RabbitMQ TLS issue

我想测试TLS 是否已经集成到RabbitMQ， 但是遇到这个问题

Issue one "tlsv1 alert insufficient security"

openssl s_client -connect localhost:5671 -cert /usr/local/etc/rabbitmq/ssl/client/rabbit-client.cert.pem -key /usr/local/etc/rabbitmq/ssl/client/rabbit-client.key.pem  -CAfile /usr/local/etc/rabbitmq/ssl/ca/cacert.pem
CONNECTED(00000003)
4574606956:error:1407742F:SSL routines:SSL23_GET_SERVER_HELLO:tlsv1 alert insufficient security:s23_clnt.c:802:
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 7 bytes and written 307 bytes
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : 0000
    Session-ID:
    Session-ID-ctx:
    Master-Key:
    Key-Arg   : None
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    Start Time: 1556521976
    Timeout   : 300 (sec)
    Verify return code: 0 (ok)
---

Sloutions:  添加：”ciphers“， 我自己完整的 ”rabbitmq.config“

%% Both the client and rabbitmq server were running on the same machine, a MacBookPro laptop.
%%
%% rabbitmq.config was created in its default location for OS X: /usr/local/etc/rabbitmq/rabbitmq.config.
%%
%% The contents of the example rabbitmq.config are for demonstration purposes only. See https://www.rabbitmq.com/ssl.html for instructions about creating the test certificates and the contents of rabbitmq.config.
%%
%% Note that the {fail_if_no_peer_cert,false} option, states that RabbitMQ should accept clients that don't have a certificate to send to the broker, but through the {verify,verify_peer} option, we state that if the client does send a certificate to the broker, the broker must be able to establish a chain of trust to it.

 [
  {ssl, [{versions, ['tlsv1.2', 'tlsv1.1', tlsv1]},
         {ciphers,  [{dhe_rsa,aes_256_cbc,sha}]}
        ]},

  {rabbit, [
     {ssl_listeners, [5671]},
     {tcp_listeners, []},
     {ssl_options, [{cacertfile,"/usr/local/etc/rabbitmq/ssl/ca/cacert.pem"},
                    {certfile,"/usr/local/etc/rabbitmq/ssl/server/www.myrabbit.com.cert.pem"},
                    {keyfile,"/usr/local/etc/rabbitmq/ssl/server/www.myrabbit.com.key.pem"},
                    {verify,verify_peer},
                    {fail_if_no_peer_cert,false},
                    {versions, ['tlsv1.2', 'tlsv1.1', tlsv1]},
                    {ciphers, ["ECDHE-ECDSA-AES256-GCM-SHA384","ECDHE-RSA-AES256-GCM-SHA384",
                        "ECDHE-ECDSA-AES256-SHA384","ECDHE-RSA-AES256-SHA384", "ECDHE-ECDSA-DES-CBC3-SHA",
                        "ECDH-ECDSA-AES256-GCM-SHA384","ECDH-RSA-AES256-GCM-SHA384","ECDH-ECDSA-AES256-SHA384",
                        "ECDH-RSA-AES256-SHA384","DHE-DSS-AES256-GCM-SHA384","DHE-DSS-AES256-SHA256",
                        "AES256-GCM-SHA384","AES256-SHA256","ECDHE-ECDSA-AES128-GCM-SHA256",
                        "ECDHE-RSA-AES128-GCM-SHA256","ECDHE-ECDSA-AES128-SHA256","ECDHE-RSA-AES128-SHA256",
                        "ECDH-ECDSA-AES128-GCM-SHA256","ECDH-RSA-AES128-GCM-SHA256","ECDH-ECDSA-AES128-SHA256",
                        "ECDH-RSA-AES128-SHA256","DHE-DSS-AES128-GCM-SHA256","DHE-DSS-AES128-SHA256",
                        "AES128-GCM-SHA256","AES128-SHA256","ECDHE-ECDSA-AES256-SHA",
                        "ECDHE-RSA-AES256-SHA","DHE-DSS-AES256-SHA","ECDH-ECDSA-AES256-SHA",
                        "ECDH-RSA-AES256-SHA","AES256-SHA","ECDHE-ECDSA-AES128-SHA",
                        "ECDHE-RSA-AES128-SHA","DHE-DSS-AES128-SHA","ECDH-ECDSA-AES128-SHA",
                        "ECDH-RSA-AES128-SHA","AES128-SHA"]},
                  {honor_cipher_order, true}
                   ]},
     {heartbeat,30}
   ]}
].

 

Testing/测试：

测试用例：

Huleis-MacBook-Pro:RabbitMQ llhu$ cat 7.py
#!/usr/bin/env python
import ssl
import pika
import logging

logging.basicConfig(level=logging.INFO)

context = ssl.SSLContext(ssl.PROTOCOL_TLSv1)
context.verify_mode = ssl.CERT_REQUIRED
#ssl._create_default_https_context = ssl._create_unverified_context
context.load_verify_locations('/usr/local/etc/rabbitmq/ssl/ca/cacert.pem')

cp = pika.ConnectionParameters(ssl_options=pika.SSLOptions(context))

conn = pika.BlockingConnection(cp)
ch = conn.channel()
print(ch.queue_declare("sslq"))
ch.basic_publish("", "sslq", "hello message!!!")
print(ch.basic_get("sslq"))

测试结果：

MacBook-Pro:RabbitMQ llhu$ ./7.py
INFO:pika.adapters.utils.connection_workflow:Pika version 1.0.1 connecting to ('::1', 5671, 0, 0)
INFO:pika.adapters.utils.io_services_utils:Socket connected: <socket.socket fd=8, family=AddressFamily.AF_INET6, type=SocketKind.SOCK_STREAM, proto=6, laddr=('::1', 61538, 0, 0), raddr=('::1', 5671, 0, 0)>
INFO:pika.adapters.utils.io_services_utils:SSL handshake completed successfully: <ssl.SSLSocket fd=8, family=AddressFamily.AF_INET6, type=SocketKind.SOCK_STREAM, proto=6, laddr=('::1', 61538, 0, 0), raddr=('::1', 5671, 0, 0)>
INFO:pika.adapters.utils.connection_workflow:Streaming transport linked up: (<pika.adapters.utils.io_services_utils._AsyncSSLTransport object at 0x10f45f4e0>, _StreamingProtocolShim: <SelectConnection PROTOCOL transport=<pika.adapters.utils.io_services_utils._AsyncSSLTransport object at 0x10f45f4e0> params=<ConnectionParameters host=localhost port=5671 virtual_host=/ ssl=True>>).
INFO:pika.adapters.utils.connection_workflow:AMQPConnector - reporting success: <SelectConnection OPEN transport=<pika.adapters.utils.io_services_utils._AsyncSSLTransport object at 0x10f45f4e0> params=<ConnectionParameters host=localhost port=5671 virtual_host=/ ssl=True>>
INFO:pika.adapters.utils.connection_workflow:AMQPConnectionWorkflow - reporting success: <SelectConnection OPEN transport=<pika.adapters.utils.io_services_utils._AsyncSSLTransport object at 0x10f45f4e0> params=<ConnectionParameters host=localhost port=5671 virtual_host=/ ssl=True>>
INFO:pika.adapters.blocking_connection:Connection workflow succeeded: <SelectConnection OPEN transport=<pika.adapters.utils.io_services_utils._AsyncSSLTransport object at 0x10f45f4e0> params=<ConnectionParameters host=localhost port=5671 virtual_host=/ ssl=True>>
INFO:pika.adapters.blocking_connection:Created channel=1

检查服务器日志：

2019-04-29 15:50:14.261 [info] <0.1637.0> accepting AMQP connection <0.1637.0> ([::1]:61538 -> [::1]:5671)
2019-04-29 15:50:14.265 [info] <0.1637.0> connection <0.1637.0> ([::1]:61538 -> [::1]:5671): user 'guest' authenticated and granted access to vhost '/'
2019-04-29 15:50:14.274 [warning] <0.1637.0> closing AMQP connection <0.1637.0> ([::1]:61538 -> [::1]:5671, vhost: '/', user: 'guest'):
client unexpectedly closed TCP connection