问题描述
我正在尝试使用SSL连接Rabbitmq,端口61613上的加密连接效果很好,但是我无法使用Let's Encrypt连接到加密端口61614。
我使用以下代码简单地连接到TLS 61614 rabbitmq踩踏:
hostname='rabbitmq.DOMAIN.NAME'
context = ssl.create_default_context(ssl.Purpose.SERVER_AUTH)
with socket.create_connection((hostname,61614 )) as sock:
with context.wrap_socket(sock,server_hostname=hostname) as ssock:
print(ssock.version())
结果:
SSLError: [SSL: SSLV3_ALERT_HANDSHAKE_FAILURE] sslv3 alert handshake failure (_ssl.c:1108)
使用openssl测试:
openssl s_client -connect rabbitmq.DOMAIN.NAME:61614
具有此结果:
CONNECTED(00000003)
depth=2 O = Digital Signature Trust Co.,CN = DST Root CA X3
verify return:1
depth=1 C = US,O = Let's Encrypt,CN = Let's Encrypt Authority X3
verify return:1
depth=0 CN = rabbitmq.DOMAIN.NAME
verify return:1
140003270226176:error:14094410:SSL routines:ssl3_read_bytes:sslv3 alert handshake failure:../ssl/record/rec_layer_s3.c:1544:SSL alert number 40
---
Certificate chain
0 s:CN = rabbitmq.DOMAIN.NAME
i:C = US,CN = Let's Encrypt Authority X3
1 s:C = US,CN = Let's Encrypt Authority X3
i:O = Digital Signature Trust Co.,CN = DST Root CA X3
---
Server certificate
-----BEGIN CERTIFICATE-----
MIIFXzCCBEegAwIBAgISBNLfEcyZu5MmKWiRqiljwOY5MA0GCSqGSIb3DQEBCwUA
MEoxCzAJBgNVBAYTAlVTMRYwFAYDVQQKEw1MZXQncyBFbmNyeXB0MSMwIQYDVQQD
ExpMZXQncyBFbmNyeXB0IEF1dGhvcml0eSBYMzAeFw0yMDA4MDcwOTA3MTZaFw0y
MDExMDUwOTA3MTZaMB8xHTAbBgNVBAMTFHJhYmJpdG1xLmxhbm9zLmNsb3VkMIIB
.....
GhqnyShKe63Uf/Buxy1gqOpBXRO+Sd8L8ww0IUciamomYoKGkwGkcT6Y+SB+IxCg
pA+3qsUUKjxE2kJ2S+lwsiHxpsHEMyoSXxFnmoELKF3FQEk=
-----END CERTIFICATE-----
subject=CN = rabbitmq.DOMAIN.NAME
issuer=C = US,CN = Let's Encrypt Authority X3
---
Acceptable client certificate CA names
C = US,CN = Let's Encrypt Authority X3
CN = ************************
Client Certificate Types: ECDSA sign,RSA sign,DSA sign
Requested Signature Algorithms: ECDSA+SHA512:RSA+SHA512:ECDSA+SHA384:RSA+SHA384:ECDSA+SHA256:RSA+SHA256:ECDSA+SHA224:RSA+SHA224:ECDSA+SHA1:RSA+SHA1:DSA+SHA1
Shared Requested Signature Algorithms: ECDSA+SHA512:RSA+SHA512:ECDSA+SHA384:RSA+SHA384:ECDSA+SHA256:RSA+SHA256:ECDSA+SHA224:RSA+SHA224:ECDSA+SHA1:RSA+SHA1:DSA+SHA1
Peer signing digest: SHA256
Peer signature type: RSA
Server Temp Key: ECDH,P-256,256 bits
---
SSL handshake has read 3169 bytes and written 460 bytes
Verification: OK
---
New,TLSv1.2,Cipher is ECDHE-RSA-AES256-GCM-SHA384
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
Protocol : TLSv1.2
Cipher : ECDHE-RSA-AES256-GCM-SHA384
Session-ID: CF1*********************************7415F1B61
Session-ID-ctx:
Master-Key: 051*********************************B4
PSK identity: None
PSK identity hint: None
SRP username: None
Start Time: 1597525241
Timeout : 7200 (sec)
Verify return code: 0 (ok)
Extended master secret: no
---
任何建议如何解决?
解决方法
openssl s_client的输出显示的错误与Python的输出基本相同:
.. ssl3_read_bytes:sslv3 alert handshake failure:../ssl/record/rec_layer_s3.c:1544:SSL alert number 40
但是它也表明TLS握手的主要部分起作用了,即它获得了证书,密码等。它还表明服务器似乎在请求客户端证书:
Acceptable client certificate CA names
C = US,O = Let's Encrypt,CN = Let's Encrypt Authority X3
CN = ************************
Client Certificate Types: ECDSA sign,RSA sign,DSA sign
但是您的openssl s_client和Python代码均未提供任何客户端证书。该丢失的客户端证书很可能是服务器最终放弃TLS握手(导致握手失败)的原因。
因此,您要么需要更改不要求客户端证书的服务器配置,要么需要通过提供期望的证书(无论是什么)来匹配客户端证书的服务器要求(检查服务器)。
,我只是忘了添加以下代码到rabbitmq.conf:
ssl_options.depth = 2
现在一切都正常了。
谢谢您的帮助。