tls:使用streadway/amqp为RabbitMQ启用tls时握手失败 [英] tls: handshake failure when enabling tls for RabbitMQ with streadway/amqp
问题描述
我正在尝试使用streadway/amqp在Go中使用 amqps://
连接到RabbitMQ.我可以成功连接 amqp://
.启用TLS并使用 amqps://
时,出现以下错误:
I'm attempting to connect to RabbitMQ with amqps://
in Go using streadway/amqp. I can connect successfully with amqp://
. When enabling TLS and using amqps://
I get the following error:
panic: remote error: tls: handshake failure
RabbitMQ在docker中运行时具有以下环境变量和设置:
RabbitMQ is running in docker with the following environment variables and settings:
environment:
RABBITMQ_SSL_CACERTFILE: /ca_certificate.pem
RABBITMQ_SSL_CERTFILE: /server_certificate.pem
RABBITMQ_SSL_KEYFILE: /server_key.pem
ports:
- 5671:5671 # Note that 5671 is for tls and 5672 is non-tls
volumes:
- ./ca_certificate.pem:/ca_certificate.pem:ro
- ./server_certificate.pem:/server_certificate.pem:ro
- ./server_key.pem:/server_key.pem:ro
我已经尝试过使用 amqp/streadway 进行以下操作:
I've tried the following with amqp/streadway:
err := amqp.DialTLS(amqps://guest:guest@localhost:5671", nil)
if err != nil {
panic(err)
}
我还尝试读取证书文件,创建密钥对,并将证书颁发机构附加到证书池,并在具有以下功能的 tls.Config {}
中以这种方式使用它:
I've also tried reading the cert files, creating a key pair, and appending the certificate authority to the cert pool and using it that way in a tls.Config{}
with the following functions:
-
tls.LoadX509KeyPair()
-
x509.NewCertPool().AppendCertsFromPEM()
我使用 mkcert 生成证书,用于127.0.0.1,localhost,rabbitmq.
I generate the certs with mkcert for 127.0.0.1, localhost, rabbitmq.
根据一些与RabbitMQ无关的答案,有人认为密码可能是错误的.因此,我了解了Rabbitmq使用的密码:
According to some answers that aren't related to RabbitMQ, some people suggest the ciphers could be wrong. So I took a look at what ciphers rabbitmq is using:
$ openssl s_client -connect localhost:5671 -tls1
Protocol : TLSv1
Cipher : ECDHE-RSA-AES256-SHA
<etc etc...>
Verify return code: 0 (ok)
运行上述命令时,还会出现一两个错误,但是我猜这是因为我没有在此命令中提供CA证书(我使用的是MacOS).也许相关,也许不相关,因为我在postgres中没有这个问题,例如:
There are also one or two errors when I run the above command, but I'm guessing it's because I'm not providing the CA certificate in this command (I'm using MacOS). Maybe related, maybe not, as I don't have this issue with postgres, for example:
验证错误:num = 19:证书链中的自签名证书验证返回:04644699756:错误:1401E410:SSL例程:CONNECT_CR_FINISHED:sslv3警报握手失败:/AppleInternal/BuildRoot/Library/Caches/com.apple.xbs/Sources/libressl/libressl-47.100.4/libressl-2.8/ssl/ssl_pkt.c:1200:SSL警报编号40
verify error:num=19:self signed certificate in certificate chain verify return:0 4644699756:error:1401E410:SSL routines:CONNECT_CR_FINISHED:sslv3 alert handshake failure:/AppleInternal/BuildRoot/Library/Caches/com.apple.xbs/Sources/libressl/libressl-47.100.4/libressl-2.8/ssl/ssl_pkt.c:1200:SSL alert number 40
然后我在golang中使用以下 tls.Config
设置:
Then I use the following tls.Config
settings in golang:
tlsConfig := &tls.Config{
Certificates: []tls.Certificate{cert}, // from tls.LoadX509KeyPair
RootCAs: caCertPool,
CipherSuites: []uint16{
tls.TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384, // these look like they match the Cipher above
tls.TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,
},
CurvePreferences: []tls.CurveID{tls.CurveP521, tls.CurveP384, tls.CurveP256},
PreferServerCipherSuites: true,
InsecureSkipVerify: true,
MinVersion: tls.VersionTLS10,
}
我仍然有同样的问题.我非常怀疑这是图书馆,一定是我做错了什么,但这是什么?
I still have the same issue. I highly doubt it's the library, it must be something I'm doing wrong, but what is it?
推荐答案
我复制了您的设置.这不起作用,因为您需要使用 client 证书配置AMQP连接.
I reproduced your setup. It doesn't work because you need to configure the AMQP connection with the client certs.
使用 mkcert : mkcert -client Rabbitmq.test localhost 127.0.0.1 :: 1
(请注意 -client
标志).
Using mkcert: mkcert -client rabbitmq.test localhost 127.0.0.1 ::1
(note the -client
flag).
此后,您只需要使用 tls.LoadX509KeyPair
将客户端证书传递到AMQP tlsConfig中,它就可以正常工作:
After this, you just need to pass the client certs into your AMQP tlsConfig with tls.LoadX509KeyPair
, and it should just work:
cert, err := tls.LoadX509KeyPair("./rabbitmq.test+3-client.pem", "./rabbitmq.test+3-client-key.pem")
// Load CA cert
caCert, err := ioutil.ReadFile("./rootCA.pem") // The same you configured in your MQ server
if err != nil {
log.Fatal(err)
}
caCertPool := x509.NewCertPool()
caCertPool.AppendCertsFromPEM(caCert)
tlsConfig := &tls.Config{
Certificates: []tls.Certificate{cert}, // from tls.LoadX509KeyPair
RootCAs: caCertPool,
// ...other options are just the same as yours
}
conn, err := amqp.DialTLS("amqps://test:secret@127.0.0.1:5671", tlsConfig)
if err != nil {
panic(err) // does not panic!
}
// ... application code
PS:在我的设置中,我使用了一些与您使用的不同的名称(用户/密码/容器),但这些名称应该无关紧要
PS: in my setup I used some different names (user/password/container) than yours, but those should be irrelevant
这篇关于tls:使用streadway/amqp为RabbitMQ启用tls时握手失败的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!