
ssl - RabbitMQ: handshake error when trying to use an SSL certificate

Reposted. Author: 太空宇宙. Updated: 2023-11-03 12:42:11

I am trying to use an SSL certificate with RabbitMQ, but I keep getting a handshake error with the broker.

The certificates I generated work fine when using the openssl 's_client' and 's_server' commands in separate terminal windows on port 8443, as described in the SSL troubleshooting guide (http://www.rabbitmq.com/troubleshooting-ssl.html).

The problem appears when I try to connect to the RabbitMQ SSL port 5671 with the same openssl 's_client' command:

Running this:

openssl s_client -connect localhost:5671 -cert /etc/rabbitmq/ssl/client/cert.pem -key /etc/rabbitmq/ssl/client/key.pem -CAfile /etc/rabbitmq/ssl/certificate_auth/cacert.pem

produces this:

CONNECTED(00000003)
depth=1 CN = RMQCA
verify return:1
depth=0 CN = roger.xxxxxx.com, O = server
verify return:1
139997248210760:error:14094410:SSL routines:SSL3_READ_BYTES:sslv3 alert handshake failure:s3_pkt.c:1256:SSL alert number 40
139997248210760:error:140790E5:SSL routines:SSL23_WRITE:ssl handshake failure:s23_lib.c:177:
---

The SSL listener starts normally, as shown in the RabbitMQ log:

=INFO REPORT==== 19-May-2014::15:45:34 ===
started TCP Listener on [::]:5672

=INFO REPORT==== 19-May-2014::15:45:34 ===
started SSL Listener on [::]:5671

Errors when trying to connect to port 5671 with 's_client':

=INFO REPORT==== 19-May-2014::17:20:39 ===
accepting AMQP connection <0.3263.0> ([::1]:58538 -> [::1]:5671)

=ERROR REPORT==== 19-May-2014::17:20:39 ===
SSL: certify: ssl_handshake.erl:1346:Fatal error: handshake failure

=ERROR REPORT==== 19-May-2014::17:20:44 ===
error on AMQP connection <0.3263.0>: {ssl_upgrade_error,
{tls_alert,"handshake failure"}} (unknown POSIX error)

RabbitMQ config file:

[
  {rabbit, [
    {ssl_listeners, [5671]},
    {ssl_options, [{cacertfile, "/etc/rabbitmq/ssl/certificate_auth/cacert.pem"},
                   {certfile, "/etc/rabbitmq/ssl/server/cert.pem"},
                   {keyfile, "/etc/rabbitmq/ssl/server/key.pem"},
                   {verify, verify_peer},
                   {fail_if_no_peer_cert, false}]}
  ]}
].

RabbitMQ info:

[{pid,10375},
{running_applications,
[{rabbitmq_management,"RabbitMQ Management Console","3.2.3"},
{rabbitmq_web_dispatch,"RabbitMQ Web Dispatcher","3.2.3"},
{webmachine,"webmachine","1.10.3-rmq3.2.3-gite9359c7"},
{mochiweb,"MochiMedia Web Server","2.7.0-rmq3.2.3-git680dba8"},
{rabbitmq_management_agent,"RabbitMQ Management Agent","3.2.3"},
{rabbit,"RabbitMQ","3.2.3"},
{ssl,"Erlang/OTP SSL application","5.3.3"},
{public_key,"Public key infrastructure","0.21"},
{crypto,"CRYPTO version 2","3.2"},
{asn1,"The Erlang ASN1 compiler version 2.0.4","2.0.4"},
{os_mon,"CPO CXC 138 46","2.2.14"},
{inets,"INETS CXC 138 49","5.9.8"},
{mnesia,"MNESIA CXC 138 12","4.11"},
{amqp_client,"RabbitMQ AMQP Client","3.2.3"},
{xmerl,"XML parser","1.3.6"},
{sasl,"SASL CXC 138 11","2.3.4"},
{stdlib,"ERTS CXC 138 10","1.19.4"},
{kernel,"ERTS CXC 138 10","2.16.4"}]},
{os,{unix,linux}},
{erlang_version,
"Erlang R16B03-1 (erts-5.10.4) [source] [64-bit] [smp:2:2] [async-threads:30] [hipe] [kernel-poll:true]\n"},
{memory,
[{total,43812088},
{connection_procs,5616},
{queue_procs,42528},
{plugins,451248},
{other_proc,13805200},
{mnesia,72752},
{mgmt_db,10208},
{msg_index,34560},
{other_ets,1159472},
{binary,1030272},
{code,21819091},
{atom,793505},
{other_system,4587636}]},
{vm_memory_high_watermark,0.4},
{vm_memory_limit,787819724},
{disk_free_limit,50000000},
{disk_free,31267266560},
{file_descriptors,
[{total_limit,924},{total_used,4},{sockets_limit,829},{sockets_used,2}]},
{processes,[{limit,1048576},{used,215}]},
{run_queue,0},
{uptime,7893}]
...done.

Any help would be greatly appreciated.

Thanks in advance.

Update:

I get the following errors when trying to connect with the rabbitmqadmin utility.

Log file:

=INFO REPORT==== 20-May-2014::14:39:12 ===
accepting AMQP connection <0.16589.0> ([::1]:58922 -> [::1]:5671)

=ERROR REPORT==== 20-May-2014::14:39:12 ===
SSL: certify: ssl_handshake.erl:1346:Fatal error: handshake failure

=ERROR REPORT==== 20-May-2014::14:39:17 ===
error on AMQP connection <0.16589.0>: {ssl_upgrade_error,
{tls_alert,"handshake failure"}} (unknown POSIX error)

The rabbitmqadmin command produced the following:

*** Could not connect: [Errno 1] _ssl.c:492: error:14094410:SSL routines:SSL3_READ_BYTES:sslv3 alert handshake failure

Best answer

I ran into the same problem as @user3653959, and @Sarah Messer's answer led me to the solution.

Your client certificate must have TLS Web Client Authentication in its "X509v3 Extended Key Usage" attribute. Due to a bug in my client generation script, mine only had TLS Web Server Authentication.

To check what your client certificate is capable of, you can use this command:

openssl x509 -noout -text -in client-certificate.pem

Then look for the "X509v3 extensions:" section and the "X509v3 Extended Key Usage:" subsection.

If you generate your client certificate with the sample openssl.conf and the client and server commands provided in the official "RabbitMQ - TLS Support" guide, it should work out of the box.

As @Sarah Messer pointed out, the key here is the extendedKeyUsage = 1.3.6.1.5.5.7.3.2 openssl configuration option in openssl.conf. That is the "TLS Web Client Authentication" capability. OpenSSL s_server does not require this capability, which is why it works with it by default but not with RabbitMQ. keyUsage = digitalSignature as the primary usage option is sufficient. Also, the "Common Name" (CN) of the client certificate does not matter.

FYI

My environment:

  • RabbitMQ 3.6.2
  • Erlang 18.2
  • Ubuntu 14.04.2 LTS (64-bit)
  • Only TLSv1.2 enabled.

The error I saw in the RabbitMQ log:

=ERROR REPORT==== 21-Jun-2016::13:28:21 ===
SSL: certify: ssl_handshake.erl:1492:Fatal error: handshake failure

The error I saw via openssl s_client:

140735165813584:error:14094410:SSL routines:ssl3_read_bytes:sslv3 alert handshake failure:s3_pkt.c:1472:SSL alert number 40
140735165813584:error:1409E0E5:SSL routines:ssl3_write_bytes:ssl handshake failure:s3_pkt.c:656:
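The following script is an added example, not code from the question, the answer, or RabbitMQ's or OpenSSL's own tooling. It reproduces the failure mode the answer describes and the check it recommends: it builds a throwaway PKI with openssl, issues one client certificate whose Extended Key Usage is serverAuth only (the broken script's mistake) and one with clientAuth, then inspects both by reading the "X509v3 Extended Key Usage" section of `openssl x509 -noout -text`, and goes one step further with `openssl verify -purpose sslclient`, which applies the same purpose check a verifying server does. The CA name "DemoCA", the subjects "broker.example.test" and "client.example.test", the file names, and the `DEMO_DIR` location are all assumptions made up for this demo.

```shell
#!/bin/sh
# Added example, not from the original question or answer. Builds a demo
# PKI with openssl, mints a client cert with the wrong EKU (serverAuth
# only) next to a correct one (clientAuth), and checks both. Subject
# names, file names and DEMO_DIR are assumptions made up for the demo.
set -eu

# new_csr DIR NAME SUBJECT : fresh 2048-bit RSA key plus CSR
new_csr() {
    openssl req -new -newkey rsa:2048 -nodes -subj "$3" \
        -keyout "$1/$2.key" -out "$1/$2.csr" >/dev/null 2>&1
}

# issue_cert DIR NAME SUBJECT KEYUSAGE EKU : CA-signed leaf certificate
# with keyUsage / extendedKeyUsage spelled out in a per-cert ext file
issue_cert() {
    new_csr "$1" "$2" "$3"
    printf 'keyUsage = %s\nextendedKeyUsage = %s\n' "$4" "$5" > "$1/$2.ext"
    openssl x509 -req -days 1 -in "$1/$2.csr" \
        -CA "$1/cacert.pem" -CAkey "$1/ca.key" -CAcreateserial \
        -extfile "$1/$2.ext" -out "$1/$2.pem" >/dev/null 2>&1
}

# make_demo_pki DIR : CA, server cert and two client certs in DIR
make_demo_pki() {
    mkdir -p "$1"
    # Self-signed CA with explicit extensions, so nothing here depends on
    # the v3_ca section of the system openssl.cnf
    new_csr "$1" ca "/CN=DemoCA"
    printf 'basicConstraints = critical,CA:TRUE\nkeyUsage = critical,keyCertSign,cRLSign\n' > "$1/ca.ext"
    openssl x509 -req -days 1 -in "$1/ca.csr" -signkey "$1/ca.key" \
        -extfile "$1/ca.ext" -out "$1/cacert.pem" >/dev/null 2>&1
    issue_cert "$1" server      "/CN=broker.example.test/O=server" "digitalSignature, keyEncipherment" serverAuth
    # client-bad reproduces the answer's bug: EKU says server, not client
    issue_cert "$1" client-bad  "/CN=client.example.test/O=client" digitalSignature serverAuth
    # client-good is what the RabbitMQ TLS guide's openssl.conf produces
    issue_cert "$1" client-good "/CN=client.example.test/O=client" digitalSignature clientAuth
}

# print_eku CERT : the line under "X509v3 Extended Key Usage:" (empty if absent)
print_eku() {
    openssl x509 -noout -text -in "$1" \
        | awk '/X509v3 Extended Key Usage/ { getline; sub(/^ +/, ""); print }'
}

# eku_has_client_auth CERT : exit 0 if the EKU lists TLS Web Client Authentication
eku_has_client_auth() {
    print_eku "$1" | grep -q 'TLS Web Client Authentication'
}

# verify_as_client CA CERT : chain check plus the sslclient purpose check,
# which is what a server that requests a client certificate effectively enforces
verify_as_client() {
    openssl verify -purpose sslclient -CAfile "$1" "$2" >/dev/null 2>&1
}

# Demo run: build the PKI, then show how each client cert fares
DEMO_DIR=${DEMO_DIR:-$(mktemp -d)}
make_demo_pki "$DEMO_DIR"
for name in client-bad client-good; do
    cert="$DEMO_DIR/$name.pem"
    printf '%s: EKU = [%s] -> ' "$name" "$(print_eku "$cert")"
    if verify_as_client "$DEMO_DIR/cacert.pem" "$cert"; then
        echo "accepted as a TLS client certificate"
    else
        echo "rejected (the kind of cert behind the alert 40 handshake failure)"
    fi
done
echo "Demo PKI left in $DEMO_DIR"
```

Run it as `sh check-eku.sh` (or with `DEMO_DIR=/tmp/pki` to keep the files somewhere predictable). The point of the second check is that grepping the text dump only tells you what the extension says; `openssl verify -purpose sslclient` also fails the certificate when the EKU is present but lacks clientAuth, or when keyUsage lacks digitalSignature, which mirrors what the broker-side verification rejects before the handshake completes.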

Regarding ssl - RabbitMQ: handshake error when trying to use an SSL certificate, we found a similar question on Stack Overflow: https://stackoverflow.com/questions/23746135/
