RabbitMQ:尝试使用SSL证书时发生握手错误
我正在尝试将SSL证书用于RabbitMQ,但我不断收到代理的握手错误 在单独的终端窗口中使用openssl的“s_client”和“s_server”命令并使用端口8443时,我生成的证书可以正常工作,如SSL疑难解答指南()中所述 当我尝试使用相同的openssl的_client命令连接到RabbitMQ SSL端口5671时,出现问题: 运行此:RabbitMQ:尝试使用SSL证书时发生握手错误,ssl,rabbitmq,Ssl,Rabbitmq,我正在尝试将SSL证书用于RabbitMQ,但我不断收到代理的握手错误 在单独的终端窗口中使用openssl的“s_client”和“s_server”命令并使用端口8443时,我生成的证书可以正常工作,如SSL疑难解答指南()中所述 当我尝试使用相同的openssl的_client命令连接到RabbitMQ SSL端口5671时,出现问题: 运行此: openssl s_client -connect localhost:5671 -cert /etc/rabbitmq/ssl/client/
openssl s_client -connect localhost:5671 -cert /etc/rabbitmq/ssl/client/cert.pem -key /etc/rabbitmq/ssl/client/key.pem -CAfile /etc/rabbitmq/ssl/certificate_auth/cacert.pem
产生以下结果:
CONNECTED(00000003)
depth=1 CN = RMQCA
verify return:1
depth=0 CN = roger.xxxxxx.com, O = server
verify return:1
139997248210760:error:14094410:SSL routines:SSL3_READ_BYTES:sslv3 alert handshake failure:s3_pkt.c:1256:SSL alert number 40
139997248210760:error:140790E5:SSL routines:SSL23_WRITE:ssl handshake failure:s23_lib.c:177:
---
SSL侦听器启动正常,如RabbitMQ日志中所示:
=INFO REPORT==== 19-May-2014::15:45:34 ===
started TCP Listener on [::]:5672
=INFO REPORT==== 19-May-2014::15:45:34 ===
started SSL Listener on [::]:5671
=ERROR REPORT==== 21-Jun-2016::13:28:21 ===
SSL: certify: ssl_handshake.erl:1492:Fatal error: handshake failure
尝试使用“s_client”连接到端口5671时,出现错误:
=INFO REPORT==== 19-May-2014::17:20:39 ===
accepting AMQP connection <0.3263.0> ([::1]:58538 -> [::1]:5671)
=ERROR REPORT==== 19-May-2014::17:20:39 ===
SSL: certify: ssl_handshake.erl:1346:Fatal error: handshake failure
=ERROR REPORT==== 19-May-2014::17:20:44 ===
error on AMQP connection <0.3263.0>: {ssl_upgrade_error,
{tls_alert,"handshake failure"}} (unknown POSIX error)
RabbitMQ信息:
[{pid,10375},
{running_applications,
[{rabbitmq_management,"RabbitMQ Management Console","3.2.3"},
{rabbitmq_web_dispatch,"RabbitMQ Web Dispatcher","3.2.3"},
{webmachine,"webmachine","1.10.3-rmq3.2.3-gite9359c7"},
{mochiweb,"MochiMedia Web Server","2.7.0-rmq3.2.3-git680dba8"},
{rabbitmq_management_agent,"RabbitMQ Management Agent","3.2.3"},
{rabbit,"RabbitMQ","3.2.3"},
{ssl,"Erlang/OTP SSL application","5.3.3"},
{public_key,"Public key infrastructure","0.21"},
{crypto,"CRYPTO version 2","3.2"},
{asn1,"The Erlang ASN1 compiler version 2.0.4","2.0.4"},
{os_mon,"CPO CXC 138 46","2.2.14"},
{inets,"INETS CXC 138 49","5.9.8"},
{mnesia,"MNESIA CXC 138 12","4.11"},
{amqp_client,"RabbitMQ AMQP Client","3.2.3"},
{xmerl,"XML parser","1.3.6"},
{sasl,"SASL CXC 138 11","2.3.4"},
{stdlib,"ERTS CXC 138 10","1.19.4"},
{kernel,"ERTS CXC 138 10","2.16.4"}]},
{os,{unix,linux}},
{erlang_version,
"Erlang R16B03-1 (erts-5.10.4) [source] [64-bit] [smp:2:2] [async-threads:30] [hipe] [kernel-poll:true]\n"},
{memory,
[{total,43812088},
{connection_procs,5616},
{queue_procs,42528},
{plugins,451248},
{other_proc,13805200},
{mnesia,72752},
{mgmt_db,10208},
{msg_index,34560},
{other_ets,1159472},
{binary,1030272},
{code,21819091},
{atom,793505},
{other_system,4587636}]},
{vm_memory_high_watermark,0.4},
{vm_memory_limit,787819724},
{disk_free_limit,50000000},
{disk_free,31267266560},
{file_descriptors,
[{total_limit,924},{total_used,4},{sockets_limit,829},{sockets_used,2}]},
{processes,[{limit,1048576},{used,215}]},
{run_queue,0},
{uptime,7893}]
...done.
任何帮助都将不胜感激
提前谢谢
更新:
我在尝试连接rabbitmqadmin实用程序时遇到以下错误
日志文件:
=INFO REPORT==== 20-May-2014::14:39:12 ===
accepting AMQP connection <0.16589.0> ([::1]:58922 -> [::1]:5671)
=ERROR REPORT==== 20-May-2014::14:39:12 ===
SSL: certify: ssl_handshake.erl:1346:Fatal error: handshake failure
=ERROR REPORT==== 20-May-2014::14:39:17 ===
error on AMQP connection <0.16589.0>: {ssl_upgrade_error,
{tls_alert,"handshake failure"}} (unknown POSIX error)
我用自己的方法解决了类似的问题(使用RabbitMQ 2.7.1/Erlang R14B04)。以下是我的发现: RabbitMQ和至少建议启用插件。如果
rabbitmq plugins
在您的系统上是无效的命令,请描述如何在Ubuntu上启用它。(显然,apt get包在基于Debian的系统上没有预期的行为。)您的输出(我猜是从rabbitmqctl report
)表明您没有启用rabbitmq\u auth\u机制\u ssl
对于rabbitmq.config,您需要确保“EXTERNAL”被列为auth_机制之一。该行的语法是{auth_mechanism,['PLAIN',AMQPLAIN',EXTERNAL']}
,并在配置的默认“rabbit”部分作为一项显示
您还应该确保客户端提供的证书为keyusause
和extendedkeyusause
设置了适当的值,因为RabbitMQ对这两个方面的要求比s_服务器更严格。出于调试/测试的目的,您可能希望对这些内容非常宽容。您可以在中设置密钥用法。广泛接受的openssl配置可能有如下行
keyUsage=数字签名、不可否认性、密钥加密、数据加密、密钥协议、密钥证书签名、cRLSign
extendedKeyUsage=1.3.6.1.5.5.7.3.1、1.3.6.1.5.5.7.3.2
(我认为.2 OID“TLS Web客户端身份验证”对于连接到RabbitMQ很重要,但我没有进行仔细的测试。)
这将生成证书,该块接近末尾:
X509v3密钥用法:
数字签名、不可否认性、密钥加密、数据加密、密钥协议、证书签名、CRL签名
X509v3扩展密钥用法:
TLS Web服务器身份验证、TLS Web客户端身份验证
s_客户端应该有更多的输出。特别是,我对最后一行很感兴趣,它应该类似于“验证返回代码:0(ok)”,如果您在那里有一条非零/错误消息,请将其发布并在搜索中转移。(#19出人意料地普遍,因为它是
当我说到这一点时,当我尝试创建一个简单的pika.BlockingConnection
时,握手显然完成得很好,但是Rabbit从配置中的auth\u机制
中指定的列表中删除了外部。我确认我启用了rabbitmq\u auth\u机制\u ssl,但这本身还不够。(我通过子类化pika.credentials.ExternalCredentials
发现了这一点,并将一个实例作为ConnectionParameters中的“凭据”项传递,在子类的response_for()
方法的顶部添加了print start
)我通过将以下行添加到配置文件的rabbit
部分,与ssl\u监听器
和ssl\u cert\u login\u在同一级别上,解决了这个问题:
{ssl\u应用程序,[asn1,加密,公钥,ssl]},
(我怀疑RabbitMQ的较新版本在默认情况下会启用该功能,但我的特定设置没有启用。)
如果您已经完成了所有这些,但仍然有问题,那么您也可以尝试在RabbitMQ配置中将“verify\u peer”替换为“verify\u none”。您可能不希望在生产中使用它,因为它向拥有自签名证书的任何人开放,但这是另一个数据点。另外,在pika和add-in print语句中对相关内容进行子分类,以便更深入地了解Rabbit发送给您的内容以及您当地的客户如何解释它。我遇到了与@user3653959相同的问题,@Sarah Messer的回答引导我找到了解决方案
您的客户端证书必须具有TLS Web客户端身份验证
“X509v3扩展密钥使用”属性。由于客户端生成脚本中的错误,我的服务器只进行了TLS Web服务器身份验证
要检查客户端证书的功能,可以使用this命令:
openssl x509 -noout -text -in client-certificate.pem
然后查找“X509v3扩展:”部分和“X509v3扩展密钥用法:”小节
如果使用官方提供的示例openssl.conf
以及客户机和服务器命令生成客户机证书,那么它应该是现成的
这里的关键是@Sarah Messer指出的openssl.conf
中的extendedKeyUsage=1.3.6.1.5.5.7.3.2
openssl配置选项。这是“TLS Web客户端身份验证”功能。OpenSSLs_服务器
不需要此功能,这就是为什么默认情况下它可以使用它,但不能使用RabbitMQkeyUsage=digitalSignature
作为主要使用选项就足够了。此外,客户端证书的“通用名称”(CN
)也不重要
仅供参考
我的环境:
- RabbitMQ 3.6.2
- Erlang 18.2
- Ubuntu 14.04.2 LTS(64位)
- 仅启用TLSv1.2
我在RabbitMQ日志中看到的错误:
=INFO REPORT==== 19-May-2014::15:45:34 ===
started TCP Listener on [::]:5672
=INFO REPORT==== 19-May-2014::15:45:34 ===
started SSL Listener on [::]:5671
=ERROR REPORT==== 21-Jun-2016::13:28:21 ===
SSL: certify: ssl_handshake.erl:1492:Fatal error: handshake failure
我通过openssl s_客户端看到的错误:
140735165813584:error:14094410:SSL routines:ssl3_read_bytes:sslv3 alert handshake failure:s3_pkt.c:1472:SSL alert number 40
140735165813584:error:1409E0E5:SSL routines:ssl3_write_bytes:ssl handshake failure:s3_pkt.c:656:
他
{ciphers, ["ECDHE-ECDSA-AES256-GCM-SHA384","ECDHE-RSA-AES256-GCM-SHA384",
"ECDHE-ECDSA-AES256-SHA384","ECDHE-RSA-AES256-SHA384", "ECDHE-ECDSA-DES-CBC3-SHA",
"ECDH-ECDSA-AES256-GCM-SHA384","ECDH-RSA-AES256-GCM-SHA384","ECDH-ECDSA-AES256-SHA384",
"ECDH-RSA-AES256-SHA384","DHE-DSS-AES256-GCM-SHA384","DHE-DSS-AES256-SHA256",
"AES256-GCM-SHA384","AES256-SHA256","ECDHE-ECDSA-AES128-GCM-SHA256",
"ECDHE-RSA-AES128-GCM-SHA256","ECDHE-ECDSA-AES128-SHA256","ECDHE-RSA-AES128-SHA256",
"ECDH-ECDSA-AES128-GCM-SHA256","ECDH-RSA-AES128-GCM-SHA256","ECDH-ECDSA-AES128-SHA256",
"ECDH-RSA-AES128-SHA256","DHE-DSS-AES128-GCM-SHA256","DHE-DSS-AES128-SHA256",
"AES128-GCM-SHA256","AES128-SHA256","ECDHE-ECDSA-AES256-SHA",
"ECDHE-RSA-AES256-SHA","DHE-DSS-AES256-SHA","ECDH-ECDSA-AES256-SHA",
"ECDH-RSA-AES256-SHA","AES256-SHA","ECDHE-ECDSA-AES128-SHA",
"ECDHE-RSA-AES128-SHA","DHE-DSS-AES128-SHA","ECDH-ECDSA-AES128-SHA",
"ECDH-RSA-AES128-SHA","AES128-SHA"]},
{fail_if_no_peer_cert,false}]}
]}
]