
I fail to set up a RabbitMQ shovel over AMQPS. The same shovel works fine over AMQP.

My (edited) URI:

amqps://un:pw@myhost.example.com:5679?cacertfile=/etc/ssl/certs/example.com.cacert.crt&certfile=/etc/ssl/certs/example.com.crt&keyfile=/etc/ssl/private/example.com.key&verify=verify_peer

The error in the stunnel log:

SSL_accept: 14094410: error:14094410:SSL routines:SSL3_READ_BYTES:sslv3 alert handshake failure

And the shovel status is:

{{badmatch,{error,{tls_alert,"handshake failure"}}}

Connecting via openssl from the shell works:

openssl s_client -connect myhost.example.com:5679 -cert /etc/ssl/certs/example.com.crt -key /etc/ssl/private/example.com.key -CAfile /etc/ssl/certs/example.com.cacert.crt

This returns:

Negotiated TLSv1/SSLv3 ciphersuite: ECDHE-RSA-AES256-GCM-SHA384 (256-bit encryption)

My rabbitmq.config:

[
  {kernel, [

  ]},
  {ssl, [{versions, ['tlsv1.2', 'tlsv1.1' ]}]},
  {rabbit, [
    {ssl_listeners, [5671]},
    {ssl_options, [{cacertfile,"/etc/ssl/certs/example.com.cacert.crt"},
                    {certfile,"/etc/ssl/certs/example.com.crt"},
                    {keyfile,"/etc/ssl/private/example.com.key"},
                    {versions, ['tlsv1.2', 'tlsv1.1']},
                    {depth, 2},
                    {verify,verify_peer},
                    {fail_if_no_peer_cert,false}]},
    {tcp_listen_options, [binary, {packet,raw},
                                  {reuseaddr,true},
                                  {backlog,128},
                                  {nodelay,true},
                                  {exit_on_close,false},
                                  {keepalive,false}]},

    {default_user, <<"guest">>},
    {default_pass, <<"guest">>},
    {heartbeat, 580}
  ]}
]
– dazl
  • Why have you disabled TLSv1? Your log from the openssl call shows that TLSv1 or SSL3 was used, but it's forbidden for rabbitmq. – sebix Apr 02 '15 at 11:32
  • The openssl call is over TLSv1.2 - from the log: `SSL handshake has read 6051 bytes and written 431 bytes --- New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-GCM-SHA384 Server public key is 2048 bit Secure Renegotiation IS supported Compression: NONE Expansion: NONE SSL-Session: Protocol : TLSv1.2 Cipher : ECDHE-RSA-AES256-GCM-SHA384` I disabled TLSv1 because it's vulnerable to a variation of the poodle attack. I had same results with TLSv1 enabled. If I add the -tls1_2 flag the log still says `New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-GCM-SHA384` – dazl Apr 02 '15 at 17:33

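The shovel does not use the `openssl` binary; it opens the connection through Erlang's `ssl` application on the broker node, so a handshake that succeeds with `openssl s_client` can still fail from Erlang (different default protocol versions, cipher suites, or no SNI). The module below is an added example, not part of the question or of RabbitMQ: it makes the same client connection with `ssl:connect/4` using the certificate paths, host and port from the question, first with one explicit version list and then once per version, so the failing combination shows up outside the shovel plugin. Assumptions: the module name `tls_probe` is invented for this example; `ssl:connection_information/2` needs OTP 18 or later (use `ssl:connection_info/1` on older releases); the `server_name_indication` option is included on the assumption that the stunnel front end may select its certificate by name.

```erlang
%% Added example: reproduce the shovel's TLS client handshake from plain Erlang,
%% with the same certificate material and peer verification as the shovel URI.
-module(tls_probe).
-export([probe/0, probe/3, probe_versions/2]).

%% Paths exactly as given in the question (example.com placeholders).
-define(CACERT, "/etc/ssl/certs/example.com.cacert.crt").
-define(CERT,   "/etc/ssl/certs/example.com.crt").
-define(KEY,    "/etc/ssl/private/example.com.key").

%% Same host and port as the shovel URI, TLS 1.2 only.
probe() ->
    probe("myhost.example.com", 5679, ['tlsv1.2']).

%% One handshake with an explicit version list.
%% Returns {ok, [{protocol, V}, {cipher_suite, C}]} or {error, Reason};
%% a handshake alert surfaces as {error, {tls_alert, _}} just as in the shovel status.
probe(Host, Port, Versions) ->
    {ok, _} = application:ensure_all_started(ssl),
    Opts = [{cacertfile, ?CACERT},
            {certfile,   ?CERT},
            {keyfile,    ?KEY},
            {verify,     verify_peer},
            {depth,      2},
            {versions,   Versions},
            %% Assumption: send SNI in case the far end picks its cert by host name.
            {server_name_indication, Host}],
    case ssl:connect(Host, Port, Opts, 5000) of
        {ok, Sock} ->
            {ok, Info} = ssl:connection_information(Sock, [protocol, cipher_suite]),
            ok = ssl:close(Sock),
            {ok, Info};
        {error, Reason} ->
            {error, Reason}
    end.

%% Try each protocol version on its own, so the result lists which versions
%% the peer accepts from this Erlang client and which produce the alert.
probe_versions(Host, Port) ->
    [{V, probe(Host, Port, [V])} || V <- ['tlsv1.2', 'tlsv1.1', 'tlsv1']].
```

Compile with `erlc tls_probe.erl` and run, for example, `erl -noshell -eval 'io:format("~p~n", [tls_probe:probe_versions("myhost.example.com", 5679)]), init:stop().'` on the same machine (and ideally the same OTP release) as the broker, so the result reflects what the shovel's client side actually negotiates rather than what the system OpenSSL can do. A `{tls_alert, "handshake failure"}` only for some versions points at the `versions` restriction; the same alert for every version points at the cipher suites or certificate chain the Erlang client offers.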
0 Answers