He configurado una conexión SSL Rabbitmq en mi servidor remoto según los documentos aquí:https://www.rabbitmq.com/ssl.html
Estoy usando java Rabbitmqclient para conectarme al servidor remoto y enviar un mensaje de saludo a una cola en el servidor Rabbitmq. La conexión funciona bien desde mi máquina local Ubuntu 14.04 pero no funciona desde una máquina CentOS 6.
Comando abierto SSL s_client utilizado:
openssl s_client -connect rabbitserver:5671 -cert cert.pem -key key.pem -CAfile cacert.pem
Abra la salida SSL en ubuntu:
CONNECTED(00000003)
depth=1 CN = MyTestCA
verify return:1
depth=0 CN = LAP0078, O = server
verify return:1
---
Certificate chain
0 s:/CN=LAP0078/O=server
i:/CN=MyTestCA
1 s:/CN=MyTestCA
i:/CN=MyTestCA
---
Server certificate
-----BEGIN CERTIFICATE-----
MIIC4DCCAcigAwIBAgIBATANBgkqhkiG9w0BAQsFADATMREwDwYDVQQDEwhNeVRl
c3RDQTAeFw0xODAyMTUwODAwMTRaFw0yODAyMTMwODAwMTRaMCMxEDAOBgNVBAMM
B0xBUDAwNzgxDzANBgNVBAoMBnNlcnZlcjCCASIwDQYJKoZIhvcNAQEBBQADggEP
ADCCAQoCggEBAMQmDjoWiZYSugEHGGBBV1eEhJiyGHxgACtQ5al6SVPnPM3PYGOH
N5nkPJIl/khymJWAav6B0zF4u46W01MZ90OzwvBvwWHJOBZCjrYCwclFhEW00Wte
QB7thTfo8kO9LnDQ//gAOx/3oxZUsyv85snlA3IiZDiOBNTNi7i4rmEF1X6St9cy
Bhm13k13MSMPGvg5cwt0DPax78PiJuDJmcLv6jV0dtyuOOaVRKN2XQsw4nJ7mPDh
rymnaWo2XL663vwDDkG306jpYR0BpeYBjcxM9BDDQLxydGj1DQPuG4yS1BLsfPCT
HyBklwW7tsYMH4NLejWYOkpBUA0F9rN318cCAwEAAaMvMC0wCQYDVR0TBAIwADAL
BgNVHQ8EBAMCBaAwEwYDVR0lBAwwCgYIKwYBBQUHAwEwDQYJKoZIhvcNAQELBQAD
ggEBAD3UFwHy1cYMI7PemLzRGrIK8fuuScRr1XHqZ6Jm8IY15l4DKaOP2bfa8l8f
2gvrDlQRe+wAA4rzHVfHar8Y5EwVklf8y9xb2+5kDrG10dfD97EQpGC2mihdOB7Z
BfUlreIsazsZS4n/pGVvdMLPKAxIv8r8Gc9GMYRmLPn9mnx3k3u7AHLMKrbF7Dr4
KLyV09CtfiYz/Cp7A2/QHY+bR4J9kJKlzBQTtp1o+A+ek598AUTUF1SDlhNf4o17
K6FzDyABWLcJdzqJPmgR9RDRYO8+B2ej8nmqV8xoqSSsM5NCpn8XTGICVDXVjWhu
mjPA+HtO4q1d8ig4ErkfygEzhDE=
-----END CERTIFICATE-----
subject=/CN=LAP0078/O=server
issuer=/CN=MyTestCA
---
Acceptable client certificate CA names
/CN=MyTestCA
---
SSL handshake has read 2160 bytes and written 2298 bytes
---
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-SHA384
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
Protocol : TLSv1.2
Cipher : ECDHE-RSA-AES256-SHA384
Session-ID: 3DFE01EE903538C9084A8B9E7FDD68021106C1992DC35B313A7C86A3D4CE5579
Session-ID-ctx:
Master-Key: D64753633EC177935CB2E19A630DD6C8285779D02D52D480B9CE2265658D92F5F827C62E5BE3B816CF3A2E14BFEB547B
Key-Arg : None
PSK identity: None
PSK identity hint: None
SRP username: None
Start Time: 1519115155
Timeout : 300 (sec)
Verify return code: 0 (ok)
---
closed
Salida de Openssl en CentOS:
CONNECTED(00000003)
SSL_connect:before/connect initialization
write to 0x8256ab0 [0x82573f0] (247 bytes => -1 (0xFFFFFFFF))
SSL_connect:error in SSLv2/v3 write client hello B
write:errno=104
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 0 bytes and written 0 bytes
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
---
Salida SSL del proceso java:
Ignoring unavailable cipher suite: TLS_DHE_DSS_WITH_AES_256_GCM_SHA384
Ignoring unavailable cipher suite: TLS_RSA_WITH_AES_256_CBC_SHA
Ignoring unavailable cipher suite: TLS_DHE_RSA_WITH_AES_256_GCM_SHA384
Ignoring unavailable cipher suite: TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA
Ignoring unavailable cipher suite: TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
Ignoring unavailable cipher suite: TLS_RSA_WITH_AES_256_CBC_SHA256
Ignoring unavailable cipher suite: TLS_DHE_DSS_WITH_AES_256_CBC_SHA
Ignoring unavailable cipher suite: TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384
Ignoring unavailable cipher suite: TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384
Ignoring unavailable cipher suite: TLS_RSA_WITH_AES_256_GCM_SHA384
Ignoring unavailable cipher suite: TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384
Ignoring unavailable cipher suite: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
Ignoring unavailable cipher suite: TLS_ECDH_RSA_WITH_AES_256_CBC_SHA
Ignoring unavailable cipher suite: TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384
Ignoring unavailable cipher suite: TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384
Ignoring unavailable cipher suite: TLS_DHE_RSA_WITH_AES_256_CBC_SHA256
Ignoring unavailable cipher suite: TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA
Ignoring unavailable cipher suite: TLS_DHE_DSS_WITH_AES_256_CBC_SHA256
Ignoring unavailable cipher suite: TLS_DHE_RSA_WITH_AES_256_CBC_SHA
Ignoring unavailable cipher suite: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
Ignoring unavailable cipher suite: TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
Allow unsafe renegotiation: false
Allow legacy hello messages: true
Is initial handshake: true
Is secure renegotiation: false
pool-2-thread-1, setSoTimeout(10000) called
Ignoring unsupported cipher suite: TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 for TLSv1
Ignoring unsupported cipher suite: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 for TLSv1
Ignoring unsupported cipher suite: TLS_RSA_WITH_AES_128_CBC_SHA256 for TLSv1
Ignoring unsupported cipher suite: TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256 for TLSv1
Ignoring unsupported cipher suite: TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256 for TLSv1
Ignoring unsupported cipher suite: TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 for TLSv1
Ignoring unsupported cipher suite: TLS_DHE_DSS_WITH_AES_128_CBC_SHA256 for TLSv1
Ignoring unsupported cipher suite: TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 for TLSv1.1
Ignoring unsupported cipher suite: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 for TLSv1.1
Ignoring unsupported cipher suite: TLS_RSA_WITH_AES_128_CBC_SHA256 for TLSv1.1
Ignoring unsupported cipher suite: TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256 for TLSv1.1
Ignoring unsupported cipher suite: TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256 for TLSv1.1
Ignoring unsupported cipher suite: TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 for TLSv1.1
Ignoring unsupported cipher suite: TLS_DHE_DSS_WITH_AES_128_CBC_SHA256 for TLSv1.1
%% No cached client session
*** ClientHello, TLSv1.2
RandomCookie: GMT: 1502197153 bytes = { 240, 9, 18, 141, 86, 242, 197, 223, 248, 4, 162, 202, 246, 53, 139, 10, 48, 117, 190, 160, 172, 78, 177, 16, 228, 123, 156, 90 }
Session ID: {}
Cipher Suites: [TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256, TLS_RSA_WITH_AES_128_CBC_SHA256, TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256, TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256, TLS_DHE_RSA_WITH_AES_128_CBC_SHA256, TLS_DHE_DSS_WITH_AES_128_CBC_SHA256, TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, TLS_RSA_WITH_AES_128_CBC_SHA, TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA, TLS_ECDH_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_DSS_WITH_AES_128_CBC_SHA, TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, TLS_RSA_WITH_AES_128_GCM_SHA256, TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256, TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256, TLS_DHE_RSA_WITH_AES_128_GCM_SHA256, TLS_DHE_DSS_WITH_AES_128_GCM_SHA256, TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA, TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_RSA_WITH_3DES_EDE_CBC_SHA, TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA, TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA, TLS_ECDHE_ECDSA_WITH_RC4_128_SHA, TLS_ECDHE_RSA_WITH_RC4_128_SHA, SSL_RSA_WITH_RC4_128_SHA, TLS_ECDH_ECDSA_WITH_RC4_128_SHA, TLS_ECDH_RSA_WITH_RC4_128_SHA, SSL_RSA_WITH_RC4_128_MD5, TLS_EMPTY_RENEGOTIATION_INFO_SCSV]
Compression Methods: { 0 }
Extension elliptic_curves, curve names: {secp256r1, sect163k1, sect163r2, secp192r1, secp224r1, sect233k1, sect233r1, sect283k1, sect283r1, secp384r1, sect409k1, sect409r1, secp521r1, sect571k1, sect571r1, secp160k1, secp160r1, secp160r2, sect163r1, secp192k1, sect193r1, sect193r2, secp224k1, sect239k1, secp256k1}
Extension ec_point_formats, formats: [uncompressed]
Extension signature_algorithms, signature_algorithms: SHA512withECDSA, SHA512withRSA, SHA384withECDSA, SHA384withRSA, SHA256withECDSA, SHA256withRSA, SHA224withECDSA, SHA224withRSA, SHA1withECDSA, SHA1withRSA, SHA1withDSA, MD5withRSA
***
pool-2-thread-1, WRITE: TLSv1.2 Handshake, length = 207
pool-2-thread-1, waiting for close_notify or alert: state 1
pool-2-thread-1, Exception while waiting for close java.net.SocketException: Connection reset
pool-2-thread-1, handling exception: java.net.SocketException: Connection reset
pool-2-thread-1, SEND TLSv1.2 ALERT: fatal, description = unexpected_message
pool-2-thread-1, WRITE: TLSv1.2 Alert, length = 2
pool-2-thread-1, Exception sending alert: java.net.SocketException: Broken pipe
pool-2-thread-1, called closeSocket()
pool-2-thread-1, called close()
pool-2-thread-1, called closeInternal(true)
Versiones de tarro/paquete:
- cliente conejomq: 3.3.1
- camello: 2.18.1
- conejomq: 3.6.15
- erlang: 19.3.6
- java: 8
¿Cómo puedo establecer la conexión desde mi máquina centOS?
Respuesta1
Creo que su problema es con Java, necesita instalar los archivos de política de jurisdicción de fuerza ilimitada de Java Cryptography Extension (JCE), ya que de forma predeterminada, el Java instalado solo tiene habilitada una fuerza limitada (aparentemente para permitir la distribución mundial - requisitos legales locales especiales)
Debido a las restricciones de control de importación de algunos países, la versión de los archivos de políticas JCE que se incluyen en el entorno Java Runtime Environment, o JRE(TM), 8 permite el uso de criptografía "fuerte" pero limitada. Este paquete de descarga (el que incluye este archivo README) proporciona archivos de políticas de "fuerza ilimitada" que no contienen restricciones en cuanto a la fuerza criptográfica.
Este pensamiento surge de la comparación de los 2 intentos de conexión, el exitoso afirma:
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-SHA384
Mientras que el que falla afirma (entre otros):
Ignoring unavailable cipher suite: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
Ignoring unavailable cipher suite: TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384