[rabbitmq-discuss] Create an encrypted SSL connection without having to verify certificate

Ankur5 C ankur5.c at tcs.com
Thu Jul 31 06:59:19 BST 2014


Apologies.

Will do that for sure. Currently there are some technical issues, and I am
getting some messages that there are some request processing issues.

Would request you to please let me know how one can instruct RabbitMQ not
to verify the peer and use the one that connects without validating certificates?

My config file:

[{rabbit, [{tcp_listeners, [5672]},
           {ssl_listeners, [5671]},
           {ssl_options, [{cacertfile, "/etc/rabbitmq/testca/cacert.pem"},
                          {certfile,   "/etc/rabbitmq/server/cert.pem"},
                          {keyfile,    "/etc/rabbitmq/server/key.pem"},
                          {verify,     verify_none},
                          {fail_if_no_peer_cert, false}]}]}
].

I have already mentioned verify_none.
Restarted the server, but nothing happened. Still getting some SSL upgrade
error.

Thanks and Regards,
Ankur Chakraborty



From:   Michael Klishin <mklishin at pivotal.io>
To:     Ankur5 C <ankur5.c at tcs.com>
Cc:     Legacy list about RabbitMQ <rabbitmq-discuss at lists.rabbitmq.com>
Date:   31-07-2014 11:12
Subject:        Re: Create an encrypted SSL connection without having to verify certificate



On 31 July 2014 at 09:33:17, Ankur5 C (ankur5.c at tcs.com) wrote:
> The example given in https://www.rabbitmq.com/ssl.html for
> connecting a TLS port 5671 is not working.
> 
> Exception:
> accepting AMQP connection <0.231.0> (192.168.161.171:65208 
> -> 192.168.161.197:5671)
> =ERROR REPORT==== 30-Jul-2014::17:53:07 
> error on AMQP connection <0.231.0>:
> {ssl_upgrade_error,timeout}
> 
> In one of the solutions you said "somehow end up connecting with
> a non-TLS client on the TLS port."

It is not a solution, it is the problem. A client connects to RabbitMQ on
port 5671, RabbitMQ expects the client to perform a TLS upgrade (this is
the default TLS connections port) but the client is not instructed to do it,
so it never does. After waiting for some time, RabbitMQ declares that
TLS upgrade has timed out and drops the TCP connection.

> So the example in https://www.rabbitmq.com/ssl.html for "Connecting
> without validating certificates", what is that? Is it a non-TLS
> client? How to make it TLS?

It demonstrates how to make the Java client use TLS connections, yes.

> I simply need to execute the java code right ? Or something more 
> I have to do?
> 
> Please suggest how to resolve this.

The "Connecting without validating certificates"
example on https://www.rabbitmq.com/ssl.html demonstrates the bare
minimum you have to do but because you instructed RabbitMQ to perform
peer verification, you need to use the second example,
"Presenting and validating certificates".

The guide at https://www.rabbitmq.com/ssl.html goes into a lot of detail
on every step you need to take to connect with TLS encryption from Java.

You can generate a bunch of certificates (including PKCS12 certificates used
by JDK's keytool) using tls-gen:
https://github.com/michaelklishin/tls-gen/

Unless a new thread is started (I've asked you to do so twice)
and you post your actual code, I'll refrain from replying to this thread.
-- 
MK 

Staff Software Engineer, Pivotal/RabbitMQ
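An added example, not from the thread, the RabbitMQ docs or tls-gen, showing the two Java client setups Michael contrasts: the bare-minimum TLS connection that skips certificate validation (which is what makes the ssl_upgrade_error timeout go away) and the validating one that presents a client certificate and checks the broker's certificate against the CA. The host, port, file names and passwords are assumptions for this example.

```java
import com.rabbitmq.client.Connection;
import com.rabbitmq.client.ConnectionFactory;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManagerFactory;
import java.io.FileInputStream;
import java.security.KeyStore;

public class TlsConnect {
    // Assumed values: broker IP taken from the log excerpt, TLS port from the posted config.
    static final String HOST = "192.168.161.197";
    static final int TLS_PORT = 5671;
    // Bare minimum ("Connecting without validating certificates"): the client now performs the
    // TLS upgrade on 5671, but the broker's certificate is never checked, so it can be impersonated.
    static Connection connectWithoutValidation() throws Exception {
        ConnectionFactory factory = new ConnectionFactory();
        factory.setHost(HOST);
        factory.setPort(TLS_PORT);
        factory.useSslProtocol();   // trust-all SSLContext; lab use only
        return factory.newConnection();
    }
    // Recommended ("Presenting and validating certificates"): client cert from a PKCS12
    // bundle (as tls-gen produces) plus a JKS trust store holding the CA certificate.
    static Connection connectWithValidation(String clientP12, char[] p12Pass,
                                            String trustJks, char[] trustPass) throws Exception {
        KeyStore clientKeys = KeyStore.getInstance("PKCS12");
        try (FileInputStream in = new FileInputStream(clientP12)) { clientKeys.load(in, p12Pass); }
        KeyManagerFactory kmf = KeyManagerFactory.getInstance("SunX509");
        kmf.init(clientKeys, p12Pass);
        KeyStore trusted = KeyStore.getInstance("JKS");
        try (FileInputStream in = new FileInputStream(trustJks)) { trusted.load(in, trustPass); }
        TrustManagerFactory tmf = TrustManagerFactory.getInstance("SunX509");
        tmf.init(trusted);   // only chains ending in the imported CA are accepted
        SSLContext ctx = SSLContext.getInstance("TLSv1.2");
        ctx.init(kmf.getKeyManagers(), tmf.getTrustManagers(), null);
        ConnectionFactory factory = new ConnectionFactory();
        factory.setHost(HOST);
        factory.setPort(TLS_PORT);
        factory.useSslProtocol(ctx);   // handshake fails if the broker cert is not signed by the CA
        return factory.newConnection();
    }
    public static void main(String[] args) throws Exception {
        Connection conn = connectWithValidation("client.p12", "changeit".toCharArray(),
                                                "truststore.jks", "changeit".toCharArray());
        try { System.out.println("TLS connection established to " + conn.getAddress()); }
        finally { conn.close(); }
    }
}
```

With the posted broker config (verify_none), either method completes the handshake; switching the broker to verify_peer with fail_if_no_peer_cert set to true makes only the validating client acceptable.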


