[rabbitmq-discuss] RES: RES: [Rabbit + SSL connection] AMQP closed ?? Is it normal?
Rodrigo Pimenta Carvalho
pimenta at inatel.br
Tue Jul 1 22:22:03 BST 2014
Hi Michael.
The exact command I have used is:
--------------------------------------------
openssl s_client -connect localhost:5671 -cert client/cert.pem -key client/key.pem -CAfile testca/cacert.pem
The exact result is:
----------------------
Loading 'screen' into random state - done
CONNECTED(000001BC)
depth=1 CN = MyTestCA
verify return:1
depth=0 CN = ICCSW-109, O = server
verify return:1
---
Certificate chain
0 s:/CN=ICCSW-109/O=server
i:/CN=MyTestCA
1 s:/CN=MyTestCA
i:/CN=MyTestCA
---
Server certificate
subject=/CN=ICCSW-109/O=server
issuer=/CN=MyTestCA
---
Acceptable client certificate CA names
/CN=MyTestCA
---
SSL handshake has read 1728 bytes and written 2420 bytes
---
New, TLSv1/SSLv3, Cipher is AES256-SHA256
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
Protocol : TLSv1.2
Cipher : AES256-SHA256
Session-ID: 75DAF625DC4A8458E7B539A5430C13F8602304D1B841476ED04214ECDFB48CCC
Session-ID-ctx:
Master-Key: 01909073E5427FB2D81F0438F26A8EF64857BF08713DCE004C6E556D39FA565995716817C3A4EDA7D7FC861B0CFDFA2E
Key-Arg : None
PSK identity: None
PSK identity hint: None
SRP username: None
Start Time: 1404247934
Timeout : 300 (sec)
Verify return code: 0 (ok)
---
closed // closed after 10 seconds. And according to you, in an earlier email, it is ok.
Two terminals mean two prompts for commands, where I had tested keys and certificates with OpenSSL, exactly how it is explained in the RabbitMQ SSL Troubleshooting web page. All is ok here too. I'm using Windows 7.
My RabbitMQ java client is:
----------------------------------
import java.io.FileInputStream;
import java.io.IOException;
import java.security.KeyManagementException;
import java.security.KeyStore;
import java.security.KeyStoreException;
import java.security.NoSuchAlgorithmException;
import java.security.UnrecoverableKeyException;
import java.security.cert.CertificateException;

import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManagerFactory;

import com.rabbitmq.client.Channel;
import com.rabbitmq.client.Connection;
import com.rabbitmq.client.ConnectionFactory;
import com.rabbitmq.client.MessageProperties;

public class Send_Hello {
    private final static String QUEUE_NAME = "task_queue_r";

    /**
     * @param args
     * @throws IOException
     */
    public static void main(String[] args) throws IOException {
        try {
            // Client identity: PKCS12 store with the private key and certificate
            char[] keyPassphrase = "XXXclp".toCharArray();
            KeyStore ks = KeyStore.getInstance("PKCS12");
            ks.load(new FileInputStream("E:\\path\\certificadosB\\server\\keycert.p12"), keyPassphrase);
            KeyManagerFactory kmf = KeyManagerFactory.getInstance("SunX509");
            kmf.init(ks, keyPassphrase);

            // Trust store: JKS containing the test CA certificate
            char[] trustPassphrase = "XXXVVclp".toCharArray();
            KeyStore tks = KeyStore.getInstance("JKS");
            tks.load(new FileInputStream("E:\\path\\certificadosB\\server\\rabbitstore"), trustPassphrase);
            TrustManagerFactory tmf = TrustManagerFactory.getInstance("SunX509");
            tmf.init(tks);

            // SSL context built from the key managers and trust managers above
            SSLContext c = SSLContext.getInstance("SSLv3");
            c.init(kmf.getKeyManagers(), tmf.getTrustManagers(), null);

            ConnectionFactory factory = new ConnectionFactory(); // the exception rises here.
            factory.setHost("localhost");
            factory.setUsername("pimenta"); // pimenta is an administrator.
            factory.setPassword("pimenta");
            factory.setPort(5671);
            factory.useSslProtocol(c);

            Connection connection = factory.newConnection();
            Channel channel = connection.createChannel();

            boolean durable = true;
            channel.queueDeclare(QUEUE_NAME, durable, false, false, null);
            String message = "Hello World.";
            channel.basicPublish("", QUEUE_NAME, MessageProperties.PERSISTENT_TEXT_PLAIN, message.getBytes());
            System.out.println(" [x] Sent '" + message + "'");

            channel.close();
            connection.close();
        } catch (KeyStoreException | NoSuchAlgorithmException | CertificateException
                 | UnrecoverableKeyException | KeyManagementException e) {
            // Keystore loading or SSL context initialisation failed
            e.printStackTrace();
        }
    }
}
The output of this code is:
-------------------------------------
Exception in thread "main" java.net.SocketException: Software caused connection abort: recv failed
at java.net.SocketInputStream.socketRead0(Native Method)
at java.net.SocketInputStream.read(Unknown Source)
at java.net.SocketInputStream.read(Unknown Source)
at sun.security.ssl.InputRecord.readFully(Unknown Source)
at sun.security.ssl.InputRecord.read(Unknown Source)
at sun.security.ssl.SSLSocketImpl.readRecord(Unknown Source)
at sun.security.ssl.SSLSocketImpl.performInitialHandshake(Unknown Source)
at sun.security.ssl.SSLSocketImpl.writeRecord(Unknown Source)
at sun.security.ssl.AppOutputStream.write(Unknown Source)
at java.io.BufferedOutputStream.flushBuffer(Unknown Source)
at java.io.BufferedOutputStream.flush(Unknown Source)
at java.io.DataOutputStream.flush(Unknown Source)
at com.rabbitmq.client.impl.SocketFrameHandler.sendHeader(SocketFrameHandler.java:129)
at com.rabbitmq.client.impl.SocketFrameHandler.sendHeader(SocketFrameHandler.java:134)
at com.rabbitmq.client.impl.AMQConnection.start(AMQConnection.java:276)
at com.rabbitmq.client.ConnectionFactory.newConnection(ConnectionFactory.java:590)
at com.rabbitmq.client.ConnectionFactory.newConnection(ConnectionFactory.java:612)
at br.inatel.icc.prototypeRabbitMQ.Send_Hello.main(Send_Hello.java:81)
In the log I have:
-----------------------------------------------------------------------------
=INFO REPORT==== 1-Jul-2014::18:14:02 ===
accepting AMQP connection <0.361.0> (127.0.0.1:56445 -> 127.0.0.1:5671)
=ERROR REPORT==== 1-Jul-2014::18:14:02 ===
SSL: certify: ssl_handshake.erl:1358:Fatal error: handshake failure
=ERROR REPORT==== 1-Jul-2014::18:14:07 ===
error on AMQP connection <0.361.0>:
{ssl_upgrade_error,{tls_alert,"handshake failure"}}
In the config file I have
-----------------------------------
{ssl_listeners, [5671]},
{ssl_options, [{cacertfile, "E:/path/certificadosB/testca/cacert.pem"},
{certfile, "E:/path/certificadosB/server/cert.pem"},
{keyfile, "E:/path/certificadosB/server/key.pem"},
{verify, verify_peer},
{fail_if_no_peer_cert, false}]}
Would you like to see my key, certificates and CA certificate file? Could I send it attached in a next message?
Thank you very much for your effort in helping!!
BR,
RODRIGO PIMENTA CARVALHO
Inatel Competence Center
Software
Ph: +55 35 3471 9979 (Brasil)
________________________________________
From: Michael Klishin [mklishin at gopivotal.com]
Sent: Tuesday, 1 July 2014 17:31
To: Rodrigo Pimenta Carvalho; Legacy list about RabbitMQ
Subject: Re: [rabbitmq-discuss] RES: [Rabbit + SSL connection] AMQP closed ?? Is it normal?
On 2 July 2014 at 00:23:05, Rodrigo Pimenta Carvalho (pimenta at inatel.br) wrote:
> So, now my unique problem is what happens when I use a RabbitMQ
> client. It is:
>
> 4. =ERROR REPORT==== 27-Jun-2014::13:44:56 ===
> 5. SSL: certify: ssl_handshake.erl:1358:Fatal error: handshake failure
> 6.
> 7. =ERROR REPORT==== 27-Jun-2014::13:45:01 ===
> 8. error on AMQP connection <0.301.0>:
> 9. {ssl_upgrade_error,{tls_alert,"handshake failure"}}
This is a very generic error. Please post the code you use and s_client output
(and the exact command you run).
In an earlier email you say
"- Keys and certificates with OpenSSL is OK! The certificates and keys can be used to establish a secure link by connecting two terminals. "
I'm not sure what "two terminals" means. You need to use s_client with RabbitMQ server,
not openssl s_server, for example.
--
MK
Staff Software Engineer, Pivotal/RabbitMQ
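The broker log quoted in this thread is the only place that ties the TLS failure to a client address: the "SSL: certify" report carries no connection id, but the "accepting AMQP connection" and "error on AMQP connection" reports share the same Erlang pid. The script below is an added example, not code from the thread or from RabbitMQ; it parses that report format and correlates the two by pid. The sample log is constructed (the pid and addresses come from the post above, the second successful connection is made up).

```python
import re

# Constructed sample in the Erlang/RabbitMQ report format quoted in the thread
SAMPLE_LOG = """\
=INFO REPORT==== 1-Jul-2014::18:14:02 ===
accepting AMQP connection <0.361.0> (127.0.0.1:56445 -> 127.0.0.1:5671)

=ERROR REPORT==== 1-Jul-2014::18:14:02 ===
SSL: certify: ssl_handshake.erl:1358:Fatal error: handshake failure

=ERROR REPORT==== 1-Jul-2014::18:14:07 ===
error on AMQP connection <0.361.0>:
{ssl_upgrade_error,{tls_alert,"handshake failure"}}

=INFO REPORT==== 1-Jul-2014::18:20:11 ===
accepting AMQP connection <0.402.0> (127.0.0.1:56470 -> 127.0.0.1:5671)
"""

REPORT_HDR = re.compile(r"^=(?P<level>[A-Z]+) REPORT==== (?P<ts>.+?) ===$")
ACCEPT = re.compile(r"accepting AMQP connection <(?P<pid>[\d.]+)> \((?P<src>[\d.]+:\d+) -> (?P<dst>[\d.]+:\d+)\)")
CONN_ERR = re.compile(r"error on AMQP connection <(?P<pid>[\d.]+)>:")
TLS_ALERT = re.compile(r'\{ssl_upgrade_error,\{tls_alert,"(?P<alert>[^"]+)"\}\}')

def parse_reports(text):
    """Split a RabbitMQ log into reports: one '=LEVEL REPORT==== ts ===' header plus its body lines."""
    reports = []
    for line in text.splitlines():
        m = REPORT_HDR.match(line)
        if m:
            reports.append({"level": m["level"], "ts": m["ts"], "body": []})
        elif line.strip() and reports:
            reports[-1]["body"].append(line)
    return reports

def tls_handshake_failures(text):
    """Return one record per TLS upgrade failure, joined to the accepting report by Erlang pid."""
    peers = {}      # connection pid -> client address seen in 'accepting AMQP connection'
    failures = []
    for rep in parse_reports(text):
        body = "\n".join(rep["body"])
        a = ACCEPT.search(body)
        if a:
            peers[a["pid"]] = a["src"]
            continue
        e = CONN_ERR.search(body)
        t = TLS_ALERT.search(body)
        if e and t:     # the 'SSL: certify' report has no pid, so only this pair correlates
            failures.append({"pid": e["pid"], "peer": peers.get(e["pid"], "unknown"),
                             "alert": t["alert"], "ts": rep["ts"]})
    return failures
```

For the sample above this yields a single failure record for pid 0.361.0 from 127.0.0.1:56445 with alert "handshake failure"; the second connection produces no record because it never logged an ssl_upgrade_error.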