[rabbitmq-discuss] RabbitMQ - Erlang AMQP client - mutual SSL authentication problem
Skorepa, Michal
Michal.Skorepa at Honeywell.com
Tue Sep 17 10:02:32 BST 2013
Hello,
I have a problem with establishing SSL connections between Erlang AMQP client (v. 3.0.2) and RabbitMQ server (v. 3.1.3). I need to use mutual authentication, i.e. I need to authenticate the server to the client with the server certificate as well as the client to the server with the client certificate. Authenticating the server to the client works fine (ssl_fail_if_no_peer_cert set to "true" at the client and to "false" at the server), but I am not able to make the client-to-servet authentication work ("true at both sides").
My SSL configs are the following:
RabbitMQ:
---------
{rabbit, [
{ssl_listeners, [5677]},
{ssl_options, [ {cacertfile, "/etc/ssl/xxx/ca_cert.pem"},
{certfile, "/etc/ssl/xxx/cert.pem"},
{keyfile, "/etc/ssl/xxx/key.pem"},
{fail_if_no_peer_cert, true},
{verify, verify_peer}
]
}
]
},
Client:
--------
{port, 5677},
{ssl_cert_ca, "/etc/ssl/xxx/swim-ca_cert.pem"},
{ssl_cert, "/etc/ssl/xxx/cert.pem"},
{ssl_key, "/etc/ssl/xxx/key.pem"},
{ssl_verify, verify_peer},
{ssl_fail_if_no_peer_cert, true},
{username, <<"aaa">>},
{password, <<"aaa">>},
-----------------
I tried everyting that was suggested on the troubleshooting website (http://www.rabbitmq.com/troubleshooting-ssl.html) - check SSL support in Erlang, check the client and server certificates using OpenSSL, check broker listenning on SSL port, attempt SSL connection to broker using OpenSSL, validate client connections with stunnel.. I did not get any errors! I even tried to connect with the Erlang AMQP client to the OpenSSL server - this also worked! (I just got AMQP connection setup timeout after the SSL connection setup - which is not suprprising)
The error I am getting on the client side is:
---------------------------------------------------
{error, esslconnect}
The broker log says:
-------------------------
=ERROR REPORT==== 17-Sep-2013::10:39:40 ===
error on AMQP connection <0.9012.1>: {ssl_upgrade_error,esslaccept} (unknown POSIX error)
=INFO REPORT==== 17-Sep-2013::10:39:40 ===
accepting AMQP connection <0.9027.1> (xxx.xxx.138.17:56035 -> xxx.xxx.0.21:5677)
=ERROR REPORT==== 17-Sep-2013::10:39:40 ===
SSL: certify: ssl_connection.erl:496:Fatal error: handshake failure
---------------------------
Do you have any idea what could be wrong and how to fix it?
Thank you for any thaughts!
Michal
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.rabbitmq.com/pipermail/rabbitmq-discuss/attachments/20130917/2d5f5003/attachment.htm>
More information about the rabbitmq-discuss
mailing list