RabbitMQ: handshake error when trying to use SSL certificates


I'm trying to use SSL certificates with RabbitMQ, but I keep getting handshake errors from the broker.

The certificates I generated work fine when I use openssl's "s_client" and "s_server" commands in separate terminal windows on port 8443, as described in the SSL troubleshooting guide ().

The problem occurs when I try to connect to RabbitMQ's SSL port 5671 with the same openssl s_client command:

Running this:

openssl s_client -connect localhost:5671 -cert /etc/rabbitmq/ssl/client/cert.pem -key /etc/rabbitmq/ssl/client/key.pem -CAfile /etc/rabbitmq/ssl/certificate_auth/cacert.pem

produces the following:

CONNECTED(00000003)
depth=1 CN = RMQCA
verify return:1
depth=0 CN = roger.xxxxxx.com, O = server
verify return:1
139997248210760:error:14094410:SSL routines:SSL3_READ_BYTES:sslv3 alert handshake failure:s3_pkt.c:1256:SSL alert number 40
139997248210760:error:140790E5:SSL routines:SSL23_WRITE:ssl handshake  failure:s23_lib.c:177:
---
The SSL listener starts fine, as shown in the RabbitMQ log:

=INFO REPORT==== 19-May-2014::15:45:34 ===
 started TCP Listener on [::]:5672

=INFO REPORT==== 19-May-2014::15:45:34 ===
 started SSL Listener on [::]:5671
=ERROR REPORT==== 21-Jun-2016::13:28:21 ===
SSL: certify: ssl_handshake.erl:1492:Fatal error: handshake failure
When trying to connect to port 5671 with "s_client", I get the error:

=INFO REPORT==== 19-May-2014::17:20:39 ===
accepting AMQP connection <0.3263.0> ([::1]:58538 -> [::1]:5671)

=ERROR REPORT==== 19-May-2014::17:20:39 ===
SSL: certify: ssl_handshake.erl:1346:Fatal error: handshake failure

=ERROR REPORT==== 19-May-2014::17:20:44 ===
error on AMQP connection <0.3263.0>: {ssl_upgrade_error,
                                      {tls_alert,"handshake failure"}} (unknown POSIX error)
RabbitMQ info:

[{pid,10375},
 {running_applications,
     [{rabbitmq_management,"RabbitMQ Management Console","3.2.3"},
      {rabbitmq_web_dispatch,"RabbitMQ Web Dispatcher","3.2.3"},
      {webmachine,"webmachine","1.10.3-rmq3.2.3-gite9359c7"},
      {mochiweb,"MochiMedia Web Server","2.7.0-rmq3.2.3-git680dba8"},
      {rabbitmq_management_agent,"RabbitMQ Management Agent","3.2.3"},
      {rabbit,"RabbitMQ","3.2.3"},
      {ssl,"Erlang/OTP SSL application","5.3.3"},
      {public_key,"Public key infrastructure","0.21"},
      {crypto,"CRYPTO version 2","3.2"},
      {asn1,"The Erlang ASN1 compiler version 2.0.4","2.0.4"},
      {os_mon,"CPO  CXC 138 46","2.2.14"},
      {inets,"INETS  CXC 138 49","5.9.8"},
      {mnesia,"MNESIA  CXC 138 12","4.11"},
      {amqp_client,"RabbitMQ AMQP Client","3.2.3"},
      {xmerl,"XML parser","1.3.6"},
      {sasl,"SASL  CXC 138 11","2.3.4"},
      {stdlib,"ERTS  CXC 138 10","1.19.4"},
      {kernel,"ERTS  CXC 138 10","2.16.4"}]},
 {os,{unix,linux}},
 {erlang_version,
     "Erlang R16B03-1 (erts-5.10.4) [source] [64-bit] [smp:2:2] [async-threads:30] [hipe] [kernel-poll:true]\n"},
 {memory,
     [{total,43812088},
      {connection_procs,5616},
      {queue_procs,42528},
      {plugins,451248},
      {other_proc,13805200},
      {mnesia,72752},
      {mgmt_db,10208},
      {msg_index,34560},
      {other_ets,1159472},
      {binary,1030272},
      {code,21819091},
      {atom,793505},
      {other_system,4587636}]},
 {vm_memory_high_watermark,0.4},
 {vm_memory_limit,787819724},
 {disk_free_limit,50000000},
 {disk_free,31267266560},
 {file_descriptors,
     [{total_limit,924},{total_used,4},{sockets_limit,829},{sockets_used,2}]},
 {processes,[{limit,1048576},{used,215}]},
 {run_queue,0},
 {uptime,7893}]
...done.
Any help would be greatly appreciated.

Thanks in advance.

Update:

I get the following error when trying to connect with the rabbitmqadmin utility.

Log file:

=INFO REPORT==== 20-May-2014::14:39:12 ===
accepting AMQP connection <0.16589.0> ([::1]:58922 -> [::1]:5671)

=ERROR REPORT==== 20-May-2014::14:39:12 ===
SSL: certify: ssl_handshake.erl:1346:Fatal error: handshake failure

=ERROR REPORT==== 20-May-2014::14:39:17 ===
error on AMQP connection <0.16589.0>: {ssl_upgrade_error,
                                       {tls_alert,"handshake failure"}} (unknown POSIX error)

I solved a similar problem on my own (using RabbitMQ 2.7.1 / Erlang R14B04). Here's what I found:

RabbitMQ and at least recommend enabling the plugin. If rabbitmq-plugins is not a valid command on your system, describes how to enable it on Ubuntu. (Apparently the apt-get package doesn't behave as expected on Debian-based systems.) Your output (which I'm guessing is from rabbitmqctl report) indicates that you don't have rabbitmq_auth_mechanism_ssl enabled.

For rabbitmq.config, you need to make sure 'EXTERNAL' is listed as one of the auth_mechanisms. The syntax for that line is {auth_mechanisms,['PLAIN','AMQPLAIN','EXTERNAL']}, and it appears as one item in the default "rabbit" section of the config.

You should also make sure the certificate the client presents has appropriate values set for keyUsage and extendedKeyUsage, since RabbitMQ is stricter about both than s_server is. For debugging/testing you may want to be very permissive with these. You can set key usage in . A widely-permissive openssl config might have lines like:

keyUsage=digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment, keyAgreement, keyCertSign, cRLSign
extendedKeyUsage=1.3.6.1.5.5.7.3.1, 1.3.6.1.5.5.7.3.2

(I think the .2 OID, "TLS Web Client Authentication", is the important one for connecting to RabbitMQ, but I haven't tested that carefully.)

This generates certificates with this block near the end:

    X509v3 Key Usage:
        Digital Signature, Non Repudiation, Key Encipherment, Data Encipherment, Key Agreement, Certificate Sign, CRL Sign
    X509v3 Extended Key Usage:
        TLS Web Server Authentication, TLS Web Client Authentication

s_client should have more output. In particular, I'm interested in the last line, which should be something like "Verify return code: 0 (ok)". If you have a non-zero/error message there, post it and shift your search. (#19 is surprisingly common, since it's

When I got to that point, when I tried to create a simple pika.BlockingConnection, the handshake apparently completed fine, but Rabbit dropped EXTERNAL from the list specified under auth_mechanisms in the config. I confirmed that I had rabbitmq_auth_mechanism_ssl enabled, but that by itself wasn't enough. (I found this by subclassing pika.credentials.ExternalCredentials, passing an instance as the "credentials" item in ConnectionParameters, and adding a print statement at the top of the subclass's response_for() method.) I fixed it by adding the following line to the rabbit section of the config file, at the same level as ssl_listeners and ssl_cert_login_from:

{ssl_apps,[asn1,crypto,public_key,ssl]},

(I suspect newer versions of RabbitMQ enable this by default, but my particular setup didn't.)


If you've done all that and still have problems, you could also try replacing "verify_peer" with "verify_none" in the RabbitMQ config. You probably don't want that in production, since it opens you up to anyone with a self-signed certificate, but it's another data point. Also, subclass the relevant things in pika and add print statements to get more insight into what Rabbit is sending you and how your local client interprets it.

I had the same problem as @user3653959, and @Sarah Messer's answer led me to the solution.

Your client certificate must have the "TLS Web Client Authentication" "X509v3 Extended Key Usage" attribute. Due to a bug in my client generation script, mine only had TLS Web Server Authentication.

To check what your client certificate is capable of, you can use this command:

openssl x509 -noout -text -in client-certificate.pem

Then look for the "X509v3 extensions:" section and the "X509v3 Extended Key Usage:" subsection.

If you generate the client certificate with the officially provided example openssl.conf and the client and server commands, it should work out of the box.

The key here, as @Sarah Messer pointed out, is the extendedKeyUsage=1.3.6.1.5.5.7.3.2 option in openssl.conf. This is the "TLS Web Client Authentication" capability. OpenSSL's s_server doesn't require it, which is why the certificate works with s_server by default but not with RabbitMQ. keyUsage=digitalSignature as the only key usage option is sufficient. Also, the client certificate's "Common Name" (CN) doesn't matter.

FYI, my environment:

  • RabbitMQ 3.6.2
  • Erlang 18.2
  • Ubuntu 14.04.2 LTS (64-bit)
  • Only TLSv1.2 enabled

The error I see in the RabbitMQ log:

=INFO REPORT==== 19-May-2014::15:45:34 ===
 started TCP Listener on [::]:5672

=INFO REPORT==== 19-May-2014::15:45:34 ===
 started SSL Listener on [::]:5671
=ERROR REPORT==== 21-Jun-2016::13:28:21 ===
SSL: certify: ssl_handshake.erl:1492:Fatal error: handshake failure
The error I see through openssl s_client:

140735165813584:error:14094410:SSL routines:ssl3_read_bytes:sslv3 alert handshake failure:s3_pkt.c:1472:SSL alert number 40
140735165813584:error:1409E0E5:SSL routines:ssl3_write_bytes:ssl handshake failure:s3_pkt.c:656:
{ciphers, ["ECDHE-ECDSA-AES256-GCM-SHA384","ECDHE-RSA-AES256-GCM-SHA384",
                        "ECDHE-ECDSA-AES256-SHA384","ECDHE-RSA-AES256-SHA384", "ECDHE-ECDSA-DES-CBC3-SHA",
                        "ECDH-ECDSA-AES256-GCM-SHA384","ECDH-RSA-AES256-GCM-SHA384","ECDH-ECDSA-AES256-SHA384",
                        "ECDH-RSA-AES256-SHA384","DHE-DSS-AES256-GCM-SHA384","DHE-DSS-AES256-SHA256",
                        "AES256-GCM-SHA384","AES256-SHA256","ECDHE-ECDSA-AES128-GCM-SHA256",
                        "ECDHE-RSA-AES128-GCM-SHA256","ECDHE-ECDSA-AES128-SHA256","ECDHE-RSA-AES128-SHA256",
                        "ECDH-ECDSA-AES128-GCM-SHA256","ECDH-RSA-AES128-GCM-SHA256","ECDH-ECDSA-AES128-SHA256",
                        "ECDH-RSA-AES128-SHA256","DHE-DSS-AES128-GCM-SHA256","DHE-DSS-AES128-SHA256",
                        "AES128-GCM-SHA256","AES128-SHA256","ECDHE-ECDSA-AES256-SHA",
                        "ECDHE-RSA-AES256-SHA","DHE-DSS-AES256-SHA","ECDH-ECDSA-AES256-SHA",
                        "ECDH-RSA-AES256-SHA","AES256-SHA","ECDHE-ECDSA-AES128-SHA",
                        "ECDHE-RSA-AES128-SHA","DHE-DSS-AES128-SHA","ECDH-ECDSA-AES128-SHA",
                        "ECDH-RSA-AES128-SHA","AES128-SHA"]},
                  {fail_if_no_peer_cert,false}]}
    ]}
]
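As an added example (not code from the question or from either answer above), the following POSIX shell script automates the check this answer describes. It generates two self-signed test certificates with openssl, one carrying only serverAuth, as the buggy generation script produced, and one carrying clientAuth (OID 1.3.6.1.5.5.7.3.2), then inspects each with openssl x509 -noout -text for the "TLS Web Client Authentication" and "Digital Signature" lines. The helper names (write_openssl_conf, make_cert, check_client_cert, demo) and the test-client CN are assumptions made for this example; the extension names and the OID come from the thread. It goes slightly beyond the answer by checking both the failing and the working certificate shape side by side.

```shell
#!/bin/sh
# Added example, not code from the thread above. Generates two self-signed test
# certificates with openssl (one "server-only", one with clientAuth) and checks
# each for the X509v3 extensions RabbitMQ expects on a client certificate.
# The helper names (write_openssl_conf, make_cert, check_client_cert, demo)
# and the CN "test-client" are assumptions for this example.
set -eu

# Write an openssl config with two extension sections. "v3_server_only" mimics
# the certificate that fails against RabbitMQ (serverAuth only); "v3_client"
# carries clientAuth (OID 1.3.6.1.5.5.7.3.2), which RabbitMQ requires.
write_openssl_conf() {
  cat > "$1" <<'EOF'
[ req ]
distinguished_name = req_dn
prompt = no

[ req_dn ]
CN = test-client

[ v3_server_only ]
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth

[ v3_client ]
keyUsage = digitalSignature
extendedKeyUsage = clientAuth
EOF
}

# make_cert <workdir> <extension-section> <name>
# Writes <workdir>/<name>.pem (self-signed cert) and <workdir>/<name>-key.pem.
make_cert() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
    -config "$1/openssl.cnf" -extensions "$2" \
    -keyout "$1/$3-key.pem" -out "$1/$3.pem" >/dev/null 2>&1
}

# check_client_cert <cert.pem>
# Returns 0 when the certificate text shows both "TLS Web Client Authentication"
# (extended key usage) and "Digital Signature" (key usage); 1 otherwise.
check_client_cert() {
  text=$(openssl x509 -noout -text -in "$1" 2>/dev/null) || return 1
  printf '%s\n' "$text" | grep -q 'TLS Web Client Authentication' || return 1
  printf '%s\n' "$text" | grep -q 'Digital Signature' || return 1
  return 0
}

# Demo: build both certificates in a scratch directory and report on each.
demo() {
  work=$(mktemp -d)
  write_openssl_conf "$work/openssl.cnf"
  make_cert "$work" v3_server_only server-only
  make_cert "$work" v3_client client
  for name in server-only client; do
    if check_client_cert "$work/$name.pem"; then
      echo "$name.pem: usable for RabbitMQ EXTERNAL/TLS client auth"
    else
      echo "$name.pem: missing clientAuth EKU or digitalSignature key usage"
    fi
  done
  rm -rf "$work"
}

demo
```

Run it against your own certificate with check_client_cert /etc/rabbitmq/ssl/client/cert.pem before touching the broker config: if that call returns 1, the handshake failure at the "certify" step in the RabbitMQ log is explained by the certificate alone, and regenerating it with extendedKeyUsage = clientAuth is the fix rather than loosening verify_peer.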