[rabbitmq-discuss] Client connection to ssl rabbitMQ is very slow

Rabbit001 rcrespopanizo at gmail.com
Thu Apr 12 08:33:02 BST 2012


I'm confused; with your instructions my client agent displays these messages in
SSL debug mode:

trigger seeding of SecureRandom
done seeding SecureRandom
Allow unsafe renegotiation: false
Allow legacy hello messages: true
Is initial handshake: true
Is secure renegotiation: false
main, setSoTimeout(10000) called
%% No cached client session
*** ClientHello, TLSv1
RandomCookie:  GMT: 1317372735 bytes = { 76, 106, 8, 15, 157, 169, 170, 81,
26, 139, 188, 38, 162, 78, 118, 72, 247, 33, 111, 100, 141, 102, 119, 16,
87, 139, 107, 190 }
Session ID:  {}
Cipher Suites: [SSL_RSA_WITH_RC4_128_MD5, SSL_RSA_WITH_RC4_128_SHA,
TLS_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_RSA_WITH_AES_128_CBC_SHA,
TLS_DHE_DSS_WITH_AES_128_CBC_SHA, SSL_RSA_WITH_3DES_EDE_CBC_SHA,
SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA,
SSL_RSA_WITH_DES_CBC_SHA, SSL_DHE_RSA_WITH_DES_CBC_SHA,
SSL_DHE_DSS_WITH_DES_CBC_SHA, SSL_RSA_EXPORT_WITH_RC4_40_MD5,
SSL_RSA_EXPORT_WITH_DES40_CBC_SHA, SSL_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA,
SSL_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA, TLS_EMPTY_RENEGOTIATION_INFO_SCSV]
Compression Methods:  { 0 }
***
main, WRITE: TLSv1 Handshake, length = 75
main, WRITE: SSLv2 client hello message, length = 101
main, READ: TLSv1 Handshake, length = 74
*** ServerHello, TLSv1
RandomCookie:  GMT: 1317372729 bytes = { 156, 148, 232, 187, 191, 145, 24,
28, 51, 155, 203, 236, 126, 135, 166, 157, 173, 90, 220, 10, 160, 177, 84,
67, 152, 90, 78, 194 }
Session ID:  {37, 88, 220, 40, 149, 121, 218, 58, 162, 191, 87, 212, 201,
16, 131, 216, 98, 63, 205, 168, 46, 58, 53, 213, 238, 228, 205, 71, 4, 245,
227, 129}
Cipher Suite: SSL_RSA_WITH_RC4_128_MD5
Compression Method: 0
***
Warning: No renegotiation indication extension in ServerHello
%% Created:  [Session-1, SSL_RSA_WITH_RC4_128_MD5]
** SSL_RSA_WITH_RC4_128_MD5
main, READ: TLSv1 Handshake, length = 1474
*** Certificate chain
chain [0] = [
[
  Version: V3
  Subject: O=server, CN=MdpQueue
  Signature Algorithm: SHA1withRSA, OID = 1.2.840.113549.1.1.5

  Key:  Sun RSA public key, 2048 bits
  modulus:
24334987968930982943981825187475436299008497607561573573631523764564684548469811266648724448544625619306915448884829059653148026682713134819159622851610665802136344975591672757687667031687154387433867924238004953412446642508173836476637867784982543240635609951624723163538133830316073386671198648519063730784583506433654210317223494465395785490801263975472397303659595998370054145999922092449831111420053502703651377024865842207190113400021631570198643096824223092956683480679689104179006662881694541917547715526331703763768468498407847738764426243314732078926021142975650072247517108406152577606651997494500325440503
  public exponent: 65537
  Validity: [From: Mon Apr 02 09:07:49 CEST 2012,
               To: Tue Apr 02 09:07:49 CEST 2013]
  Issuer: CN=rabbitMQCa
  SerialNumber: [    01]

Certificate Extensions: 3
[1]: ObjectId: 2.5.29.37 Criticality=false
ExtendedKeyUsages [
  serverAuth
]

[2]: ObjectId: 2.5.29.15 Criticality=false
KeyUsage [
  Key_Encipherment
]

[3]: ObjectId: 2.5.29.19 Criticality=false
BasicConstraints:[
  CA:false
  PathLen: undefined
]

]
  Algorithm: [SHA1withRSA]
  Signature:

]
chain [1] = [
[
  Version: V3
  Subject: CN=rabbitMQCa
  Signature Algorithm: SHA1withRSA, OID = 1.2.840.113549.1.1.5

  Key:  Sun RSA public key, 2048 bits
  modulus:
18248746087467252200944236832325278424669636151934770607412859044474223256189932855084016557855926613771028068656808036187947675937254796758195884535556914971667322865350982711031725796002558363209549109860397534076839586787095955246512345600254524286338875779345081458059658636195587370951763953299337439192950834178442581857332221418797812357302842100055837043461572333613052191364110791214387914869357781679072330997864692304194270929303923018766081122118475979404194228545380152289084703482584350985406029286974099362125142672271699924650060974298570867776059293459310888926049474632091997882856434952322556490083
  public exponent: 65537
  Validity: [From: Mon Apr 02 09:02:32 CEST 2012,
               To: Tue Apr 02 09:02:32 CEST 2013]
  Issuer: CN=rabbitMQCa
  SerialNumber: [    a653d3dc a21770c5]

Certificate Extensions: 2
[1]: ObjectId: 2.5.29.15 Criticality=false
KeyUsage [
  Key_CertSign
  Crl_Sign
]

[2]: ObjectId: 2.5.29.19 Criticality=false
BasicConstraints:[
  CA:true
  PathLen:2147483647
]

]
  Algorithm: [SHA1withRSA]
  Signature:

]
***
main, READ: TLSv1 Handshake, length = 8
*** CertificateRequest
Cert Types: RSA
Cert Authorities:
main, READ: TLSv1 Handshake, length = 4
*** ServerHelloDone
*** Certificate chain
***
*** ClientKeyExchange, RSA PreMasterSecret, TLSv1
main, WRITE: TLSv1 Handshake, length = 269
SESSION KEYGEN:
PreMaster Secret:
0000: 03 01 A6 30 EE 15 4D BA   4B C3 28 3C AA 71 2A 19  ...0..M.K.(<.q*.
0010: 57 29 F8 72 E5 D8 1F DE   60 B1 E3 18 DB 8A 95 CF  W).r....`.......
0020: AA BE 58 97 A3 86 87 62   D4 94 C0 73 1B 50 E2 83  ..X....b...s.P..
CONNECTION KEYGEN:
Client Nonce:
0000: 4F 86 83 3F 4C 6A 08 0F   9D A9 AA 51 1A 8B BC 26  O..?Lj.....Q...&
0010: A2 4E 76 48 F7 21 6F 64   8D 66 77 10 57 8B 6B BE  .NvH.!od.fw.W.k.
Server Nonce:
0000: 4F 86 83 39 9C 94 E8 BB   BF 91 18 1C 33 9B CB EC  O..9........3...
0010: 7E 87 A6 9D AD 5A DC 0A   A0 B1 54 43 98 5A 4E C2  .....Z....TC.ZN.
Master Secret:
0000: 19 C9 FE 4C 06 78 77 F0   5E 95 31 07 25 C3 42 DA  ...L.xw.^.1.%.B.
0010: B4 FE D0 94 F7 90 FB CC   4C B7 1B 5F D7 B0 CD E9  ........L.._....
0020: DA 76 1E 78 00 A1 F7 69   A6 F1 A6 A0 72 2B E8 CE  .v.x...i....r+..
Client MAC write Secret:
0000: CD E7 47 FE 44 19 51 83   6D EE 0D AA 9E 01 2C 04  ..G.D.Q.m.....,.
Server MAC write Secret:
0000: 46 64 25 F9 F6 84 6C BD   85 E2 5C 89 EA 05 C2 AE  Fd%...l...\.....
Client write key:
0000: 4E 69 00 96 E5 D5 B1 AB   95 49 D6 CC 1C F4 13 06  Ni.......I......
Server write key:
0000: 9C 04 F6 18 1D E2 76 00   21 4E 3A 1A 06 5F DA F2  ......v.!N:.._..
... no IV used for this cipher
main, WRITE: TLSv1 Change Cipher Spec, length = 1
*** Finished
verify_data:  { 57, 44, 198, 169, 225, 7, 158, 86, 155, 62, 36, 88 }
***
main, WRITE: TLSv1 Handshake, length = 32
main, READ: TLSv1 Change Cipher Spec, length = 1
main, READ: TLSv1 Handshake, length = 32
*** Finished
verify_data:  { 162, 42, 28, 39, 215, 24, 120, 234, 180, 131, 242, 240 }
***
%% Cached client session: [Session-1, SSL_RSA_WITH_RC4_128_MD5]
main, WRITE: TLSv1 Application Data, length = 24
AMQP Connection 172.30.34.11:5671, READ: TLSv1 Application Data, length =
351
main, WRITE: TLSv1 Application Data, length = 343
AMQP Connection 172.30.34.11:5671, READ: TLSv1 Application Data, length = 36
main, setSoTimeout(0) called
main, WRITE: TLSv1 Application Data, length = 36
main, WRITE: TLSv1 Application Data, length = 32
AMQP Connection 172.30.34.11:5671, READ: TLSv1 Application Data, length = 29
main, WRITE: TLSv1 Application Data, length = 29
AMQP Connection 172.30.34.11:5671, READ: TLSv1 Application Data, length = 32
main, WRITE: TLSv1 Application Data, length = 39
main, WRITE: TLSv1 Application Data, length = 38
main, WRITE: TLSv1 Application Data, length = 36
 Tiempo: (1) 5246
 Tiempo: (2) 24
 Tiempo: (3) 4
main, WRITE: TLSv1 Application Data, length = 37
AMQP Connection 172.30.34.11:5671, READ: TLSv1 Application Data, length = 28
main, WRITE: TLSv1 Application Data, length = 37
AMQP Connection 172.30.34.11:5671, READ: TLSv1 Application Data, length = 28
AMQP Connection 172.30.34.11:5671, called close()
main, called close()
main, called closeInternal(true)
AMQP Connection 172.30.34.11:5671, called closeInternal(true)
main, SEND TLSv1 ALERT:  warning, description = close_notify
main, WRITE: TLSv1 Alert, length = 18
AMQP Connection 172.30.34.11:5671, close invoked again; state = 7
AMQP Connection 172.30.34.11:5671, after primary close; state = 7

The connection has been established over SSL_RSA_WITH_RC4_128_MD5, but the
response time before the connection was established was "Tiempo: (1)
5246" (milliseconds). It's not acceptable. My client agent code is:


import com.rabbitmq.client.*;

public class RabbitMQSSLSample {
	public static void main(String[] args) throws Exception {

		System.setProperty("javax.net.debug", "ssl");
		ConnectionFactory factory = new ConnectionFactory();
		factory.setHost("172.30.34.11");
		factory.setPort(5671);
		factory.setVirtualHost("/");
		// Tells the library to set up the default Key and Trust managers for you,
		// which do not do any form of remote server trust verification
		factory.useSslProtocol("TLS");
		long time1 = System.currentTimeMillis();

		Connection conn = factory.newConnection();
		long time2 = System.currentTimeMillis();
		Channel channel = conn.createChannel();
		long time3 = System.currentTimeMillis();
		// non-durable, exclusive, auto-delete queue
		// channel.queueDeclare("sample", false, true, true, null);
		channel.basicPublish("", "sample", null, "Hello, World".getBytes());

		/*
		 * GetResponse chResponse = channel.basicGet("sample", false);
		 * if(chResponse == null) { System.out.println("No message retrieved");
		 * } else { byte[] body = chResponse.getBody();
		 * channel.basicAck(chResponse.getEnvelope().getDeliveryTag(), false);
		 * System.out.println("Recieved: " + new String(body)); }
		 */
		System.out.println(" Tiempo: (1) "
				+ (System.currentTimeMillis() - time1));
		System.out.println(" Tiempo: (2) "
				+ (System.currentTimeMillis() - time2));
		System.out.println(" Tiempo: (3) "
				+ (System.currentTimeMillis() - time3));

		channel.close();
		conn.close();
	}
}

Thanks again for your help,

Best Regards,


Carl Hörberg wrote:
> 
> hum.. the client seems to support rsa aes 128 sha, but try to add some
> more like:
> 
> {ciphers,[{rsa,aes_128_cbc,sha},{rsa,rc4_128,md5},{rsa,rc4_128,sha}]}
> 
> 
> On Tue, Apr 10, 2012 at 12:35, Emile Joubert <emile at rabbitmq.com> wrote:
>> Hi,
>>
>> On 09/04/12 08:23, Rabbit001 wrote:
>>> I follow your instructions and I've modified rabbitmq.config and put
>>> {ciphers,[{rsa,aes_128_cbc,sha}]}. The server starts correctly but my
>>> client displays this error,
>>
>> The broker will stand a better chance of being able to negotiate a
>> cipher with the client if it offers more than one. Select some more from
>> the supported broker ciphers (reported by ssl:cipher_suites/0), avoiding
>> slow ones (like triple DES) and including at least one that is
>> compatible with your client.
>>
>>
>> -Emile
>>
>> _______________________________________________
>> rabbitmq-discuss mailing list
>> rabbitmq-discuss at lists.rabbitmq.com
>> https://lists.rabbitmq.com/cgi-bin/mailman/listinfo/rabbitmq-discuss

-- 
View this message in context: http://old.nabble.com/Client-connection-to-ssl-rabbitMQ-is-very-slow-tp33544994p33673563.html
Sent from the RabbitMQ mailing list archive at Nabble.com.
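
Added example (not part of the original message and not RabbitMQ project code): a small Python parser for the javax.net.debug=ssl trace format shown above. It extracts the suites the client offered and the one the broker selected, so the broker's ciphers list can be matched against what the client actually supports. The embedded trace is a constructed, shortened sample, and the weak-suite markers are an assumed policy.

```python
import re

# Constructed sample: a shortened trace in the format shown above, including
# the mail archive's hard line wraps inside the suite list.
SAMPLE = """\
*** ClientHello, TLSv1
Session ID:  {}
Cipher Suites: [SSL_RSA_WITH_RC4_128_MD5, SSL_RSA_WITH_RC4_128_SHA,
TLS_RSA_WITH_AES_128_CBC_SHA, SSL_RSA_WITH_3DES_EDE_CBC_SHA,
SSL_RSA_EXPORT_WITH_RC4_40_MD5, TLS_EMPTY_RENEGOTIATION_INFO_SCSV]
Compression Methods:  { 0 }
***
*** ServerHello, TLSv1
Cipher Suite: SSL_RSA_WITH_RC4_128_MD5
Compression Method: 0
***
"""

# Assumed policy: name fragments of suites that should not be negotiated.
WEAK = ("_RC4_", "_MD5", "_DES_", "_DES40_", "_3DES_", "_EXPORT_", "_NULL_")

def is_weak(suite):
    return any(marker in suite for marker in WEAK)

def parse_trace(text):
    """Return (offered, selected) from a JSSE ssl debug trace."""
    # The offered list is bracketed and may span several wrapped lines.
    m = re.search(r"Cipher Suites:\s*\[(.*?)\]", text, re.S)
    offered = [s.strip() for s in m.group(1).split(",")] if m else []
    # The ServerHello reports its choice on a singular "Cipher Suite:" line.
    m = re.search(r"^Cipher Suite:\s*(\S+)", text, re.M)
    selected = m.group(1) if m else None
    return offered, selected

def review(text):
    offered, selected = parse_trace(text)
    # The SCSV entry is a renegotiation signal, not a real cipher suite.
    real = [s for s in offered if not s.endswith("_SCSV")]
    return {
        "selected": selected,
        "selected_is_weak": bool(selected) and is_weak(selected),
        "unflagged_offered": [s for s in real if not is_weak(s)],
        "flagged_offered": [s for s in real if is_weak(s)],
    }

if __name__ == "__main__":
    for key, value in review(SAMPLE).items():
        print(key, "=", value)
```
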