RabbitMQ SSL support in Windows - ssl

I have a RabbitMQ installed on Windows 2012 server.
I need SSL\TLS support enabled - have read the following guide.
Unfortunately, SSL listener is unable to start without any errors in log file (after broker restart):
Starting RabbitMQ 3.7.7 on Erlang 21.0
Copyright (C) 2007-2018 Pivotal Software, Inc.
Licensed under the MPL. See http://www.rabbitmq.com/
2018-12-11 09:47:15.205 [info] <0.269.0>
node : rabbit#WIN-055QHB70C6Q
home dir : C:\Windows\system32\config\systemprofile
config file(s) : c:/Users/ADMINI~1.WIN/AppData/Roaming/RabbitMQ/advanced.config
: c:/Users/ADMINI~1.WIN/AppData/Roaming/RabbitMQ/rabbitmq.conf
cookie hash : r+sVz1OsZ1pBik8phgF0Ag==
log(s) : C:/Users/ADMINI~1.WIN/AppData/Roaming/RabbitMQ/log/RABBIT~1.LOG
: C:/Users/ADMINI~1.WIN/AppData/Roaming/RabbitMQ/log/rabbit#WIN-055QHB70C6Q_upgrade.log
database dir : c:/Users/ADMINI~1.WIN/AppData/Roaming/RabbitMQ/db/RABBIT~1
2018-12-11 09:47:16.363 [info] <0.277.0> Memory high watermark set to 1638 MiB (1717772288 bytes) of 4095 MiB (4294430720 bytes) total
2018-12-11 09:47:16.367 [info] <0.279.0> Enabling free disk space monitoring
2018-12-11 09:47:16.367 [info] <0.279.0> Disk free limit set to 50MB
2018-12-11 09:47:16.371 [info] <0.281.0> Limiting to approx 8092 file handles (7280 sockets)
2018-12-11 09:47:16.371 [info] <0.282.0> FHC read buffering: OFF
2018-12-11 09:47:16.371 [info] <0.282.0> FHC write buffering: ON
2018-12-11 09:47:16.372 [info] <0.269.0> Waiting for Mnesia tables for 30000 ms, 9 retries left
2018-12-11 09:47:16.398 [info] <0.269.0> Waiting for Mnesia tables for 30000 ms, 9 retries left
2018-12-11 09:47:16.398 [info] <0.269.0> Peer discovery backend rabbit_peer_discovery_classic_config does not support registration, skipping registration.
2018-12-11 09:47:16.399 [info] <0.269.0> Priority queues enabled, real BQ is rabbit_variable_queue
2018-12-11 09:47:16.411 [info] <0.302.0> Starting rabbit_node_monitor
2018-12-11 09:47:16.435 [info] <0.269.0> Management plugin: using rates mode 'basic'
2018-12-11 09:47:16.435 [info] <0.334.0> Making sure data directory 'c:/Users/ADMINI~1.WIN/AppData/Roaming/RabbitMQ/db/RABBIT~1/msg_stores/vhosts/628WB79CIFDYO9LJI6DKMI09L' for vhost '/' exists
2018-12-11 09:47:16.438 [info] <0.334.0> Starting message stores for vhost '/'
2018-12-11 09:47:16.438 [info] <0.338.0> Message store "628WB79CIFDYO9LJI6DKMI09L/msg_store_transient": using rabbit_msg_store_ets_index to provide index
2018-12-11 09:47:16.440 [info] <0.334.0> Started message store of type transient for vhost '/'
2018-12-11 09:47:16.440 [info] <0.341.0> Message store "628WB79CIFDYO9LJI6DKMI09L/msg_store_persistent": using rabbit_msg_store_ets_index to provide index
2018-12-11 09:47:16.441 [info] <0.334.0> Started message store of type persistent for vhost '/'
2018-12-11 09:47:16.446 [info] <0.376.0> started TCP Listener on [::]:5672
2018-12-11 09:47:16.447 [info] <0.391.0> started TCP Listener on 0.0.0.0:5672
2018-12-11 09:47:16.447 [info] <0.269.0> Setting up a table for connection tracking on this node: 'tracked_connection_on_node_rabbit#WIN-055QHB70C6Q'
2018-12-11 09:47:16.447 [info] <0.269.0> Setting up a table for per-vhost connection counting on this node: 'tracked_connection_per_vhost_on_node_rabbit#WIN-055QHB70C6Q'
2018-12-11 09:47:16.452 [warning] <0.408.0> Could not find handle.exe, please install from sysinternals
2018-12-11 09:47:16.480 [info] <0.451.0> Management plugin started. Port: 15672
2018-12-11 09:47:16.480 [info] <0.557.0> Statistics database started.
2018-12-11 09:47:16.481 [notice] <0.111.0> Changed loghwm of C:/Users/ADMINI~1.WIN/AppData/Roaming/RabbitMQ/log/RABBIT~1.LOG to 50
2018-12-11 09:47:16.566 [info] <0.7.0> Server startup complete; 3 plugins started.
* rabbitmq_management
* rabbitmq_web_dispatch
* rabbitmq_management_agent
Environment:
Win Server 2012R2, Erlang, RabbitMQ
Erlang: esl-erlang_21.0_windows_amd64.exe
1> erlang:system_info(otp_release).
"21"
Rabbit MQ: rabbitmq-server-3.7.7.exe
rabbitmqctl status
{rabbit,"RabbitMQ","3.7.7"},
Modified config file according to this guide:
c:/Users/ADMINI~1.WIN/AppData/Roaming/RabbitMQ/rabbitmq.conf
[
{rabbit, [
{ssl_listeners, [5671]},
{tcp_listeners, [{"localhost",5672}]},
{tcp_listen_options, [binary,
{packet, raw},
{reuseaddr, true},
{backlog, 128},
{nodelay, true},
{exit_on_close, false},
{keepalive, true}]},
{ssl_options, [{cacertfile,"C:\\temp\\cacert1.pem"},
{certfile,"C:\\temp\\cert.pem"},
{keyfile,"C:\\temp\\key.pem"},
{verify,verify_none},
{fail_if_no_peer_cert,false}]}
]}
].
Certificates were previously created using openssl and checked on Ubuntu - the same service is running without errors (with SSL enabled).
I have verified the SSL configuration according to this guide:
werl.exe
ssl:versions().
Erlang/OTP 21 [erts-10.0] [64-bit] [smp:2:2] [ds:2:2:10] [async-threads:1]
Eshell V10.0 (abort with ^G)
1> ssl:versions().
[{ssl_app,"9.0"},
{supported,['tlsv1.2','tlsv1.1',tlsv1]},
{supported_dtls,['dtlsv1.2',dtlsv1]},
{available,['tlsv1.2','tlsv1.1',tlsv1,sslv3]},
{available_dtls,['dtlsv1.2',dtlsv1]}]
2>
and this guide:
PS C:\temp> & '..\Program Files\OpenSSL-Win64\bin\openssl.exe' s_server -accept 8443 -cert "C:\temp\cert.pem" -key "C:\t
emp\key.pem" -CAfile "C:\temp\cacert1.pem"
Using default temp DH parameters
ACCEPT
-----BEGIN SSL SESSION PARAMETERS-----
MH0CAQECAgMEBAITAgQgvBHCGaTQPFgF9V3OLCgGudWcTNUPj+VUaYVjoeX32ZYE
MHsxeVDcMSw4Fl5y12GDWlDqdhmomdlS2hOgeXDr21jRcP7kabTg92GvP08hnIIz
1aEGAgRcD80YogQCAhwgpAYEBAEAAACuBgIEeKP8gQ==
-----END SSL SESSION PARAMETERS-----
Shared ciphers:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:
ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-
CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256
-SHA384:ECDHE-RSA-AES256-SHA384:DHE-RSA-AES256-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:DHE-RSA-AES128-S
HA256:ECDHE-ECDSA-AES256-SHA
Signature Algorithms: ECDSA+SHA256:ECDSA+SHA384:ECDSA+SHA512:Ed25519:Ed448:RSA-PSS+SHA256:RSA-PSS+SHA384:RSA-PSS+SHA512:
RSA-PSS+SHA256:RSA-PSS+SHA384:RSA-PSS+SHA512:RSA+SHA256:RSA+SHA384:RSA+SHA512:ECDSA+SHA224:ECDSA+SHA1:RSA+SHA224:RSA+SHA
1:DSA+SHA224:DSA+SHA1:DSA+SHA256:DSA+SHA384:DSA+SHA512
Shared Signature Algorithms: ECDSA+SHA256:ECDSA+SHA384:ECDSA+SHA512:Ed25519:Ed448:RSA-PSS+SHA256:RSA-PSS+SHA384:RSA-PSS+
SHA512:RSA-PSS+SHA256:RSA-PSS+SHA384:RSA-PSS+SHA512:RSA+SHA256:RSA+SHA384:RSA+SHA512:ECDSA+SHA224:ECDSA+SHA1:RSA+SHA224:
RSA+SHA1
Supported Elliptic Groups: X25519:P-256:X448:P-521:P-384
Shared Elliptic groups: X25519:P-256:X448:P-521:P-384
---
No server certificate CA names sent
CIPHER is TLS_AES_256_GCM_SHA384
Secure Renegotiation IS supported
PS C:\temp> & '..\Program Files\OpenSSL-Win64\bin\openssl.exe' s_client -connect localhost:8443 -cert "C:\temp\cert.pem"
-key "C:\temp\key.pem" -CAfile "C:\temp\cacert1.pem"
CONNECTED(00000108)
depth=1 CN = MyTestCA
verify return:1
depth=0 CN = 192.168.1.112, ST = RU, C = RU, O = EPAM, OU = EPAM
verify return:1
---
Certificate chain
0 s:CN = 192.168.1.112, ST = RU, C = RU, O = EPAM, OU = EPAM
i:CN = MyTestCA
1 s:CN = MyTestCA
i:CN = MyTestCA
---
Server certificate
-----BEGIN CERTIFICATE-----
MIIDDTCCAfWgAwIBAgIBAzANBgkqhkiG9w0BAQUFADATMREwDwYDVQQDDAhNeVRl
c3RDQTAeFw0xODEyMTAxNTI2MjRaFw0xOTEyMTAxNTI2MjRaMFAxFjAUBgNVBAMM
DTE5Mi4xNjguMS4xMTIxCzAJBgNVBAgMAlJVMQswCQYDVQQGEwJSVTENMAsGA1UE
CgwERVBBTTENMAsGA1UECwwERVBBTTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCC
AQoCggEBALwy/2dxLMj4JjK8ggj/a9VG8beD5aBwjGu4+uXnQ5Liesfx1HE4seG2
Fr5j0aBz+vf0Km1Vf6S6yln/Z3BhI0nPKlGJvHjtwzof15pNH6Qh1WDlXRqOhoLR
GWtAb/U56ZC3PAG78nmdkS2DUCEFnERwcTWqW/XxpgYnGX0rPBtUGdKQB5rVaSCk
wM4UwEr9hq90BfeUuUZREzrZT7l+zxvgBPOR3H+Z2bS1TIqHjiH6jnC41M/S9KEb
8jn+2JjeR1NrIPdSy++hXc5UoWJMqCWu5PLOhheHHqDTS2MU8nHXL3KctH8qTzaz
+FQwbPNZgQKRTIdaRpxB1y3EUFC2B1cCAwEAAaMvMC0wCQYDVR0TBAIwADALBgNV
HQ8EBAMCBSAwEwYDVR0lBAwwCgYIKwYBBQUHAwEwDQYJKoZIhvcNAQEFBQADggEB
ABVn9/RUDWW+QaD97uFiMrdWXlaSSbg/YJuKYg+HXX2SO4ZsLRgU+ycyiTrq1E8W
vqP3BSyQ+Ao7tMzmAUWltcmKtETnO9jX6XN6pktCDfV2NPfq6zc/txH+6QDgrP/I
qwF6Csqch7TcVBzLJ2nI4k/6bNVttzgDNK0B7KTvtQIOBu53WQlPHQSyELwBocAS
NZrdy4FrJ0lMtno3WIcQEmy6XcRDULBWuWVjr0THQ+DstIXkX/qvkI08eRaIjaur
hc2enws5KjuXYX6ernqsOMWwOspUwETiGtKEl4sRApnwQz7vlOpU5W7bF7lpRycL
mDbOMf+6KxHOktQF4LJRyYE=
-----END CERTIFICATE-----
subject=CN = 192.168.1.112, ST = RU, C = RU, O = EPAM, OU = EPAM
issuer=CN = MyTestCA
---
No client certificate CA names sent
Peer signing digest: SHA256
Peer signature type: RSA-PSS
Server Temp Key: X25519, 253 bits
---
SSL handshake has read 2060 bytes and written 391 bytes
Verification: OK
---
New, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384
Server public key is 2048 bit
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
Verify return code: 0 (ok)
---
---
Post-Handshake New Session Ticket arrived:
SSL-Session:
Protocol : TLSv1.3
Cipher : TLS_AES_256_GCM_SHA384
Session-ID: 1FB4C4A756AF733EA4819D8350B4B66E5568DCB1C598D08D4B7C657C13F4EC78
Session-ID-ctx:
Resumption PSK: 55578B334D92C9CDBE66FA20C7D0A9BF55F0E50F37F026BD08BC69908EA1826DE75ACD1E6F3C365777DB890967420469
PSK identity: None
PSK identity hint: None
SRP username: None
TLS session ticket lifetime hint: 7200 (seconds)
TLS session ticket:
0000 - 61 05 4b aa 0d dc 90 74-b6 ed a0 af ef bd cf 9e a.K....t........
0010 - d7 13 91 f5 d2 9e 30 e7-57 61 a3 4a 50 8f ac fc ......0.Wa.JP...
0020 - 9b b1 17 5f 45 4b 79 fa-57 62 5c 41 eb 17 26 a1 ..._EKy.Wb\A..&.
0030 - 90 3f 3e b0 65 fa a3 ff-3b d2 da 3c 4b 38 d4 ef .?>.e...;..<K8..
0040 - 11 d5 a9 59 69 37 97 f4-2e 84 2c ec 28 aa 7b 92 ...Yi7....,.(.{.
0050 - a5 50 91 40 8d 9e 83 90-a0 5d f7 41 5c d6 ba 8b .P.#.....].A\...
0060 - 32 b9 47 cf 58 dc 72 26-6a ca ea 71 2f ee c6 5b 2.G.X.r&j..q/..[
0070 - e7 ee bf 0d 68 0e 0c 32-4d 24 8e 91 73 5e 1d 9f ....h..2M$..s^..
0080 - ed 5a 6f 51 6e bc 7f ba-5e e7 25 3f a9 ad 91 0b .ZoQn...^.%?....
0090 - b7 26 17 1c 6b 89 11 e3-40 77 5f 38 59 98 64 dc .&..k...#w_8Y.d.
00a0 - d9 3b d3 ff 1d ca 6f c6-df e5 e6 8c db 1e 25 4c .;....o.......%L
00b0 - 50 b6 d5 e5 82 26 04 6e-b3 ca 11 95 d0 92 05 8e P....&.n........
00c0 - 60 a6 a8 a7 fe 3a 18 93-0f 8d 17 4d 2e a2 ce 69 `....:.....M...i
Start Time: 1544539416
Timeout : 7200 (sec)
Verify return code: 0 (ok)
Extended master secret: no
Max Early Data: 0
---
read R BLOCK
---
Post-Handshake New Session Ticket arrived:
SSL-Session:
Protocol : TLSv1.3
Cipher : TLS_AES_256_GCM_SHA384
Session-ID: 658363DA6FF899DD69009F26444543E1E839BBF0ACAE5288FD0BA019084F141A
Session-ID-ctx:
Resumption PSK: 7B317950DC312C38165E72D761835A50EA7619A899D952DA13A07970EBDB58D170FEE469B4E0F761AF3F4F219C8233D5
PSK identity: None
PSK identity hint: None
SRP username: None
TLS session ticket lifetime hint: 7200 (seconds)
TLS session ticket:
0000 - 61 05 4b aa 0d dc 90 74-b6 ed a0 af ef bd cf 9e a.K....t........
0010 - 20 3b a8 d4 62 e7 56 9a-42 36 02 81 2a 48 d2 94 ;..b.V.B6..*H..
0020 - a8 0b 21 aa ca 0a b1 60-a5 17 c7 4f a5 44 0e b7 ..!....`...O.D..
0030 - 42 bf 1d 7e b5 f2 a9 8e-f4 5d ff 5c 9b c8 b8 c0 B..~.....].\....
0040 - 19 d2 4e 5a f8 df 1b 96-bb f6 52 a4 eb 35 d5 fa ..NZ......R..5..
0050 - a5 c6 16 f2 ae a7 49 9d-f5 fd da 52 8e 9e a4 b3 ......I....R....
0060 - 14 93 cd 71 dc f6 66 ea-f6 69 d8 19 05 ce c0 61 ...q..f..i.....a
0070 - 39 83 7f d1 5f d9 ed 1d-92 f7 92 2d 59 5d 8d 7e 9..._......-Y].~
0080 - 77 43 30 67 aa f4 78 5e-02 20 a2 59 f4 b4 04 40 wC0g..x^. .Y...#
0090 - a8 6b 11 40 0c 03 4d 36-26 36 d2 a7 13 20 f2 3b .k.#..M6&6... .;
00a0 - e8 43 00 ca 65 30 6b 6b-1c 58 b9 7d 0d 89 b3 dc .C..e0kk.X.}....
00b0 - 2a 07 77 3a 7e 99 a3 e1-7e 35 09 fd e3 7a 7a a7 *.w:~...~5...zz.
Start Time: 1544539416
Timeout : 7200 (sec)
Verify return code: 0 (ok)
Extended master secret: no
Max Early Data: 0
---
read R BLOCK
Broker restarted via *.bat files:
RabbitMQ Service - start
RabbitMQ Service - stop
Service status:
C:\Program Files\RabbitMQ Server\rabbitmq_server-3.7.7\sbin>rabbitmqctl status
Status of node rabbit#WIN-055QHB70C6Q ...
[{pid,2192},
{running_applications,
[{rabbitmq_management,"RabbitMQ Management Console","3.7.7"},
{rabbitmq_web_dispatch,"RabbitMQ Web Dispatcher","3.7.7"},
{cowboy,"Small, fast, modern HTTP server.","2.2.2"},
{amqp_client,"RabbitMQ AMQP Client","3.7.7"},
{rabbitmq_management_agent,"RabbitMQ Management Agent","3.7.7"},
{rabbit,"RabbitMQ","3.7.7"},
{rabbit_common,
"Modules shared by rabbitmq-server and rabbitmq-erlang-client",
"3.7.7"},
{recon,"Diagnostic tools for production use","2.3.2"},
{ranch_proxy_protocol,"Ranch Proxy Protocol Transport","1.5.0"},
{ranch,"Socket acceptor pool for TCP protocols.","1.5.0"},
{ssl,"Erlang/OTP SSL application","9.0"},
{public_key,"Public key infrastructure","1.6"},
{mnesia,"MNESIA CXC 138 12","4.15.4"},
{asn1,"The Erlang ASN1 compiler version 5.0.6","5.0.6"},
{os_mon,"CPO CXC 138 46","2.4.5"},
{cowlib,"Support library for manipulating Web protocols.","2.1.0"},
{inets,"INETS CXC 138 49","7.0"},
{jsx,"a streaming, evented json parsing toolkit","2.8.2"},
{xmerl,"XML parser","1.3.17"},
{crypto,"CRYPTO","4.3"},
{lager,"Erlang logging framework","3.6.3"},
{goldrush,"Erlang event stream processor","0.1.9"},
{compiler,"ERTS CXC 138 10","7.2"},
{syntax_tools,"Syntax tools","2.1.5"},
{syslog,"An RFC 3164 and RFC 5424 compliant logging framework.","3.4.2"},
{sasl,"SASL CXC 138 11","3.2"},
{stdlib,"ERTS CXC 138 10","3.5"},
{kernel,"ERTS CXC 138 10","6.0"}]},
{os,{win32,nt}},
{erlang_version,
"Erlang/OTP 21 [erts-10.0] [64-bit] [smp:2:2] [ds:2:2:10] [async-threads:64
]\n"},
{memory,
[{connection_readers,0},
{connection_writers,0},
{connection_channels,0},
{connection_other,31988},
{queue_procs,0},
{queue_slave_procs,0},
{plugins,465588},
{other_proc,29769468},
{metrics,195780},
{mgmt_db,150248},
{mnesia,74600},
{other_ets,2872488},
{binary,169712},
{msg_index,30080},
{code,27499185},
{atom,1131721},
{other_system,9895974},
{allocated_unused,9764240},
{reserved_unallocated,0},
{strategy,rss},
{total,[{erlang,72286832},{rss,82051072},{allocated,82051072}]}]},
{alarms,[]},
{listeners,
[{clustering,25672,"::"},
{amqp,5672,"::"},
{amqp,5672,"0.0.0.0"},
{http,15672,"::"},
{http,15672,"0.0.0.0"}]},
{vm_memory_calculation_strategy,rss},
{vm_memory_high_watermark,0.4},
{vm_memory_limit,1717772288},
{disk_free_limit,50000000},
{disk_free,74446868480},
{file_descriptors,
[{total_limit,8092},
{total_used,2},
{sockets_limit,7280},
{sockets_used,0}]},
{processes,[{limit,1048576},{used,398}]},
{run_queue,1},
{uptime,82},
{kernel,{net_ticktime,60}}]

Your configuration file is named rabbitmq.conf, but is in the wrong format for that file extension. You should rename the file to have a .config extension, then restart the RabbitMQ service:
C:/Users/ADMINI~1.WIN/AppData/Roaming/RabbitMQ/rabbitmq.config
If you want to use the rabbitmq.conf file, you must use the ini-style format that is documented here: https://www.rabbitmq.com/configure.html#config-file-formats.
NOTE: the RabbitMQ team monitors the rabbitmq-users mailing list and only sometimes answers questions on StackOverflow.

In my case (in the same OS RabbitMQ 3.8.11, Erlang 22.3), I had to replace:
"C:\\temp\\cacert1.pem"
with:
C:/temp/cacert1.pem
Not sure what would happen if the path included whitespaces.

Related

Letsencrypt: alert certificate expired / alert SSL alert number 45 [closed]

Closed. This question is not about programming or software development. It is not currently accepting answers.
This question does not appear to be about a specific programming problem, a software algorithm, or software tools primarily used by programmers. If you believe the question would be on-topic on another Stack Exchange site, you can leave a comment to explain where the question may be able to be answered.
Closed 5 days ago.
Improve this question
I've got some trouble with one of my clients (docker container based on Alpine) connecting a mail server with a Letsencrypt SSL certificate:
Nov 2 14:39:50 mail postfix/smtpd[878799]: warning: TLS library problem: error:14094415:SSL routines:ssl3_read_bytes:sslv3 alert certificate expired:../ssl/record/rec_layer_s3.c:1543:SSL alert number 45:
I know that Letsencrypt uses the new ISRG Root X1 since 1st Oct 2021. After Downloading the CA pem file from here https://letsencrypt.org/de/certificates/ I checked that the certificate is available.
Seems to be okay for me:
/etc/ssl/certs # grep -ri "emyPxgcYxn/eR44/KJ4EBs+lVDR3veyJm+kXQ99b21/+jh5Xos1AnX5iItreGCc=" .
./4042bcee.1:emyPxgcYxn/eR44/KJ4EBs+lVDR3veyJm+kXQ99b21/+jh5Xos1AnX5iItreGCc=
./ca-certificates.crt:emyPxgcYxn/eR44/KJ4EBs+lVDR3veyJm+kXQ99b21/+jh5Xos1AnX5iItreGCc=
./ca-certificates.crt:emyPxgcYxn/eR44/KJ4EBs+lVDR3veyJm+kXQ99b21/+jh5Xos1AnX5iItreGCc=
./ca-cert-isrgrootx1.pem.pem:emyPxgcYxn/eR44/KJ4EBs+lVDR3veyJm+kXQ99b21/+jh5Xos1AnX5iItreGCc=
./4042bcee.0:emyPxgcYxn/eR44/KJ4EBs+lVDR3veyJm+kXQ99b21/+jh5Xos1AnX5iItreGCc=
./ca-cert-ISRG_Root_X1.pem:emyPxgcYxn/eR44/KJ4EBs+lVDR3veyJm+kXQ99b21/+jh5Xos1AnX5iItreGCc=
Additionally I installed the Certificate by hand (snippet of the Dockerfile):
COPY etc/ssl/isrgrootx1.pem /usr/local/share/ca-certificates/
RUN apk update && apk add --no-cache ca-certificates && update-ca-certificates
No luck. The SSL chain seems to be strange (domain is masked with xxx):
/etc/ssl/certs # openssl s_client -starttls smtp -connect mail.xxx.de:587
CONNECTED(00000003)
depth=1 O = Digital Signature Trust Co., CN = DST Root CA X3
verify error:num=10:certificate has expired
notAfter=Sep 30 14:01:15 2021 GMT
verify return:0
depth=1 O = Digital Signature Trust Co., CN = DST Root CA X3
verify error:num=10:certificate has expired
notAfter=Sep 30 14:01:15 2021 GMT
verify return:0
depth=3 O = Digital Signature Trust Co., CN = DST Root CA X3
verify error:num=10:certificate has expired
notAfter=Sep 30 14:01:15 2021 GMT
verify return:0
---
Certificate chain
0 s:/CN=mail.xxx.de
i:/C=US/O=Let's Encrypt/CN=R3
1 s:/C=US/O=Let's Encrypt/CN=R3
i:/C=US/O=Internet Security Research Group/CN=ISRG Root X1
2 s:/C=US/O=Internet Security Research Group/CN=ISRG Root X1
i:/O=Digital Signature Trust Co./CN=DST Root CA X3
---
Server certificate
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
subject=/CN=mail.xxx.de
issuer=/C=US/O=Let's Encrypt/CN=R3
---
No client certificate CA names sent
Server Temp Key: ECDH, X25519, 253 bits
---
SSL handshake has read 4895 bytes and written 328 bytes
---
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-GCM-SHA384
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
Protocol : TLSv1.2
Cipher : ECDHE-RSA-AES256-GCM-SHA384
Session-ID: D0DA2252D5091779AA2CDF832A856F846A2AFD4C4C73CEDA24D64647FD998CB4
Session-ID-ctx:
Master-Key: BA703221FC54ADE822079229A36672AADFF4621EBEFDDA338D3E5F8025DC9668BBAFA152A1708C569B72AFF09F80AC5D
TLS session ticket lifetime hint: 7200 (seconds)
TLS session ticket:
0000 - 18 80 2d 38 6c e0 da 60-77 43 b1 62 d7 80 84 3f ..-8l..`wC.b...?
0010 - 1e 28 23 23 f7 34 ef 30-21 09 a2 34 92 b7 bf 10 .(##.4.0!..4....
0020 - ae c1 b7 50 ea 85 11 32-1c 28 f9 09 9f ff 20 7a ...P...2.(.... z
0030 - 7b e2 61 8d 8d 06 e3 66-6e 7c 93 31 95 29 e9 2d {.a....fn|.1.).-
0040 - 6a 93 bc 06 1d e2 26 58-00 32 48 67 aa f5 45 ed j.....&X.2Hg..E.
0050 - b8 5a 0d 93 84 7e c4 36-cf 06 39 4f d3 6a 45 e1 .Z...~.6..9O.jE.
0060 - a6 fc 49 31 3a 1c c4 32-d3 ae d2 2c 2e 34 e9 c2 ..I1:..2...,.4..
0070 - 8c 58 ee 98 08 48 56 d9-58 c3 3a 2c 21 6e a8 3b .X...HV.X.:,!n.;
0080 - 85 22 9b 90 6c 21 06 79-f2 e6 6c b0 dd c9 1e 2c ."..l!.y..l....,
0090 - c1 62 11 4b 7b 19 5d ac-d9 ba 69 6a 17 fb 7b ab .b.K{.]...ij..{.
Start Time: 1636139076
Timeout : 7200 (sec)
Verify return code: 10 (certificate has expired)
---
250 CHUNKING
Here one of my Alpine Containers with a successfully connection:
/var/www/html # openssl s_client -starttls smtp -connect mail.xxx.de:587
CONNECTED(00000003)
depth=2 C = US, O = Internet Security Research Group, CN = ISRG Root X1
verify return:1
depth=1 C = US, O = Let's Encrypt, CN = R3
verify return:1
depth=0 CN = mail.xxx.de
verify return:1
---
Certificate chain
0 s:CN = mail.xxx.de
i:C = US, O = Let's Encrypt, CN = R3
1 s:C = US, O = Let's Encrypt, CN = R3
i:C = US, O = Internet Security Research Group, CN = ISRG Root X1
2 s:C = US, O = Internet Security Research Group, CN = ISRG Root X1
i:O = Digital Signature Trust Co., CN = DST Root CA X3
---
Server certificate
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
subject=CN = mail.xxx.de
issuer=C = US, O = Let's Encrypt, CN = R3
---
No client certificate CA names sent
Peer signing digest: SHA256
Peer signature type: RSA-PSS
Server Temp Key: X25519, 253 bits
---
SSL handshake has read 4834 bytes and written 435 bytes
Verification: OK
---
New, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384
Server public key is 2048 bit
Secure Renegotiation IS NOT supported
No ALPN negotiated
Early data was not sent
Verify return code: 0 (ok)
---
250 CHUNKING
---
Post-Handshake New Session Ticket arrived:
SSL-Session:
Protocol : TLSv1.3
Cipher : TLS_AES_256_GCM_SHA384
Session-ID: A60E19C667530A8C575213D7ECCA704F55D32294779DDA198D182909ACF72EC9
Session-ID-ctx:
Resumption PSK: F341E73946627D59D9AEAEDDDF23D0F9B5BBFF8CE5603550A30E0A17BC884174A8883D2BBF1D4335D6835470A9DBED6D
PSK identity: None
PSK identity hint: None
SRP username: None
TLS session ticket lifetime hint: 7200 (seconds)
TLS session ticket:
0000 - 4e 14 1b 3c 6f 76 8f da-4c 91 b0 71 f0 95 f8 f6 N..<ov..L..q....
0010 - a2 bd 18 a8 75 00 a3 0c-dc 18 7a 95 2c 74 a4 62 ....u.....z.,t.b
0020 - 4e aa 8e d4 dc 75 6a 1e-1b 3b c1 87 9d ca ff ce N....uj..;......
0030 - 24 a4 7b fb 35 e8 c1 8e-ff a0 a4 38 db 52 7d fd $.{.5......8.R}.
0040 - 95 42 0d 8f 0b ba c4 5b-27 d5 94 2b bc f3 92 34 .B.....['..+...4
0050 - 41 e4 12 6e f7 c4 f0 33-81 bc 9d 07 12 8f b2 8b A..n...3........
0060 - f1 8d 59 2f ee 49 e6 c8-17 e6 66 64 b6 b8 8f a0 ..Y/.I....fd....
0070 - d0 40 bc 28 71 96 d1 a7-b9 e3 00 db ba 5b 85 43 .#.(q........[.C
0080 - e2 dc d0 42 21 8a d1 57-21 01 5e b9 5f e2 ec 16 ...B!..W!.^._...
0090 - fb 00 d6 5b ae b6 2b d1-42 c8 2c ae f6 2d 21 48 ...[..+.B.,..-!H
00a0 - dc d2 a9 c3 5c 75 33 21-a8 c2 ca d3 7b 86 ec 65 ....\u3!....{..e
00b0 - d2 1b 1f e5 c7 b2 45 94-96 56 48 74 e5 d5 22 18 ......E..VHt..".
00c0 - bf c4 5d f4 9e 1c 37 e2-b7 9a cc 3a e1 0e 9b ee ..]...7....:....
Start Time: 1636139616
Timeout : 7200 (sec)
Verify return code: 0 (ok)
Extended master secret: no
Max Early Data: 0
---
read R BLOCK
Any idea? Thank you very much!

NGINX Reverse Proxy: 20:unable to get local issuer certificate

I am running nginx and i want to proxy another https host and to verify it's certificate.
I've created a CA cert, created a cert for the proxied host and signed it with the CA. The CA cert was added to the server's root certificates.
My nginx config is the following:
proxy_ssl_verify_depth 1; # tried 0,1,2,3
proxy_ssl_trusted_certificate /etc/nginx/ca.pem;
proxy_ssl_verify on;
When a request is done, nginx log returns:
[error] 26578#26578: *2 upstream SSL certificate verify error: (20:unable to get local issuer certificate) while SSL handshaking to upstream
Running openssl s_client -connect 1.1.1.1:8000 returns:
CONNECTED(00000003)
depth=1 C = CY, ST = CY, L = CY, O = TEST.TEST, CN = TEST.TEST, emailAddress = admin#test.test
verify return:1
depth=0 C = CY, ST = CY, L = CY, O = TEST.TEST, OU = TEST.TEST, CN = 1.1.1.1
verify return:1
---
Certificate chain
0 s:/C=CY/ST=CY/L=CY/O=TEST.TEST/OU=test.test/CN=1.1.1.1
i:/C=CY/ST=CY/L=CY/O=TEST.TEST/CN=test.test/emailAddress=admin#test.test
---
Server certificate
-----BEGIN CERTIFICATE-----
.... cer
-----END CERTIFICATE-----
subject=/C=CY/ST=CY/L=CY/O=TEST.TEST/OU=test.test/CN=1.1.1.1
issuer=/C=CY/ST=CY/L=CY/O=TEST.TEST/CN=test.test/emailAddress=admin#test.test
---
No client certificate CA names sent
Peer signing digest: SHA512
Server Temp Key: ECDH, P-256, 256 bits
---
SSL handshake has read 1491 bytes and written 415 bytes
---
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-GCM-SHA384
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
Protocol : TLSv1.2
Cipher : ECDHE-RSA-AES256-GCM-SHA384
Session-ID: 94195986FED8C203B09C6A3870DC8B972A6FB3C98D69868CFAF9C4BFC2B7A714
Session-ID-ctx:
Master-Key: D804526744415E7E6C3E0AFBAF4F5BB3B6315BE8785C46FCF7AA232A31E6D7C780E7A8D4B8413BE8D1F1758CF8DD8FE8
Key-Arg : None
Krb5 Principal: None
PSK identity: None
PSK identity hint: None
TLS session ticket lifetime hint: 7200 (seconds)
TLS session ticket:
0000 - 0a 5f b9 15 a5 78 d0 6c-32 24 77 3b 16 7a 10 75 ._...x.l2$w;.z.u
0010 - 76 ed 08 18 8b 23 a8 15-24 3f eb 83 d8 6e 56 d6 v....#..$?...nV.
0020 - 98 13 c2 36 62 35 17 42-b4 f9 e9 f7 99 50 14 77 ...6b5.B.....P.w
0030 - 8b a3 e6 b5 2f ef ca af-7d 25 7c d8 7e b8 3a 96 ..../...}%|.~.:.
0040 - 11 87 b2 e2 0a d6 de b6-60 75 c5 4a 58 57 8b 1b ........`u.JXW..
0050 - 73 6d 36 c6 9f 6a ec 31-71 2d 02 ad 50 45 8a 14 sm6..j.1q-..PE..
0060 - 01 c1 6c 4a 2f 46 9b cb-e6 4c 09 97 17 fa 46 f4 ..lJ/F...L....F.
0070 - 29 e6 a5 cb a7 37 fb 31-b3 a0 d7 55 ac cb fd 59 )....7.1...U...Y
0080 - 42 a5 7b 45 9a 53 24 90-52 8c 8e 1c eb c4 db f9 B.{E.S$.R.......
0090 - 27 04 b9 7e ba 0a 2d 9e-3b 92 67 ec 42 d6 69 78 '..~..-.;.g.B.ix
Start Time: 1527255600
Timeout : 300 (sec)
Verify return code: 0 (ok)
---
IP/cert names replaced by dummy versions in this result.
curl https://1.1.1.1 also works without problems.
I've been reading googling and checking all similar stackoverflow questions, but none of the proposed fixes seemed to resolve this.

routines:SSL23_GET_CLIENT_HELLO:unknown protocol (Redis Cluster + Stunnel)

I have a Redis cluster that I wish to setup stunnel on for the purpose of encrypting traffic to and from each master/slave, and to and from the HAproxy layer above redis. I have configured stunnel with the following configuration file:
pid=/var/stunnel-redis.pid
foreground = yes
debug = info
output = stunnel.log
sslVersion = all
#options = NO_SSLv2
fips = no
socket = l:TCP_NODELAY=1
socket = r:TCP_NODELAY=1
[redis-server]
cert = /etc/stunnel/cert.pem
key = /etc/stunnel/key.pem
TIMEOUTclose = 0
accept = 0.0.0.0:7001
connect = 127.0.0.1:7002
[redis-client]
client = yes
accept = 127.0.0.1:7002
connect = 127.0.0.1:6379
CAfile = /etc/stunnel/redis.pem
verify = 0
EDIT I should explain how each service is setup, network-wise.
redis-server binds 127.0.0.1:6379
stunnel redis-server binds 0.0.0.0:7001
stunnel redis-client binds 127.0.0.1:7002
A redis client connection will connect to stunnel's redis-server on 0.0.0.0:7001. Stunnel will then connect to the redis-client on 127.0.0.1:7002, and stunnel's redis-client will connect to the redis server on 127.0.0.1:6379.
When attempting to run redis-cli -h my_remote_stunnel_ip -p 7001 I receive the following error in the logs:
2017.01.31 09:45:11 LOG3[16062]: SSL_accept: 140760FC: error:140760FC:SSL routines:SSL23_GET_CLIENT_HELLO:unknown protocol
2017.01.31 09:45:11 LOG5[16062]: Connection reset: 0 byte(s) sent to SSL, 0 byte(s) sent to socket
I have tried disabling the redis-client section in the config, I have tried changing sslVersion to sslVersion = TLSv1, sslVersion = TLSv1.2. When I change sslVersion to sslVersion = TLSv1 I receive the following error upon attempting connection:
2017.01.31 09:38:33 LOG3[15830]: SSL_accept: 1408F10B: error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version number
Is this due to a version mismatch? And if so, how? Both daemons are running on the same host.
EDIT:
Output of openssl s_client -connect :7001 -tls1:
No client certificate CA names sent
Server Temp Key: ECDH, P-256, 256 bits
---
SSL handshake has read 2452 bytes and written 319 bytes
---
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-SHA
Server public key is 4096 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
Protocol : TLSv1
Cipher : ECDHE-RSA-AES256-SHA
Session-ID: 0A05C63AA7596D37B4D18B5CF377213A0B245B681E3E1CD28506E877311A862A
Session-ID-ctx:
Master-Key: 54EE658224A3BB08E25416F05CBCAB5D58EA075E7C157AEE31B94D2AA289CE694558CDF27B3EA0B8FB90738C3EEE4EE8
Key-Arg : None
PSK identity: None
PSK identity hint: None
SRP username: None
TLS session ticket lifetime hint: 300 (seconds)
TLS session ticket:
0000 - 12 55 cd c7 bc ab e8 6c-c7 e7 ca 9c 05 bf 5b dd .U.....l......[.
0010 - bb 17 b9 d5 68 e0 be 54-a1 b6 06 00 0a fe db 17 ....h..T........
0020 - 4a 89 93 6b 95 18 1e be-45 f9 cb a8 6c 07 5b 45 J..k....E...l.[E
0030 - ef 47 60 b7 0d 7e 51 95-ca 68 48 5f 03 5b d9 0e .G`..~Q..hH_.[..
0040 - 62 0b f5 33 bb b6 ce 03-6d d7 d3 69 12 de 3a 63 b..3....m..i..:c
0050 - db 8d 98 ba ac e6 e1 f8-9a f1 b1 50 5e 63 1a 24 ...........P^c.$
0060 - 9c ad 1d a8 ef 85 9d 64-9a 00 d7 76 b3 77 73 05 .......d...v.ws.
0070 - dc 04 94 ae c3 c7 89 3e-26 c1 25 d7 a7 f2 45 97 .......>&.%...E.
0080 - f8 2d e9 21 cc 7c 44 e2-a8 3d 93 00 e5 09 d0 38 .-.!.|D..=.....8
0090 - 53 4f 22 fd 75 52 37 f8-3d c5 0e 22 5a 55 b4 8b SO".uR7.=.."ZU..
Start Time: 1485881728
Timeout : 7200 (sec)
Verify return code: 18 (self signed certificate)
---
read:errno=104

How to configure WSO2 ESB SSL access with HostnameVerifier AllowAll

I have been struggling with the configuration of WSO2 ESB for a few days now when trying to access an https web service. I have followed numerous pieces of advice and what I have done so far is to
import the web service client certificate into client-truststore.jks in repostory/resources/security
added proxy access parameters to repository/conf/axis2/axis2.xml (because the ESB is behind corporate firewall)
added AllowAll parameter to transportSender https in axis2.xml
restarted esb and still get the exception
http-nio-9443-exec-50, SEND TLSv1 ALERT: fatal, description = certificate_unknown
http-nio-9443-exec-50, WRITE: TLSv1 Alert, length = 2
http-nio-9443-exec-50, called closeSocket()
http-nio-9443-exec-50, handling exception: javax.net.ssl.SSLHandshakeException: java.security.cert.CertificateException: No name matching my.domain.com found
http-nio-9443-exec-50, WRITE: TLSv1 Application Data, length = 1
http-nio-9443-exec-50, WRITE: TLSv1 Application Data, length = 154
I am using jdk1.6_34 and tried with WSO2 ESB 4.5.1 and 4.6 with the same results.
The logging is showing the ssl handshake being started but then ends with the error above. All the googling suggests that the hostnameverifier parameter should do the trick but clearly doesn't. Is there somewhere else I should be configuring this or if this parameter is being overridden somewhere else? I have run out of options and places to look with this.
Edit:
I have had another attempt at this and by setting the host name in my hosts file to the CN specified in the client certificate I can now get a bit further but I am now getting another error which I can't seem to fathom out.
The specific error is "... no IV used for this cipher", but with the debug trace being
Found trusted certificate:
[
[
Version: V1
Subject: CN=mydomain.com, O=my o, ST=INTERFACES, C=GB
Signature Algorithm: SHA1withRSA, OID = 1.2.840.113549.1.1.5
Key: Sun RSA public key, 1024 bits
modulus:#### loads of numbers here ####
public exponent: 65537
Validity: [From: Mon Apr 22 14:26:25 BST 2013,
To: Tue Apr 22 14:26:25 BST 2014]
Issuer: CN=ath-st2-API-a, O=Northgate IS, ST=INTERFACES, C=GB
SerialNumber: [ a4cf31a6 9c0d920d]
]
Algorithm: [SHA1withRSA]
Signature:
### signature here ###
]
http-nio-9443-exec-13, READ: SSLv3 Handshake, length = 98
*** CertificateRequest
Cert Types: RSA, DSS
Cert Authorities:
<CN=mydomain.com, O=my o, ST=INTERFACES, C=GB>
*** ServerHelloDone
http-nio-9443-exec-13, SEND SSLv3 ALERT: warning, description = no_certificate
http-nio-9443-exec-13, WRITE: SSLv3 Alert, length = 2
*** ClientKeyExchange, RSA PreMasterSecret, SSLv3
http-nio-9443-exec-13, WRITE: SSLv3 Handshake, length = 132
SESSION KEYGEN:
PreMaster Secret:
###master secret here ####
CONNECTION KEYGEN:
Client Nonce:
0000: 52 45 86 22 10 B0 E2 EF 19 10 B1 04 ED C9 6F B0 RE."..........o.
0010: C3 8E BC D6 2C C9 5E D0 CA 8E 88 6B 22 53 1D B0 ....,.^....k"S..
Server Nonce:
0000: 52 45 86 23 B0 56 30 EC 84 F0 48 C1 F7 31 0C 5C RE.#.V0...H..1.\
0010: 43 B3 CB 25 DA 19 4C 0E B1 71 CB 17 8E 0C 62 04 C..%..L..q....b.
Master Secret:
0000: C3 F4 6B 9B EB 50 67 BD 6C A8 F0 63 88 A1 5A C7 ..k..Pg.l..c..Z.
0010: E5 CD A4 9A 46 95 3F B3 13 2D 4E BF 77 2C 64 86 ....F.?..-N.w,d.
0020: 44 D2 89 B5 09 EE 96 E5 8B 8D E2 30 04 09 F2 D3 D..........0....
Client MAC write Secret:
0000: F7 76 83 C9 16 F5 CB 33 E3 43 3F 7B 68 2E 8A 6F .v.....3.C?.h..o
Server MAC write Secret:
0000: CC FB 14 CE 21 AD C8 BC 20 C1 A5 2B 0B 2B 83 35 ....!... ..+.+.5
Client write key:
0000: 9C 9E FA A5 68 6E 27 2C E0 6E 80 9D ED C9 1C 01 ....hn',.n......
Server write key:
0000: B7 5A 24 DD 6F 65 5A 7E C8 AD 4A 29 E4 09 08 6D .Z$.oeZ...J)...m
... no IV used for this cipher
http-nio-9443-exec-13, WRITE: SSLv3 Change Cipher Spec, length = 1
*** Finished
verify_data: { 174, 247, 182, 190, 5, 104, 242, 127, 216, 79, 94, 15, 215, 236, 236, 211, 30, 51, 116, 56, 138, 144, 19, 125, 0, 54, 52, 114, 173, 138, 170, 166, 24, 67, 108, 102 }
***
http-nio-9443-exec-13, WRITE: SSLv3 Handshake, length = 56
http-nio-9443-exec-13, READ: SSLv3 Alert, length = 2
http-nio-9443-exec-13, RECV SSLv3 ALERT: fatal, handshake_failure
http-nio-9443-exec-13, called closeSocket()
http-nio-9443-exec-13, handling exception: javax.net.ssl.SSLHandshakeException: Received fatal alert
: handshake_failure
http-nio-9443-exec-13, WRITE: TLSv1 Application Data, length = 1
http-nio-9443-exec-13, WRITE: TLSv1 Application Data, length = 154
http-nio-9443-ClientPoller-0, called closeOutbound()
http-nio-9443-ClientPoller-0, closeOutboundInternal()
http-nio-9443-ClientPoller-0, SEND TLSv1 ALERT: warning, description = close_notify
http-nio-9443-ClientPoller-0, WRITE: TLSv1 Alert, length = 32
Finalizer, called close()
Finalizer, called closeInternal(true)
I have tried passing https.protocols=SSLv3,SSLv2Hello or https.protocols=SSLv3 in the axis2 config file as a to the https sender transport but this doesn't help either.
Suggestions welcome.
thanks
Conrad

How to solve RECV SSLv3 ALERT: fatal, bad_record_mac

Over the last few days I have tried to install a working CAS server (Jasig CAS) on Ubuntu 10.10. I installed Tomcat 6 and configured (server.xml) it for SSL port 8443:
<!-- Define a SSL HTTP/1.1 Connector on port 8443 -->
<Connector port="8443"
maxHttpHeaderSize="8192"
maxThreads="150"
minSpareThreads="25"
disableUploadTimeout="true"
acceptCount="100"
scheme="https"
secure="true"
clientAuth="false"
SSLEnabled="true"
SSLProtocol="SSLv3"
SSLCertificateFile="/etc/ssl/certs/server_cert.pem"
SSLCertificateKeyFile="/etc/ssl/private/server_key.pem"
SSLCACertificateFile="/etc/ssl/certs/ca_cert.pem"
SSLCACertificatePath="/etc/ssl/certs"
SSLPassword="password"
/>
server_cert.pem, server_key.pem are self-signed x509 certificates. Further, I created a x509v3 certificate for a windows test server (apache2 - xampp) (both servers are in the same LAN and have the IPs 10.0.0.*) . these certificate is installed in the java keystore (cacerts) which is located in the java directory. Since I had always problems with the "alternative subject name" in the client certificate I used an extended version of the openssl config file to create it.
The apache2 ssl config file looks as follows:
<IfModule ssl_module>
....
<VirtualHost 10.0.0.2:443>
SSLEngine on
ServerName 10.0.0.2:443
#ServerAlias 10.0.0.2
DocumentRoot c:/xampp/htdocs
SSLProtocol -all +SSLv3
SSLCertificateFile C:/xampp/ssl/certs/powercomputer_cert.pem
SSLCertificateKeyFile C:/xampp/ssl/private/powercomputer_key.pem
SSLCACertificateFile C:/xampp/ssl/certs/ca_cert.pem
</VirtualHost>
...
</IfModule>
SSL connections are working on both servers (tested by using IE and firefox).
Now comes the hard task. I used a module called phpCAS, programmed in php, on the windows machine to communicate with the CAS server. The module sends a callback url to the CAS server and the server sends a proxy ticket back etc. etc.
BUT I was not able to ensure a valid SSL handshake between both servers. openssl -s_client -connect... for both servers it did not show any errors so I debugged the complete SSL handshake (here is only the relevant part):
...
* ServerHelloDone
* ClientKeyExchange, RSA PreMasterSecret, SSLv3 http-apr-8443-exec-3, WRITE: SSLv3 Handshake, length = 132 SESSION
KEYGEN: PreMaster Secret: 0000: 03 00 78 96 8F EE D3 4A 2F A8 CC F8
F9 D7 2F CB ..x....J/...../. 0010: 9E 3A 58 66 43 0E D5 49 3C 8A B0
3D 3F 2C 89 A0 .:XfC..I<..=?,.. 0020: BC E2 B2 12 F8 D9 55 73 F2 2C
1F CC 81 80 94 22 ......Us.,....." CONNECTION KEYGEN: Client Nonce:
0000: 4E D1 94 ED 32 7F FA 72 40 3C 43 C8 05 E2 62 D0
N...2..r#
91 E2 D0 1C 90 3D 30 DD ..n;W6.......=0. Master Secret: 0000: EB 25
F0 A2 A3 FF 37 06 BB 79 41 C5 E5 07 1C 64 .%....7..yA....d 0010: 77
66 A3 37 71 97 63 AF DB A2 79 47 85 E2 9C 74 wf.7q.c...yG...t 0020:
5F 14 3D 26 57 E8 AD 9B A1 7C AC 33 00 04 4A E0 _.=&W......3..J.
Client MAC write Secret: 0000: C9 20 BF A5 A6 2B C1 DA A8 4E 93 E0
DE 76 06 53 . ...+...N...v.S Server MAC write Secret: 0000: 66 77 5A
3E BD E7 19 55 A4 80 1E E6 8A 9E 2A 5E fwZ>...U......*^ Client
write key: 0000: 58 D1 29 38 13 D8 83 EF 4F BD 7A 18 C8 35 D7 B4
X.)8....O.z..5.. Server write key: 0000: 3A 7B 6A 6E 66 E9 E1 42 A4
3C C3 19 D0 7F 21 FF :.jnf..B.<....!. ... no IV used for this cipher
http-apr-8443-exec-3, WRITE: SSLv3 Change Cipher Spec, length = 1
* Finished verify_data: { 71, 19, 125, 80, 118, 60, 64, 122, 243, 112, 45, 18, 254, 144, 12, 143, 221, 125, 10, 94, 15, 221, 122, 21,
90, 190, 76, 224, 224, 57, 67, 172, 228, 75, 181, 228 }
* http-apr-8443-exec-3, WRITE: SSLv3 Handshake, length = 56 http-apr-8443-exec-3,
READ: SSLv3 Alert, length = 2
http-apr-8443-exec-3, RECV SSLv3 ALERT: fatal, bad_record_mac
http-apr-8443-exec-3, called closeSocket() http-apr-8443-exec-3,
handling exception: javax.net.ssl.SSLException: Received fatal alert:
bad_record_mac 2011-11-27 02:39:57,315 ERROR
[org.jasig.cas.util.HttpClient] -
bad_record_mac> javax.net.ssl.SSLException: Received fatal alert:
bad_record_mac at sun.security.ssl.Alerts.getSSLException(Alerts.java:208) at
sun.security.ssl.Alerts.getSSLException(Alerts.java:154) at
....
I did not find any solution in the last few days and I really do not have a clue what is the problem. btw I forced the use of SSLv3.
Thank you very much for any suggestions.