[rabbitmq-discuss] Create an encrypted SSL connection without having to verify certificate

Michael Klishin mklishin at pivotal.io
Thu Jul 31 06:42:12 BST 2014


On 31 July 2014 at 09:33:17, Ankur5 C (ankur5.c at tcs.com) wrote:
> > The example given in https://www.rabbitmq.com/ssl.html for
> connecting to TLS port 5671 is not working.
>  
> Exception:
> accepting AMQP connection <0.231.0> (192.168.161.171:65208  
> -> 192.168.161.197:5671)
> =ERROR REPORT==== 30-Jul-2014::17:53:07  
> error on AMQP connection <0.231.0>:
> {ssl_upgrade_error,timeout}
>  
> In one of the solutions you said "somehow end up connecting with
> a non-TLS client on the TLS port."

It is not a solution, it is the problem. A client connects to RabbitMQ on
port 5671, RabbitMQ expects the client to perform a TLS upgrade (this is
the default TLS connections port) but the client is not instructed to do it,
so it never does. After waiting for some time, RabbitMQ declares that
TLS upgrade has timed out and drops the TCP connection.

> So the example in https://www.rabbitmq.com/ssl.html for "Connecting
> without validating certificates", what is that? Is it a non-TLS
> client? How to make it TLS?

It demonstrates how to make the Java client use TLS connections, yes.

> I simply need to execute the Java code, right? Or something more
> I have to do?
>  
> Please suggest how to resolve this.

The "Connecting without validating certificates"
example on https://www.rabbitmq.com/ssl.html demonstrates the bare
minimum you have to do but because you instructed RabbitMQ to perform
peer verification, you need to use the second example,
"Presenting and validating certificates".

The guide at https://www.rabbitmq.com/ssl.html goes into a lot of detail
on every step you need to take to connect with TLS encryption from Java.

You can generate a bunch of certificates (including PKCS12 certificates used
by JDK's keytool) using tls-gen:
https://github.com/michaelklishin/tls-gen/

Unless a new thread is started (I've asked you to do so twice)
and you post your actual code, I'll refrain from replying to this thread.
--  
MK  

Staff Software Engineer, Pivotal/RabbitMQ

