[rabbitmq-discuss] web-stomp SSL config causing SASL crash?
Kirk Stork
kirk at stork.name
Thu Jun 19 01:57:50 BST 2014
So I've tried the workaround.
The good: there's no crash
The less good:
I see the SSL listeners now at ports 5761 (amqp) and 0.0.0.0:15671 (web-stomp)
But web connections fail with ERR_SSL_CLIENT_AUTH_SIGNATURE_FAILED
I've tried
[
  {rabbit, [
    {loopback_users, []},
    {ssl_listeners, [5761]},
    {ssl_options, [
      {certfile, "/etc/rabbitmq/certs/cert.pem"},
      {keyfile, "/etc/rabbitmq/certs/key.pem"},
      {cacertfile, "/etc/rabbitmq/certs/cacerts.pem"},
      {password, "changeme"},
      {verify, verify_none},
      {fail_if_no_peer_cert, false}
    ]}
  ]},
  {rabbitmq_web_stomp, [
    {ssl_config, [
      {port, 15671},
      {backlog, 1024},
      {certfile, "/etc/rabbitmq/certs/cert.pem"},
      {keyfile, "/etc/rabbitmq/certs/key.pem"},
      {cacertfile, "/etc/rabbitmq/certs/cacerts.pem"},
      {password, "changeme"}
    ]}
  ]}
].
and I've tried
[
  {rabbit, [
    {loopback_users, []},
    {ssl_listeners, [5761]},
    {ssl_options, [
      {certfile, "/etc/rabbitmq/certs/cert.pem"},
      {keyfile, "/etc/rabbitmq/certs/key.pem"},
      {cacertfile, "/etc/rabbitmq/certs/cacerts.pem"},
      {password, "changeme"},
      {verify, verify_none},
      {fail_if_no_peer_cert, false}
    ]}
  ]},
  {rabbitmq_web_stomp, [
    {ssl_config, [
      {port, 15671},
      {backlog, 1024},
      {certfile, "/etc/rabbitmq/certs/cert.pem"},
      {keyfile, "/etc/rabbitmq/certs/key.pem"},
      {cacertfile, "/etc/rabbitmq/certs/cacerts.pem"},
      {password, "changeme"},
      {fail_if_no_peer_cert, false}
    ]}
  ]}
].
and
[
  {rabbit, [
    {loopback_users, []},
    {ssl_listeners, [5761]},
    {ssl_options, [
      {certfile, "/etc/rabbitmq/certs/cert.pem"},
      {keyfile, "/etc/rabbitmq/certs/key.pem"},
      {cacertfile, "/etc/rabbitmq/certs/cacerts.pem"},
      {password, "changeme"},
      {verify, verify_none},
      {fail_if_no_peer_cert, false}
    ]}
  ]},
  {rabbitmq_web_stomp, [
    {ssl_config, [
      {port, 15671},
      {backlog, 1024},
      {certfile, "/etc/rabbitmq/certs/cert.pem"},
      {keyfile, "/etc/rabbitmq/certs/key.pem"},
      {cacertfile, "/etc/rabbitmq/certs/cacerts.pem"},
      {password, "changeme"},
      {verify, verify_none},
      {fail_if_no_peer_cert, false}
    ]}
  ]}
].
Same result either way.
If I understand what's going on, rabbit wants the browser to present a certificate. But I thought the {fail_if_no_peer_cert, false} was supposed to turn that off.
On Jun 18, 2014, at 7:48 AM, Michael Klishin <mklishin at gopivotal.com> wrote:
>
>
> On 18 June 2014 at 18:20:46, Michael Klishin (mklishin at gopivotal.com) wrote:
>>> http://hg.rabbitmq.com/rabbitmq-web-stomp/rev/6d26ad85f65f
>>
>> Will be in 3.3.4.
>
> Also, while investigating and verifying a fix, I discovered a workaround:
> add an SSL listener to your rabbitmq.config (even if you're not going to use
> SSL with AMQP 0-9-1), that will start asn1 and other dependencies before
> Web STOMP is even started.
>
> So, the problem manifests itself only when you have Web STOMP configured to
> use SSL but not AMQP 0-9-1.
>
> HTH.
> --
> MK
>
> Software Engineer, Pivotal/RabbitMQ
>
>