[rabbitmq-discuss] Client connection to ssl rabbitMQ is very slow
Rabbit001
rcrespopanizo at gmail.com
Thu Apr 12 08:33:02 BST 2012
I'm confused; with your instructions my client agent displays these messages in
SSL debug mode:
trigger seeding of SecureRandom
done seeding SecureRandom
Allow unsafe renegotiation: false
Allow legacy hello messages: true
Is initial handshake: true
Is secure renegotiation: false
main, setSoTimeout(10000) called
%% No cached client session
*** ClientHello, TLSv1
RandomCookie: GMT: 1317372735 bytes = { 76, 106, 8, 15, 157, 169, 170, 81,
26, 139, 188, 38, 162, 78, 118, 72, 247, 33, 111, 100, 141, 102, 119, 16,
87, 139, 107, 190 }
Session ID: {}
Cipher Suites: [SSL_RSA_WITH_RC4_128_MD5, SSL_RSA_WITH_RC4_128_SHA,
TLS_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_RSA_WITH_AES_128_CBC_SHA,
TLS_DHE_DSS_WITH_AES_128_CBC_SHA, SSL_RSA_WITH_3DES_EDE_CBC_SHA,
SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA,
SSL_RSA_WITH_DES_CBC_SHA, SSL_DHE_RSA_WITH_DES_CBC_SHA,
SSL_DHE_DSS_WITH_DES_CBC_SHA, SSL_RSA_EXPORT_WITH_RC4_40_MD5,
SSL_RSA_EXPORT_WITH_DES40_CBC_SHA, SSL_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA,
SSL_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA, TLS_EMPTY_RENEGOTIATION_INFO_SCSV]
Compression Methods: { 0 }
***
main, WRITE: TLSv1 Handshake, length = 75
main, WRITE: SSLv2 client hello message, length = 101
main, READ: TLSv1 Handshake, length = 74
*** ServerHello, TLSv1
RandomCookie: GMT: 1317372729 bytes = { 156, 148, 232, 187, 191, 145, 24,
28, 51, 155, 203, 236, 126, 135, 166, 157, 173, 90, 220, 10, 160, 177, 84,
67, 152, 90, 78, 194 }
Session ID: {37, 88, 220, 40, 149, 121, 218, 58, 162, 191, 87, 212, 201,
16, 131, 216, 98, 63, 205, 168, 46, 58, 53, 213, 238, 228, 205, 71, 4, 245,
227, 129}
Cipher Suite: SSL_RSA_WITH_RC4_128_MD5
Compression Method: 0
***
Warning: No renegotiation indication extension in ServerHello
%% Created: [Session-1, SSL_RSA_WITH_RC4_128_MD5]
** SSL_RSA_WITH_RC4_128_MD5
main, READ: TLSv1 Handshake, length = 1474
*** Certificate chain
chain [0] = [
[
Version: V3
Subject: O=server, CN=MdpQueue
Signature Algorithm: SHA1withRSA, OID = 1.2.840.113549.1.1.5
Key: Sun RSA public key, 2048 bits
modulus:
24334987968930982943981825187475436299008497607561573573631523764564684548469811266648724448544625619306915448884829059653148026682713134819159622851610665802136344975591672757687667031687154387433867924238004953412446642508173836476637867784982543240635609951624723163538133830316073386671198648519063730784583506433654210317223494465395785490801263975472397303659595998370054145999922092449831111420053502703651377024865842207190113400021631570198643096824223092956683480679689104179006662881694541917547715526331703763768468498407847738764426243314732078926021142975650072247517108406152577606651997494500325440503
public exponent: 65537
Validity: [From: Mon Apr 02 09:07:49 CEST 2012,
To: Tue Apr 02 09:07:49 CEST 2013]
Issuer: CN=rabbitMQCa
SerialNumber: [ 01]
Certificate Extensions: 3
[1]: ObjectId: 2.5.29.37 Criticality=false
ExtendedKeyUsages [
serverAuth
]
[2]: ObjectId: 2.5.29.15 Criticality=false
KeyUsage [
Key_Encipherment
]
[3]: ObjectId: 2.5.29.19 Criticality=false
BasicConstraints:[
CA:false
PathLen: undefined
]
]
Algorithm: [SHA1withRSA]
Signature:
]
chain [1] = [
[
Version: V3
Subject: CN=rabbitMQCa
Signature Algorithm: SHA1withRSA, OID = 1.2.840.113549.1.1.5
Key: Sun RSA public key, 2048 bits
modulus:
18248746087467252200944236832325278424669636151934770607412859044474223256189932855084016557855926613771028068656808036187947675937254796758195884535556914971667322865350982711031725796002558363209549109860397534076839586787095955246512345600254524286338875779345081458059658636195587370951763953299337439192950834178442581857332221418797812357302842100055837043461572333613052191364110791214387914869357781679072330997864692304194270929303923018766081122118475979404194228545380152289084703482584350985406029286974099362125142672271699924650060974298570867776059293459310888926049474632091997882856434952322556490083
public exponent: 65537
Validity: [From: Mon Apr 02 09:02:32 CEST 2012,
To: Tue Apr 02 09:02:32 CEST 2013]
Issuer: CN=rabbitMQCa
SerialNumber: [ a653d3dc a21770c5]
Certificate Extensions: 2
[1]: ObjectId: 2.5.29.15 Criticality=false
KeyUsage [
Key_CertSign
Crl_Sign
]
[2]: ObjectId: 2.5.29.19 Criticality=false
BasicConstraints:[
CA:true
PathLen:2147483647
]
]
Algorithm: [SHA1withRSA]
Signature:
]
***
main, READ: TLSv1 Handshake, length = 8
*** CertificateRequest
Cert Types: RSA
Cert Authorities:
main, READ: TLSv1 Handshake, length = 4
*** ServerHelloDone
*** Certificate chain
***
*** ClientKeyExchange, RSA PreMasterSecret, TLSv1
main, WRITE: TLSv1 Handshake, length = 269
... no IV used for this cipher
main, WRITE: TLSv1 Change Cipher Spec, length = 1
*** Finished
verify_data: { 57, 44, 198, 169, 225, 7, 158, 86, 155, 62, 36, 88 }
***
main, WRITE: TLSv1 Handshake, length = 32
main, READ: TLSv1 Change Cipher Spec, length = 1
main, READ: TLSv1 Handshake, length = 32
*** Finished
verify_data: { 162, 42, 28, 39, 215, 24, 120, 234, 180, 131, 242, 240 }
***
%% Cached client session: [Session-1, SSL_RSA_WITH_RC4_128_MD5]
main, WRITE: TLSv1 Application Data, length = 24
AMQP Connection 172.30.34.11:5671, READ: TLSv1 Application Data, length =
351
main, WRITE: TLSv1 Application Data, length = 343
AMQP Connection 172.30.34.11:5671, READ: TLSv1 Application Data, length = 36
main, setSoTimeout(0) called
main, WRITE: TLSv1 Application Data, length = 36
main, WRITE: TLSv1 Application Data, length = 32
AMQP Connection 172.30.34.11:5671, READ: TLSv1 Application Data, length = 29
main, WRITE: TLSv1 Application Data, length = 29
AMQP Connection 172.30.34.11:5671, READ: TLSv1 Application Data, length = 32
main, WRITE: TLSv1 Application Data, length = 39
main, WRITE: TLSv1 Application Data, length = 38
main, WRITE: TLSv1 Application Data, length = 36
Tiempo: (1) 5246
Tiempo: (2) 24
Tiempo: (3) 4
main, WRITE: TLSv1 Application Data, length = 37
AMQP Connection 172.30.34.11:5671, READ: TLSv1 Application Data, length = 28
main, WRITE: TLSv1 Application Data, length = 37
AMQP Connection 172.30.34.11:5671, READ: TLSv1 Application Data, length = 28
AMQP Connection 172.30.34.11:5671, called close()
main, called close()
main, called closeInternal(true)
AMQP Connection 172.30.34.11:5671, called closeInternal(true)
main, SEND TLSv1 ALERT: warning, description = close_notify
main, WRITE: TLSv1 Alert, length = 18
AMQP Connection 172.30.34.11:5671, close invoked again; state = 7
AMQP Connection 172.30.34.11:5671, after primary close; state = 7
The connection has been established over SSL_RSA_WITH_RC4_128_MD5, but the
response time before the connection was established was "Tiempo: (1)
5246" (milliseconds). It's not acceptable. My client agent code is:
import com.rabbitmq.client.*;

public class RabbitMQSSLSample {
    public static void main(String[] args) throws Exception {
        // Print the JSSE handshake trace shown above
        System.setProperty("javax.net.debug", "ssl");

        ConnectionFactory factory = new ConnectionFactory();
        factory.setHost("172.30.34.11");
        factory.setPort(5671);
        factory.setVirtualHost("/");
        // Tells the library to set up the default Key and Trust managers for you,
        // which do not do any form of remote server trust verification
        factory.useSslProtocol("TLS");

        long time1 = System.currentTimeMillis(); // before TCP connect + TLS handshake
        Connection conn = factory.newConnection();
        long time2 = System.currentTimeMillis(); // before channel creation
        Channel channel = conn.createChannel();
        long time3 = System.currentTimeMillis(); // before publish

        // non-durable, exclusive, auto-delete queue
        // channel.queueDeclare("sample", false, true, true, null);
        channel.basicPublish("", "sample", null, "Hello, World".getBytes());
        /*
         * GetResponse chResponse = channel.basicGet("sample", false);
         * if(chResponse == null) { System.out.println("No message retrieved");
         * } else { byte[] body = chResponse.getBody();
         * channel.basicAck(chResponse.getEnvelope().getDeliveryTag(), false);
         * System.out.println("Recieved: " + new String(body)); }
         */

        // All three timers are read after basicPublish, so (1) covers
        // connect + channel creation + publish, (2) channel creation + publish,
        // and (3) the publish alone.
        System.out.println(" Tiempo: (1) "
                + (System.currentTimeMillis() - time1));
        System.out.println(" Tiempo: (2) "
                + (System.currentTimeMillis() - time2));
        System.out.println(" Tiempo: (3) "
                + (System.currentTimeMillis() - time3));

        channel.close();
        conn.close();
    }
}
Thanks again for your help,
Best Regards,
Carl Hörberg wrote:
>
> hum.. the client seems to support rsa aes 128 sha, but try to add some
> more like:
>
> {ciphers,[{rsa,aes_128_cbc,sha},{rsa,rc4_128,md5},{rsa,rc4_128,sha}]}
>
>
> On Tue, Apr 10, 2012 at 12:35, Emile Joubert <emile at rabbitmq.com> wrote:
>> Hi,
>>
>> On 09/04/12 08:23, Rabbit001 wrote:
>>> I follow your instructions and I've modified rabbitmq.config and put
>>> {ciphers,[{rsa,aes_128_cbc,sha}]}. The server starts correctly but my
>>> client
>>> display this error,
>>
>> The broker will stand a better chance of being able to negotiate a
>> cipher with the client if it offers more than one. Select some more from
>> the supported broker ciphers (reported by ssl:cipher_suites/0), avoiding
>> slow ones (like triple DES) and including at least one that is
>> compatible with your client.
>>
>>
>> -Emile
>>
>> _______________________________________________
>> rabbitmq-discuss mailing list
>> rabbitmq-discuss at lists.rabbitmq.com
>> https://lists.rabbitmq.com/cgi-bin/mailman/listinfo/rabbitmq-discuss
--
View this message in context: http://old.nabble.com/Client-connection-to-ssl-rabbitMQ-is-very-slow-tp33544994p33673563.html
Sent from the RabbitMQ mailing list archive at Nabble.com.
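
Added example (not part of the original post or of RabbitMQ's code): a Python check that reads javax.net.debug=ssl output like the trace above, extracts the suites the client offered and the one the broker selected, and flags suite names containing RC4, MD5, DES, 3DES, EXPORT, NULL or anon. The log excerpt is constructed in the post's format; the function names and the token list are assumptions of this example, and an unflagged suite is only one that matched none of those tokens.

```python
import re

# Constructed sample: abbreviated lines in the javax.net.debug=ssl format from the post.
SAMPLE_LOG = """\
*** ClientHello, TLSv1
Session ID: {}
Cipher Suites: [SSL_RSA_WITH_RC4_128_MD5, SSL_RSA_WITH_RC4_128_SHA,
TLS_RSA_WITH_AES_128_CBC_SHA, SSL_RSA_WITH_3DES_EDE_CBC_SHA,
SSL_RSA_EXPORT_WITH_RC4_40_MD5, TLS_EMPTY_RENEGOTIATION_INFO_SCSV]
Compression Methods: { 0 }
***
*** ServerHello, TLSv1
Cipher Suite: SSL_RSA_WITH_RC4_128_MD5
Compression Method: 0
***
"""

# Name tokens that mark a suite as weak (assumed list); matched on "_"-separated parts.
WEAK_TOKENS = {"RC4": "RC4 stream cipher", "MD5": "MD5 MAC", "DES": "single DES",
               "DES40": "40-bit DES", "3DES": "triple DES",
               "EXPORT": "export-grade key", "NULL": "no encryption",
               "anon": "unauthenticated key exchange"}

def weaknesses(suite):
    """Return the weak properties named in a JSSE cipher suite identifier."""
    parts = suite.split("_")
    return [why for tok, why in WEAK_TOKENS.items() if tok in parts]

def parse_handshake(log):
    """Extract (offered suites, negotiated suite) from javax.net.debug=ssl output."""
    offered_m = re.search(r"Cipher Suites:\s*\[(.*?)\]", log, re.S)
    chosen_m = re.search(r"^\s*Cipher Suite:\s*(\S+)", log, re.M)
    offered = [s.strip() for s in offered_m.group(1).split(",")] if offered_m else []
    return offered, (chosen_m.group(1) if chosen_m else None)

def audit(log):
    """Summarise the negotiated suite and which client offers were flagged."""
    offered, chosen = parse_handshake(log)
    real = [s for s in offered if not s.endswith("_SCSV")]  # SCSV is a signal, not a cipher
    return {
        "negotiated": chosen,
        "negotiated_weak": weaknesses(chosen) if chosen else [],
        "weak_offers": {s: weaknesses(s) for s in real if weaknesses(s)},
        "unflagged_offers": [s for s in real if not weaknesses(s)],
    }
```

Calling audit() on a full trace shows whether the broker picked a flagged suite while the client also offered an unflagged one, which is the case the broker's ciphers list discussed in this thread controls.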