I wanted to test whether TLS was properly set up for RabbitMQ, but ran into this problem.
Issue 1: "tlsv1 alert insufficient security"
openssl s_client -connect localhost:5671 -cert /usr/local/etc/rabbitmq/ssl/client/rabbit-client.cert.pem -key /usr/local/etc/rabbitmq/ssl/client/rabbit-client.key.pem -CAfile /usr/local/etc/rabbitmq/ssl/ca/cacert.pem
CONNECTED(00000003)
4574606956:error:1407742F:SSL routines:SSL23_GET_SERVER_HELLO:tlsv1 alert insufficient security:s23_clnt.c:802:
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 7 bytes and written 307 bytes
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
Protocol : TLSv1.2
Cipher : 0000
Session-ID:
Session-ID-ctx:
Master-Key:
Key-Arg : None
PSK identity: None
PSK identity hint: None
SRP username: None
Start Time: 1556521976
Timeout : 300 (sec)
Verify return code: 0 (ok)
---
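What those 7 bytes are: the server answered the ClientHello with a single TLS alert record (a 5-byte record header plus a 2-byte alert body), and Erlang's ssl application sends the fatal alert insufficient_security (code 71) when none of the cipher suites in the ClientHello is one it is willing to use. The decoder below is an added example written for this page, not code from the post, from OpenSSL or from RabbitMQ; the sample record is constructed from the TLS record format rather than captured from the session above.

```python
import struct

# TLS record header: content type (1 byte), protocol version (2 bytes), length (2 bytes).
RECORD_HEADER = struct.Struct("!BHH")

CONTENT_TYPES = {20: "change_cipher_spec", 21: "alert", 22: "handshake", 23: "application_data"}
VERSIONS = {0x0300: "SSLv3", 0x0301: "TLSv1.0", 0x0302: "TLSv1.1", 0x0303: "TLSv1.2"}
ALERT_LEVELS = {1: "warning", 2: "fatal"}
# AlertDescription values from RFC 5246 section 7.2 (the subset that matters for handshake triage).
ALERT_DESCRIPTIONS = {
    0: "close_notify", 10: "unexpected_message", 20: "bad_record_mac",
    40: "handshake_failure", 42: "bad_certificate", 43: "unsupported_certificate",
    44: "certificate_revoked", 45: "certificate_expired", 46: "certificate_unknown",
    47: "illegal_parameter", 48: "unknown_ca", 49: "access_denied", 50: "decode_error",
    51: "decrypt_error", 70: "protocol_version", 71: "insufficient_security",
    80: "internal_error", 112: "unrecognized_name",
}
# What to look at next for the alerts most often seen while wiring up a broker listener.
TRIAGE_HINTS = {
    "insufficient_security": "server rejected every cipher suite in the ClientHello; compare the "
                             "client's offered suites with the listener's ciphers/versions",
    "handshake_failure": "no common cipher suite or protocol version (what OpenSSL servers send "
                         "where Erlang sends insufficient_security)",
    "protocol_version": "client offered a TLS version the server has disabled",
    "unknown_ca": "peer certificate chains to a CA the other side does not trust",
    "bad_certificate": "peer certificate failed validation",
    "certificate_expired": "peer certificate is outside its validity period",
}

# Constructed sample (not captured from the page): a TLSv1.2 alert record carrying
# level=fatal(2), description=insufficient_security(71). It is 7 bytes long, which is
# exactly the "SSL handshake has read 7 bytes" reported by s_client above.
SAMPLE_ALERT_RECORD = bytes.fromhex("15030300020247")


def parse_record(data):
    """Split one TLS record into (content_type, version, payload); raise on truncation."""
    if len(data) < RECORD_HEADER.size:
        raise ValueError("record shorter than the 5-byte header")
    content_type, version, length = RECORD_HEADER.unpack(data[:RECORD_HEADER.size])
    payload = data[RECORD_HEADER.size:RECORD_HEADER.size + length]
    if len(payload) != length:
        raise ValueError("truncated record: header says %d bytes, got %d" % (length, len(payload)))
    return content_type, version, payload


def decode_alert(data):
    """Decode a raw alert record into names plus a triage hint."""
    content_type, version, payload = parse_record(data)
    if content_type != 21:
        raise ValueError("not an alert record: content type %s"
                         % CONTENT_TYPES.get(content_type, content_type))
    if len(payload) != 2:
        raise ValueError("alert payload must be exactly 2 bytes, got %d" % len(payload))
    level, description = payload[0], payload[1]
    name = ALERT_DESCRIPTIONS.get(description, "unknown(%d)" % description)
    return {
        "version": VERSIONS.get(version, "0x%04x" % version),
        "level": ALERT_LEVELS.get(level, "unknown(%d)" % level),
        "fatal": level == 2,
        "code": description,
        "description": name,
        "hint": TRIAGE_HINTS.get(name, "see RFC 5246 section 7.2"),
    }


if __name__ == "__main__":
    alert = decode_alert(SAMPLE_ALERT_RECORD)
    print("%s %s alert %d (%s): %s" % (alert["version"], alert["level"], alert["code"],
                                       alert["description"], alert["hint"]))
```

The decoder refuses anything that is not a well-formed alert, so it can be pointed at whatever `openssl s_client -msg` or a packet capture hands back after a failed handshake; the triage hints are my own summary, not text from the RFC.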
Solution: add a "ciphers" list. The insufficient security alert is the server saying it found no cipher suite it would accept among those the client offered, so the fix is to state explicitly which suites (and protocol versions) the listener accepts. My complete rabbitmq.config:
%% Both the client and rabbitmq server were running on the same machine, a MacBookPro laptop.
%%
%% rabbitmq.config was created in its default location for OS X: /usr/local/etc/rabbitmq/rabbitmq.config.
%%
%% The contents of the example rabbitmq.config are for demonstration purposes only. See https://www.rabbitmq.com/ssl.html for instructions about creating the test certificates and the contents of rabbitmq.config.
%%
%% Note that the {fail_if_no_peer_cert,false} option, states that RabbitMQ should accept clients that don't have a certificate to send to the broker, but through the {verify,verify_peer} option, we state that if the client does send a certificate to the broker, the broker must be able to establish a chain of trust to it.
[
{ssl, [{versions, ['tlsv1.2', 'tlsv1.1', tlsv1]},
{ciphers, [{dhe_rsa,aes_256_cbc,sha}]}
]},
{rabbit, [
{ssl_listeners, [5671]},
{tcp_listeners, []},
{ssl_options, [{cacertfile,"/usr/local/etc/rabbitmq/ssl/ca/cacert.pem"},
{certfile,"/usr/local/etc/rabbitmq/ssl/server/www.myrabbit.com.cert.pem"},
{keyfile,"/usr/local/etc/rabbitmq/ssl/server/www.myrabbit.com.key.pem"},
{verify,verify_peer},
{fail_if_no_peer_cert,false},
{versions, ['tlsv1.2', 'tlsv1.1', tlsv1]},
{ciphers, ["ECDHE-ECDSA-AES256-GCM-SHA384","ECDHE-RSA-AES256-GCM-SHA384",
"ECDHE-ECDSA-AES256-SHA384","ECDHE-RSA-AES256-SHA384", "ECDHE-ECDSA-DES-CBC3-SHA",
"ECDH-ECDSA-AES256-GCM-SHA384","ECDH-RSA-AES256-GCM-SHA384","ECDH-ECDSA-AES256-SHA384",
"ECDH-RSA-AES256-SHA384","DHE-DSS-AES256-GCM-SHA384","DHE-DSS-AES256-SHA256",
"AES256-GCM-SHA384","AES256-SHA256","ECDHE-ECDSA-AES128-GCM-SHA256",
"ECDHE-RSA-AES128-GCM-SHA256","ECDHE-ECDSA-AES128-SHA256","ECDHE-RSA-AES128-SHA256",
"ECDH-ECDSA-AES128-GCM-SHA256","ECDH-RSA-AES128-GCM-SHA256","ECDH-ECDSA-AES128-SHA256",
"ECDH-RSA-AES128-SHA256","DHE-DSS-AES128-GCM-SHA256","DHE-DSS-AES128-SHA256",
"AES128-GCM-SHA256","AES128-SHA256","ECDHE-ECDSA-AES256-SHA",
"ECDHE-RSA-AES256-SHA","DHE-DSS-AES256-SHA","ECDH-ECDSA-AES256-SHA",
"ECDH-RSA-AES256-SHA","AES256-SHA","ECDHE-ECDSA-AES128-SHA",
"ECDHE-RSA-AES128-SHA","DHE-DSS-AES128-SHA","ECDH-ECDSA-AES128-SHA",
"ECDH-RSA-AES128-SHA","AES128-SHA"]},
{honor_cipher_order, true}
]},
{heartbeat,30}
]}
].
Testing:
Test case:
Huleis-MacBook-Pro:RabbitMQ llhu$ cat 7.py
#!/usr/bin/env python
import ssl
import pika
import logging

logging.basicConfig(level=logging.INFO)

# PROTOCOL_TLSv1 pins this client to TLS 1.0, which the broker config above still allows.
context = ssl.SSLContext(ssl.PROTOCOL_TLSv1)
# Require the broker to present a certificate and verify it against the test CA.
context.verify_mode = ssl.CERT_REQUIRED
#ssl._create_default_https_context = ssl._create_unverified_context
context.load_verify_locations('/usr/local/etc/rabbitmq/ssl/ca/cacert.pem')
# With ssl_options set, pika defaults to localhost:5671.
cp = pika.ConnectionParameters(ssl_options=pika.SSLOptions(context))
conn = pika.BlockingConnection(cp)
ch = conn.channel()
print(ch.queue_declare("sslq"))
ch.basic_publish("", "sslq", "hello message!!!")
print(ch.basic_get("sslq"))
# Close cleanly; exiting without this makes the broker log "client unexpectedly closed TCP connection".
conn.close()
Test result:
MacBook-Pro:RabbitMQ llhu$ ./7.py
INFO:pika.adapters.utils.connection_workflow:Pika version 1.0.1 connecting to ('::1', 5671, 0, 0)
INFO:pika.adapters.utils.io_services_utils:Socket connected: <socket.socket fd=8, family=AddressFamily.AF_INET6, type=SocketKind.SOCK_STREAM, proto=6, laddr=('::1', 61538, 0, 0), raddr=('::1', 5671, 0, 0)>
INFO:pika.adapters.utils.io_services_utils:SSL handshake completed successfully: <ssl.SSLSocket fd=8, family=AddressFamily.AF_INET6, type=SocketKind.SOCK_STREAM, proto=6, laddr=('::1', 61538, 0, 0), raddr=('::1', 5671, 0, 0)>
INFO:pika.adapters.utils.connection_workflow:Streaming transport linked up: (<pika.adapters.utils.io_services_utils._AsyncSSLTransport object at 0x10f45f4e0>, _StreamingProtocolShim: <SelectConnection PROTOCOL transport=<pika.adapters.utils.io_services_utils._AsyncSSLTransport object at 0x10f45f4e0> params=<ConnectionParameters host=localhost port=5671 virtual_host=/ ssl=True>>).
INFO:pika.adapters.utils.connection_workflow:AMQPConnector - reporting success: <SelectConnection OPEN transport=<pika.adapters.utils.io_services_utils._AsyncSSLTransport object at 0x10f45f4e0> params=<ConnectionParameters host=localhost port=5671 virtual_host=/ ssl=True>>
INFO:pika.adapters.utils.connection_workflow:AMQPConnectionWorkflow - reporting success: <SelectConnection OPEN transport=<pika.adapters.utils.io_services_utils._AsyncSSLTransport object at 0x10f45f4e0> params=<ConnectionParameters host=localhost port=5671 virtual_host=/ ssl=True>>
INFO:pika.adapters.blocking_connection:Connection workflow succeeded: <SelectConnection OPEN transport=<pika.adapters.utils.io_services_utils._AsyncSSLTransport object at 0x10f45f4e0> params=<ConnectionParameters host=localhost port=5671 virtual_host=/ ssl=True>>
INFO:pika.adapters.blocking_connection:Created channel=1
Check the server log (the TLS handshake and the AMQP authentication both succeed; the warning at the end is what the broker logs when the client exits without calling conn.close(), not a TLS error):
2019-04-29 15:50:14.261 [info] <0.1637.0> accepting AMQP connection <0.1637.0> ([::1]:61538 -> [::1]:5671)
2019-04-29 15:50:14.265 [info] <0.1637.0> connection <0.1637.0> ([::1]:61538 -> [::1]:5671): user 'guest' authenticated and granted access to vhost '/'
2019-04-29 15:50:14.274 [warning] <0.1637.0> closing AMQP connection <0.1637.0> ([::1]:61538 -> [::1]:5671, vhost: '/', user: 'guest'):
client unexpectedly closed TCP connection
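7.py above pins ssl.PROTOCOL_TLSv1 and never checks the broker's hostname. As an added example (mine, not from the post or from pika), the script below builds a stricter client context: TLS 1.2 minimum, CA verification plus hostname check, forward-secret AES-GCM suites only, and an optional client certificate so the broker's verify_peer setting can authenticate the client as well. The file paths are the ones used above. The server hostname is an assumption: it must match the broker certificate's subject or SAN, which the certificate file names above suggest is www.myrabbit.com, so it is passed through pika.SSLOptions(context, server_hostname) rather than relying on the host you dial.

```python
import ssl

# Paths from the layout used above; CA_FILE is the test CA that signed the broker certificate.
CA_FILE = "/usr/local/etc/rabbitmq/ssl/ca/cacert.pem"
CLIENT_CERT = "/usr/local/etc/rabbitmq/ssl/client/rabbit-client.cert.pem"
CLIENT_KEY = "/usr/local/etc/rabbitmq/ssl/client/rabbit-client.key.pem"

# Forward-secret AES-GCM only for TLS 1.2 (TLS 1.3 suites are AEAD and forward secret by design).
CIPHER_STRING = "ECDHE+AESGCM:DHE+AESGCM"


def make_client_context(cafile=None, certfile=None, keyfile=None):
    """Client SSLContext that refuses TLS < 1.2, verifies the broker chain and hostname,
    and presents a client certificate when one is given (for the broker's verify_peer)."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)   # negotiates the highest common version
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2    # no fallback to 1.0/1.1 even if the broker offers them
    ctx.check_hostname = True                       # already the default for TLS_CLIENT; stated explicitly
    ctx.verify_mode = ssl.CERT_REQUIRED
    ctx.set_ciphers(CIPHER_STRING)
    if cafile is not None:
        ctx.load_verify_locations(cafile)           # trust only our CA, not the system store
    if certfile is not None:
        ctx.load_cert_chain(certfile, keyfile)      # mutual TLS
    return ctx


def unverified_context():
    """What the commented-out ssl._create_unverified_context trick in 7.py amounts to:
    no chain validation and no hostname check. Built only so the audit below has something to flag."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def describe(ctx):
    """Plain-data summary of the settings that matter for review."""
    return {
        "minimum_version": ctx.minimum_version.name,
        "verify_mode": ctx.verify_mode.name,
        "check_hostname": ctx.check_hostname,
        "tls12_suites": [c["name"] for c in ctx.get_ciphers() if c["protocol"] == "TLSv1.2"],
    }


def weaknesses_of(ctx):
    """Inspect any SSLContext and list the settings a reviewer would reject."""
    issues = []
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        issues.append("allows TLS below 1.2")
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        issues.append("certificate verification disabled")
    if not ctx.check_hostname:
        issues.append("hostname check disabled")
    weak = [s for s in describe(ctx)["tls12_suites"]
            if not (s.startswith(("ECDHE-", "DHE-")) and "GCM" in s)]
    if weak:
        issues.append("non-forward-secret or non-GCM TLS 1.2 suites enabled: " + ", ".join(weak[:3]))
    return issues


def connection_parameters(host, context, server_hostname=None):
    """pika parameters for the TLS listener; with ssl_options set pika defaults to port 5671."""
    import pika  # imported here so the context helpers above work without pika installed
    return pika.ConnectionParameters(
        host=host,
        ssl_options=pika.SSLOptions(context, server_hostname=server_hostname),
    )


if __name__ == "__main__":
    import pika
    ctx = make_client_context(CA_FILE, CLIENT_CERT, CLIENT_KEY)
    assert not weaknesses_of(ctx), weaknesses_of(ctx)
    # server_hostname is assumed from the certificate file names above; "localhost" would not match.
    params = connection_parameters("localhost", ctx, server_hostname="www.myrabbit.com")
    conn = pika.BlockingConnection(params)
    ch = conn.channel()
    ch.queue_declare("sslq")
    ch.basic_publish("", "sslq", "hello over hardened TLS")
    print(ch.basic_get("sslq"))
    conn.close()
```

With this context a broker that still only offers TLS 1.0/1.1, or only CBC suites, fails the handshake on the client side instead of silently negotiating down, which is the behaviour you want before pointing production clients at the listener.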