I am trying to establish an SSL connection with a RabbitMQ broker.
I followed this page for help and found my bug, but I don't know how to resolve it. I am stuck at the test connection with the broker:
openssl s_client -connect localhost:5671 -cert client/cert.pem -key client/key.pem -CAfile testca/cacert.pem
CONNECTED(00000003)
write:errno=104
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 0 bytes and written 289 bytes
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
SSL-Session:
Protocol : TLSv1.2
Cipher : 0000
Session-ID:
Session-ID-ctx:
Master-Key:
Key-Arg : None
PSK identity: None
PSK identity hint: None
SRP username: None
Start Time: 1470206187
Timeout : 300 (sec)
Verify return code: 0 (ok)
---
And I have no log, but I need it to accept AMQP connections.
# rabbitmq.config
[
  {rabbit, [
    {ssl_listeners, [5671]},
    {ssl_options, [{cacertfile, ".../testca/cacert.pem"},
                   {certfile,   ".../server/cert.pem"},
                   {keyfile,    ".../server/key.pem"},
                   {ciphers, [{rsa,aes_256_cbc,sha256}]},
                   {verify, verify_peer},
                   {fail_if_no_peer_cert, false}]}
  ]}
].
The certificates that I use are validated, verified and created following the doc.
I think this is the issue that does not allow me to perform an SSL connection.
Thanks
Edit: I created the certificates in /var/lib/rabbitmq as the rabbitmq user; this way the permissions are right and the server can access the certs.
Everything worked for me after I replaced, in rabbitmq.config,
{certfile,".../server/cert.pem"},
with the full file path:
{certfile,"/data/server/cert.pem"}
RabbitMQ says nothing when it can't find or can't read a certificate file.
Check the permissions of the certificate files!
TIBCO version - TIBCO ActiveMatrix BusinessWorks 5.7.2
Problem:
I am a consumer of the TIBCO server and am getting an SSL handshake failure. I have tried the following openssl commands to see if it can accept connections. Below are my results:
openssl s_client -showcerts -connect tibco-server:port -verify 3 -tls1 -state
verify depth is 3
CONNECTED(00000003)
SSL_connect:before/connect initialization
SSL_connect:SSLv3 write client hello A
SSL3 alert read:fatal:unexpected_message
SSL_connect:failed in error
139827261306768:error:140943F2:SSL routines:ssl3_read_bytes:sslv3 alert unexpected message:s3_pkt.c:1493:SSL alert number 10
139827261306768:error:1409E0E5:SSL routines:ssl3_write_bytes:ssl handshake failure:s3_pkt.c:659:
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 7 bytes and written 0 bytes
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
Protocol : TLSv1
Cipher : 0000
Session-ID:
Session-ID-ctx:
Master-Key:
Key-Arg : None
Krb5 Principal: None
PSK identity: None
PSK identity hint: None
Start Time: 1581402078
Timeout : 7200 (sec)
Verify return code: 0 (ok)
---
However, the same works when I connect with the -ssl3 option:
openssl s_client -showcerts -connect tibco-server:port -verify 3 -ssl3 -state
verify depth is 3
CONNECTED(00000003)
SSL_connect:before/connect initialization
SSL_connect:SSLv3 write client hello A
SSL_connect:SSLv3 read server hello A
depth=0 C = AU, ST = <state>, L = <location>, O = <org>, OU = <unit>, CN = <cn>
verify error:num=18:self signed certificate
verify return:1
depth=0 C = AU, ST = <state>, L = <location>, O = <org>, OU = <unit>, CN = <cn>
verify return:1
SSL_connect:SSLv3 read server certificate A
SSL_connect:SSLv3 read server key exchange A
SSL_connect:SSLv3 read server done A
SSL_connect:SSLv3 write client key exchange A
SSL_connect:SSLv3 write change cipher spec A
SSL_connect:SSLv3 write finished A
SSL_connect:SSLv3 flush data
SSL_connect:SSLv3 read finished A
---
Certificate chain
-----BEGIN CERTIFICATE-----
.....
.....
-----END CERTIFICATE-----
---
Server certificate
subject=...
issuer=...
---
No client certificate CA names sent
Server Temp Key: DH, 1024 bits
---
SSL handshake has read 1779 bytes and written 362 bytes
---
New, TLSv1/SSLv3, Cipher is DHE-RSA-AES128-SHA
Server public key is 2048 bit
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
Protocol : SSLv3
Cipher : DHE-RSA-AES128-SHA
Session-ID: 8BCEAEADC85613876FFF0E2EAB590A92
Session-ID-ctx:
Master-Key: <master-key-here>
Key-Arg : None
Krb5 Principal: None
PSK identity: None
PSK identity hint: None
Start Time: 1581402661
Timeout : 7200 (sec)
Verify return code: 18 (self signed certificate)
---
I have masked some of the output data.
Any help on why openssl can connect to TIBCO via SSLv3 but not TLS 1.0?
This issue got resolved after the security configuration changes on the TIBCO server. Now the clients can successfully negotiate TLS 1.0 connections with the TIBCO server.
FIX
Changed security to be j2se instead of entrust
java.property.TIBCO_SECURITY_VENDOR=j2se
References
https://support.tibco.com/s/article/Tibco-KnowledgeArticle-Article-38616
https://community.tibco.com/questions/tls-compatibility-tibco-bw
I'm performing this command in order to check whether I'm able to create an SSL connection:
openssl s_client -connect private-server:5000
private-server is a server I've set up with a self-generated certificate.
The output is:
CONNECTED(00000003)
140180300502672:error:140790E5:SSL routines:ssl23_write:ssl handshake failure:s23_lib.c:177:
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 0 bytes and written 308 bytes
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
Protocol : TLSv1.2
Cipher : 0000
Session-ID:
Session-ID-ctx:
Master-Key:
Key-Arg : None
PSK identity: None
PSK identity hint: None
SRP username: None
Start Time: 1467812448
Timeout : 300 (sec)
Verify return code: 0 (ok)
---
What do I need to get the connection right?
Thanks.
SSL handshake has read 0 bytes and written 308 bytes
The client has started the SSL handshake but the server has closed the connection without sending anything back. There might be a lot of reasons for this, like a firewall blocking the connection, various configuration errors on the server, the server not expecting TLS at all, the server expecting SNI ...
Unfortunately it cannot be said from the information you provide which exactly is the cause of the problem. You might try with different clients (browser) to find out if the problem is more on the server or middlebox side (i.e. none of the clients work) or if it is more a problem which can maybe be fixed on the client side (some clients work, others not).
Following the directions stated here, I have set up a certificate authority and created the rabbitmq.config with the appropriate fields. However, when I try to connect to the RabbitMQ server with
openssl s_client -connect 127.0.0.1:5671 -tls1
I get the following in standard output:
CONNECTED(00000003)
write:errno=104
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 0 bytes and written 0 bytes
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
Protocol : TLSv1
Cipher : 0000
Session-ID:
Session-ID-ctx:
Master-Key:
Key-Arg : None
PSK identity: None
PSK identity hint: None
SRP username: None
Start Time: 1449612785
Timeout : 7200 (sec)
Verify return code: 0 (ok)
---
and I see the following error in the logs:
=ERROR REPORT==== 8-Dec-2015::16:13:10 ===
Error on AMQP connection <0.257.0>:
{ssl_upgrade_error,
{options,
{cacertfile,"/home/nthompson/learn_celery/testca/cacert.pem",
{error,eacces}}}}
What could be the problem?
I have tried the following, with no success:
Open up the permissions of cacert.pem, i.e., I ran chmod 444 cacert.pem as well as some more hopeless permissions, no dice.
Validated that all intermediate directories have permissions of 775.
Validated that the RabbitMQ server was indeed listening on port 5671, and it was:
$ sudo rabbitmqctl status
{listeners,[{clustering,25672,"::"},{amqp,5672,"::"},{'amqp/ssl',5671,"::"}]},
Checked all paths in rabbitmq.config, and loosened up the certificate exchange policy by setting {verify,verify_none} and {fail_if_no_peer_cert,false}.
Enabled the use of the rabbitmq_auth_mechanism_ssl plugin via
$ sudo rabbitmq-plugins enable rabbitmq_auth_mechanism_ssl
and verified that it was picked up by rabbitmq-server. In addition, I added {auth_mechanisms, ['PLAIN', 'AMQPLAIN', 'EXTERNAL']} to the rabbitmq.config.
RabbitMQ version is 3.5.4 (default apt-get), but I also upgraded to 3.5.6 (latest) to see if this would go away.
After a lot of messing around and searching I FINALLY got it!
In my case, the issue was caused by the certificate files' ownership and permissions.
I edited my /etc/rabbitmq/rabbitmq.config so that the certificate, key and CA file pointed to /etc/rabbitmq/conf/<file>.pem, copied the original .pem files into /etc/rabbitmq/conf/, then ran chown -R rabbitmq:rabbitmq /etc/rabbitmq/conf and restarted the service with service rabbitmq-server restart, and it worked.
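Both RabbitMQ threads above (the relative-path fix and the {error,eacces} ownership fix) come down to one question: can the broker's service account actually open the configured files? The script below is an added example, not code from the posts or from RabbitMQ; it assumes a Linux/Unix host with classic mode bits (no ACLs) and a service account named rabbitmq.

```python
# Added example, not from any post above: check whether the files named in rabbitmq.config
# are reachable by the broker's service account, judged from the classic mode bits, since
# the broker fails silently or with {error,eacces} when they are not.
import grp
import os
import pwd
import stat

def _allowed(st, uid, gid, groups, user_bit, group_bit, other_bit):
    """Classic owner/group/other permission check for one identity (root bypasses it)."""
    if uid == 0:
        return True
    if st.st_uid == uid:
        return bool(st.st_mode & user_bit)
    if st.st_gid == gid or st.st_gid in groups:
        return bool(st.st_mode & group_bit)
    return bool(st.st_mode & other_bit)

def check_cert_access(path, uid, gid, groups=()):
    """Return a list of problems for one file; an empty list means the identity can read it."""
    problems = []
    if not os.path.isabs(path):
        # The first thread above was fixed by replacing ".../server/cert.pem" with a full path.
        problems.append(f"{path}: not an absolute path")
        path = os.path.abspath(path)
    parent = os.path.dirname(path)
    while parent != os.path.dirname(parent):  # walk up to "/"; each dir needs the x bit
        try:
            st = os.stat(parent)
        except FileNotFoundError:
            return problems + [f"{parent}: directory does not exist"]
        if not _allowed(st, uid, gid, groups, stat.S_IXUSR, stat.S_IXGRP, stat.S_IXOTH):
            problems.append(f"{parent}: directory not searchable by uid {uid}")
        parent = os.path.dirname(parent)
    try:
        st = os.stat(path)
    except FileNotFoundError:
        return problems + [f"{path}: file does not exist"]
    if not _allowed(st, uid, gid, groups, stat.S_IRUSR, stat.S_IRGRP, stat.S_IROTH):
        problems.append(f"{path}: not readable by uid {uid} (Erlang reports {{error,eacces}})")
    return problems

def check_for_user(paths, username="rabbitmq"):
    """Resolve a service account by name and check every configured cert/key/CA file for it."""
    pw = pwd.getpwnam(username)
    groups = [g.gr_gid for g in grp.getgrall() if username in g.gr_mem]
    return {p: check_cert_access(p, pw.pw_uid, pw.pw_gid, groups) for p in paths}
```

Run check_for_user with the three paths from ssl_options on the broker host; any non-empty list is the reason the broker resets the connection without logging.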
I have an Android app that has some trouble with a site's certificate when connecting via https. As I'm experiencing trouble even when using a custom keystore with the certificates ("No peer certificate") I'm trying to get more information about the connection, handshake and certificates actually given by the server.
The version of openssl is as follows:
$ openssl version
OpenSSL 1.0.1e 11 Feb 2013
When I just try to get info about the certificates I get this response:
$ openssl s_client -showcerts -connect [hostname]:443 </dev/null
CONNECTED(00000003)
3069977808:error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure:s23_clnt.c:749:
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 7 bytes and written 308 bytes
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
---
This is how Chrome describes the connection (sorry for the Norwegian text, but you get an idea of the connection and encryption type):
Based on the info from Chrome I've tried different commands to get the certificates, but they all seem to fail. My top candidate was this one:
$ openssl s_client -showcerts -connect [hostname]:443 -tls1_2 -cipher RC4-MD5
CONNECTED(00000003)
3069396176:error:14094410:SSL routines:SSL3_READ_BYTES:sslv3 alert handshake failure:s3_pkt.c:1258:SSL alert number 40
3069396176:error:1409E0E5:SSL routines:SSL3_WRITE_BYTES:ssl handshake failure:s3_pkt.c:596:
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 7 bytes and written 0 bytes
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
SSL-Session:
Protocol : TLSv1.2
Cipher : 0000
Session-ID:
Session-ID-ctx:
Master-Key:
Key-Arg : None
PSK identity: None
PSK identity hint: None
SRP username: None
Start Time: 1414399499
Timeout : 7200 (sec)
Verify return code: 0 (ok)
---
Anyone got any hints based on the info given?
This might be an SNI issue, where the server has no default certificate defined for non-SNI clients. Android included a version of Apache's HttpClient which is known to not support SNI, and your openssl s_client command also does not use SNI.
Please try openssl s_client -servername hostname -connect ... to use SNI and see if this helps.
My production app uses ActiveMerchant and is unable to process credit cards over https with a single gateway, Moneris. All other gateways (Authorize.net, PayPal, Beanstream, etc.) experience no errors. The error I receive is:
OpenSSL::SSL::SSLError (SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B: certificate verify failed):
The people at Moneris have told me that they have updated their SSL certificate to 2048-bit SSL encryption (from the current 1024-bit SSL encryption) and that the upgraded certificate will be issued by VeriSign. Our wildcard SSL uses 2432, more than the Moneris 2047 requirement.
So, they suggested that in addition to the files I normally upload for my SSL bundle, I have to add their Verisign certs. My Heroku command looks like this:
$ heroku certs:upgrade --app myapp AddTrustExternalCARoot.crt ComodoUTNSGCCA.crt EssentialSSLCA_2.crt STAR_myapp_com.crt UTNAddTrustSGCCA.crt Verisign_chain_Gr.cer Verisign_G5.cer server.key
I have tried virtually everything including the fix_ssl.rb suggestion here (OpenSSL::SSL::SSLError on Heroku) where I call the ca-certificates.crt from my /usr/lib/ssl/certs directory from Heroku.
require 'open-uri'
require 'net/https'

module Net
  class HTTP
    alias_method :original_use_ssl=, :use_ssl=

    def use_ssl=(flag)
      self.ca_path = Rails.root.join('/usr/lib/ssl/certs/ca-certificates.crt').to_s
      self.verify_mode = OpenSSL::SSL::VERIFY_PEER
      self.original_use_ssl = flag
    end
  end
end
I've tried everything: placing the Heroku bundle in my /lib directory, adding the 'certified' gem, etc, etc. and spent hours on the phone with Moneris to no avail. Does anyone know what more I can do to allow this one gateway to process credit cards?
My guess is that the trusted list of CA certificates that openssl is using to verify Moneris' server certificate is outdated. So try getting the cacert.pem extracted from Mozilla's ca-bundle (http://curl.haxx.se/docs/caextract.html does this for you). This is more necessary these days as far as openssl is concerned, as openssl is no longer bundled with CA certs, which is why I'm suspecting whatever ca-certs you're using might be out of date.
First I tried to reproduce your problem with the command:
openssl s_client -connect www3.moneris.com:443
and got ...
New, TLSv1/SSLv3, Cipher is RC4-MD5
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
Protocol : TLSv1.2
Cipher : RC4-MD5
Session-ID: 73178D4019035AE86399D0E6D2FFB904A1412D0F5D3F83370E52F50E9E26B73C
Session-ID-ctx:
Master-Key: 0BB841912F11185B7CBAFA524571765DD7372990819EBC44E311DE4EF0C70E480501D6F87C8AA439C4F827B0908123F7
Key-Arg : None
PSK identity: None
PSK identity hint: None
SRP username: None
Start Time: 1380816775
Timeout : 300 (sec)
Verify return code: 20 (unable to get local issuer certificate)
---
Then I used the cacert.pem extracted from Mozilla thanks to http://curl.haxx.se/docs/caextract.html
and re-issued the openssl command like so:
openssl s_client -connect www3.moneris.com:443 -CAfile cacert.pem
and got ...
New, TLSv1/SSLv3, Cipher is RC4-MD5
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
Protocol : TLSv1.2
Cipher : RC4-MD5
Session-ID: 73178D401902F7EB6399D0E6D2FFB804CE0F7219344405EA0E52F50E9E26B4DB
Session-ID-ctx:
Master-Key: C0B32810FB7E0158A156E7D05DBB35F3CE8935284F165C3FB636700EEEC8BCE991BCE8850D39020E298F337B6E58132A
Key-Arg : None
PSK identity: None
PSK identity hint: None
SRP username: None
Start Time: 1380816992
Timeout : 300 (sec)
Verify return code: 0 (ok)
---
So in your code snippet, above, try replacing:
self.ca_path = Rails.root.join('/usr/lib/ssl/certs/ca-certificates.crt').to_s
with:
self.ca_file = '<full path name>/cacert.pem'
where cacert.pem is extracted from the Mozilla ca-bundle
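As an added example, not from any of the answers above, here is a small triage function that classifies a captured s_client transcript by the signatures the answers on this page interpret by hand: no ServerHello at all (the "read 0 bytes" and errno=104 cases), handshake_failure(40) (the SNI case), unexpected_message(10) (the TIBCO case) and the Verify return codes 20 and 18 (the Moneris and TIBCO chains). The sample transcript is constructed.

```python
# Added example, not from any post above: classify a captured `openssl s_client`
# transcript by the failure signatures that the answers on this page interpret by hand.
import re

def triage_s_client(output):
    """Return (category, advice) for one s_client transcript captured as text."""
    m = re.search(r"SSL handshake has read (\d+) bytes and written (\d+) bytes", output)
    read_bytes = int(m.group(1)) if m else None
    verify = re.search(r"Verify return code: (\d+)", output)
    verify_code = int(verify.group(1)) if verify else None

    if "write:errno=104" in output or read_bytes == 0:
        # The server reset or closed the socket without answering the ClientHello. In the
        # RabbitMQ threads that was a broker unable to read its own cert files; it can also
        # be a firewall/middlebox or a port that does not speak TLS at all.
        return ("no server response",
                "check the server's own log and its cert/key/CA paths and permissions; "
                "confirm the port expects TLS")
    if re.search(r"alert handshake failure|SSL alert number 40", output):
        # handshake_failure(40): the server rejected what the ClientHello offered, which is
        # what a server with no default certificate does when the client sends no SNI.
        return ("server rejected ClientHello",
                "retry with -servername <host>; then compare protocol versions and ciphers")
    if re.search(r"alert unexpected message|SSL alert number 10", output):
        # unexpected_message(10): a protocol-version problem on the server side; the TIBCO
        # thread saw it until the server's security provider was changed.
        return ("unexpected message",
                "probe with -tls1/-tls1_2/-ssl3 to see what the server accepts, then fix "
                "the server's TLS configuration")
    if verify_code == 20:
        return ("chain verification failed",
                "issuer not in the local trust store: pass a current CA bundle with -CAfile "
                "(ca_file in client code), as in the Moneris answer")
    if verify_code == 18:
        return ("chain verification failed",
                "self-signed server certificate: trust it explicitly with -CAfile if it is yours")
    if verify_code == 0:
        return ("ok", "handshake completed and the certificate chain verified")
    return ("unknown", "no recognisable signature in this transcript")

# Constructed sample with the shape of the first RabbitMQ transcript (not a real capture).
SAMPLE_RESET = ("CONNECTED(00000003)\nwrite:errno=104\n---\nno peer certificate available\n"
                "---\nSSL handshake has read 0 bytes and written 289 bytes\n---\n"
                "Verify return code: 0 (ok)\n")
```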