning message, why?


Grant Schoep

Jan 31, 2019, 7:44:04 PM1/31/19
to Ruby RabbitMQ libraries
Using bunny 2.13.0 on Ruby 2.5.1

So I am connecting to a RabbitMQ server via amqps whose certificate is in my OS-level CA certs, i.e. ruby/curl and everyone else connect to it over https:// just fine.

So does RabbitMQ; however, it always gives this warning:
```
Using TLS but no client certificate is provided! If RabbitMQ is configured to verify peer
certificate, connection upgrade will fail!
```
I don't need to add a cacertfile, as it is already there at the OS level.

However, it seems it wants me to give it a cert file and/or keyfile, to appease the warning.
Do I just give it a dummy cacertfile file? This seems odd.

Grant Schoep

Jan 31, 2019, 7:47:18 PM1/31/19
to Ruby RabbitMQ libraries
Sorry, I meant to say "So does bunny", meaning bunny connects just fine. I have verify_peer at its default, true.
Just wondering why this warning message appears.


Grant Schoep

Feb 4, 2019, 4:28:10 PM2/4/19
to Ruby RabbitMQ libraries
So maybe I am misunderstanding; reading more of the documentation at
http://rubybunny.info/articles/tls.html
it sounds like I am supposed to have
"Client certificate and private (optional if peer verification is disabled)"
Our RabbitMQ servers do not actually have TLS enabled, but on the AWS ELB servers we do have TLS termination, so I need to talk to RabbitMQ with amqps, but I don't have a client cert/key....

Michael Klishin

Feb 4, 2019, 4:37:20 PM2/4/19
to ruby...@googlegroups.com
When it comes to RabbitMQ (and many other data services), TLS clients generally are expected to provide a certificate/key pair.

The warning is preventive in nature. If RabbitMQ (or the TLS terminating load balancer) was configured to perform peer verification
or reject connections from clients without certificates, your client won't be able to connect without a pair [1][2].

It is rarely the intent of the user to use TLS without a client pair. If you are sure as to what you are doing, you can ignore the warning.


--
Bunny: http://rubybunny.info
March Hare: http://rubymarchhare.info
 
IRC: #rabbitmq on irc.freenode.net


--
MK

Staff Software Engineer, Pivotal/RabbitMQ

Grant Schoep

Feb 5, 2019, 10:48:41 AM2/5/19
to Ruby RabbitMQ libraries
Thanks for the info. I'll pass this on to our folks who are running the RabbitMQ servers; they say there should be no need to do peer verification.

The warning gets really noisy, in one app, as it has bunches of threads creating queues.

Question: when I do set `verify_peer: true`, why does it still connect? Is that because the server (the TLS-terminating load balancer in this case) is not configured to do peer verification?

Thanks again.

Michael Klishin

Feb 5, 2019, 11:09:31 AM2/5/19
to ruby...@googlegroups.com
When you tell the client to perform peer verification and the server/load balancer has a certificate chain to present,
the client should be able to do so.

If you ask *the server* (or load balancer) to perform peer verification on a client that sent no certificate chain, the behavior
is tool-specific. I would expect an error of some kind. RabbitMQ (well, the Erlang TLS implementation) specifically allows you to either accept or reject
clients without a certificate chain via a separate option.

I don't know what to suggest beyond "use a different log level" or "provide your own logger that would filter out some warnings".

I will not be removing this warning as for the vast majority of users it is a nudge in the right direction.
Should the general developer public's familiarity with TLS drastically increase in the near future, I'd be happy to remove it
but I'm not holding my breath.

Grant Schoep

Feb 12, 2019, 7:30:23 PM2/12/19
to Ruby RabbitMQ libraries
So I just thought I would share how I proceeded. For now, we aren't going to enable peer verification, but we are leaving amqps enabled. Not as worried about man-in-the-middle as this is all within an AWS VPN.
There are future plans to enable it, however.

But for now, I already had a logger class, and made a quick monkey patch to ignore this warning.
Thanks for your help. I didn't understand what peer verification was originally.

Michael Klishin

Feb 14, 2019, 9:39:17 AM2/14/19
to ruby...@googlegroups.com
Thanks for reporting back to the list. I'm not dogmatic about peer verification as long as you understand
the risks. Glad Bunny and RabbitMQ docs helped you understand TLS a bit better.


Dimitri Pekarovsky

Apr 21, 2019, 7:06:09 AM4/21/19
to Ruby RabbitMQ libraries
Hi. Is there any method except monkey-patching to avoid this warning? This is very annoying in logs when debugging.

//DP


Michael Klishin

Apr 23, 2019, 9:24:26 AM4/23/19
to ruby...@googlegroups.com
I don't have much to add to this thread. The warning is by design. You can provide your own logger (which involves no monkey patching).

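The "provide your own logger" route suggested above, as an added example that is not Bunny's or the thread's own code: a stdlib `Logger` subclass that drops only the no-client-certificate warning (every other WARN, including TLS failures, still gets written) and is handed to Bunny through its `logger:` option with `verify_peer` left on. The host name in the comment and the log lines fed to the logger are constructed for the example.

```ruby
require "logger"
require "stringio"

# Logger that silences exactly one Bunny warning. Everything else,
# including other WARN-level messages such as TLS handshake errors,
# still reaches the underlying IO. Intended use:
#   Bunny.new("amqps://rmq.example.internal", verify_peer: true,
#             logger: QuietTlsLogger.new($stdout))
# so the warning is acknowledged rather than peer verification dropped.
class QuietTlsLogger < Logger
  NO_CLIENT_CERT = /Using TLS but no client certificate is provided/

  def add(severity, message = nil, progname = nil)
    # Mirror Logger#add's argument handling so that both
    # logger.warn("...") and logger.warn { "..." } are filtered.
    if message.nil?
      if block_given?
        message = yield
      else
        message, progname = progname, nil
      end
    end
    return true if severity == Logger::WARN && message.to_s.match?(NO_CLIENT_CERT)
    super(severity, message, progname)
  end
end

# Drive the logger with a constructed sample of what a Bunny session might
# emit and return the lines that survived filtering (one line per entry).
def filtered_log_lines
  io = StringIO.new
  log = QuietTlsLogger.new(io)
  log.warn("Using TLS but no client certificate is provided! If RabbitMQ " \
           "is configured to verify peer certificate, connection upgrade will fail!")
  log.warn { "Using TLS but no client certificate is provided! (block form)" }
  log.warn("TLS handshake failed: certificate verify failed")  # constructed; must survive
  log.info("Connected to rmq.example.internal:5671")           # constructed; must survive
  io.string.lines.map(&:chomp)
end
```

The filter matches the warning text, not the severity alone, so a later change in what Bunny logs at WARN level is not silently hidden.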