连接到 rabbitmq SSLError: [SSL: SSLV3_ALERT_HANDSHAKE_FAILURE] sslv3 警报握手失败 (_ssl.c:1108)

Question

我正在尝试使用 SSL 连接 rabbitmq，端口 61613 上的加密连接效果很好，但我无法使用 Let's Encrypt 连接到加密端口 61614。

我只需使用以下代码连接到 TLS 61614 rabbitmq stomp：

hostname='rabbitmq.DOMAIN.NAME'
context = ssl.create_default_context(ssl.Purpose.SERVER_AUTH)

with socket.create_connection((hostname, 61614 )) as sock:
    with context.wrap_socket(sock, server_hostname=hostname) as ssock:
        print(ssock.version())

结果：

SSLError: [SSL: SSLV3_ALERT_HANDSHAKE_FAILURE] sslv3 alert handshake failure (_ssl.c:1108)

用 openssl 测试：

openssl s_client -connect rabbitmq.DOMAIN.NAME:61614

有这个结果：

CONNECTED(00000003)
depth=2 O = Digital Signature Trust Co., CN = DST Root CA X3
verify return:1
depth=1 C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3
verify return:1
depth=0 CN = rabbitmq.DOMAIN.NAME
verify return:1
140003270226176:error:14094410:SSL routines:ssl3_read_bytes:sslv3 alert handshake failure:../ssl/record/rec_layer_s3.c:1544:SSL alert number 40
---
Certificate chain
 0 s:CN = rabbitmq.DOMAIN.NAME
   i:C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3
 1 s:C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3
   i:O = Digital Signature Trust Co., CN = DST Root CA X3
---
Server certificate
-----BEGIN CERTIFICATE-----
MIIFXzCCBEegAwIBAgISBNLfEcyZu5MmKWiRqiljwOY5MA0GCSqGSIb3DQEBCwUA
MEoxCzAJBgNVBAYTAlVTMRYwFAYDVQQKEw1MZXQncyBFbmNyeXB0MSMwIQYDVQQD
ExpMZXQncyBFbmNyeXB0IEF1dGhvcml0eSBYMzAeFw0yMDA4MDcwOTA3MTZaFw0y
MDExMDUwOTA3MTZaMB8xHTAbBgNVBAMTFHJhYmJpdG1xLmxhbm9zLmNsb3VkMIIB
.....
GhqnyShKe63Uf/Buxy1gqOpBXRO+Sd8L8ww0IUciamomYoKGkwGkcT6Y+SB+IxCg
pA+3qsUUKjxE2kJ2S+lwsiHxpsHEMyoSXxFnmoELKF3FQEk=
-----END CERTIFICATE-----
subject=CN = rabbitmq.DOMAIN.NAME

issuer=C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3

---
Acceptable client certificate CA names
C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3
CN = ************************
Client Certificate Types: ECDSA sign, RSA sign, DSA sign
Requested Signature Algorithms: ECDSA+SHA512:RSA+SHA512:ECDSA+SHA384:RSA+SHA384:ECDSA+SHA256:RSA+SHA256:ECDSA+SHA224:RSA+SHA224:ECDSA+SHA1:RSA+SHA1:DSA+SHA1
Shared Requested Signature Algorithms: ECDSA+SHA512:RSA+SHA512:ECDSA+SHA384:RSA+SHA384:ECDSA+SHA256:RSA+SHA256:ECDSA+SHA224:RSA+SHA224:ECDSA+SHA1:RSA+SHA1:DSA+SHA1
Peer signing digest: SHA256
Peer signature type: RSA
Server Temp Key: ECDH, P-256, 256 bits
---
SSL handshake has read 3169 bytes and written 460 bytes
Verification: OK
---
New, TLSv1.2, Cipher is ECDHE-RSA-AES256-GCM-SHA384
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES256-GCM-SHA384
    Session-ID: CF1*********************************7415F1B61
    Session-ID-ctx:
    Master-Key: 051*********************************B4
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    Start Time: 1597525241
    Timeout   : 7200 (sec)
    Verify return code: 0 (ok)
    Extended master secret: no
---

有什么解决办法吗？

Answer 1

openssl s_client 的输出显示与 Python 的输出基本相同的错误：

.. ssl3_read_bytes:sslv3 alert handshake failure:../ssl/record/rec_layer_s3.c:1544:SSL alert number 40

但它也表明 TLS 握手的主要部分有效，即它获得了证书、密码等。它还表明服务器似乎要求提供客户端证书：

Acceptable client certificate CA names
C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3
CN = ************************
Client Certificate Types: ECDSA sign, RSA sign, DSA sign

但是您的openssl s_client 和您的 Python 代码都没有提供任何客户端证书。很可能这个丢失的客户端证书是服务器最终放弃导致握手失败的 TLS 握手的原因。

因此，您需要更改不请求客户端证书的服务器配置，或者您需要通过提供预期的证书来匹配服务器对客户端证书的要求 - 不管这是什么（检查您的服务器）。

Answer 2

我只是忘了在 rabbitmq.conf 中添加这一行：

ssl_options.depth  = 2

现在一切都正确分叉了。

感谢您的帮助。