我正在尝试使用SSL连接rabbitmq,端口61613上的加密连接效果很好,但我无法使用Let's Encrypt连接到加密端口61614。
我只需使用以下代码连接到TLS 61614 rabbitmq-stemp:
hostname='rabbitmq.DOMAIN.NAME'
context = ssl.create_default_context(ssl.Purpose.SERVER_AUTH)
with socket.create_connection((hostname, 61614 )) as sock:
with context.wrap_socket(sock, server_hostname=hostname) as ssock:
print(ssock.version())
结果:
SSLError: [SSL: SSLV3_ALERT_HANDSHAKE_FAILURE] sslv3 alert handshake failure (_ssl.c:1108)
使用openssl:进行测试
openssl s_client -connect rabbitmq.DOMAIN.NAME:61614
结果是:
CONNECTED(00000003)
depth=2 O = Digital Signature Trust Co., CN = DST Root CA X3
verify return:1
depth=1 C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3
verify return:1
depth=0 CN = rabbitmq.DOMAIN.NAME
verify return:1
140003270226176:error:14094410:SSL routines:ssl3_read_bytes:sslv3 alert handshake failure:../ssl/record/rec_layer_s3.c:1544:SSL alert number 40
---
Certificate chain
0 s:CN = rabbitmq.DOMAIN.NAME
i:C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3
1 s:C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3
i:O = Digital Signature Trust Co., CN = DST Root CA X3
---
Server certificate
-----BEGIN CERTIFICATE-----
MIIFXzCCBEegAwIBAgISBNLfEcyZu5MmKWiRqiljwOY5MA0GCSqGSIb3DQEBCwUA
MEoxCzAJBgNVBAYTAlVTMRYwFAYDVQQKEw1MZXQncyBFbmNyeXB0MSMwIQYDVQQD
ExpMZXQncyBFbmNyeXB0IEF1dGhvcml0eSBYMzAeFw0yMDA4MDcwOTA3MTZaFw0y
MDExMDUwOTA3MTZaMB8xHTAbBgNVBAMTFHJhYmJpdG1xLmxhbm9zLmNsb3VkMIIB
.....
GhqnyShKe63Uf/Buxy1gqOpBXRO+Sd8L8ww0IUciamomYoKGkwGkcT6Y+SB+IxCg
pA+3qsUUKjxE2kJ2S+lwsiHxpsHEMyoSXxFnmoELKF3FQEk=
-----END CERTIFICATE-----
subject=CN = rabbitmq.DOMAIN.NAME
issuer=C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3
---
Acceptable client certificate CA names
C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3
CN = ************************
Client Certificate Types: ECDSA sign, RSA sign, DSA sign
Requested Signature Algorithms: ECDSA+SHA512:RSA+SHA512:ECDSA+SHA384:RSA+SHA384:ECDSA+SHA256:RSA+SHA256:ECDSA+SHA224:RSA+SHA224:ECDSA+SHA1:RSA+SHA1:DSA+SHA1
Shared Requested Signature Algorithms: ECDSA+SHA512:RSA+SHA512:ECDSA+SHA384:RSA+SHA384:ECDSA+SHA256:RSA+SHA256:ECDSA+SHA224:RSA+SHA224:ECDSA+SHA1:RSA+SHA1:DSA+SHA1
Peer signing digest: SHA256
Peer signature type: RSA
Server Temp Key: ECDH, P-256, 256 bits
---
SSL handshake has read 3169 bytes and written 460 bytes
Verification: OK
---
New, TLSv1.2, Cipher is ECDHE-RSA-AES256-GCM-SHA384
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
Protocol : TLSv1.2
Cipher : ECDHE-RSA-AES256-GCM-SHA384
Session-ID: CF1*********************************7415F1B61
Session-ID-ctx:
Master-Key: 051*********************************B4
PSK identity: None
PSK identity hint: None
SRP username: None
Start Time: 1597525241
Timeout : 7200 (sec)
Verify return code: 0 (ok)
Extended master secret: no
---
有什么建议可以解决吗?
openssl s_client的输出显示的错误与Python:的输出基本相同
.. ssl3_read_bytes:sslv3 alert handshake failure:../ssl/record/rec_layer_s3.c:1544:SSL alert number 40
但它也表明TLS握手的主要部分有效,即它获得了证书、密码等。它还表明服务器似乎要求客户端证书:
Acceptable client certificate CA names
C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3
CN = ************************
Client Certificate Types: ECDSA sign, RSA sign, DSA sign
但是openssl s_client和Python代码都不提供任何客户端证书。这个丢失的客户端证书很可能是服务器最终放弃TLS握手的原因,这导致了握手失败。
因此,您需要更改服务器配置,即不请求客户端证书,或者您需要通过提供预期的客户端证书来匹配服务器对客户端证书的要求-无论这是什么(请检查您的服务器(。
我刚刚忘记在rabbitmq.conf中添加以下行:
ssl_options.depth = 2
现在一切都正常了。
谢谢你的帮助。