【发布时间】:2017-06-04 18:57:43
【问题描述】:
我正在使用 Windows Server 2012、Erlang 19.2 和 RabbitMq 3.6.6。我在使用 TLS 配置端点之间的连接时遇到问题。我已经尝试了关于 SO 的所有答案,以及所有 RabbitMq 文档 here 和 here。不确定我们做错了什么。
在troubleshooting link here 中,所有测试都通过除了“尝试 SSL 连接到代理”部分。这就是问题所在,我不知道为什么。
当我浏览有关故障排除的文档以查看您是否可以通过端口 8443 上的 SSL 获得对等连接时,它工作正常。然后尝试连接到端口 5671 上的代理失败,说握手错误。
将 RabbitMq 配置文件切换到 8443 没有任何作用,除了让点对点在 5671 上工作而在 8443 上失败。
我的配置文件:
[
{rabbit, [
{ssl_listeners, [5671]},
{ssl_options, [{cacertfile,"C:\\rabbitcerts\\testca\\cacert.pem"},
{certfile,"C:\\rabbitcerts\\server\\cert.pem"},
{keyfile,"C:\\rabbitcerts\\server\\key.pem"},
{depth, 2},
{verify,verify_peer},
{fail_if_no_peer_cert,false}]}
]}
].
运行这个命令:
c:\rabbitcerts>openssl s_client -connect localhost:5671 -cert client/cert.pem -key client/key.pem -CAfile testca/cacert.pem
产生这个错误:
Loading 'screen' into random state - done
CONNECTED(000001BC)
write:errno=10054
并且在日志文件中:
=INFO REPORT==== 19-Jan-2017::16:42:50 ===
Memory limit set to 716MB of 1791MB total.
=INFO REPORT==== 19-Jan-2017::16:42:50 ===
Disk free limit set to 50MB
=INFO REPORT==== 19-Jan-2017::16:42:50 ===
Limiting to approx 8092 file handles (7280 sockets)
=INFO REPORT==== 19-Jan-2017::16:42:50 ===
FHC read buffering: OFF
FHC write buffering: ON
=INFO REPORT==== 19-Jan-2017::16:42:50 ===
Priority queues enabled, real BQ is rabbit_variable_queue
=INFO REPORT==== 19-Jan-2017::16:42:51 ===
Starting rabbit_node_monitor
=INFO REPORT==== 19-Jan-2017::16:42:51 ===
Management plugin: using rates mode 'basic'
=INFO REPORT==== 19-Jan-2017::16:42:51 ===
msg_store_transient: using rabbit_msg_store_ets_index to provide index
=INFO REPORT==== 19-Jan-2017::16:42:51 ===
msg_store_persistent: using rabbit_msg_store_ets_index to provide index
=INFO REPORT==== 19-Jan-2017::16:42:51 ===
started TCP Listener on [::]:5672
=INFO REPORT==== 19-Jan-2017::16:42:51 ===
started TCP Listener on 0.0.0.0:5672
=INFO REPORT==== 19-Jan-2017::16:42:51 ===
started SSL Listener on [::]:5671
=INFO REPORT==== 19-Jan-2017::16:42:51 ===
started SSL Listener on 0.0.0.0:5671
=INFO REPORT==== 19-Jan-2017::16:42:51 ===
Management plugin started. Port: 15672
=INFO REPORT==== 19-Jan-2017::16:42:51 ===
Statistics event collector started.
...
=INFO REPORT==== 19-Jan-2017::16:42:51 ===
Statistics database started.
=INFO REPORT==== 19-Jan-2017::16:42:51 ===
Statistics garbage collector started for table aggr_queue_stats_fine_stats with interval 5000.
=INFO REPORT==== 19-Jan-2017::16:42:51 ===
Statistics garbage collector started for table aggr_queue_stats_deliver_get with interval 5000.
...
=INFO REPORT==== 19-Jan-2017::16:42:51 ===
Statistics garbage collector started for table aggr_queue_exchange_stats_fine_stats with interval 5000.
=INFO REPORT==== 19-Jan-2017::16:42:51 ===
Statistics garbage collector started for table aggr_vhost_stats_deliver_get with interval 5000.
=INFO REPORT==== 19-Jan-2017::16:42:51 ===
Statistics garbage collector started for table aggr_vhost_stats_fine_stats with interval 5000.
=INFO REPORT==== 19-Jan-2017::16:42:51 ===
Statistics garbage collector started for table aggr_vhost_stats_queue_msg_rates with interval 5000.
=INFO REPORT==== 19-Jan-2017::16:42:51 ===
Statistics garbage collector started for table aggr_vhost_stats_queue_msg_counts with interval 5000.
=INFO REPORT==== 19-Jan-2017::16:42:51 ===
Statistics garbage collector started for table aggr_vhost_stats_coarse_conn_stats with interval 5000.
=INFO REPORT==== 19-Jan-2017::16:42:51 ===
Statistics garbage collector started for table aggr_channel_queue_stats_deliver_get with interval 5000.
=INFO REPORT==== 19-Jan-2017::16:42:51 ===
Statistics garbage collector started for table aggr_channel_queue_stats_fine_stats with interval 5000.
=INFO REPORT==== 19-Jan-2017::16:42:51 ===
Statistics garbage collector started for table aggr_channel_queue_stats_queue_msg_counts with interval 5000.
=INFO REPORT==== 19-Jan-2017::16:42:51 ===
Statistics garbage collector started for table aggr_channel_stats_deliver_get with interval 5000.
=INFO REPORT==== 19-Jan-2017::16:42:51 ===
Statistics garbage collector started for table aggr_channel_stats_fine_stats with interval 5000.
=INFO REPORT==== 19-Jan-2017::16:42:51 ===
Statistics garbage collector started for table aggr_channel_stats_queue_msg_counts with interval 5000.
=INFO REPORT==== 19-Jan-2017::16:42:51 ===
Statistics garbage collector started for table aggr_channel_stats_process_stats with interval 5000.
=INFO REPORT==== 19-Jan-2017::16:42:51 ===
Statistics garbage collector started for table aggr_channel_exchange_stats_deliver_get with interval 5000.
=INFO REPORT==== 19-Jan-2017::16:42:51 ===
Statistics garbage collector started for table aggr_channel_exchange_stats_fine_stats with interval 5000.
=INFO REPORT==== 19-Jan-2017::16:42:51 ===
Statistics garbage collector started for table aggr_exchange_stats_fine_stats with interval 5000.
=INFO REPORT==== 19-Jan-2017::16:42:51 ===
Statistics garbage collector started for table aggr_node_stats_coarse_node_stats with interval 5000.
...
=INFO REPORT==== 19-Jan-2017::16:42:51 ===
Statistics garbage collector started for table connection_stats with interval 5000.
=INFO REPORT==== 19-Jan-2017::16:42:51 ===
Server startup complete; 6 plugins started.
* rabbitmq_management
* rabbitmq_web_dispatch
* webmachine
* mochiweb
* rabbitmq_management_agent
* amqp_client
=ERROR REPORT==== 19-Jan-2017::16:54:39 ===
SSL: hello: tls_handshake.erl:202:Fatal error: handshake failure - handshake_decode_error
我到底错过了什么?
我已经联系了我的网络管理员,以查看服务器上是否有我们可能丢失的配置,根据 answer on SO,但我想听听其他人的意见,因为我确定我不可能是唯一遇到任何问题的人...
更新
使用来自@jww 的新命令,我似乎越来越近了。
openssl s_client -connect mymachine:5671 -tls1 -servername mymachine
输出:
Loading 'screen' into random state - done
CONNECTED(000001BC)
depth=1 /CN=MyTestCA
verify error:num=19:self signed certificate in certificate chain
verify return:0
---
Certificate chain
0 s:/CN=$(hostname)/O=server
i:/CN=MyTestCA
1 s:/CN=MyTestCA
i:/CN=MyTestCA
---
Server certificate
-----BEGIN CERTIFICATE-----
MIIC5DCCAcygAwIBAgIBATANBgkqhkiG9w0BAQsFADATMREwDwYDVQQDEwhNeVRl
c3RDQTAeFw0xNzAxMTkxNjA1NDhaFw0xODAxMTkxNjA1NDhaMCcxFDASBgNVBAMU
CyQoaG9zdG5hbWUpMQ8wDQYDVQQKEwZzZXJ2ZXIwggEiMA0GCSqGSIb3DQEBAQUA
A4IBDwAwggEKAoIBAQC1WnL4V7VWwi9EytZT1UTR3ixQcXwCSWDe3aS8yk1KFadL
1ZPBgj3ZYDs/NwDX/KJ/d31yCgpwl/ZS6lWjn2Ect7BfHwKHd98L5SVl9Na2TPUP
73kLdITDYvJbACoQu+JT60CNPBXsTPww2L2OpFYUhDSXGwV721Y5rcaU9a2VPzjp
N0puT8qdxMmOz7Zp2WAjmkmSRpbOz2Z3/BbVI9zPMYLenmOeoLDOpM2vGqeLRSy1
ruBd7Rw3gFKvYN/flXZyfZkqrY5FOju6okp6n9KvnibnmgATS1OuSmADFS78x0Zz
XM7Cep23b4Ix+ckB4PzpAwRKsiWv534veN1lK42hAgMBAAGjLzAtMAkGA1UdEwQC
MAAwCwYDVR0PBAQDAgUgMBMGA1UdJQQMMAoGCCsGAQUFBwMBMA0GCSqGSIb3DQEB
CwUAA4IBAQBolBD+sy7H1SdtgGsS45eYp1zSEPlOEZLZhmCsN4zN4rG0Qo6SGEvd
cODk3hIWfglgb50oouGGebE84ReTSLQvFp9eGoIokB8azy2l25weZPvyPjjkdBiF
/XI3Wn/oJaRX9t2nnMZjQE14W22KqwGewMh0PywdLcjV6llqmFzZAQv6GTIvyOZw
QqCZjanYXGtyi3QSK6D1MxBaDW7hg4/WaUkNEhKVEQ6Vm3EvnvGVD6XZVP7RM7Iy
oN7wXuGlasoBx7Zs5sJh1/uNYyN2QHYKu8z5tLgXACzA9phNLeOGaimxIZIUAjnJ
IY08bwLeo/hbDKNA3hvyQlgSpy7t2U4o
-----END CERTIFICATE-----
subject=/CN=$(hostname)/O=server
issuer=/CN=MyTestCA
---
Acceptable client certificate CA names
/CN=MyTestCA
---
SSL handshake has read 1659 bytes and written 453 bytes
---
New, TLSv1/SSLv3, Cipher is AES256-SHA
Server public key is 2048 bit
Compression: NONE
Expansion: NONE
SSL-Session:
Protocol : TLSv1
Cipher : AES256-SHA
Session-ID: 0E00F18E516DBD5C7EE7F7FE070BDC09FBE3B731FA8D1DF2ECD75E455BB8A6EF
Session-ID-ctx:
Master-Key: 61F018A5B629EE6015F88B076AEA8765E153A8CCB2241766DFD0BCC369DC703C9BF42249E47C93EEA318899615732390
Key-Arg : None
Start Time: 1484872012
Timeout : 7200 (sec)
Verify return code: 19 (self signed certificate in certificate chain)
---
closed
【问题讨论】:
-
这是开发环境还是生产环境?
-
@AlexBuyny dev.
-
@jww 我发布了我正在使用的
s_client命令。在开发环境中,并且在同一台机器上使用代理,它应该可以正常工作,根据所有其他文档 - 该文章假设它是在网络上的。 -
@ragerory - 您使用的命令可能已损坏。请发布
s_client -connect example.com:443 -tls1 -servername example.com的输出。使用服务器名称和端口。如果它不适用于 TLS 1.0 (-tls1),请尝试 TLS 1.2 (-tls1_2)。 -
实际上,当我使用原始命令并将
-tls1添加到其中时,它正常工作并给了我Verify code: 0 (ok)- 所以它似乎在代理上使用了错误的类型。谢谢你把我带到我需要去的地方@jww
标签: windows ssl openssl erlang rabbitmq