[rabbitmq-discuss] sslv3 alert handshake failure for TLS Web Server certificates

Alexandru Scvorţov alexandru at rabbitmq.com
Tue Oct 25 00:36:32 BST 2011


Hi Nate,

> A certificate with X509v3 Extended Key Usage of "TLS Web Client
> Authentication" will connect to our rabbitmq-2.4.1 server, but a
> certificate with "TLS Web Server Authentication" will not.

The broker does not and, to the extent of my knowledge, never did
inspect those fields in the certificate.  It normally relies on
Erlang's interpretation of a valid certificate (configured via the
verify and fail_if_no_peer_cert options in rabbitmq.config).

So, are you using the same version of Erlang in both tests?  What's the
error in the 2.4.1 broker's log for the failed connection attempt?

> Is there a configuration option to accept  "TLS Web Server
> Authentication" certificates in rabbitmq-2.4.1?

As previously mentioned, RabbitMQ doesn't care about those fields.
AFAIK, Erlang doesn't either, so something else may be happening.

Cheers,
Alex

On Mon, Oct 24, 2011 at 05:24:33PM -0600, Nathaniel Haggard wrote:
> A certificate with X509v3 Extended Key Usage of "TLS Web Client
> Authentication" will connect to our rabbitmq-2.4.1 server, but a
> certificate with "TLS Web Server Authentication" will not.
> 
> It fails like this:
> $ openssl s_client -host 127.0.0.1 -port 5671 -key my.key -cert my.crt
> CONNECTED(00000003)
> depth=1 /C=US/ST=../L=...../O=.../CN=testingCA2/emailAddress=me at myhost.mydomain
> verify error:num=19:self signed certificate in certificate chain
> verify return:0
> 6837:error:14094410:SSL routines:SSL3_READ_BYTES:sslv3 alert handshake
> failure:s3_pkt.c:1102:SSL alert number 40
> 6837:error:140790E5:SSL routines:SSL23_WRITE:ssl handshake
> failure:s23_lib.c:188:
> 
> 
> However, both types of certificate work with rabbitmq-1.7.2.
> 
> Is there a configuration option to accept  "TLS Web Server
> Authentication" certificates in rabbitmq-2.4.1?
> 
> -Nate
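
Added example, not part of the original thread and not the poster's actual configuration: where the verify and fail_if_no_peer_cert options mentioned in the reply sit in rabbitmq.config. The file paths are placeholders; the listener port matches the 5671 used in the s_client command above.

```erlang
%% rabbitmq.config (Erlang-term format). Added example; all paths are placeholders.
[
  {rabbit, [
    {ssl_listeners, [5671]},
    {ssl_options, [
      %% CA certificate(s) used to validate the certificate chain a client presents.
      {cacertfile, "/path/to/testca/cacert.pem"},

      %% The broker's own certificate and private key.
      {certfile,   "/path/to/server/cert.pem"},
      {keyfile,    "/path/to/server/key.pem"},

      %% verify_peer: request a client certificate and validate its chain
      %% against cacertfile using Erlang's certificate validation.
      %% The permissive alternative is {verify, verify_none}: the broker does
      %% not request a client certificate, so nothing about the client is checked.
      {verify, verify_peer},

      %% true:  a client that presents no certificate is rejected.
      %% false: a certificate is optional; it is validated only if presented.
      %% This option only has an effect together with verify_peer.
      {fail_if_no_peer_cert, true}
    ]}
  ]}
].
```

To see which Extended Key Usage a given certificate carries, `openssl x509 -in my.crt -noout -text` prints its X509v3 extensions. The broker must be restarted for changes to rabbitmq.config to take effect.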

