Closed a727786719 closed 6 years ago
So the options seem to be passed to Ranch but not passed on to the function that keeps track of listeners. I'm trying to reproduce.
@a727786719 what's the expected behavior you are looking for? What is the setup that can be used to reproduce? I'm afraid a single highlighted line of code is not enough for me to be sure.
I used the following config:
%% RabbitMQ classic (Erlang term) configuration used to reproduce the
%% listener/port reporting issue. Comments prefixed "review:" are
%% observations about the TLS posture this file produces, not about the bug.
[
%% Erlang `ssl` application environment. The same two renegotiation options
%% are repeated per listener in ssl_options below; the per-listener copy is
%% the one that demonstrably applies to the 5671 listener.
{ssl, [
%% {versions, ['tlsv1.2', 'tlsv1.1']},
{secure_renegotiate, true},
{client_renegotiation, false}
]},
{rabbit, [
{vm_memory_calculation_strategy, allocated},
%% AMQP over TLS on 5671 (it shows up as LISTEN in the lsof output below).
{ssl_listeners, [5671]},
%% Server-side TLS options for 5671. The three files come from a tls-gen
%% "basic" profile: a self-signed test CA plus a server certificate/key.
{ssl_options, [{cacertfile, "/Users/antares/Development/Opensource/tls-gen.git/basic/result/ca_certificate.pem"},
{certfile, "/Users/antares/Development/Opensource/tls-gen.git/basic/result/server_certificate.pem"},
{keyfile, "/Users/antares/Development/Opensource/tls-gen.git/basic/result/server_key.pem"},
%% Erlang ssl `depth`: how many intermediate CAs may sit between a peer
%% certificate and the trusted root during verification.
{depth, 2},
%% `versions` and `ciphers` are commented out, so the defaults of the
%% running Erlang/OTP release apply. review: without an explicit list the
%% accepted protocol versions vary with the OTP version -- confirm the
%% resulting set is what this deployment expects. The s_client run below
%% negotiated TLSv1.2 with DHE-RSA-AES256-GCM-SHA384.
%% {versions, ['tlsv1.2', 'tlsv1.1']},
%% {ciphers, [
%% {ecdhe_ecdsa,aes_256_gcm,null,sha384},
%% {ecdhe_rsa,aes_256_gcm,null,sha384},
%% {ecdh_ecdsa,aes_256_gcm,null,sha384},
%% {ecdh_rsa,aes_256_gcm,null,sha384},
%% {dhe_rsa,aes_256_gcm,null,sha384},
%% {rsa,aes_256_gcm,null,sha384},
%% {ecdhe_ecdsa,aes_128_gcm,null,sha256},
%% {ecdhe_rsa,aes_128_gcm,null,sha256},
%% {ecdh_ecdsa,aes_128_gcm,null,sha256},
%% {ecdh_rsa,aes_128_gcm,null,sha256},
%% {dhe_rsa,aes_128_gcm,null,sha256},
%% {ecdh_rsa,aes_128_gcm,null,sha256}
%% ]},
%% Server-side cipher/ECC ordering takes precedence over the client's.
{honor_cipher_order, true},
{honor_ecc_order, true},
{client_renegotiation, false},
{secure_renegotiate, true},
%% review: verify_peer combined with fail_if_no_peer_cert=false means a
%% client certificate is validated *if one is presented*, but a client that
%% presents none is still accepted. If mutual TLS is intended on 5671, set
%% fail_if_no_peer_cert to true.
{verify, verify_peer},
{fail_if_no_peer_cert, false}]},
{tcp_listen_options, [
{backlog, 4096}
]}
]}
, {rabbitmq_management,
%% Management UI/API listener. TLS is explicitly disabled ({ssl, false}),
%% so the ssl_opts list beneath it is inert and the UI is served over plain
%% HTTP on 15672 (consistent with the lsof output below).
%% review: credentials sent to 15672 therefore travel in clear text.
[{listener, [{port, 15672},
{ssl, false},
{ssl_opts, [{cacertfile, "/Users/antares/Development/Opensource/tls-gen.git/basic/result/ca_certificate.pem"},
{certfile, "/Users/antares/Development/Opensource/tls-gen.git/basic/result/server_certificate.pem"},
{keyfile, "/Users/antares/Development/Opensource/tls-gen.git/basic/result/server_key.pem"}
%%, {verify, verify_peer}
%% , {versions, ['tlsv1.2', 'tlsv1.1']}
]}
]},
{http_log_dir, "/tmp/rabbit-mgmt"},
{rates_mode, basic}
]}
, {rabbitmq_web_stomp,
%% Web STOMP over TLS (wss) on 15677. Only cacertfile/certfile/keyfile are
%% set -- no `verify` option -- so clients are not asked for a certificate.
[{ssl_config, [{port, 15677},
{cacertfile, "/Users/antares/Development/Opensource/tls-gen.git/basic/result/ca_certificate.pem"},
{certfile, "/Users/antares/Development/Opensource/tls-gen.git/basic/result/server_certificate.pem"},
{keyfile, "/Users/antares/Development/Opensource/tls-gen.git/basic/result/server_key.pem"}]}]}
, {rabbitmq_web_mqtt,
%% Web MQTT over TLS (wss) on 15678, same shape as Web STOMP: no `verify`,
%% so no client certificate is requested. The s_client transcript below
%% ("No client certificate CA names sent") matches this.
[{ssl_config, [{port, 15678},
{cacertfile, "/Users/antares/Development/Opensource/tls-gen.git/basic/result/ca_certificate.pem"},
{certfile, "/Users/antares/Development/Opensource/tls-gen.git/basic/result/server_certificate.pem"},
{keyfile, "/Users/antares/Development/Opensource/tls-gen.git/basic/result/server_key.pem"}]}]}
].
to start a node. I then verified the listeners:
{rabbitmq_web_mqtt,
[{cowboy_opts,[]},
{num_ssl_acceptors,1},
{num_tcp_acceptors,10},
{ssl_config,
[{port,15678},
{cacertfile,
"/Users/antares/Development/Opensource/tls-gen.git/basic/result/ca_certificate.pem"},
{certfile,
"/Users/antares/Development/Opensource/tls-gen.git/basic/result/server_certificate.pem"},
{keyfile,
"/Users/antares/Development/Opensource/tls-gen.git/basic/result/server_key.pem"}]},
{tcp_config,[]}]},
{rabbitmq_web_stomp,
[{cowboy_opts,[]},
{num_ssl_acceptors,1},
{num_tcp_acceptors,10},
{port,15674},
{sockjs_opts,[]},
{ssl_config,
[{port,15677},
{cacertfile,
"/Users/antares/Development/Opensource/tls-gen.git/basic/result/ca_certificate.pem"},
{certfile,
"/Users/antares/Development/Opensource/tls-gen.git/basic/result/server_certificate.pem"},
{keyfile,
"/Users/antares/Development/Opensource/tls-gen.git/basic/result/server_key.pem"}]},
{tcp_config,[]},
{use_http_auth,false},
{ws_frame,text}]},
and open ports with `lsof` (the columns below are lsof's, not netstat's):
beam.smp 3650 antares 57u IPv6 0x2391ab21aa65e09d 0t0 TCP *:amqp (LISTEN)
beam.smp 3650 antares 58u IPv6 0x2391ab21b2a1551d 0t0 TCP *:5671 (LISTEN)
beam.smp 3650 antares 59u IPv6 0x2391ab21b2a14f5d 0t0 TCP *:ibm-mqisdp (LISTEN)
beam.smp 3650 antares 66u IPv4 0x2391ab21d533e59d 0t0 TCP *:15677 (LISTEN)
beam.smp 3650 antares 61u IPv4 0x2391ab21d533eeed 0t0 TCP *:15678 (LISTEN)
beam.smp 3650 antares 62u IPv6 0x2391ab21b7905add 0t0 TCP *:61613 (LISTEN)
beam.smp 3650 antares 63u IPv4 0x2391ab21d6ca818d 0t0 TCP *:15672 (LISTEN)
…
beam.smp 3650 antares 65u IPv4 0x2391ab21d5341d7d 0t0 TCP *:15674 (LISTEN)
beam.smp 3650 antares 60u IPv4 0x2391ab21d380196d 0t0 TCP *:15675 (LISTEN)
I can connect to port 15678 using the client certificate/key pair generated by the same tls-gen run:
openssl s_client -connect 127.0.0.1:15678 -cert ./client_certificate.pem -key ./client_key.pem -CAfile ./ca_certificate.pem
CONNECTED(00000003)
depth=1 CN = TLSGenSelfSignedtRootCA, L = $$$$
verify return:1
depth=0 CN = warp10.local, O = server
verify return:1
---
Certificate chain
0 s:/CN=warp10.local/O=server
i:/CN=TLSGenSelfSignedtRootCA/L=$$$$
1 s:/CN=TLSGenSelfSignedtRootCA/L=$$$$
i:/CN=TLSGenSelfSignedtRootCA/L=$$$$
---
Server certificate
-----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----
subject=/CN=warp10.local/O=server
issuer=/CN=TLSGenSelfSignedtRootCA/L=$$$$
---
No client certificate CA names sent
Peer signing digest: SHA512
Server Temp Key: DH, 2048 bits
---
SSL handshake has read 2501 bytes and written 626 bytes
---
New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-GCM-SHA384
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
Protocol : TLSv1.2
Cipher : DHE-RSA-AES256-GCM-SHA384
Session-ID: CB7241FB701E23FD1A46805FF1CA7FF1BEDB15940D5C8C50E65ADDB3BED7082C
Session-ID-ctx:
Master-Key: 13A072A75CAAC2C4ADC9A16F20A7EEEB2FBD7803883092721EEE47158DADD07D03141D20E96CA6C775AABFED9BF1ED40
Key-Arg : None
PSK identity: None
PSK identity hint: None
SRP username: None
Start Time: 1510570971
Timeout : 300 (sec)
Verify return code: 0 (ok)
---
Therefore the TLS listener on 15678 is functional: the handshake completed over TLSv1.2 with the server chain verified against the tls-gen CA ("Verify return code: 0"). Note that the server did not request a client certificate ("No client certificate CA names sent"), which is expected because the web_mqtt ssl_config sets no `verify` option, so the `-cert`/`-key` passed to s_client were not exercised. (Side note: the transcript above includes the session Master-Key; it is an ephemeral local-test secret, but transcripts pasted into public trackers should have it redacted.) What is off is the port reported in the management UI: it is 15675 for Web MQTT and 15677 for Web STOMP with the config above.
@hairyhum helped verify my assumption. It's a typo that makes management UI report an incorrect value. Shouldn't take too long to correct.
I found that the port shown for http/web-mqtt is the same as the one shown for https/web-mqtt, both in the management UI and in `rabbitmqctl status`. And when I connect to RabbitMQ over the wss protocol it always fails.
WebSocket connection to 'wss://127.0.0.1:15678/ws' failed: WebSocket opening handshake timed out
This is my configuration:
%% Reporter's minimal config (originally pasted on one line; reformatted
%% here for readability, terms unchanged).
[ {rabbit, [
%% review: an empty loopback_users list lifts the loopback-only restriction
%% RabbitMQ applies to the default `guest` account, so `guest` can log in
%% from remote hosts. Acceptable for a local reproduction; do not carry it
%% onto a node reachable from other machines.
{loopback_users, []} ]},
{rabbitmq_web_mqtt, [{ssl_config, [ {port, 15678}, {backlog, 1024},
%% review: the file is named csr.pem, but a certificate signing request is
%% not a certificate. Confirm this file holds the signed server certificate;
%% a CSR here would make every wss handshake fail, which fits the timeout
%% reported above.
{certfile, "/usr/local/etc/rabbitmq/csr.pem"},
{keyfile, "/usr/local/etc/rabbitmq/key.pem"}, {cacertfile, "/usr/local/etc/rabbitmq/cacert.pem"},
%% review: the private-key passphrase sits in clear text in this config
%% file, so the file must be readable only by the rabbitmq user (an
%% unencrypted key with the same file permissions is equivalent in practice).
{password, "the password of key"}]},
%% No `verify` option above, so clients are not asked for a certificate.
{tcp_config,[]} ]} ].
We confirmed and fixed the port displayed in the management UI. The TLS listener itself is started successfully, however. See the Networking guide for a methodology for troubleshooting network connections.
The ssl_config of rabbitmq_web_mqtt does not work for me, and the port shown for https/web_mqtt is the same as the one shown for http/web_mqtt.