[rabbitmq-discuss] sslv3 alert handshake failure for TLS Web Server certificates

Nathaniel Haggard natester at gmail.com
Tue Oct 25 17:52:20 BST 2011


On Mon, Oct 24, 2011 at 5:36 PM, Alexandru Scvorţov
<alexandru at rabbitmq.com> wrote:
> Hi Nate,
>
>> A certificate with X509v3 Extended Key Usage of "TLS Web Client
>> Authentication" will connect to our rabbitmq-2.4.1 server, but a
>> certificate with "TLS Web Server Authentication" will not.
>
> The broker does not and, to the extent of my knowledge, never did
> inspect those fields in the certificate.  It normally relies on the
> Erlang's interpretation of a valid certificate (configured via the
> verify and fail_if_no_peer_cert options in rabbitmq.config).
>
> So, are you using the same version of Erlang in both tests?

Yes.

> What's the
> error in the 2.4.1 broker's log for the failed connection attempt?

=INFO REPORT==== 25-Oct-2011::16:30:06 ===
accepted TCP connection on 0.0.0.0:5671 from 127.0.0.1:50640

=INFO REPORT==== 25-Oct-2011::16:30:06 ===
starting TCP connection <0.20472.193> from 127.0.0.1:50640

=ERROR REPORT==== 25-Oct-2011::16:30:06 ===
SSL: certify_certificate: ./ssl_handshake.erl:566:Fatal error: handshake failure

=ERROR REPORT==== 25-Oct-2011::16:30:06 ===
error on TCP connection <0.20472.193>:{ssl_upgrade_error,esslaccept}

=INFO REPORT==== 25-Oct-2011::16:30:06 ===
closing TCP connection <0.20472.193>
>
>> Is there a configuration option to accept  "TLS Web Server
>> Authentication" certificates in rabbitmq-2.4.1?
>
> As previously mentioned, RabbitMQ doesn't care about those fields.
> AFAIK, Erlang doesn't either, so something else may be happening.

The tests I do go like this:

1. openssl s_client -host 127.0.0.1 -port 5671 -key keys/serverlike.key -cert keys/serverlike.crt
2. openssl s_client -host 127.0.0.1 -port 5671 -key keys/clientlike.key -cert keys/clientlike.crt
3. openssl s_client -host myrabbit172 -port 5671 -key keys/serverlike.key -cert keys/serverlike.crt
4. openssl s_client -host myrabbit172 -port 5671 -key keys/clientlike.key -cert keys/clientlike.crt

1 fails and 2 passes on rabbitmq-2.4.1 with erlang R14B03.

3 and 4 pass on rabbitmq-1.7.2 with erlang R13B04.
>
> Cheers,
> Alex
>
> On Mon, Oct 24, 2011 at 05:24:33PM -0600, Nathaniel Haggard wrote:
>> A certificate with X509v3 Extended Key Usage of "TLS Web Client
>> Authentication" will connect to our rabbitmq-2.4.1 server, but a
>> certificate with "TLS Web Server Authentication" will not.
>>
>> It fails like this:
>> $ openssl s_client -host 127.0.0.1 -port 5671 -key my.key -cert my.crt
>> CONNECTED(00000003)
>> depth=1 /C=US/ST=../L=...../O=.../CN=testingCA2/emailAddress=me at myhost.mydomain
>> verify error:num=19:self signed certificate in certificate chain
>> verify return:0
>> 6837:error:14094410:SSL routines:SSL3_READ_BYTES:sslv3 alert handshake
>> failure:s3_pkt.c:1102:SSL alert number 40
>> 6837:error:140790E5:SSL routines:SSL23_WRITE:ssl handshake
>> failure:s23_lib.c:188:
>>
>>
>> However, both types of certificate work with rabbitmq-1.7.2.
>>
>> Is there a configuration option to accept  "TLS Web Server
>> Authentication" certificates in rabbitmq-2.4.1?
>>
>> -Nate
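Added example, not from the thread and not RabbitMQ or Erlang code: a small dependency-free Python checker that reports the X509v3 Extended Key Usage purposes a certificate actually carries, so the two test certificates can be compared directly instead of inferred from s_client's alert. Alex says neither the broker nor Erlang inspects that extension, so a check like this only confirms what each certificate asserts before EKU is ruled in or out as the cause. Everything in the block is assumed: the function names, the DER walker, and the constructed sample blobs, which are minimal stand-ins for a certificate's extensions block, not real certificates; the "serverlike"/"clientlike" labels are reused from the thread only as names.

```python
"""Report the X509v3 Extended Key Usage (EKU) purposes found in a DER blob.

Added example (not from the thread): a dependency-free DER walker so that two
client certificates can be compared without guessing from s_client's output.
"""
import base64
import re

OID_EXT_KEY_USAGE = "2.5.29.37"            # id-ce-extKeyUsage
EKU_NAMES = {                              # the two purposes discussed in the thread
    "1.3.6.1.5.5.7.3.1": "TLS Web Server Authentication",
    "1.3.6.1.5.5.7.3.2": "TLS Web Client Authentication",
}


def pem_to_der(pem_text):
    """Strip the -----BEGIN/END----- armour and base64-decode the body."""
    body = re.sub(r"-----[A-Z ]+-----", "", pem_text)
    return base64.b64decode("".join(body.split()))


def _read_tlv(buf, pos):
    """Return (tag, content, next_pos) for the DER element starting at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                      # long form: low bits give the byte count
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def _iter_tlvs(buf):
    pos = 0
    while pos < len(buf):
        tag, content, pos = _read_tlv(buf, pos)
        yield tag, content


def decode_oid(content):
    """OBJECT IDENTIFIER content bytes -> dotted string (handles multi-byte arcs)."""
    if not content:
        return ""
    arcs, acc = [content[0] // 40, content[0] % 40], 0
    for b in content[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(acc)
            acc = 0
    return ".".join(map(str, arcs))


def eku_purposes(ext_value):
    """ext_value: DER of ExtKeyUsageSyntax ::= SEQUENCE OF OBJECT IDENTIFIER."""
    tag, inner, _ = _read_tlv(ext_value, 0)
    if tag != 0x30:
        raise ValueError("EKU extnValue is not a SEQUENCE")
    oids = [decode_oid(c) for t, c in _iter_tlvs(inner) if t == 0x06]
    return [EKU_NAMES.get(o, o) for o in oids]        # unknown purposes stay dotted


def find_eku(der):
    """Walk any DER structure; return the EKU purposes, or None if no EKU extension."""
    for tag, content in _iter_tlvs(der):
        if tag == 0x30:
            parts = list(_iter_tlvs(content))
            # Extension ::= SEQUENCE { extnID OID, critical BOOLEAN OPTIONAL, extnValue OCTET STRING }
            if parts and parts[0][0] == 0x06 and decode_oid(parts[0][1]) == OID_EXT_KEY_USAGE:
                return eku_purposes(parts[-1][1])
        if tag & 0x20:                     # constructed element: descend into it
            found = find_eku(content)
            if found is not None:
                return found
    return None


def has_client_auth(der):
    """True if the certificate asserts clientAuth, or carries no EKU at all
    (RFC 5280: a missing EKU extension places no restriction on purpose)."""
    purposes = find_eku(der)
    return purposes is None or "TLS Web Client Authentication" in purposes


# --- constructed sample data (not real certificates) -------------------------

def _tlv(tag, content):
    assert len(content) < 128              # short-form length suffices for the samples
    return bytes([tag, len(content)]) + content


def _oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    assert all(a < 128 for a in arcs[2:])  # single-byte arcs only (true for the OIDs here)
    return _tlv(0x06, bytes([arcs[0] * 40 + arcs[1]] + arcs[2:]))


def build_sample(*purpose_oids):
    """Minimal stand-in for a tbsCertificate tail: SEQUENCE { [3] Extensions { EKU } }."""
    eku_syntax = _tlv(0x30, b"".join(_oid(o) for o in purpose_oids))
    extension = _tlv(0x30, _oid(OID_EXT_KEY_USAGE) + _tlv(0x04, eku_syntax))
    return _tlv(0x30, _tlv(0xA3, _tlv(0x30, extension)))


if __name__ == "__main__":
    # Constructed blobs standing in for the two kinds of certificate in the thread.
    samples = {"serverlike": build_sample("1.3.6.1.5.5.7.3.1"),
               "clientlike": build_sample("1.3.6.1.5.5.7.3.2")}
    for name, blob in samples.items():
        print(name, find_eku(blob), "client auth:", has_client_auth(blob))
```

To run it against a real file, pass `pem_to_der(open("keys/clientlike.crt").read())` (or the raw bytes of a DER file) to `find_eku`. The walker does no signature or chain validation; it only answers the narrower question of which purposes each certificate asserts, which is the one fact the thread's two `s_client` runs differ on.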