HTTPS endpoint support

[jshiell]

This is a simple change to allow for a WSS endpoint, primarily as IE doesn't seem to allow connecting from a HTTPS website to WS endpoint.

Apologies for any mess, my knowledge of Erlang is pretty minimal.

[rclayton-the-terrible]

Any action on this? This is a killer feature and I think it would be awesome if it made it into the plugin?

[hyperthunk]

We're reviewing at the moment and we'll let you know as soon as possible!

[rclayton-the-terrible]

@hyperthunk - I've compiled and deployed @jshiell's implementation and verified that it works. The implementation could be a little more robust (I wish I knew enough Erlang to do it myself).

[hyperthunk]

@berico-rclayton thanks for that. We're in the process of planning the RabbitMQ 3.2.0 release and web-stomp bugs/features are under discussion. I'll let you know the outcome and status asap.

[jar349]

Any updates on this in the past 60 days?

[hyperthunk]

Sorry guys, there have been a lot more pressing bugs that have taken up our time and attention. We haven't forgotten about it though.

[ppetermann]

and there we are.. 4 month later, no update?

[emile]

Development of this feature is taking place on the branch named 'bug25913' in http://hg.rabbitmq.com/rabbitmq-web-stomp . Unfortunately the pull request also includes changes that do not relate to SSL so this cannot be pulled directly.

[emile]

Are there any volunteers that would like to help test the SSL websocket support on this branch? This implementation is slightly different from the pull request: http://hg.rabbitmq.com/rabbitmq-web-stomp/rev/7c7c60d6ab05

Here's a sample config:

    [
      {rabbitmq_web_stomp,
          [{ssl_config, [{port,       15671},
                         {backlog,    1024},
                         {certfile,   "path/to/certs/client/cert.pem"},
                         {keyfile,    "path/to/certs/client/key.pem"},
                         {cacertfile, "path/to/certs/testca/cacert.pem"},
                         {password,   "changeme"}]}]}
    ].

The cowboy code comments describe the options: https://github.com/rabbitmq/cowboy/blob/4b93c2d19a10e5d9cee207038103bb83f1ab9436/src/cowboy_ssl_transport.erl#L40

[jar349]

Ya, we'll give this a spin in the next week or so and let you know how it goes.

@berico-rclayton @dretay @tenaciousjzh

[dretay]

Is there a particular version of rabbitmq this was supposed to target?

I built this branch and activated the plugins into a rabbitmq 3.2.2 UNIX install:

 ./sbin/rabbitmq-server

              RabbitMQ 3.2.2. Copyright (C) 2007-2013 GoPivotal, Inc.

I'm using erlang R16B03:
erl -v
Erlang R16B03 (erts-5.10.4) [source] [64-bit] [smp:8:8] [async-threads:10] [hipe] [kernel-poll:false]

I'm compiled with openssl 1.0.1f:
openssl version
OpenSSL 1.0.1f 6 Jan 2014

Here's my list of activated plugins: 

 62$ ./sbin/rabbitmq-plugins list
[e] amqp_client        0.0.0
[e] cowboy             0.5.0-rmq0.0.0-git4b93c2d
[ ] rabbit_common      0.0.0
[E] rabbitmq_stomp     0.0.0
[E] rabbitmq_web_stomp 0.0.0
[e] sockjs             0.3.4-rmq0.0.0-git3132eb9

I used the following configuration:

  {rabbitmq_web_stomp,
          [{ssl_config, [{port,       15680},
                         {backlog,    1024},
                         {certfile,   "/etc/pki/rabbitmq/rabbit.pem"},
                         {keyfile,    "/etc/pki/rabbitmq/certs/rabbit-key.pem"},
                         {cacertfile, "/etc/pki/rabbitmq/cacert.pem"},
                         {password,   "#######"}
                ]}
        ]}, 

But it appears that the server is not properly presenting certs: 
 openssl s_client -connect rabbit:15680 
CONNECTED(00000003)
140735205688160:error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown protocol:s23_clnt.c:787:
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 7 bytes and written 320 bytes
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
---

These certificates worked correctly with the original SSL patch to stomp

[kekekeks]

@dretay It's a bug in Erlang. I had a similar issue and downgrade to Erlang 1.15 solved it.

[michaelklishin]

@kekekeks 1.15 is not an Erlang or erts version. Do you mean one of the R15* releases? If so, which one exactly?

[kekekeks]

http://packages.ubuntu.com/raring/erlang-nox - that one ( 1:15.b.1-dfsg-4ubuntu1 )

[carlhoerberg]

Would be even better if the mgmt interface and web stomp could share the same port, so both could receive traffic at 443. saw somewhere something like a mochiweb on cowboy adapter..

@kekekeks you probably want to tweak the accepted key xchange algos and chipers, as erlang 16 supports edhce etc.. also, i think r16b03-1 (latest update) fixes a tls thing which cause problems for some tls clients..

[michaelklishin]

@dretay can you provide a way to reproduce the error you are seeing on rabbitmq-discuss?

We are ready to merge this but need to verify that there are no regressions.

[michaelklishin]

I'm going to close this as RabbitMQ does not use github PRs (github is a mirror) but this has been integrated and undergoing QA.

[jar349]

This is great news for us! Is it intended for the next release (3.2.5)?

[michaelklishin]

For 3.3.0 (there likely won't be 3.2.5).

[michaelklishin]

QA is done, main commit is https://github.com/rabbitmq/rabbitmq-web-stomp/commit/0d6cc8126e04652feedd5af897d973cca7cb8a49.