RabbitMQ: handshake error when attempting to use SSL certificates


Problem description


I am trying to use SSL certificates with RabbitMQ but I keep getting handshake errors with the broker.

The certificates that I have generated work fine when using the openssl 's_client' and 's_server' commands in separate terminal windows and utilizing port 8443 as detailed in the SSL Troubleshooting guide (http://www.rabbitmq.com/troubleshooting-ssl.html).

The problem appears when I attempt to connect to the RabbitMQ SSL port 5671 using the same openssl 's_client' command:

Running this:

openssl s_client -connect localhost:5671 -cert /etc/rabbitmq/ssl/client/cert.pem -key /etc/rabbitmq/ssl/client/key.pem -CAfile /etc/rabbitmq/ssl/certificate_auth/cacert.pem

Produces this:

CONNECTED(00000003)
depth=1 CN = RMQCA
verify return:1
depth=0 CN = roger.xxxxxx.com, O = server
verify return:1
139997248210760:error:14094410:SSL routines:SSL3_READ_BYTES:sslv3 alert handshake failure:s3_pkt.c:1256:SSL alert number 40
139997248210760:error:140790E5:SSL routines:SSL23_WRITE:ssl handshake  failure:s23_lib.c:177:
---

The SSL listener starts fine as indicated in the RabbitMQ log:

=INFO REPORT==== 19-May-2014::15:45:34 ===
 started TCP Listener on [::]:5672

=INFO REPORT==== 19-May-2014::15:45:34 ===
 started SSL Listener on [::]:5671

When attempting to connect to port 5671 with 's_client' the error appears:

=INFO REPORT==== 19-May-2014::17:20:39 ===
accepting AMQP connection <0.3263.0> ([::1]:58538 -> [::1]:5671)

=ERROR REPORT==== 19-May-2014::17:20:39 ===
SSL: certify: ssl_handshake.erl:1346:Fatal error: handshake failure

=ERROR REPORT==== 19-May-2014::17:20:44 ===
error on AMQP connection <0.3263.0>: {ssl_upgrade_error,
                                      {tls_alert,"handshake failure"}} (unknown POSIX error)

RabbitMQ Config file:

[    
    {rabbit, [
      {ssl_listeners, [5671]},
      {ssl_options, [{cacertfile, "/etc/rabbitmq/ssl/certificate_auth/cacert.pem"},
                     {certfile, "/etc/rabbitmq/ssl/server/cert.pem"},
                     {keyfile, "/etc/rabbitmq/ssl/server/key.pem"},
                     {verify, verify_peer},
                     {fail_if_no_peer_cert, false}]}
     ]} 
].

RabbitMQ info:

[{pid,10375},
 {running_applications,
     [{rabbitmq_management,"RabbitMQ Management Console","3.2.3"},
      {rabbitmq_web_dispatch,"RabbitMQ Web Dispatcher","3.2.3"},
      {webmachine,"webmachine","1.10.3-rmq3.2.3-gite9359c7"},
      {mochiweb,"MochiMedia Web Server","2.7.0-rmq3.2.3-git680dba8"},
      {rabbitmq_management_agent,"RabbitMQ Management Agent","3.2.3"},
      {rabbit,"RabbitMQ","3.2.3"},
      {ssl,"Erlang/OTP SSL application","5.3.3"},
      {public_key,"Public key infrastructure","0.21"},
      {crypto,"CRYPTO version 2","3.2"},
      {asn1,"The Erlang ASN1 compiler version 2.0.4","2.0.4"},
      {os_mon,"CPO  CXC 138 46","2.2.14"},
      {inets,"INETS  CXC 138 49","5.9.8"},
      {mnesia,"MNESIA  CXC 138 12","4.11"},
      {amqp_client,"RabbitMQ AMQP Client","3.2.3"},
      {xmerl,"XML parser","1.3.6"},
      {sasl,"SASL  CXC 138 11","2.3.4"},
      {stdlib,"ERTS  CXC 138 10","1.19.4"},
      {kernel,"ERTS  CXC 138 10","2.16.4"}]},
 {os,{unix,linux}},
 {erlang_version,
     "Erlang R16B03-1 (erts-5.10.4) [source] [64-bit] [smp:2:2] [async-threads:30] [hipe] [kernel-poll:true]\n"},
 {memory,
     [{total,43812088},
      {connection_procs,5616},
      {queue_procs,42528},
      {plugins,451248},
      {other_proc,13805200},
      {mnesia,72752},
      {mgmt_db,10208},
      {msg_index,34560},
      {other_ets,1159472},
      {binary,1030272},
      {code,21819091},
      {atom,793505},
      {other_system,4587636}]},
 {vm_memory_high_watermark,0.4},
 {vm_memory_limit,787819724},
 {disk_free_limit,50000000},
 {disk_free,31267266560},
 {file_descriptors,
     [{total_limit,924},{total_used,4},{sockets_limit,829},{sockets_used,2}]},
 {processes,[{limit,1048576},{used,215}]},
 {run_queue,0},
 {uptime,7893}]
...done.

Any help would be greatly appreciated.

Thanks in advance.

UPDATE:

I get the following errors when trying to connect with the rabbitmqadmin utility.

Log File:

=INFO REPORT==== 20-May-2014::14:39:12 ===
accepting AMQP connection <0.16589.0> ([::1]:58922 -> [::1]:5671)

=ERROR REPORT==== 20-May-2014::14:39:12 ===
SSL: certify: ssl_handshake.erl:1346:Fatal error: handshake failure

=ERROR REPORT==== 20-May-2014::14:39:17 ===
error on AMQP connection <0.16589.0>: {ssl_upgrade_error,
                                       {tls_alert,"handshake failure"}} (unknown POSIX error)

The rabbitmqadmin command produced the following:

*** Could not connect: [Errno 1] _ssl.c:492: error:14094410:SSL routines:SSL3_READ_BYTES:sslv3 alert handshake failure

Solution

I had the same problem as @user3653959 and @Sarah Messer's answer led me to the solution.

Your client certificate must have the TLS Web Client Authentication "X509v3 Extended Key Usage" attribute. Mine had only TLS Web Server Authentication due to an error in my client generation script.

To check your client certificate's capabilities, you can use this command:

openssl x509 -noout -text -in client-certificate.pem

Then look for the "X509v3 extensions:" section and the "X509v3 Extended Key Usage:" subsection.

If you generate your client certificate using the example openssl.conf and client and server commands provided in the official "RabbitMQ - TLS Support" guide, it should work out of the box.

The key here is the extendedKeyUsage = 1.3.6.1.5.5.7.3.2 openssl config option in openssl.conf as @Sarah Messer points out. This is the "TLS Web Client Authentication" capability. OpenSSL s_server does not require this capability and that's why it works by default with it, but not with RabbitMQ. keyUsage = digitalSignature is enough as the main key usage option. Also, the "Common Name" (CN) of the client certificate is not important.

Just for reference

My environment:

  • RabbitMQ 3.6.2
  • Erlang 18.2
  • Ubuntu 14.04.2 LTS (64-bit)
  • Only TLSv1.2 enabled.

The error I was seeing in my RabbitMQ log:

=ERROR REPORT==== 21-Jun-2016::13:28:21 ===
SSL: certify: ssl_handshake.erl:1492:Fatal error: handshake failure

The error I was seeing via openssl s_client:

140735165813584:error:14094410:SSL routines:ssl3_read_bytes:sslv3 alert handshake failure:s3_pkt.c:1472:SSL alert number 40
140735165813584:error:1409E0E5:SSL routines:ssl3_write_bytes:ssl handshake failure:s3_pkt.c:656:
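As an added example (not part of the answer above or of the RabbitMQ guide), the script below reproduces the mistake and its fix: it generates one certificate with only serverAuth in its Extended Key Usage and one with clientAuth (OID 1.3.6.1.5.5.7.3.2), then runs the same `openssl x509 -noout -text` check on both. The config file, section names and the self-signed shortcut are constructed for this example; a real client certificate would be signed by the CA configured in cacertfile.

```shell
#!/bin/sh
# Added example: show why a client cert without the clientAuth EKU fails
# RabbitMQ's verify_peer handshake, and how to check a cert for it.
set -e
WORK=$(mktemp -d)

# Constructed minimal openssl config with two extension profiles:
# v3_server_only reproduces the broken client cert, v3_client is the fix.
cat > "$WORK/openssl.cnf" <<'EOF'
[ req ]
distinguished_name = dn
prompt = no
[ dn ]
CN = example-client
[ v3_server_only ]
keyUsage = digitalSignature
extendedKeyUsage = serverAuth
[ v3_client ]
keyUsage = digitalSignature
extendedKeyUsage = clientAuth
EOF

# has_client_auth CERT.pem -> exit 0 if the cert carries
# "TLS Web Client Authentication" in its X509v3 Extended Key Usage.
has_client_auth() {
    openssl x509 -noout -text -in "$1" | grep -q 'TLS Web Client Authentication'
}

# make_cert NAME EXTSECTION -> self-signed cert (enough for an EKU check)
make_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -config "$WORK/openssl.cnf" -extensions "$2" \
        -keyout "$WORK/$1.key" -out "$WORK/$1.pem" 2>/dev/null
}

make_cert broken v3_server_only
make_cert fixed v3_client

for c in broken fixed; do
    if has_client_auth "$WORK/$c.pem"; then
        echo "$c.pem: clientAuth present, usable as a RabbitMQ client cert"
    else
        echo "$c.pem: clientAuth MISSING, broker will answer with handshake failure"
    fi
done
```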
