ssl - RabbitMQ Web-MQTT WSS closes the client connection; insecure WS and the other secure protocols work

Reposted. Author: 行者123. Updated: 2023-12-04 22:35:43

I have a RabbitMQ deployment that uses its own certificates for end-to-end encryption. It uses both AMQP and MQTT-over-WSS to connect several kinds of clients. The AMQP clients can connect securely, so I know the certificates are set up correctly.

Clients that use WS to reach ws://hostname:15675/ws connect fine, but obviously insecurely. Clients that try to connect to wss://hostname:15676/ws have their connection closed. 15676 is the port you will see I have bound the web-mqtt SSL listener to, shown below. I have read RabbitMQ's networking and TLS help guides, I see the port is bound correctly, and I can confirm it is exposed and reachable by clients.

The relevant rabbit.conf:

listeners.tcp.default = 5671
listeners.ssl.default = 5671

ssl_options.cacertfile = /path/to/fullchain.pem
ssl_options.certfile = /path/to/cert.pem
ssl_options.keyfile = /path/to/privkey.pem

ssl_options.verify = verify_none
ssl_options.fail_if_no_peer_cert = false

web_mqtt.ssl.port = 15676
web_mqtt.ssl.backlog = 1024
web_mqtt.ssl.cacertfile = /path/to/fullchain.pem
web_mqtt.ssl.certfile = /path/to/cert.pem
web_mqtt.ssl.keyfile = /path/to/privkey.pem

Basically, I want to know whether my connection string is wrong (wss://hostname:15675/ws)? Do I need to go to /wss? My client is a browser running on localhost, not over HTTPS; is that a problem? Are my configuration settings wrong, or am I missing one? If there is a better source of documentation or examples than the RabbitMQ website, I would be interested in that too.

Best answer

Probably a configuration mismatch. If the private key file has a password, you also need to add it. Refer to the sample rabbitmq.conf below

listeners.ssl.default = 5671
ssl_options.cacertfile = <path/ca-bundle (.pem/.cabundle)>
ssl_options.certfile = <path/cert (.pem/.crt)>
ssl_options.keyfile = <path/key (.pem/.key)>
ssl_options.password = <your private key password>
ssl_options.versions.1 = tlsv1.3

ssl_options.verify = verify_peer
ssl_options.fail_if_no_peer_cert = true

ssl_options.ciphers.1 = TLS_AES_256_GCM_SHA384
ssl_options.ciphers.2 = TLS_AES_128_GCM_SHA256
ssl_options.ciphers.3 = TLS_CHACHA20_POLY1305_SHA256
ssl_options.ciphers.4 = TLS_AES_128_CCM_SHA256
ssl_options.ciphers.5 = TLS_AES_128_CCM_8_SHA256

ssl_options.honor_cipher_order = true
ssl_options.honor_ecc_order = true

web_mqtt.ssl.port = 15676
web_mqtt.ssl.backlog = 1024
web_mqtt.ssl.cacertfile = <path/ca-bundle (.pem/.cabundle)>
web_mqtt.ssl.certfile = <path/crt (.pem/.crt)>
web_mqtt.ssl.keyfile = <path/key (.pem/.key)>
web_mqtt.ssl.password = <your private key password>

web_mqtt.ssl.honor_cipher_order = true
web_mqtt.ssl.honor_ecc_order = true
web_mqtt.ssl.client_renegotiation = false
web_mqtt.ssl.secure_renegotiate = true

web_mqtt.ssl.versions.1 = tlsv1.2
web_mqtt.ssl.versions.2 = tlsv1.1
web_mqtt.ssl.ciphers.1 = ECDHE-ECDSA-AES256-GCM-SHA384
web_mqtt.ssl.ciphers.2 = ECDHE-RSA-AES256-GCM-SHA384
web_mqtt.ssl.ciphers.3 = ECDHE-ECDSA-AES256-SHA384
web_mqtt.ssl.ciphers.4 = ECDHE-RSA-AES256-SHA384
web_mqtt.ssl.ciphers.5 = ECDH-ECDSA-AES256-GCM-SHA384
web_mqtt.ssl.ciphers.6 = ECDH-RSA-AES256-GCM-SHA384
web_mqtt.ssl.ciphers.7 = ECDH-ECDSA-AES256-SHA384
web_mqtt.ssl.ciphers.8 = ECDH-RSA-AES256-SHA384
web_mqtt.ssl.ciphers.9 = DHE-RSA-AES256-GCM-SHA384

This is a working config file for rabbitmq-server on Ubuntu 20.04

  1. Restart the rabbitmq server
  2. List the listener ports (make sure the SSL ports are enabled) (rabbitmq-diagnostics listeners)
  3. Test SSL (testssl localhost:16567)
  4. Also test with telnet (telnet localhost 16567)

Please refer to: https://www.rabbitmq.com/ssl.html#erlang-otp-requirementstroubleshooting

This worked for me :-)
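As an added example (not code from the question, the answer, or the RabbitMQ project), a small Python lint that reads a rabbitmq.conf and flags the points this thread turns on: the tcp and ssl AMQP listeners bound to one port, a Web-MQTT TLS listener without its own certificate and key, deprecated TLS versions, and verify_none. SAMPLE_CONF is a constructed file modelled on the question's configuration, not the poster's file.

```python
# Constructed sample modelled on the question's config (not the poster's file).
SAMPLE_CONF = """
listeners.tcp.default = 5671
listeners.ssl.default = 5671
ssl_options.cacertfile = /path/to/fullchain.pem
ssl_options.certfile = /path/to/cert.pem
ssl_options.keyfile = /path/to/privkey.pem
ssl_options.verify = verify_none
web_mqtt.ssl.port = 15676
web_mqtt.ssl.certfile = /path/to/cert.pem
web_mqtt.ssl.keyfile = /path/to/privkey.pem
web_mqtt.ssl.versions.1 = tlsv1.2
web_mqtt.ssl.versions.2 = tlsv1.1
"""

DEPRECATED_VERSIONS = {"sslv3", "tlsv1", "tlsv1.1"}


def parse_conf(text):
    """Parse RabbitMQ's sysctl-style 'key = value' format; '#' starts a comment."""
    conf = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        key, sep, value = line.partition("=")
        if sep and key.strip():
            conf[key.strip()] = value.strip()
    return conf


def lint_tls(conf):
    """Return human-readable findings; an empty list means no known issue."""
    findings = []
    # Plain AMQP and AMQPS listeners bound to the same port cannot both start.
    tcp, ssl = conf.get("listeners.tcp.default"), conf.get("listeners.ssl.default")
    if tcp and tcp == ssl:
        findings.append(f"listeners.tcp.default and listeners.ssl.default share port {tcp}")
    # A Web-MQTT TLS listener needs its own certificate and key.
    if "web_mqtt.ssl.port" in conf:
        for key in ("web_mqtt.ssl.certfile", "web_mqtt.ssl.keyfile"):
            if key not in conf:
                findings.append(f"web_mqtt.ssl.port is set but {key} is missing")
    # Any listener that still offers a deprecated protocol version.
    for key, value in conf.items():
        if ".versions." in key and value.lower() in DEPRECATED_VERSIONS:
            findings.append(f"{key} enables deprecated {value}")
    # verify_none means client certificates are neither requested nor checked.
    for prefix in ("ssl_options", "web_mqtt.ssl"):
        if conf.get(f"{prefix}.verify") == "verify_none":
            findings.append(f"{prefix}.verify = verify_none: client certificates are not checked")
    return findings
```

Run `lint_tls(parse_conf(open("/etc/rabbitmq/rabbitmq.conf").read()))` against a real file; each finding names the offending key so it can be fixed before restarting the server.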

Regarding "ssl - RabbitMQ Web-MQTT WSS closes the client connection; insecure WS and the other secure protocols work", we found a similar question on Stack Overflow: https://stackoverflow.com/questions/61256484/