tls:使用streadway/amqp为RabbitMQ启用tls时握手失败 [英] tls: handshake failure when enabling tls for RabbitMQ with streadway/amqp

问题描述

我正在尝试使用streadway/amqp在Go中使用 amqps://连接到RabbitMQ.我可以成功连接 amqp://.启用TLS并使用 amqps://时，出现以下错误:

I'm attempting to connect to RabbitMQ with amqps:// in Go using streadway/amqp. I can connect successfully with amqp://. When enabling TLS and using amqps:// I get the following error:

panic: remote error: tls: handshake failure

RabbitMQ在docker中运行时具有以下环境变量和设置:

RabbitMQ is running in docker with the following environment variables and settings:

environment:
    RABBITMQ_SSL_CACERTFILE: /ca_certificate.pem
    RABBITMQ_SSL_CERTFILE: /server_certificate.pem
    RABBITMQ_SSL_KEYFILE: /server_key.pem
ports:
    - 5671:5671 # Note that 5671 is for tls and 5672 is non-tls
volumes:
    - ./ca_certificate.pem:/ca_certificate.pem:ro
    - ./server_certificate.pem:/server_certificate.pem:ro
    - ./server_key.pem:/server_key.pem:ro

我已经尝试过使用 amqp/streadway 进行以下操作:

I've tried the following with amqp/streadway:

err := amqp.DialTLS(amqps://guest:guest@localhost:5671", nil)
if err != nil {
    panic(err)
}

我还尝试读取证书文件，创建密钥对，并将证书颁发机构附加到证书池，并在具有以下功能的 tls.Config {} 中以这种方式使用它:

I've also tried reading the cert files, creating a key pair, and appending the certificate authority to the cert pool and using it that way in a tls.Config{} with the following functions:

• tls.LoadX509KeyPair()
• x509.NewCertPool().AppendCertsFromPEM()

我使用 mkcert 生成证书，用于127.0.0.1，localhost，rabbitmq.

I generate the certs with mkcert for 127.0.0.1, localhost, rabbitmq.

根据一些与RabbitMQ无关的答案，有人认为密码可能是错误的.因此，我了解了Rabbitmq使用的密码:

According to some answers that aren't related to RabbitMQ, some people suggest the ciphers could be wrong. So I took a look at what ciphers rabbitmq is using:

$ openssl s_client -connect localhost:5671 -tls1

Protocol  : TLSv1
Cipher    : ECDHE-RSA-AES256-SHA
<etc etc...>
Verify return code: 0 (ok)

运行上述命令时，还会出现一两个错误，但是我猜这是因为我没有在此命令中提供CA证书(我使用的是MacOS).也许相关，也许不相关，因为我在postgres中没有这个问题，例如:

There are also one or two errors when I run the above command, but I'm guessing it's because I'm not providing the CA certificate in this command (I'm using MacOS). Maybe related, maybe not, as I don't have this issue with postgres, for example:

验证错误:num = 19:证书链中的自签名证书验证返回:04644699756:错误:1401E410:SSL例程:CONNECT_CR_FINISHED:sslv3警报握手失败:/AppleInternal/BuildRoot/Library/Caches/com.apple.xbs/Sources/libressl/libressl-47.100.4/libressl-2.8/ssl/ssl_pkt.c:1200:SSL警报编号40

verify error:num=19:self signed certificate in certificate chain verify return:0 4644699756:error:1401E410:SSL routines:CONNECT_CR_FINISHED:sslv3 alert handshake failure:/AppleInternal/BuildRoot/Library/Caches/com.apple.xbs/Sources/libressl/libressl-47.100.4/libressl-2.8/ssl/ssl_pkt.c:1200:SSL alert number 40

然后我在golang中使用以下 tls.Config 设置:

Then I use the following tls.Config settings in golang:

tlsConfig := &tls.Config{
    Certificates: []tls.Certificate{cert}, // from tls.LoadX509KeyPair
    RootCAs:      caCertPool,
    CipherSuites: []uint16{
        tls.TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384, // these look like they match the Cipher above
        tls.TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,
    },
    CurvePreferences:         []tls.CurveID{tls.CurveP521, tls.CurveP384, tls.CurveP256},
    PreferServerCipherSuites: true,
    InsecureSkipVerify:       true,
    MinVersion:               tls.VersionTLS10,
}

我仍然有同样的问题.我非常怀疑这是图书馆，一定是我做错了什么，但这是什么?

I still have the same issue. I highly doubt it's the library, it must be something I'm doing wrong, but what is it?

推荐答案

我复制了您的设置.这不起作用，因为您需要使用 client 证书配置AMQP连接.

I reproduced your setup. It doesn't work because you need to configure the AMQP connection with the client certs.

使用 mkcert : mkcert -client Rabbitmq.test localhost 127.0.0.1 :: 1(请注意 -client 标志).

Using mkcert: mkcert -client rabbitmq.test localhost 127.0.0.1 ::1 (note the -client flag).

此后，您只需要使用 tls.LoadX509KeyPair 将客户端证书传递到AMQP tlsConfig中，它就可以正常工作:

After this, you just need to pass the client certs into your AMQP tlsConfig with tls.LoadX509KeyPair, and it should just work:

    cert, err := tls.LoadX509KeyPair("./rabbitmq.test+3-client.pem", "./rabbitmq.test+3-client-key.pem")

    // Load CA cert
    caCert, err := ioutil.ReadFile("./rootCA.pem") // The same you configured in your MQ server
    if err != nil {
        log.Fatal(err)
    }
    caCertPool := x509.NewCertPool()
    caCertPool.AppendCertsFromPEM(caCert)

    tlsConfig := &tls.Config{
        Certificates: []tls.Certificate{cert}, // from tls.LoadX509KeyPair
        RootCAs:      caCertPool,
        // ...other options are just the same as yours
    }

    conn, err := amqp.DialTLS("amqps://test:secret@127.0.0.1:5671", tlsConfig)
    if err != nil {
        panic(err) // does not panic!
    }

    // ... application code

PS:在我的设置中，我使用了一些与您使用的不同的名称(用户/密码/容器)，但这些名称应该无关紧要

PS: in my setup I used some different names (user/password/container) than yours, but those should be irrelevant

这篇关于tls:使用streadway/amqp为RabbitMQ启用tls时握手失败的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！