RabbitMQ mailing list ~ Could not upgrade the network driver to ssl
Guest
Posted: Sat Oct 31, 2009 7:04 pm
OS: Ubuntu 8.04.1
Erlang Version: R12B-5
Rabbit Version: 1.7.0
I'm trying to get ssl going with the Erlang client. Have followed the
instructions here: http://www.rabbitmq.com/ssl.html creating all the
certificates etc.
I attempt to connect to the server with code like this:
SSLOptions = [{cacertfile, "/home/testca/cacert.pem"},
              {certfile, "/home/client/cert.pem"},
              {keyfile, "/home/client/key.pem"},
              {verify_code, 0}],
Params = #amqp_params{username = <<"guest">>, password = <<"guest">>,
                      virtual_host = <<"/">>, host = "localhost",
                      port = 5671, ssl_options = SSLOptions},
Connection = amqp_connection:start_network(Params),
....
And the Erlang shell says:
=ERROR REPORT==== 31-Oct-2009::14:07:59 ===
SSL: certify: ./ssl_connection.erl:1356:Fatal error: internal_error
=ERROR REPORT==== 31-Oct-2009::14:07:59 ===
Could not upgrade the network driver to ssl: esslerrssl
** exception exit: {badmatch,{error,esslerrssl}}
in function amqp_connection:start_network_internal/2
in call from test_2:init/1
in call from gen_server:init_it/6
in call from proc_lib:init_p_do_apply/3
The rabbit.log says:
=INFO REPORT==== 31-Oct-2009::14:07:47 ===
started TCP Listener on 0.0.0.0:5672
=INFO REPORT==== 31-Oct-2009::14:07:47 ===
started SSL Listener on 0.0.0.0:5671
=INFO REPORT==== 31-Oct-2009::14:07:59 ===
accepted TCP connection on 0.0.0.0:5671 from 127.0.0.1:51406
=ERROR REPORT==== 31-Oct-2009::14:07:59 ===
SSL: hello: ./ssl_handshake.erl:227:Fatal error: internal_error
=ERROR REPORT==== 31-Oct-2009::14:07:59 ===
failed to upgrade TCP connection from 127.0.0.1:51406 to SSL:
esslerrssl
My rabbitmq.config file looks like this:
[{rabbit, [{ssl_listeners, [{"0.0.0.0", 5671}]},
           {ssl_options, [{cacertfile, "/home/testca/cacert.pem"},
                          {certfile, "/home/server/cert.pem"},
                          {keyfile, "/home/server/key.pem"},
                          {verify_code, 0}]}]}].
Thanks!
_______________________________________________
rabbitmq-discuss mailing list
rabbitmq-discuss@lists.rabbitmq.com
http://lists.rabbitmq.com/cgi-bin/mailman/listinfo/rabbitmq-discuss
Guest
Posted: Sat Oct 31, 2009 7:35 pm
Hi Steve,
Whilst I have had SSL working on Erlang as old as R12B5, I'm also
aware it is a little bit hit and miss. The SSL module shipped with
Erlang had more bugs back then and it sadly still has one or two bugs
even in the latest R13B02. SSL is also a fairly tricky thing to get
right it would seem - we've discovered bugs in the Mono implementation
too in the course of adding SSL support to RabbitMQ.
If you can, could you try to see if the Java tests work for you? If you
grab the Java client, build it, start up Rabbit, and then run:
rabbitmq-java-client# SSL_CERTS_DIR=/home/ PASSWORD=MySecretPassword ant test-ssl
where MySecretPassword is the password to the pkcs#12 file, and under
/home/ you have the client and server dirs as you seem to have, that
should give us some idea of whether it's a client or server issue - you
should, everything being well, get something like:
detect-ssl:
make-client-keystore:
[exec] Certificate was added to keystore
[exec] Certificate was added to keystore
test-ssl:
[junit] Running com.rabbitmq.client.test.ssl.SSLTests
[junit] Tests run: 3, Failures: 0, Errors: 0, Time elapsed: 1.166 sec
remove-client-keystore:
[delete] Deleting: /tmp/tmp.hIOPseDjbs
[delete] Deleting: /tmp/tmp.kfgI0FVTd6
You need the SSL_CERTS_DIR and PASSWORD env vars, otherwise the SSL
tests won't run. They will use the certs in /home/client
They should all work with verify_code set to 1 in the server - that's
how we run them as we deliberately have some negative tests to ensure
that the connection fails if the server asks for a certificate and the
client doesn't present one - so if you have verify_code set to 0, then
you will probably see one test fail as in that case, a connection can be
established when we were expecting it to fail.
If those won't work for you, I'd recommend you see if you can get hold
of a more recent version of Erlang - I certainly test the SSL support
with R13B02 frequently and it seems pretty reliable. That said, the
Erlang AMQP client is still not officially released and I suspect the
SSL code paths there get slightly less action. However, I've just
grabbed the latest version of the Erlang client default branch and run
the SSL tests (Don't have RabbitMQ running already. For these tests, I'm
reasonably sure you'll not only need to have compiled RabbitMQ yourself,
but also have the rabbitmq-server and rabbitmq-erlang-client directories
as siblings - the client tests will attempt to start up the broker
automatically):
rabbitmq-erlang-client# SSL_CERTS_DIR=/home/ make test_ssl
(PASSWORD isn't needed because neither the Erlang client nor server use
the pkcs#12 files), and all the tests pass for me on R13B02, so it may
very well be you're hitting a bug in R12B5's SSL module. I've also just
checked and realised that the tests in the Erlang client use the
new-style SSL module args, so you'll need to edit common.mk in the
Erlang client, and replace the
"{verify,verify_peer},{fail_if_no_peer_cert,true}" text with
"{verify_code,2}" to get the same behaviour.
Please let us know how you get on.
Matthew
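The option mapping Matthew describes, written out as an added example (not code from the thread or from the RabbitMQ project): the old-style `{verify_code, N}` form from Steve's rabbitmq.config beside the new-style `{verify, verify_peer}, {fail_if_no_peer_cert, true}` form used in the Erlang client's common.mk, for both the broker and the client. Certificate paths, hostnames and the `#amqp_params` record are taken from Steve's post; the equivalence of `{verify_code, 2}` to the new-style pair is Matthew's statement, while applying `{verify, verify_peer}` on the client side is an assumption added here so that the client also checks the broker's certificate.

```erlang
%% Added example, not code from the thread. Paths are the ones in Steve's post.
%%
%% --- Broker, rabbitmq.config, old-style option exactly as Steve had it ---
%% {verify_code, 0}: the listener never asks the client for a certificate,
%% so any client that can reach port 5671 is accepted.
[{rabbit, [{ssl_listeners, [{"0.0.0.0", 5671}]},
           {ssl_options, [{cacertfile, "/home/testca/cacert.pem"},
                          {certfile,   "/home/server/cert.pem"},
                          {keyfile,    "/home/server/key.pem"},
                          {verify_code, 0}]}]}].

%% --- Broker, rabbitmq.config, new-style options (a separate config file;
%% a config file holds one term). Per Matthew this pair is what the Erlang
%% client tests use and is the same behaviour as {verify_code, 2}: the
%% broker asks for a client certificate chained to /home/testca/cacert.pem
%% and drops the connection if none is presented. ---
[{rabbit, [{ssl_listeners, [{"0.0.0.0", 5671}]},
           {ssl_options, [{cacertfile, "/home/testca/cacert.pem"},
                          {certfile,   "/home/server/cert.pem"},
                          {keyfile,    "/home/server/key.pem"},
                          {verify, verify_peer},
                          {fail_if_no_peer_cert, true}]}]}].

%% --- Client, the SSLOptions list from Steve's snippet in new-style form
%% (assumption: R13 ssl module, where the client-side option is the same
%% {verify, verify_peer} atom). With it the client validates the broker's
%% certificate against the CA instead of accepting whatever answers on 5671. ---
SSLOptions = [{cacertfile, "/home/testca/cacert.pem"},
              {certfile,   "/home/client/cert.pem"},
              {keyfile,    "/home/client/key.pem"},
              {verify, verify_peer}],
Params = #amqp_params{username = <<"guest">>, password = <<"guest">>,
                      virtual_host = <<"/">>, host = "localhost",
                      port = 5671, ssl_options = SSLOptions},
Connection = amqp_connection:start_network(Params).
```

The two broker configs are alternatives for the same listener; which spelling the running ssl application accepts depends on the Erlang release, which is why Matthew points at common.mk as the place to swap one for the other.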
Guest
Posted: Mon Nov 02, 2009 2:15 pm
Hi Matthew,
Thank you for your detailed response. It was easiest for me to try the
upgrade to R13B02-1 which seems to have fixed the problem. My rabbit.log
now looks like this and my call to start_network/1 no longer gives the
error.
=INFO REPORT==== 31-Oct-2009::16:45:12 ===
started TCP Listener on 0.0.0.0:5672
=INFO REPORT==== 31-Oct-2009::16:45:12 ===
started SSL Listener on 0.0.0.0:5671
=INFO REPORT==== 31-Oct-2009::16:45:22 ===
accepted TCP connection on 0.0.0.0:5671 from 127.0.0.1:54769
=INFO REPORT==== 31-Oct-2009::16:45:23 ===
upgraded TCP connection from 127.0.0.1:54769 to SSL
=INFO REPORT==== 31-Oct-2009::16:45:23 ===
starting TCP connection <0.171.0> from 127.0.0.1:54769
Hope this helps someone else!
Steve
Guest
Posted: Mon Nov 02, 2009 2:34 pm
Hi Steve,
On Mon, Nov 02, 2009 at 09:14:56AM -0500, Steve Ellis wrote:
> Thank you for your detailed response. It was easiest for me to try the
> upgrade to R13B02-1 which seems to have fixed the problem. My
> rabbit.log now looks like this and my call to start_network/1 no
> longer gives the error.
That's good to know and thanks for letting us know the outcome.
Matthew