[rabbitmq-discuss] RES: RES: [Rabbit + SSL connection] AMQP ☺closed ?? Is it normal?

Rodrigo Pimenta Carvalho pimenta at inatel.br
Tue Jul 1 22:22:03 BST 2014


Hi Michael.

The exact command I have used is:
--------------------------------------------
openssl s_client -connect localhost:5671 -cert client/cert.pem -key client/key.pem -CAfile testca/cacert.pem



The exact result is:
----------------------
Loading 'screen' into random state - done
CONNECTED(000001BC)
depth=1 CN = MyTestCA
verify return:1
depth=0 CN = ICCSW-109, O = server
verify return:1
---
Certificate chain
 0 s:/CN=ICCSW-109/O=server
   i:/CN=MyTestCA
 1 s:/CN=MyTestCA
   i:/CN=MyTestCA
---
Server certificate
-----BEGIN CERTIFICATE-----
(certificate body omitted)
-----END CERTIFICATE-----
subject=/CN=ICCSW-109/O=server
issuer=/CN=MyTestCA
---
Acceptable client certificate CA names
/CN=MyTestCA
---
SSL handshake has read 1728 bytes and written 2420 bytes
---
New, TLSv1/SSLv3, Cipher is AES256-SHA256
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : AES256-SHA256
    Session-ID: 75DAF625DC4A8458E7B539A5430C13F8602304D1B841476ED04214ECDFB48CCC
    Session-ID-ctx:
    Master-Key: 01909073E5427FB2D81F0438F26A8EF64857BF08713DCE004C6E556D39FA565995716817C3A4EDA7D7FC861B0CFDFA2E
    Key-Arg   : None
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    Start Time: 1404247934
    Timeout   : 300 (sec)
    Verify return code: 0 (ok)
---
closed          // closed after 10 seconds. And according to you, in an earlier email, it is ok.


Two terminals means two command prompts, where I had tested keys and certificates with OpenSSL, exactly as explained in the RabbitMQ SSL Troubleshooting web page. All is OK here too. I'm using Windows 7.

My RabbitMQ java client is:
----------------------------------

import java.io.FileInputStream;
import java.io.IOException;
import java.security.KeyManagementException;
import java.security.KeyStore;
import java.security.KeyStoreException;
import java.security.NoSuchAlgorithmException;
import java.security.UnrecoverableKeyException;
import java.security.cert.CertificateException;

import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManagerFactory;

import com.rabbitmq.client.Channel;
import com.rabbitmq.client.Connection;
import com.rabbitmq.client.ConnectionFactory;
import com.rabbitmq.client.MessageProperties;

public class Send_Hello {

    private final static String QUEUE_NAME = "task_queue_r";

    /**
     * @param args
     * @throws IOException
     */
    public static void main(String[] args) throws IOException {

        try {
            // Client key and certificate (PKCS#12) that the client presents to the broker.
            char[] keyPassphrase = "XXXclp".toCharArray();
            KeyStore ks = KeyStore.getInstance("PKCS12");
            ks.load(new FileInputStream("E:\\path\\certificadosB\\server\\keycert.p12"), keyPassphrase);

            KeyManagerFactory kmf = KeyManagerFactory.getInstance("SunX509");
            kmf.init(ks, keyPassphrase);

            // Trust store (JKS) holding the CA certificate used to verify the broker.
            char[] trustPassphrase = "XXXVVclp".toCharArray();
            KeyStore tks = KeyStore.getInstance("JKS");
            tks.load(new FileInputStream("E:\\path\\certificadosB\\server\\rabbitstore"), trustPassphrase);

            TrustManagerFactory tmf = TrustManagerFactory.getInstance("SunX509");
            tmf.init(tks);

            // Requests an SSLv3 context and initialises it with the key and trust managers above.
            SSLContext c = SSLContext.getInstance("SSLv3");
            c.init(kmf.getKeyManagers(), tmf.getTrustManagers(), null);

            ConnectionFactory factory = new ConnectionFactory();   // the exception is raised here.

            factory.setHost("localhost");

            factory.setUsername("pimenta");   // pimenta is an administrator.
            factory.setPassword("pimenta");

            factory.setPort(5671);

            // Hand the prepared SSLContext to the client; it upgrades the socket before sending the AMQP header.
            factory.useSslProtocol(c);

            Connection connection = factory.newConnection();

            Channel channel = connection.createChannel();

            boolean durable = true;
            channel.queueDeclare(QUEUE_NAME, durable, false, false, null);

            String message = "Hello World.";
            channel.basicPublish("", QUEUE_NAME, MessageProperties.PERSISTENT_TEXT_PLAIN, message.getBytes());

            System.out.println(" [x] Sent '" + message + "'");

            channel.close();
            connection.close();

        } catch (KeyStoreException | NoSuchAlgorithmException | CertificateException
                 | UnrecoverableKeyException | KeyManagementException e) {
            e.printStackTrace();
        }

    }
}

The output of this code is:
-------------------------------------
Exception in thread "main" java.net.SocketException: Software caused connection abort: recv failed
	at java.net.SocketInputStream.socketRead0(Native Method)
	at java.net.SocketInputStream.read(Unknown Source)
	at java.net.SocketInputStream.read(Unknown Source)
	at sun.security.ssl.InputRecord.readFully(Unknown Source)
	at sun.security.ssl.InputRecord.read(Unknown Source)
	at sun.security.ssl.SSLSocketImpl.readRecord(Unknown Source)
	at sun.security.ssl.SSLSocketImpl.performInitialHandshake(Unknown Source)
	at sun.security.ssl.SSLSocketImpl.writeRecord(Unknown Source)
	at sun.security.ssl.AppOutputStream.write(Unknown Source)
	at java.io.BufferedOutputStream.flushBuffer(Unknown Source)
	at java.io.BufferedOutputStream.flush(Unknown Source)
	at java.io.DataOutputStream.flush(Unknown Source)
	at com.rabbitmq.client.impl.SocketFrameHandler.sendHeader(SocketFrameHandler.java:129)
	at com.rabbitmq.client.impl.SocketFrameHandler.sendHeader(SocketFrameHandler.java:134)
	at com.rabbitmq.client.impl.AMQConnection.start(AMQConnection.java:276)
	at com.rabbitmq.client.ConnectionFactory.newConnection(ConnectionFactory.java:590)
	at com.rabbitmq.client.ConnectionFactory.newConnection(ConnectionFactory.java:612)
	at br.inatel.icc.prototypeRabbitMQ.Send_Hello.main(Send_Hello.java:81)


In the log I have:
-----------------------------------------------------------------------------
=INFO REPORT==== 1-Jul-2014::18:14:02 ===
accepting AMQP connection <0.361.0> (127.0.0.1:56445 -> 127.0.0.1:5671)

=ERROR REPORT==== 1-Jul-2014::18:14:02 ===
SSL: certify: ssl_handshake.erl:1358:Fatal error: handshake failure

=ERROR REPORT==== 1-Jul-2014::18:14:07 ===
error on AMQP connection <0.361.0>:
{ssl_upgrade_error,{tls_alert,"handshake failure"}}


In the config file I have
-----------------------------------

    {ssl_listeners, [5671]},
    {ssl_options, [{cacertfile,           "E:/path/certificadosB/testca/cacert.pem"},
                   {certfile,             "E:/path/certificadosB/server/cert.pem"},
                   {keyfile,              "E:/path/certificadosB/server/key.pem"},
                   {verify,               verify_peer},   
                   {fail_if_no_peer_cert, false}]}


Would you like to see my key, certificates and CA certificate file? Could I send them attached in a next message?

Thank you very much for your effort in helping!!

BR,
 
RODRIGO PIMENTA CARVALHO
Inatel Competence Center
Software
Ph: +55 35 3471 9979     (Brasil)
________________________________________
From: Michael Klishin [mklishin at gopivotal.com]
Sent: Tuesday, 1 July 2014 17:31
To: Rodrigo Pimenta Carvalho; Legacy list about RabbitMQ
Subject: Re: [rabbitmq-discuss] RES: [Rabbit + SSL connection] AMQP ☺closed ?? Is it normal?

On 2 July 2014 at 00:23:05, Rodrigo Pimenta Carvalho (pimenta at inatel.br) wrote:
> > So, now my only problem is what happens when I use a RabbitMQ
> > client. It is:
> >
> > 4. =ERROR REPORT==== 27-Jun-2014::13:44:56 ===
> > 5. SSL: certify: ssl_handshake.erl:1358:Fatal error: handshake failure
> > 6.
> > 7. =ERROR REPORT==== 27-Jun-2014::13:45:01 ===
> > 8. error on AMQP connection <0.301.0>:
> > 9. {ssl_upgrade_error,{tls_alert,"handshake failure"}}

This is a very generic error. Please post the code you use and s_client output
(and the exact command you run).

In an earlier email you say

"- Keys and certificates with OpenSSL is OK! The certificates and keys can be used to establish a secure link by connecting two terminals. "

I'm not sure what "two terminals" means. You need to use s_client with RabbitMQ server,
not openssl s_server, for example.
--
MK

Staff Software Engineer, Pivotal/RabbitMQ
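Added example, not code from this thread or from the RabbitMQ project: the same publisher, but with the SSLContext requested for "TLSv1.2" (the protocol the s_client session above negotiated) instead of "SSLv3", the key and trust stores opened with try-with-resources, and hostname verification switched on. The file paths and passphrases are placeholders, and factory.enableHostnameVerification() is assumed to be available (it exists in RabbitMQ Java client 4.8/5.4 and later, not necessarily in the older client whose stack trace appears above).

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;

import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManagerFactory;

import com.rabbitmq.client.Channel;
import com.rabbitmq.client.Connection;
import com.rabbitmq.client.ConnectionFactory;
import com.rabbitmq.client.MessageProperties;

public class SendHelloTls12 {

    private static final String QUEUE_NAME = "task_queue_r";

    // The broker certificate in the thread is issued to CN=ICCSW-109. With hostname
    // verification enabled the client has to connect by a name the certificate covers
    // (CN, or a dNSName SAN), so "localhost" would be rejected for that certificate.
    private static final String BROKER_HOST = "ICCSW-109";   // assumption: resolvable in the test setup

    /** Builds a TLS 1.2 context from a PKCS#12 client key store and a JKS trust store. */
    static SSLContext buildTlsContext(String p12Path, char[] p12Pass,
                                      String trustPath, char[] trustPass) throws Exception {
        // Client certificate + private key, presented when the broker asks for a peer cert.
        KeyStore ks = KeyStore.getInstance("PKCS12");
        try (InputStream in = new FileInputStream(p12Path)) {
            ks.load(in, p12Pass);
        }
        KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        kmf.init(ks, p12Pass);

        // CA certificate(s) that the broker certificate must chain to.
        KeyStore tks = KeyStore.getInstance("JKS");
        try (InputStream in = new FileInputStream(trustPath)) {
            tks.load(in, trustPass);
        }
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(tks);

        // "TLSv1.2" rather than "SSLv3": the s_client run in the thread negotiated TLSv1.2.
        SSLContext ctx = SSLContext.getInstance("TLSv1.2");
        ctx.init(kmf.getKeyManagers(), tmf.getTrustManagers(), null);
        return ctx;
    }

    public static void main(String[] args) throws Exception {
        // Placeholder paths and passphrases (assumption), not the thread's real values.
        SSLContext ctx = buildTlsContext(
                "E:\\path\\client\\keycert.p12", "changeit".toCharArray(),
                "E:\\path\\client\\rabbitstore", "changeit".toCharArray());

        ConnectionFactory factory = new ConnectionFactory();
        factory.setHost(BROKER_HOST);
        factory.setPort(5671);
        factory.setUsername("pimenta");
        factory.setPassword("pimenta");
        factory.useSslProtocol(ctx);
        // Assumption: client 4.8.0+/5.4.0+. Enables endpoint identification so the broker
        // certificate is checked against BROKER_HOST; useSslProtocol(ctx) alone does not do this.
        factory.enableHostnameVerification();

        try (Connection connection = factory.newConnection();
             Channel channel = connection.createChannel()) {
            boolean durable = true;
            channel.queueDeclare(QUEUE_NAME, durable, false, false, null);

            String message = "Hello World.";
            channel.basicPublish("", QUEUE_NAME,
                    MessageProperties.PERSISTENT_TEXT_PLAIN, message.getBytes("UTF-8"));
            System.out.println(" [x] Sent '" + message + "'");
        }
    }
}
```

The trust store and the broker's verify_peer setting only establish that each side's certificate chains to the test CA; neither checks that the certificate the broker presents was issued for the host the client meant to reach, which is what enableHostnameVerification() adds. If the broker must keep answering on "localhost", the broker certificate needs a matching SAN rather than the client relaxing the check.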

