[rabbitmq-discuss] sslv3 alert handshake failure for TLS Web Server certificates

Alexandru Scvorţov alexandru at rabbitmq.com
Wed Oct 26 19:33:31 BST 2011


> Yes, I used the same version of erlang for both 1. and 2. and a
> different version of erlang for both 3 and 4.
> 
> 
> It looks like erlang does care about extended key usage since OTP-8554
>  "Ssl now correctly verifies the extended_key_usage extension and also
> allows the user to verify application specific extensions by supplying
> an appropriate fun."
> -http://www.erlang.org/download/otp_src_R14A.readme

So, you tried RabbitMQ 1.7.2 on R13B04 and RabbitMQ 2.4.1 on R14B03.

RabbitMQ uses Erlang's definition of what a valid certificate is.  So,
you can either run 2.4.1 on R13B04, or you could go the way of
"supplying an appropriate fun", but that's fairly complicated and
involves writing and compiling a bit of Erlang.

On Wed, Oct 26, 2011 at 10:49:09AM -0600, Nathaniel Haggard wrote:
> On Wed, Oct 26, 2011 at 2:48 AM, Matthias Radestock
> <matthias at rabbitmq.com> wrote:
> > Nate,
> >
> > On 25/10/11 17:52, Nathaniel Haggard wrote:
> >>
> >> On Mon, Oct 24, 2011 at 5:36 PM, Alexandru Scvorţov
> >>>
> >>> So, are you using the same version of Erlang in both tests?
> >>
> >> Yes.
> >
> > ok. But...
> >
> >> The tests I'm doing go like this:
> >>
> >> 1. openssl s_client -host 127.0.0.1 -port 5671 -key
> >> keys/serverlike.key -cert keys/serverlike.crt
> >> 2. openssl s_client -host 127.0.0.1 -port 5671 -key
> >> keys/clientlike.key -cert keys/clientlike.crt
> >> 3. openssl s_client -host myrabbit172 -port 5671 -key
> >> keys/serverlike.key -cert keys/serverlike.crt
> >> 4. openssl s_client -host myrabbit172 -port 5671 -key
> >> keys/clientlike.key -cert keys/clientlike.crt
> >>
> >> 1 fails and 2 passes on rabbitmq-2.4.1 with erlang R14B03.
> >>
> >> 3 and 4 pass on rabbitmq-1.7.2 with erlang R13B04.
> >
> > ...that's two different versions of Erlang.
> 
> Yes, I used the same version of erlang for both 1. and 2. and a
> different version of erlang for both 3 and 4.
> 
> 
> It looks like erlang does care about extended key usage since OTP-8554
>  "Ssl now correctly verifies the extended_key_usage extension and also
> allows the user to verify application specific extensions by supplying
> an appropriate fun."
> -http://www.erlang.org/download/otp_src_R14A.readme
> _______________________________________________
> rabbitmq-discuss mailing list
> rabbitmq-discuss at lists.rabbitmq.com
> https://lists.rabbitmq.com/cgi-bin/mailman/listinfo/rabbitmq-discuss
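
The difference between the "serverlike" and "clientlike" certificates in the tests above can be read from the Extended Key Usage extension before connecting. The script below is an added example, not part of the original thread or of RabbitMQ; it builds two constructed self-signed certificates named after the poster's files and uses OpenSSL's own purpose check as a stand-in for Erlang's check, which is an assumption.

```shell
#!/bin/sh
# Added example; the certificates are constructed throwaways, not the poster's.

# make_cert DIR NAME EKU: self-signed cert DIR/NAME.crt with the given EKU.
make_cert() {
    dir=$1 name=$2 eku=$3
    cat > "$dir/$name.cnf" <<EOF
[req]
distinguished_name = dn
prompt = no
x509_extensions = ext
[dn]
CN = $name.example.invalid
[ext]
extendedKeyUsage = $eku
EOF
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -config "$dir/$name.cnf" \
        -keyout "$dir/$name.key" -out "$dir/$name.crt" 2>/dev/null
}

# eku_of CERT: print the Extended Key Usage value as OpenSSL names it.
eku_of() {
    openssl x509 -in "$1" -noout -text |
        grep -A1 'X509v3 Extended Key Usage' | tail -n 1 | sed 's/^ *//'
}

# usable_as_client CERT: succeeds only if OpenSSL's purpose check says the
# certificate may be presented by a TLS client (EKU absent or has clientAuth).
usable_as_client() {
    openssl x509 -in "$1" -noout -purpose | grep -q '^SSL client : Yes'
}

# report CERT: one diagnostic line per certificate.
report() {
    if usable_as_client "$1"; then verdict=accepted; else verdict=rejected; fi
    echo "$(basename "$1"): EKU=[$(eku_of "$1")] as TLS client: $verdict"
}

# Demo on constructed certificates in a temporary directory.
tmp=$(mktemp -d)
make_cert "$tmp" serverlike serverAuth
make_cert "$tmp" clientlike clientAuth
report "$tmp/serverlike.crt"
report "$tmp/clientlike.crt"
rm -rf "$tmp"
```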

