[rabbitmq-discuss] Could not upgrade the network driver to ssl

Matthew Sackman matthew at lshift.net
Sat Oct 31 19:37:08 GMT 2009

Hi Steve,

Whilst I have had SSL working on Erlang as old as R12B5, I'm also
aware it is a little bit hit and miss. The SSL module shipped with
Erlang had more bugs back then and it sadly still has one or two bugs
even in the latest R13B02. SSL is also a fairly tricky thing to get
right it would seem - we've discovered bugs in the Mono implementation
too in the course of adding SSL support to RabbitMQ.

If you can, could you try to see if the Java tests work for you? If you
grab the Java client, build it, start up Rabbit, and then run:

rabbitmq-java-client# SSL_CERTS_DIR=/home/ PASSWORD=MySecretPassword ant test-ssl

where MySecretPassword is the password to the pkcs#12 file, and under
/home/ you have the client and server dirs as you seem to have, that
should give us some idea of whether it's a client or server issue - you
should, everything being well, get something like:


     [exec] Certificate was added to keystore
     [exec] Certificate was added to keystore

    [junit] Running com.rabbitmq.client.test.ssl.SSLTests
    [junit] Tests run: 3, Failures: 0, Errors: 0, Time elapsed: 1.166 sec

   [delete] Deleting: /tmp/tmp.hIOPseDjbs
   [delete] Deleting: /tmp/tmp.kfgI0FVTd6

You need the SSL_CERTS_DIR and PASSWORD env vars, otherwise the SSL
tests won't run. They will use the certs in /home/client

They should all work with verify_code set to 1 in the server - that's
how we run them as we deliberately have some negative tests to ensure
that the connection fails if the server asks for a certificate and the
client doesn't present one - so if you have verify_code set to 0, then
you will probably see one test fail as in that case, a connection can be
established when we were expecting it to fail.

If those won't work for you, I'd recommend you see if you can get hold
of a more recent version of Erlang - I certainly test the SSL support
with R13B02 frequently and it seems pretty reliable. That said, the
Erlang AMQP client is still not officially released and I suspect the
SSL code paths there get slightly less action. However, I've just
grabbed the latest version of the Erlang client default branch and run
the SSL tests (Don't have RabbitMQ running already. For these tests, I'm
reasonably sure you'll not only need to have compiled RabbitMQ yourself,
but also have the rabbitmq-server and rabbitmq-erlang-client directories
as siblings - the client tests will attempt to start up the broker

rabbitmq-erlang-client# SSL_CERTS_DIR=/home/ make test_ssl

(PASSWORD isn't needed because neither the Erlang client nor server use
the pkcs#12 files), and all the tests pass for me on R13B02, so it may
very well be you're hitting a bug in R12B5's SSL module. I've also just
checked and realised that the tests in the Erlang client use the
new-style SSL module args, so you'll need to edit common.mk in the
Erlang client, and replace the
"{verify,verify_peer},{fail_if_no_peer_cert,true}" text with
"{verify_code,2}" to get the same behaviour.

Please let us know how you get on.


More information about the rabbitmq-discuss mailing list