Open nvinzens opened 1 month ago
@nvinzens I think I misread it the first time so I am updating my comment. It is not the server chain that is the problem, it is the client chain. The code that determines if there is an un-handled critical extension in a certificate chain is located in the public_key application.
You could try tracing:
dbg:tracer().                         % start the default tracer (prints to the shell)
dbg:p(all, call).                     % trace function calls in all processes
dbg:tpl(pubkey_cert, verify_fun, x).  % local-call trace of pubkey_cert:verify_fun with return/exception tracing
@nvinzens Do you have any additional information? We need to know what the client certificate looks like to determine why it is considered unsupported. I can also recommend OTP-26.2.5.1 to probably get some more information from the logs.
Describe the bug After upgrading OTP from 25.3.1 to 26.2.5 we can no longer establish TLS sessions in RabbitMQ. Current assumption is that the cause is that we are using a CA cert that contains a critical extension. Related logs:
We were using the same rabbitMQ version with both versions. Downgrading the Erlang version again fixes the issue.
To Reproduce Use a ca cert that looks like below (redacted some parts), the relevant part should be
X509v3 Basic Constraints
Expected behavior The TLS connection should work with the same critical extension in versions 26.2.5 and 25.3.1.
Affected versions 26.2.5
Additional context I'm very unfamiliar with Erlang in general but the relevant code seems to be here on master: https://github.com/erlang/otp/blob/master/lib/ssl/src/ssl_handshake.erl#L2168
The relevant part of the RabbitMQ config that configures TLS:
If I can provide any additional needed information please let me know.
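To answer the maintainer's question about which extension in the client chain is marked critical, the following escript (an added example, not code from the issue or from OTP) decodes every certificate in a PEM file with public_key and prints the extensions flagged critical; it assumes a readable PEM file path is passed as the only argument.

```erlang
#!/usr/bin/env escript
%% Added example (not from the issue or OTP): list every extension marked
%% critical in each certificate of a PEM file, so the exact extension the
%% verifier treats as unsupported can be named in the bug report.
-include_lib("public_key/include/public_key.hrl").

main([PemFile]) ->
    {ok, Pem} = file:read_file(PemFile),
    %% pem_decode/1 yields {Type, Der, Cipher} entries; keep only plain certificates.
    Ders = [Der || {'Certificate', Der, not_encrypted} <- public_key:pem_decode(Pem)],
    lists:foreach(fun report/1, Ders);
main(_) ->
    io:format("usage: critical_exts.escript <chain.pem>~n"),
    halt(1).

%% Decode one DER certificate in OTP format and print its critical extensions.
report(Der) ->
    #'OTPCertificate'{tbsCertificate = TBS} = public_key:pkix_decode_cert(Der, otp),
    #'OTPTBSCertificate'{subject = Subject} = TBS,
    io:format("subject: ~p~n", [Subject]),
    case critical_extensions(TBS) of
        [] ->
            io:format("  no critical extensions~n");
        Exts ->
            [io:format("  critical: ~s = ~p~n", [name(Id), Value])
             || #'Extension'{extnID = Id, extnValue = Value} <- Exts]
    end.

%% Return the list of #'Extension'{} records whose critical flag is true.
critical_extensions(#'OTPTBSCertificate'{extensions = Exts}) ->
    [Ext || #'Extension'{critical = true} = Ext <- as_list(Exts)].

%% The extensions field is asn1_NOVALUE when the certificate has none.
as_list(asn1_NOVALUE) -> [];
as_list(Exts) when is_list(Exts) -> Exts.

%% Human-readable names for a few common OIDs; anything else is printed raw.
name(?'id-ce-basicConstraints') -> "basicConstraints";
name(?'id-ce-keyUsage')         -> "keyUsage";
name(?'id-ce-extKeyUsage')      -> "extKeyUsage";
name(?'id-ce-subjectAltName')   -> "subjectAltName";
name(Oid)                       -> io_lib:format("~p", [Oid]).
```

Run it against the client certificate and its CA chain; any extension printed under "critical" that public_key does not recognise is the one the chain validation in OTP 26 rejects.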