RabbitMQ TLS issue

This post records the process of integrating and testing TLS in RabbitMQ: resolving the "tlsv1 alert insufficient security" error, specifying TLS versions and cipher suites in rabbitmq.config, and testing the connection with a Python script.


I wanted to test whether TLS had been integrated into RabbitMQ, but ran into this problem.

Issue one "tlsv1 alert insufficient security"

openssl s_client -connect localhost:5671 -cert /usr/local/etc/rabbitmq/ssl/client/rabbit-client.cert.pem -key /usr/local/etc/rabbitmq/ssl/client/rabbit-client.key.pem  -CAfile /usr/local/etc/rabbitmq/ssl/ca/cacert.pem
CONNECTED(00000003)
4574606956:error:1407742F:SSL routines:SSL23_GET_SERVER_HELLO:tlsv1 alert insufficient security:s23_clnt.c:802:
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 7 bytes and written 307 bytes
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : 0000
    Session-ID:
    Session-ID-ctx:
    Master-Key:
    Key-Arg   : None
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    Start Time: 1556521976
    Timeout   : 300 (sec)
    Verify return code: 0 (ok)
---

Solution: add "ciphers". My complete "rabbitmq.config":

%% Both the client and rabbitmq server were running on the same machine, a MacBookPro laptop.
%%
%% rabbitmq.config was created in its default location for OS X: /usr/local/etc/rabbitmq/rabbitmq.config.
%%
%% The contents of the example rabbitmq.config are for demonstration purposes only. See https://www.rabbitmq.com/ssl.html for instructions about creating the test certificates and the contents of rabbitmq.config.
%%
%% Note that the {fail_if_no_peer_cert,false} option states that RabbitMQ should accept clients that don't have a certificate to send to the broker, but through the {verify,verify_peer} option we state that if the client does send a certificate to the broker, the broker must be able to establish a chain of trust to it.


 [
  {ssl, [{versions, ['tlsv1.2', 'tlsv1.1', tlsv1]},
         {ciphers,  [{dhe_rsa,aes_256_cbc,sha}]}
        ]},

  {rabbit, [
     {ssl_listeners, [5671]},
     {tcp_listeners, []},
     {ssl_options, [{cacertfile,"/usr/local/etc/rabbitmq/ssl/ca/cacert.pem"},
                    {certfile,"/usr/local/etc/rabbitmq/ssl/server/www.myrabbit.com.cert.pem"},
                    {keyfile,"/usr/local/etc/rabbitmq/ssl/server/www.myrabbit.com.key.pem"},
                    {verify,verify_peer},
                    {fail_if_no_peer_cert,false},
                    {versions, ['tlsv1.2', 'tlsv1.1', tlsv1]},
                    {ciphers, ["ECDHE-ECDSA-AES256-GCM-SHA384","ECDHE-RSA-AES256-GCM-SHA384",
                        "ECDHE-ECDSA-AES256-SHA384","ECDHE-RSA-AES256-SHA384", "ECDHE-ECDSA-DES-CBC3-SHA",
                        "ECDH-ECDSA-AES256-GCM-SHA384","ECDH-RSA-AES256-GCM-SHA384","ECDH-ECDSA-AES256-SHA384",
                        "ECDH-RSA-AES256-SHA384","DHE-DSS-AES256-GCM-SHA384","DHE-DSS-AES256-SHA256",
                        "AES256-GCM-SHA384","AES256-SHA256","ECDHE-ECDSA-AES128-GCM-SHA256",
                        "ECDHE-RSA-AES128-GCM-SHA256","ECDHE-ECDSA-AES128-SHA256","ECDHE-RSA-AES128-SHA256",
                        "ECDH-ECDSA-AES128-GCM-SHA256","ECDH-RSA-AES128-GCM-SHA256","ECDH-ECDSA-AES128-SHA256",
                        "ECDH-RSA-AES128-SHA256","DHE-DSS-AES128-GCM-SHA256","DHE-DSS-AES128-SHA256",
                        "AES128-GCM-SHA256","AES128-SHA256","ECDHE-ECDSA-AES256-SHA",
                        "ECDHE-RSA-AES256-SHA","DHE-DSS-AES256-SHA","ECDH-ECDSA-AES256-SHA",
                        "ECDH-RSA-AES256-SHA","AES256-SHA","ECDHE-ECDSA-AES128-SHA",
                        "ECDHE-RSA-AES128-SHA","DHE-DSS-AES128-SHA","ECDH-ECDSA-AES128-SHA",
                        "ECDH-RSA-AES128-SHA","AES128-SHA"]},
                    {honor_cipher_order, true}
                   ]},
     {heartbeat,30}
   ]}
].
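The alert in the openssl output is the server-side TLS alert insufficient_security (code 71): the broker sends it when none of the cipher suites the client offered is one it is willing to use, which is why adding an explicit ciphers list fixes the handshake. The list above, however, also admits TLS 1.0/1.1, CBC-mode suites, a 3DES suite and static-RSA/static-ECDH suites without forward secrecy. The script below is an added example, not part of the original post: it takes the post's suite list (POST_CIPHERS, copied verbatim), reports why each suite is dropped under a stricter policy (forward-secret key exchange, RSA or ECDSA authentication, AES-GCM only; the policy and the function names classify, harden_ciphers and render_ssl_options are this example's own choices), and renders the survivors as Erlang terms in the same shape as the ssl_options block above.

```python
"""Derive a hardened `ciphers` entry for rabbitmq.config.

Added example, not part of the original post. POST_CIPHERS is the suite list
from the post's rabbitmq.config; the acceptance policy (forward-secret key
exchange, RSA/ECDSA authentication, AES-GCM only) is this example's own choice.
Names are in OpenSSL suite notation, which is what RabbitMQ's `ciphers` takes.
"""

# Suite list copied from the post's rabbitmq.config (order preserved).
POST_CIPHERS = """
ECDHE-ECDSA-AES256-GCM-SHA384 ECDHE-RSA-AES256-GCM-SHA384
ECDHE-ECDSA-AES256-SHA384 ECDHE-RSA-AES256-SHA384 ECDHE-ECDSA-DES-CBC3-SHA
ECDH-ECDSA-AES256-GCM-SHA384 ECDH-RSA-AES256-GCM-SHA384 ECDH-ECDSA-AES256-SHA384
ECDH-RSA-AES256-SHA384 DHE-DSS-AES256-GCM-SHA384 DHE-DSS-AES256-SHA256
AES256-GCM-SHA384 AES256-SHA256 ECDHE-ECDSA-AES128-GCM-SHA256
ECDHE-RSA-AES128-GCM-SHA256 ECDHE-ECDSA-AES128-SHA256 ECDHE-RSA-AES128-SHA256
ECDH-ECDSA-AES128-GCM-SHA256 ECDH-RSA-AES128-GCM-SHA256 ECDH-ECDSA-AES128-SHA256
ECDH-RSA-AES128-SHA256 DHE-DSS-AES128-GCM-SHA256 DHE-DSS-AES128-SHA256
AES128-GCM-SHA256 AES128-SHA256 ECDHE-ECDSA-AES256-SHA
ECDHE-RSA-AES256-SHA DHE-DSS-AES256-SHA ECDH-ECDSA-AES256-SHA
ECDH-RSA-AES256-SHA AES256-SHA ECDHE-ECDSA-AES128-SHA
ECDHE-RSA-AES128-SHA DHE-DSS-AES128-SHA ECDH-ECDSA-AES128-SHA
ECDH-RSA-AES128-SHA AES128-SHA
""".split()


def classify(suite):
    """Return the policy violations for one OpenSSL suite name ([] = accepted)."""
    parts = suite.split("-")
    if parts[0] in ("ECDHE", "DHE", "ECDH"):
        kx, auth, rest = parts[0], parts[1], parts[2:]
    else:  # e.g. AES256-GCM-SHA384: RSA key transport with RSA authentication
        kx, auth, rest = "RSA", "RSA", parts
    reasons = []
    if kx not in ("ECDHE", "DHE"):
        reasons.append(f"no forward secrecy ({kx} key exchange)")
    if auth == "DSS":
        reasons.append("DSA authentication is obsolete")
    if "DES" in rest:
        reasons.append("3DES has a 64-bit block (Sweet32)")
    if "GCM" not in rest:
        reasons.append("CBC mode, no AEAD")
    return reasons


def harden_ciphers(suites):
    """Keep only the suites that pass classify(), preserving the caller's order."""
    return [s for s in suites if not classify(s)]


def render_ssl_options(suites, versions=("tlsv1.2",)):
    """Render versions/ciphers/honor_cipher_order as Erlang terms for ssl_options."""
    vers = ", ".join(f"'{v}'" for v in versions)
    ciphers = ",\n           ".join(f'"{s}"' for s in suites)
    return (f"{{versions, [{vers}]}},\n"
            f"{{ciphers, [{ciphers}]}},\n"
            f"{{honor_cipher_order, true}}")


if __name__ == "__main__":
    for s in POST_CIPHERS:
        why = classify(s)
        print(f"{'keep' if not why else 'drop'}  {s:32s} {'; '.join(why)}")
    print()
    print(render_ssl_options(harden_ciphers(POST_CIPHERS)))
```

Of the 37 suites in the post's list, only the four ECDHE AES-GCM suites survive this policy; the rendered block can be pasted over the versions/ciphers/honor_cipher_order entries of ssl_options. The versions default of 'tlsv1.2' alone is deliberate: a client that only speaks TLS 1.0 will then get the same insufficient_security/handshake failure the post started from, which is the correct outcome rather than a silent downgrade.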


Testing:

Test case:

Huleis-MacBook-Pro:RabbitMQ llhu$ cat 7.py
#!/usr/bin/env python
import ssl
import pika
import logging

logging.basicConfig(level=logging.INFO)

# Client-side TLS context: pin TLS 1.0 (one of the versions the broker allows)
# and require a server certificate that chains to our CA.
context = ssl.SSLContext(ssl.PROTOCOL_TLSv1)
context.verify_mode = ssl.CERT_REQUIRED
#ssl._create_default_https_context = ssl._create_unverified_context
context.load_verify_locations('/usr/local/etc/rabbitmq/ssl/ca/cacert.pem')

# With ssl_options set and no explicit port, pika 1.x connects to 5671.
cp = pika.ConnectionParameters(ssl_options=pika.SSLOptions(context))

conn = pika.BlockingConnection(cp)
ch = conn.channel()
print(ch.queue_declare("sslq"))
ch.basic_publish("", "sslq", "hello message!!!")
print(ch.basic_get("sslq"))
# Close the connection cleanly (sends Connection.Close); exiting without this
# makes the broker log "client unexpectedly closed TCP connection".
conn.close()

Test result:

MacBook-Pro:RabbitMQ llhu$ ./7.py
INFO:pika.adapters.utils.connection_workflow:Pika version 1.0.1 connecting to ('::1', 5671, 0, 0)
INFO:pika.adapters.utils.io_services_utils:Socket connected: <socket.socket fd=8, family=AddressFamily.AF_INET6, type=SocketKind.SOCK_STREAM, proto=6, laddr=('::1', 61538, 0, 0), raddr=('::1', 5671, 0, 0)>
INFO:pika.adapters.utils.io_services_utils:SSL handshake completed successfully: <ssl.SSLSocket fd=8, family=AddressFamily.AF_INET6, type=SocketKind.SOCK_STREAM, proto=6, laddr=('::1', 61538, 0, 0), raddr=('::1', 5671, 0, 0)>
INFO:pika.adapters.utils.connection_workflow:Streaming transport linked up: (<pika.adapters.utils.io_services_utils._AsyncSSLTransport object at 0x10f45f4e0>, _StreamingProtocolShim: <SelectConnection PROTOCOL transport=<pika.adapters.utils.io_services_utils._AsyncSSLTransport object at 0x10f45f4e0> params=<ConnectionParameters host=localhost port=5671 virtual_host=/ ssl=True>>).
INFO:pika.adapters.utils.connection_workflow:AMQPConnector - reporting success: <SelectConnection OPEN transport=<pika.adapters.utils.io_services_utils._AsyncSSLTransport object at 0x10f45f4e0> params=<ConnectionParameters host=localhost port=5671 virtual_host=/ ssl=True>>
INFO:pika.adapters.utils.connection_workflow:AMQPConnectionWorkflow - reporting success: <SelectConnection OPEN transport=<pika.adapters.utils.io_services_utils._AsyncSSLTransport object at 0x10f45f4e0> params=<ConnectionParameters host=localhost port=5671 virtual_host=/ ssl=True>>
INFO:pika.adapters.blocking_connection:Connection workflow succeeded: <SelectConnection OPEN transport=<pika.adapters.utils.io_services_utils._AsyncSSLTransport object at 0x10f45f4e0> params=<ConnectionParameters host=localhost port=5671 virtual_host=/ ssl=True>>
INFO:pika.adapters.blocking_connection:Created channel=1

Check the server log:

2019-04-29 15:50:14.261 [info] <0.1637.0> accepting AMQP connection <0.1637.0> ([::1]:61538 -> [::1]:5671)
2019-04-29 15:50:14.265 [info] <0.1637.0> connection <0.1637.0> ([::1]:61538 -> [::1]:5671): user 'guest' authenticated and granted access to vhost '/'
2019-04-29 15:50:14.274 [warning] <0.1637.0> closing AMQP connection <0.1637.0> ([::1]:61538 -> [::1]:5671, vhost: '/', user: 'guest'):
client unexpectedly closed TCP connection
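The handshake succeeds, but two things in the test are worth tightening: the client pins PROTOCOL_TLSv1, so it exercises the weakest version the broker offers rather than TLS 1.2, and it never calls conn.close(), which is what produces the broker's "client unexpectedly closed TCP connection" warning above. The following is an added example, not the post's 7.py: it builds a client context that refuses anything below TLS 1.2 and only offers forward-secret AES-GCM suites, turns hostname verification on, and closes the connection in a finally block. build_client_context, context_summary and roundtrip are this example's own names; CA_FILE is the path from the post, while HOST (www.myrabbit.com, the name in the post's server certificate) is an assumption and must resolve to the broker for the round trip to pass hostname verification.

```python
"""Hardened version of the post's pika TLS smoke test.

Added example, not the post's script. Differences from 7.py:
  - TLS 1.2 is the minimum (PROTOCOL_TLSv1 pinned TLS 1.0);
  - hostname verification is on, so HOST must match the broker certificate;
  - the connection is closed explicitly, so the broker sees Connection.Close.
CA_FILE comes from the post; HOST is an assumption for a local setup.
"""
import logging
import ssl

CA_FILE = "/usr/local/etc/rabbitmq/ssl/ca/cacert.pem"   # path from the post
HOST = "www.myrabbit.com"   # assumed: the name in the post's server certificate
PORT = 5671


def build_client_context(cafile=None):
    """Client SSLContext that verifies the broker against `cafile` and refuses TLS < 1.2."""
    # create_default_context() sets CERT_REQUIRED and check_hostname=True.
    ctx = ssl.create_default_context(ssl.Purpose.SERVER_AUTH, cafile=cafile)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    # Offer only forward-secret AEAD suites, so a broker that would otherwise
    # negotiate CBC or 3DES fails the handshake instead of downgrading quietly.
    ctx.set_ciphers("ECDHE+AESGCM:DHE+AESGCM")
    return ctx


def context_summary(ctx):
    """Plain-value view of the settings a reviewer checks (used by the self-test)."""
    return {
        "minimum_version": ctx.minimum_version.name,
        "verify_mode": ctx.verify_mode.name,
        "check_hostname": ctx.check_hostname,
        # TLS 1.3 suites are always present and not governed by set_ciphers();
        # list only the TLS 1.2 suites this context will offer.
        "tls12_ciphers": [c["name"] for c in ctx.get_ciphers()
                          if c["protocol"] != "TLSv1.3"],
    }


def roundtrip(host=HOST, port=PORT, cafile=CA_FILE, queue="sslq"):
    """Connect over TLS, publish one message, read it back, close cleanly; returns the body."""
    import pika  # imported here so the context helpers work without pika installed

    ctx = build_client_context(cafile)
    params = pika.ConnectionParameters(
        host=host, port=port,
        ssl_options=pika.SSLOptions(ctx, server_hostname=host))
    conn = pika.BlockingConnection(params)
    try:
        ch = conn.channel()
        ch.queue_declare(queue)
        ch.basic_publish("", queue, b"hello message!!!")
        method, _props, body = ch.basic_get(queue)   # (None, None, None) if empty
        if method is not None:
            ch.basic_ack(method.delivery_tag)
        return body
    finally:
        conn.close()   # Connection.Close instead of dropping the socket


if __name__ == "__main__":
    logging.basicConfig(level=logging.INFO)
    print(roundtrip())
```

Run against the post's broker, the server log should show the connection being closed by the client rather than the "unexpectedly closed TCP connection" warning; if the broker is left with only TLS 1.0/1.1 enabled, the connect fails with an SSL error instead of silently using an old version.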
