<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=us-ascii">
<meta name="Generator" content="Microsoft Word 12 (filtered medium)">
<style><!--
/* Font Definitions */
@font-face
{font-family:"Cambria Math";
panose-1:2 4 5 3 5 4 6 3 2 4;}
@font-face
{font-family:Calibri;
panose-1:2 15 5 2 2 2 4 3 2 4;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0in;
margin-bottom:.0001pt;
font-size:11.0pt;
font-family:"Calibri","sans-serif";}
a:link, span.MsoHyperlink
{mso-style-priority:99;
color:blue;
text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
{mso-style-priority:99;
color:purple;
text-decoration:underline;}
span.EmailStyle17
{mso-style-type:personal-compose;
font-family:"Calibri","sans-serif";
color:windowtext;}
.MsoChpDefault
{mso-style-type:export-only;}
@page WordSection1
{size:8.5in 11.0in;
margin:1.0in 1.0in 1.0in 1.0in;}
div.WordSection1
{page:WordSection1;}
--></style><!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]-->
</head>
<body lang="EN-US" link="blue" vlink="purple">
<div class="WordSection1">
<p class="MsoNormal"><span lang="CS">Hello,<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="CS"><o:p> </o:p></span></p>
<p class="MsoNormal"><span lang="CS">I have a problem with establishing SSL connections between Erlang AMQP client (v. 3.0.2) and RabbitMQ server (v. 3.1.3). I need to use mutual authentication, i.e. I need to authenticate the server to the client with the
server certificate as well as the client to the server with the client certificate. Authenticating the server to the client works fine (ssl_fail_if_no_peer_cert set to „true“ at the client and to „false“ at the server), but I am not able to make the client-to-servet
authentication work („true at both sides“).<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="CS"><o:p> </o:p></span></p>
<p class="MsoNormal"><span lang="CS">My SSL configs are the following:<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="CS">RabbitMQ:<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="CS">---------<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="CS">{rabbit, [<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="CS"> {ssl_listeners, [5677]},<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="CS"> {ssl_options, [ {cacertfile, "/etc/ssl/xxx/ca_cert.pem"},<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="CS"> {certfile, "/etc/ssl/xxx/cert.pem"},<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="CS"> {keyfile, "/etc/ssl/xxx/key.pem"},<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="CS"> {fail_if_no_peer_cert, true},<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="CS"> {verify, verify_peer}<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="CS"> ]<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="CS"> }<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="CS"> ]<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="CS">},<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="CS"><o:p> </o:p></span></p>
<p class="MsoNormal"><span lang="CS">Client:<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="CS">--------<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="CS">{port, 5677},<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="CS">{ssl_cert_ca, "/etc/ssl/xxx/swim-ca_cert.pem"},<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="CS">{ssl_cert, "/etc/ssl/xxx/cert.pem"},<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="CS">{ssl_key, "/etc/ssl/xxx/key.pem"},<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="CS">{ssl_verify, verify_peer},<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="CS">{ssl_fail_if_no_peer_cert, true},<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="CS">{username, <<"aaa">>},<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="CS">{password, <<"aaa">>},<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="CS">-----------------<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="CS"><o:p> </o:p></span></p>
<p class="MsoNormal"><span lang="CS">I tried everyting that was suggested on the troubleshooting website (<a href="http://www.rabbitmq.com/troubleshooting-ssl.html">http://www.rabbitmq.com/troubleshooting-ssl.html</a>) – check SSL support in Erlang, check the
client and server certificates using OpenSSL, check broker listenning on SSL port, attempt SSL connection to broker using OpenSSL, validate client connections with stunnel.. I did not get any errors! I even tried to connect with the Erlang AMQP client to the
OpenSSL server – this also worked! (I just got AMQP connection setup timeout after the SSL connection setup – which is not suprprising)<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="CS"><o:p> </o:p></span></p>
<p class="MsoNormal"><span lang="CS">The error I am getting on the client side is:<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="CS">---------------------------------------------------<o:p></o:p></span></p>
<p class="MsoNormal">{error, esslconnect}<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">The broker log says:<o:p></o:p></p>
<p class="MsoNormal">-------------------------<o:p></o:p></p>
<p class="MsoNormal">=ERROR REPORT==== 17-Sep-2013::10:39:40 ===<o:p></o:p></p>
<p class="MsoNormal">error on AMQP connection <0.9012.1>: {ssl_upgrade_error,esslaccept} (unknown POSIX error)<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">=INFO REPORT==== 17-Sep-2013::10:39:40 ===<o:p></o:p></p>
<p class="MsoNormal">accepting AMQP connection <0.9027.1> (xxx.xxx.138.17:56035 -> xxx.xxx.0.21:5677)<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">=ERROR REPORT==== 17-Sep-2013::10:39:40 ===<o:p></o:p></p>
<p class="MsoNormal">SSL: certify: ssl_connection.erl:496:Fatal error: handshake failure<o:p></o:p></p>
<p class="MsoNormal"><span lang="CS">---------------------------<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="CS"><o:p> </o:p></span></p>
<p class="MsoNormal"><span lang="CS"><o:p> </o:p></span></p>
<p class="MsoNormal"><span lang="CS">Do you have any idea what could be wrong and how to fix it?<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="CS"><o:p> </o:p></span></p>
<p class="MsoNormal"><span lang="CS">Thank you for any thaughts!<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="CS">Michal<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="CS"><o:p> </o:p></span></p>
<p class="MsoNormal"><span lang="CS"><o:p> </o:p></span></p>
<p class="MsoNormal"><span lang="CS"><o:p> </o:p></span></p>
</div>
</body>
</html>