[rabbitmq-discuss] Strange behavior with SSL configuration

Matthew Sackman matthew at rabbitmq.com
Thu Jun 17 12:00:41 BST 2010


Hi Romary,

Please try to keep the mailing list CC'd.

On Thu, Jun 17, 2010 at 12:45:34PM +0200, romary.kremer at gmail.com wrote:
> It still sounds strange to me that the same application behaved
> perfectly good one month ago !

Yeah, it's a racy behaviour within the Erlang ssl module.

> Furthermore, do you have any idea about what has gone bad, with
> regard to the error log at the broker side ?

Yes. It's a programming error in the Erlang ssl module. I traced it
through and my full report is at
http://www.erlang.org/cgi-bin/ezmlm-cgi/2/1791

Tbh, SSL is a horrendous protocol and really needs to die. Almost no one
implements it correctly, largely because it's so ambiguous in many
areas. Also, people make very different decisions about what to
implement. For example, an SSL certificate has a "usage" field. Firefox
chooses to ignore this, so a website can happily use an SSL certificate
which is not meant to be used on a server, whereas Google Chrome rejects
such certificates. Mono makes all sorts of other requirements about SSL
certificates to be used, and I've also come across many bugs in
Dovecot's use of SSL. A lot of the time, this seems to be due to the
extreme lack of documentation of the OpenSSL libraries, and the fact
that they tend to change a lot, even between minor versions. It wouldn't
surprise me to find there are bugs in all applications that support SSL.

In short, SSL is very hard to get right, people choose to interpret it
very differently, and the situation isn't eased by the way the OpenSSL
folks go about development and documentation.

Matthew

