tls: handshake failure when enabling tls for RabbitMQ with streadway/amqp

Question

I'm attempting to connect to RabbitMQ with amqps:// in Go using streadway/amqp. I can connect successfully with amqp://. When enabling TLS and using amqps:// I get the following error:

panic: remote error: tls: handshake failure

RabbitMQ is running in docker with the following environment variables and settings:

environment:
    RABBITMQ_SSL_CACERTFILE: /ca_certificate.pem
    RABBITMQ_SSL_CERTFILE: /server_certificate.pem
    RABBITMQ_SSL_KEYFILE: /server_key.pem
ports:
    - 5671:5671 # Note that 5671 is for tls and 5672 is non-tls
volumes:
    - ./ca_certificate.pem:/ca_certificate.pem:ro
    - ./server_certificate.pem:/server_certificate.pem:ro
    - ./server_key.pem:/server_key.pem:ro

I've tried the following with amqp/streadway:

err := amqp.DialTLS(amqps://guest:guest@localhost:5671", nil)
if err != nil {
    panic(err)
}

I've also tried reading the cert files, creating a key pair, and appending the certificate authority to the cert pool and using it that way in a tls.Config{} with the following functions:

• tls.LoadX509KeyPair()
• x509.NewCertPool().AppendCertsFromPEM()

I generate the certs with mkcert for 127.0.0.1, localhost, rabbitmq.

---

According to some answers that aren't related to RabbitMQ, some people suggest the ciphers could be wrong. So I took a look at what ciphers rabbitmq is using:

$ openssl s_client -connect localhost:5671 -tls1

Protocol  : TLSv1
Cipher    : ECDHE-RSA-AES256-SHA
<etc etc...>
Verify return code: 0 (ok)

There are also one or two errors when I run the above command, but I'm guessing it's because I'm not providing the CA certificate in this command (I'm using MacOS). Maybe related, maybe not, as I don't have this issue with postgres, for example:

verify error:num=19:self signed certificate in certificate chain verify return:0 4644699756:error:1401E410:SSL routines:CONNECT_CR_FINISHED:sslv3 alert handshake failure:/AppleInternal/BuildRoot/Library/Caches/com.apple.xbs/Sources/libressl/libressl-47.100.4/libressl-2.8/ssl/ssl_pkt.c:1200:SSL alert number 40

Then I use the following tls.Config settings in golang:

tlsConfig := &tls.Config{
    Certificates: []tls.Certificate{cert}, // from tls.LoadX509KeyPair
    RootCAs:      caCertPool,
    CipherSuites: []uint16{
        tls.TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384, // these look like they match the Cipher above
        tls.TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,
    },
    CurvePreferences:         []tls.CurveID{tls.CurveP521, tls.CurveP384, tls.CurveP256},
    PreferServerCipherSuites: true,
    InsecureSkipVerify:       true,
    MinVersion:               tls.VersionTLS10,
}

I still have the same issue. I highly doubt it's the library, it must be something I'm doing wrong, but what is it?

Answer 1

I reproduced your setup. It doesn't work because you need to configure the AMQP connection with the client certs.

Using mkcert: mkcert -client rabbitmq.test localhost 127.0.0.1 ::1 (note the -client flag).

After this, you just need to pass the client certs into your AMQP tlsConfig with tls.LoadX509KeyPair, and it should just work:

    cert, err := tls.LoadX509KeyPair("./rabbitmq.test+3-client.pem", "./rabbitmq.test+3-client-key.pem")

    // Load CA cert
    caCert, err := ioutil.ReadFile("./rootCA.pem") // The same you configured in your MQ server
    if err != nil {
        log.Fatal(err)
    }
    caCertPool := x509.NewCertPool()
    caCertPool.AppendCertsFromPEM(caCert)

    tlsConfig := &tls.Config{
        Certificates: []tls.Certificate{cert}, // from tls.LoadX509KeyPair
        RootCAs:      caCertPool,
        // ...other options are just the same as yours
    }

    conn, err := amqp.DialTLS("amqps://test:secret@127.0.0.1:5671", tlsConfig)
    if err != nil {
        panic(err) // does not panic!
    }

    // ... application code

PS: in my setup I used some different names (user/password/container) than yours, but those should be irrelevant