Posted: Wed Sep 23, 2009 3:33 pm |
Hi,
I'm trying to test the native SSL support in the upcoming RabbitMQ
v1.7.0 using the Ruby v1.9.1 openssl library and Erlang R12B-5_1.
I've cloned the default branch of the server code (hg id gives me
b87b7ed85157) and can start the server successfully according to
rabbit.log -
=INFO REPORT==== 23-Sep-2009::09:21:25 ===
started TCP Listener on 0.0.0.0:5672
=INFO REPORT==== 23-Sep-2009::09:21:26 ===
started SSL Listener on 0.0.0.0:5671
I wanted to get the simplest case running which is to connect without
using any certificates. I decided to try to follow the instructions
in the wiki - https://dev.rabbitmq.com/wiki/SslSupport - and so
created a rabbit.conf file with similar contents to the example (only
the paths differ). It contains -
RABBITMQ_SERVER_START_ARGS="-rabbit ssl_listeners [{\"0.0.0.0\",
5671}] -rabbit ssl_options
[{cacertfile,\"/path/to/testca/cacert.pem\"},{certfile,\"/path/to/
server/cert.pem\"},
{keyfile,\"/path/to/server/key.pem\"},{verify,verify_peer},
{fail_if_no_peer_cert,false}]"
When I try to connect I get a 'Connection reset by peer' error and
these entries in rabbit.log -
=INFO REPORT==== 23-Sep-2009::09:22:24 ===
accepted TCP connection on 0.0.0.0:5671 from 127.0.0.1:51689
=ERROR REPORT==== 23-Sep-2009::09:22:24 ===
failed to upgrade TCP connection from 127.0.0.1:51689 to SSL:
{eoptions,{cacertfile,[]}}
I'm creating an ordinary TCP socket and then using
OpenSSL::SSL::SSLSocket.new to create the SSL socket like this -
@socket = OpenSSL::SSL::SSLSocket.new(@socket)
@socket.sync_close = true
@socket.connect
The connect call is the one that is failing. This code works when
connecting via stunnel.
Any help would be greatly appreciated.
Regards,
Chris
_______________________________________________
rabbitmq-discuss mailing list
rabbitmq-discuss@lists.rabbitmq.com
http://lists.rabbitmq.com/cgi-bin/mailman/listinfo/rabbitmq-discuss
Posted: Wed Sep 23, 2009 3:50 pm |
Hi Chris,
On Wed, Sep 23, 2009 at 04:32:13PM +0100, Chris Duncan wrote:
> I wanted to get the simplest case running which is to connect without
> using any certificates. I decided to try to follow the instructions
> in the wiki - https://dev.rabbitmq.com/wiki/SslSupport - and so
> created a rabbit.conf file with similar contents to the example (only
> the paths differ).
Please note that the instructions on that wiki page are not entirely
correct and indeed we are going to remove it. The SSL instructions have
been rewritten and will appear on the main website (not on dev.rabbitmq)
when v1.7 gets released.
> It contains -
>
> RABBITMQ_SERVER_START_ARGS="-rabbit ssl_listeners [{\"0.0.0.0\",
> 5671}] -rabbit ssl_options
> [{cacertfile,\"/path/to/testca/cacert.pem\"},{certfile,\"/path/to/
> server/cert.pem\"},
> {keyfile,\"/path/to/server/key.pem\"},{verify,verify_peer},
> {fail_if_no_peer_cert,false}]"
>
> When I try to connect I get a 'Connection reset by peer' error and
> these entries in rabbit.log -
>
> =INFO REPORT==== 23-Sep-2009::09:22:24 ===
> accepted TCP connection on 0.0.0.0:5671 from 127.0.0.1:51689
>
> =ERROR REPORT==== 23-Sep-2009::09:22:24 ===
> failed to upgrade TCP connection from 127.0.0.1:51689 to SSL:
> {eoptions,{cacertfile,[]}}
I think that it's not happy with your cacert file. That line in your
rabbit.conf file must be one single line. Also make sure there are no
spaces anywhere between the square brackets.
If you can't make any progress, can you send in your cacert.pem,
cert.pem and key.pem files (obviously, fakes, not the real thing!), and
we'll see if we can make it work.
Matthew
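The "one single line, no spaces between the square brackets" advice comes down to shell word splitting. The check below is an added example, not part of RabbitMQ or of this thread; it assumes the start script expands RABBITMQ_SERVER_START_ARGS unquoted, so that every whitespace-separated word (newlines included) becomes a separate argument to erl and an Erlang term broken across words can no longer be parsed as one value. The two sample values are constructed from the configs quoted above with placeholder paths.

```shell
#!/bin/sh
# Added check, not part of RabbitMQ or of the thread. Assumption: the start
# script expands $RABBITMQ_SERVER_START_ARGS unquoted, so the shell splits it
# on whitespace and every word reaches erl as its own argument.

# Reproduce that split and count the words each "-rabbit <key>" value becomes.
# A value that is a single Erlang term must be exactly one word; returns 1
# if any value was broken up.
check_start_args() {
  set -f                    # no pathname expansion on the [ { ... } ] terms
  set -- $1                 # unquoted on purpose: this is the split under test
  set +f
  bad=0
  while [ $# -gt 0 ]; do
    if [ "$1" = "-rabbit" ] && [ $# -ge 3 ]; then
      key=$2
      shift 2
      n=0
      while [ $# -gt 0 ] && [ "$1" != "-rabbit" ]; do
        n=$((n + 1))
        shift
      done
      echo "$key: $n word(s)"
      [ "$n" -eq 1 ] || bad=1
    else
      shift
    fi
  done
  return $bad
}

# Constructed from the configs quoted above; paths are placeholders. The \"
# inside the double-quoted rabbit.conf value reach erl as plain " characters,
# which is what these single-quoted strings contain.
WRAPPED_ARGS='-rabbit ssl_listeners [{"0.0.0.0",
5671}] -rabbit ssl_options [{cacertfile,"/path/to/testca/cacert.pem"},{certfile,"/path/to/server/cert.pem"},
{keyfile,"/path/to/server/key.pem"},{verify,verify_peer},{fail_if_no_peer_cert,false}]'

ONE_LINE_ARGS='-rabbit ssl_listeners [{"0.0.0.0",5671}] -rabbit ssl_options [{cacertfile,"/path/to/testca/cacert.pem"},{certfile,"/path/to/server/cert.pem"},{keyfile,"/path/to/server/key.pem"},{verify,verify_peer},{fail_if_no_peer_cert,false}]'

echo "wrapped value:"
check_start_args "$WRAPPED_ARGS" || echo "  -> split into several arguments (bad)"
echo "single-line value:"
check_start_args "$ONE_LINE_ARGS" && echo "  -> every term intact"
```

Run it against the value you actually put in rabbit.conf before starting the broker: a count other than 1 for ssl_listeners or ssl_options means the term will not survive the trip to erl as one argument.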
Posted: Thu Sep 24, 2009 4:50 pm |
Hi Matthew,
I've now got this working.
On 23 Sep 2009, at 16:50, Matthew Sackman wrote:
> Hi Chris,
>
> On Wed, Sep 23, 2009 at 04:32:13PM +0100, Chris Duncan wrote:
>> I wanted to get the simplest case running which is to connect without
>> using any certificates. I decided to try to follow the instructions
>> in the wiki - https://dev.rabbitmq.com/wiki/SslSupport - and so
>> created a rabbit.conf file with similar contents to the example (only
>> the paths differ).
>
> Please note that the instructions on that wiki page are not entirely
> correct and indeed we are going to remove it. The SSL instructions have
> been rewritten and will appear on the main website (not on dev.rabbitmq)
> when v1.7 gets released.
>
>> It contains -
>>
>> RABBITMQ_SERVER_START_ARGS="-rabbit ssl_listeners [{\"0.0.0.0\",
>> 5671}] -rabbit ssl_options
>> [{cacertfile,\"/path/to/testca/cacert.pem\"},{certfile,\"/path/to/
>> server/cert.pem\"},
>> {keyfile,\"/path/to/server/key.pem\"},{verify,verify_peer},
>> {fail_if_no_peer_cert,false}]"
>>
>> When I try to connect I get a 'Connection reset by peer' error and
>> these entries in rabbit.log -
>>
>> =INFO REPORT==== 23-Sep-2009::09:22:24 ===
>> accepted TCP connection on 0.0.0.0:5671 from 127.0.0.1:51689
>>
>> =ERROR REPORT==== 23-Sep-2009::09:22:24 ===
>> failed to upgrade TCP connection from 127.0.0.1:51689 to SSL:
>> {eoptions,{cacertfile,[]}}
>
> I think that it's not happy with your cacert file. That line in your
> rabbit.conf file must be one single line. Also make sure there are no
> spaces anywhere between the square brackets.
>
Thanks for the pointer. I regenerated a self-signed server
certificate and key (I think I messed up the CN bit before), then I
put the following in my rabbit.conf file -
RABBITMQ_SERVER_START_ARGS="-rabbit ssl_listeners [{\"0.0.0.0\",5671}] -rabbit ssl_options [{cacertfile,\"/path/to/testca/server.crt\"},{certfile,\"/path/to/server/server.crt\"},{keyfile,\"/path/to/server/server.key\"},{verify,verify_none},{fail_if_no_peer_cert,false}]"
I connected using openssl s_client and my Ruby code.
> If you can't make any progress, can you send in your cacert.pem,
> cert.pem and key.pem files (obviously, fakes, not the real thing!),
> and
> we'll see if we can make it work.
>
> Matthew
>
> _______________________________________________
> rabbitmq-discuss mailing list
> rabbitmq-discuss@lists.rabbitmq.com
> http://lists.rabbitmq.com/cgi-bin/mailman/listinfo/rabbitmq-discuss
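Two points in this thread deserve a worked check. First, the server-side settings: {verify,verify_none} (and {verify,verify_peer} with {fail_if_no_peer_cert,false}) only govern whether the broker demands a client certificate; they say nothing about whether the client authenticates the broker. Second, the client snippet in the first post builds its SSLSocket without an SSLContext, and Ruby's default verify_mode is VERIFY_NONE, so that client completes the handshake against any certificate at all, which is why "it works" is not evidence that the chain is right. The Ruby program below is an added example, not code from the thread or from RabbitMQ: it mints a throwaway test CA and a CA-signed server certificate in memory (the cacertfile/certfile/keyfile trio from rabbit.conf), runs a verify_none-style TLS listener on 127.0.0.1 in a thread, and connects to it four ways. The subject names, the localhost SAN, the "hello" banner and the rabbit.example hostname are all made up for the demonstration.

```ruby
require 'openssl'
require 'socket'

# Added example, not code from the thread or from RabbitMQ. Subjects, the
# "hello" banner and the hostnames are made up for the demonstration.

# Issue an X.509v3 certificate. With issuer_cert nil it is self-signed (our
# test CA); otherwise it is a server certificate signed by issuer_key.
def make_cert(subject, key, issuer_cert, issuer_key, ca:, serial:)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2
  cert.serial = serial
  cert.subject = OpenSSL::X509::Name.parse(subject)
  cert.issuer = issuer_cert ? issuer_cert.subject : cert.subject
  cert.public_key = key.public_key
  cert.not_before = Time.now - 60
  cert.not_after = Time.now + 3600
  ef = OpenSSL::X509::ExtensionFactory.new
  ef.subject_certificate = cert
  ef.issuer_certificate = issuer_cert || cert
  if ca
    cert.add_extension(ef.create_extension('basicConstraints', 'CA:TRUE', true))
    cert.add_extension(ef.create_extension('keyUsage', 'keyCertSign,cRLSign', true))
  else
    cert.add_extension(ef.create_extension('basicConstraints', 'CA:FALSE', true))
    cert.add_extension(ef.create_extension('subjectAltName', 'DNS:localhost'))
  end
  cert.sign(issuer_key || key, OpenSSL::Digest.new('SHA256'))
  cert
end

# Server side of the thread's final config ({verify,verify_none}): presents
# its own certificate and never asks the client for one.
def start_tls_server(cert, key)
  ctx = OpenSSL::SSL::SSLContext.new
  ctx.cert = cert
  ctx.key = key
  ctx.verify_mode = OpenSSL::SSL::VERIFY_NONE
  listener = OpenSSL::SSL::SSLServer.new(TCPServer.new('127.0.0.1', 0), ctx)
  port = listener.to_io.addr[1]
  thread = Thread.new do
    loop do
      begin
        conn = listener.accept            # TLS handshake happens here
        conn.puts 'hello'                 # stand-in for the protocol header
        conn.close
      rescue OpenSSL::SSL::SSLError, EOFError, Errno::ECONNRESET, Errno::EPIPE
        next                              # a client rejected us; keep serving
      rescue IOError, SystemCallError
        break                             # listener closed by the caller
      end
    end
  end
  [port, listener, thread]
end

# Shape of the first post's client: no SSLContext, so Ruby's default
# verify_mode (VERIFY_NONE) accepts whatever certificate the server sends.
def connect_unverified(port)
  ssl = OpenSSL::SSL::SSLSocket.new(TCPSocket.new('127.0.0.1', port))
  ssl.sync_close = true
  ssl.connect
  ssl.gets.to_s.chomp
ensure
  ssl&.close
end

# Hardened client: trust only ca_cert and check the name on the certificate.
def connect_verifying(port, ca_cert, hostname)
  ctx = OpenSSL::SSL::SSLContext.new
  ctx.verify_mode = OpenSSL::SSL::VERIFY_PEER
  ctx.cert_store = OpenSSL::X509::Store.new.tap { |s| s.add_cert(ca_cert) }
  ssl = OpenSSL::SSL::SSLSocket.new(TCPSocket.new('127.0.0.1', port), ctx)
  ssl.sync_close = true
  ssl.connect                             # SSLError if the chain is untrusted
  ssl.post_connection_check(hostname)     # SSLError if the name does not match
  ssl.gets.to_s.chomp
ensure
  ssl&.close
end

def outcome
  yield
  :accepted
rescue OpenSSL::SSL::SSLError
  :rejected
end

def demo
  ca_key   = OpenSSL::PKey::RSA.new(2048)
  ca_cert  = make_cert('/CN=Test CA', ca_key, nil, nil, ca: true, serial: 1)
  srv_key  = OpenSSL::PKey::RSA.new(2048)
  srv_cert = make_cert('/CN=localhost', srv_key, ca_cert, ca_key, ca: false, serial: 2)
  other_ca = make_cert('/CN=Other CA', OpenSSL::PKey::RSA.new(2048), nil, nil, ca: true, serial: 3)
  port, listener, thread = start_tls_server(srv_cert, srv_key)
  results = {
    unverified: connect_unverified(port),                                      # "hello"
    trusted:    connect_verifying(port, ca_cert, 'localhost'),                 # "hello"
    wrong_ca:   outcome { connect_verifying(port, other_ca, 'localhost') },    # :rejected
    wrong_name: outcome { connect_verifying(port, ca_cert, 'rabbit.example') } # :rejected
  }
  listener.close
  thread.join
  results
end

puts demo.inspect if $PROGRAM_NAME == __FILE__
```

The unverified connect succeeds without ever looking at the CA, exactly as the thread's original client would against any listener on port 5671; the verifying client only succeeds when the broker's certificate chains to the CA you pass in and carries the name you connected to. The broker side needs nothing more than what the final rabbit.conf above already has: the client-certificate policy (verify_none or verify_peer plus fail_if_no_peer_cert) is a separate decision from whether the client checks the server.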