rabbitmq / rabbitmq-web-mqtt

Provides support for MQTT over WebSockets

https/web-mqtt listener displays incorrect port in management UI #25

Closed a727786719 closed 6 years ago

a727786719 commented 6 years ago

The ssl_config of rabbitmq_web_mqtt does not work. And the port of https/web_mqtt is the same as http/web_mqtt.

michaelklishin commented 6 years ago

That's a good find, thank you.

This applies to both stable and master.

michaelklishin commented 6 years ago

So the options seem to be passed to Ranch but not passed on to the function that keeps track of listeners. I'm trying to reproduce.

michaelklishin commented 6 years ago

@a727786719 what's the expected behavior you are looking for? What is the setup that can be used to reproduce? I'm afraid a single highlighted line of code is not enough for me to be sure.

michaelklishin commented 6 years ago

I used the following config:

[
 {ssl,    [
           %% {versions,             ['tlsv1.2', 'tlsv1.1']},
           {secure_renegotiate,   true},
           {client_renegotiation, false}
          ]},
 {rabbit, [
           {vm_memory_calculation_strategy, allocated},
           {ssl_listeners, [5671]},
           {ssl_options, [{cacertfile, "/Users/antares/Development/Opensource/tls-gen.git/basic/result/ca_certificate.pem"},
                          {certfile,   "/Users/antares/Development/Opensource/tls-gen.git/basic/result/server_certificate.pem"},
                          {keyfile,    "/Users/antares/Development/Opensource/tls-gen.git/basic/result/server_key.pem"},
                          {depth,      2},
                          %% {versions, ['tlsv1.2', 'tlsv1.1']},
                          %% {ciphers,  [
                          %%             {ecdhe_ecdsa,aes_256_gcm,null,sha384},
                          %%             {ecdhe_rsa,aes_256_gcm,null,sha384},
                          %%             {ecdh_ecdsa,aes_256_gcm,null,sha384},
                          %%             {ecdh_rsa,aes_256_gcm,null,sha384},
                          %%             {dhe_rsa,aes_256_gcm,null,sha384},
                          %%             {rsa,aes_256_gcm,null,sha384},
                          %%             {ecdhe_ecdsa,aes_128_gcm,null,sha256},
                          %%             {ecdhe_rsa,aes_128_gcm,null,sha256},
                          %%             {ecdh_ecdsa,aes_128_gcm,null,sha256},
                          %%             {ecdh_rsa,aes_128_gcm,null,sha256},
                          %%             {dhe_rsa,aes_128_gcm,null,sha256},
                          %%             {ecdh_rsa,aes_128_gcm,null,sha256}
                          %%            ]},
                          {honor_cipher_order,   true},
                          {honor_ecc_order,      true},
                          {client_renegotiation, false},
                          {secure_renegotiate,   true},
                          {verify,               verify_peer},
                          {fail_if_no_peer_cert, false}]},
           {tcp_listen_options, [
                                 {backlog, 4096}
                                ]}
          ]}
, {rabbitmq_management,
   [{listener, [{port,     15672},
                {ssl,      false},
                {ssl_opts, [{cacertfile, "/Users/antares/Development/Opensource/tls-gen.git/basic/result/ca_certificate.pem"},
                            {certfile,   "/Users/antares/Development/Opensource/tls-gen.git/basic/result/server_certificate.pem"},
                            {keyfile,    "/Users/antares/Development/Opensource/tls-gen.git/basic/result/server_key.pem"}
                            %%, {verify,   verify_peer}
                            %% , {versions, ['tlsv1.2', 'tlsv1.1']}
                           ]}
               ]},
    {http_log_dir,  "/tmp/rabbit-mgmt"},
    {rates_mode,    basic}
   ]}

, {rabbitmq_web_stomp,
      [{ssl_config, [{port,       15677},
                     {cacertfile, "/Users/antares/Development/Opensource/tls-gen.git/basic/result/ca_certificate.pem"},
                     {certfile,   "/Users/antares/Development/Opensource/tls-gen.git/basic/result/server_certificate.pem"},
                     {keyfile,    "/Users/antares/Development/Opensource/tls-gen.git/basic/result/server_key.pem"}]}]}

, {rabbitmq_web_mqtt,
      [{ssl_config, [{port,       15678},
                     {cacertfile, "/Users/antares/Development/Opensource/tls-gen.git/basic/result/ca_certificate.pem"},
                     {certfile,   "/Users/antares/Development/Opensource/tls-gen.git/basic/result/server_certificate.pem"},
                     {keyfile,    "/Users/antares/Development/Opensource/tls-gen.git/basic/result/server_key.pem"}]}]}
].

to start a node. I then verified the listeners:

 {rabbitmq_web_mqtt,
     [{cowboy_opts,[]},
      {num_ssl_acceptors,1},
      {num_tcp_acceptors,10},
      {ssl_config,
          [{port,15678},
           {cacertfile,
               "/Users/antares/Development/Opensource/tls-gen.git/basic/result/ca_certificate.pem"},
           {certfile,
               "/Users/antares/Development/Opensource/tls-gen.git/basic/result/server_certificate.pem"},
           {keyfile,
               "/Users/antares/Development/Opensource/tls-gen.git/basic/result/server_key.pem"}]},
      {tcp_config,[]}]},
 {rabbitmq_web_stomp,
     [{cowboy_opts,[]},
      {num_ssl_acceptors,1},
      {num_tcp_acceptors,10},
      {port,15674},
      {sockjs_opts,[]},
      {ssl_config,
          [{port,15677},
           {cacertfile,
               "/Users/antares/Development/Opensource/tls-gen.git/basic/result/ca_certificate.pem"},
           {certfile,
               "/Users/antares/Development/Opensource/tls-gen.git/basic/result/server_certificate.pem"},
           {keyfile,
               "/Users/antares/Development/Opensource/tls-gen.git/basic/result/server_key.pem"}]},
      {tcp_config,[]},
      {use_http_auth,false},
      {ws_frame,text}]},

and open ports with netstat:

beam.smp 3650 antares   57u    IPv6 0x2391ab21aa65e09d        0t0        TCP *:amqp (LISTEN)
beam.smp 3650 antares   58u    IPv6 0x2391ab21b2a1551d        0t0        TCP *:5671 (LISTEN)
beam.smp 3650 antares   59u    IPv6 0x2391ab21b2a14f5d        0t0        TCP *:ibm-mqisdp (LISTEN)

beam.smp 3650 antares   66u    IPv4 0x2391ab21d533e59d        0t0        TCP *:15677 (LISTEN)
beam.smp 3650 antares   61u    IPv4 0x2391ab21d533eeed        0t0        TCP *:15678 (LISTEN)

beam.smp 3650 antares   62u    IPv6 0x2391ab21b7905add        0t0        TCP *:61613 (LISTEN)
beam.smp 3650 antares   63u    IPv4 0x2391ab21d6ca818d        0t0        TCP *:15672 (LISTEN)
…
beam.smp 3650 antares   65u    IPv4 0x2391ab21d5341d7d        0t0        TCP *:15674 (LISTEN)
beam.smp 3650 antares   60u    IPv4 0x2391ab21d380196d        0t0        TCP *:15675 (LISTEN)

I can connect to port 15678 using the same certificate key/value pairs generated with [tls-gen]():

openssl s_client -connect 127.0.0.1:15678 -cert ./client_certificate.pem -key ./client_key.pem -CAfile ./ca_certificate.pem
CONNECTED(00000003)
depth=1 CN = TLSGenSelfSignedtRootCA, L = $$$$
verify return:1
depth=0 CN = warp10.local, O = server
verify return:1
---
Certificate chain
 0 s:/CN=warp10.local/O=server
   i:/CN=TLSGenSelfSignedtRootCA/L=$$$$
 1 s:/CN=TLSGenSelfSignedtRootCA/L=$$$$
   i:/CN=TLSGenSelfSignedtRootCA/L=$$$$
---
Server certificate
subject=/CN=warp10.local/O=server
issuer=/CN=TLSGenSelfSignedtRootCA/L=$$$$
---
No client certificate CA names sent
Peer signing digest: SHA512
Server Temp Key: DH, 2048 bits
---
SSL handshake has read 2501 bytes and written 626 bytes
---
New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-GCM-SHA384
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : DHE-RSA-AES256-GCM-SHA384
    Session-ID: CB7241FB701E23FD1A46805FF1CA7FF1BEDB15940D5C8C50E65ADDB3BED7082C
    Session-ID-ctx:
    Master-Key: 13A072A75CAAC2C4ADC9A16F20A7EEEB2FBD7803883092721EEE47158DADD07D03141D20E96CA6C775AABFED9BF1ED40
    Key-Arg   : None
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    Start Time: 1510570971
    Timeout   : 300 (sec)
    Verify return code: 0 (ok)
---

Therefore the TLS listener is functional. What is off is the port reported to the management UI: it is 15675 for Web MQTT and 15677 for Web STOMP with the config above.

michaelklishin commented 6 years ago

@hairyhum helped verify my assumption. It's a typo that makes management UI report an incorrect value. Shouldn't take too long to correct.

a727786719 commented 6 years ago

I found that the port of http/web-mqtt is the same as https/web-mqtt in the management UI and rabbitmqctl status. And when I use the wss protocol to connect to RabbitMQ it always fails.

WebSocket connection to 'wss://127.0.0.1:15678/ws' failed: WebSocket opening handshake timed out

This is my configuration:

[
 {rabbit, [
           {loopback_users, []}
          ]},
 {rabbitmq_web_mqtt,
      [{ssl_config, [{port,       15678},
                     {backlog,    1024},
                     {certfile,   "/usr/local/etc/rabbitmq/csr.pem"},
                     {keyfile,    "/usr/local/etc/rabbitmq/key.pem"},
                     {cacertfile, "/usr/local/etc/rabbitmq/cacert.pem"},
                     {password,   "the password of key"}]},
       {tcp_config, []}
      ]}
].

michaelklishin commented 6 years ago

We confirmed and fixed the port displayed in the management UI. TLS listener is started successfully, however. See Networking for a methodology for troubleshooting network connections.
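A small probe, added here as an example and not code from the rabbitmq-web-mqtt project, that checks the TLS listener the way this thread does with openssl s_client and then goes one step further: it attempts the WebSocket upgrade on /ws with the mqtt subprotocol, so a "handshake timed out" failure like the one above can be told apart from a TLS or certificate problem. The host, port, CA file and the /ws path are assumptions that must match your ssl_config.

```python
import base64
import hashlib
import os
import socket
import ssl

WS_GUID = "258EAFA5-E914-47DA-95CA-C5AB0DC85B11"  # RFC 6455 handshake constant

def accept_key(client_key: str) -> str:
    """Sec-WebSocket-Accept a genuine WebSocket server must return for client_key."""
    digest = hashlib.sha1((client_key + WS_GUID).encode("ascii")).digest()
    return base64.b64encode(digest).decode("ascii")

def upgrade_request(host: str, port: int, client_key: str, path: str = "/ws") -> bytes:
    """HTTP/1.1 upgrade request asking for the 'mqtt' WebSocket subprotocol."""
    return (f"GET {path} HTTP/1.1\r\nHost: {host}:{port}\r\n"
            "Upgrade: websocket\r\nConnection: Upgrade\r\n"
            f"Sec-WebSocket-Key: {client_key}\r\nSec-WebSocket-Version: 13\r\n"
            "Sec-WebSocket-Protocol: mqtt\r\n\r\n").encode("ascii")

def check_upgrade_response(raw: bytes, client_key: str) -> tuple[bool, str]:
    """True only for a 101 reply whose Sec-WebSocket-Accept matches client_key."""
    lines = raw.partition(b"\r\n\r\n")[0].decode("latin-1").split("\r\n")
    if not lines[0].startswith("HTTP/1.1 101"):
        return False, f"no 101 Switching Protocols, got: {lines[0] or '<empty>'}"
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    if headers.get("sec-websocket-accept") != accept_key(client_key):
        return False, "Sec-WebSocket-Accept mismatch: not a WebSocket endpoint?"
    return True, "upgraded, subprotocol=" + headers.get("sec-websocket-protocol", "<none>")

def probe_wss(host: str, port: int, cafile: str, timeout: float = 5.0) -> tuple[bool, str]:
    """TLS-connect, verify the server cert against cafile, then try the upgrade."""
    ctx = ssl.create_default_context(cafile=cafile)  # verifies chain and hostname
    key = base64.b64encode(os.urandom(16)).decode("ascii")
    with socket.create_connection((host, port), timeout=timeout) as tcp:
        with ctx.wrap_socket(tcp, server_hostname=host) as tls:
            tls.sendall(upgrade_request(host, port, key))
            return check_upgrade_response(tls.recv(4096), key)

if __name__ == "__main__":  # assumed usage: python probe.py HOST PORT CA_FILE
    import sys
    print(probe_wss(sys.argv[1], int(sys.argv[2]), sys.argv[3]))
```

Run it against the port from ssl_config (15678 above) rather than the one the management UI shows; a TLS error points at the certificate chain or hostname, while a non-101 reply or accept-key mismatch points at the HTTP layer in front of the listener.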