Pavel Hájek

Reputation: 176

connect to rabbitmq SSLError: [SSL: SSLV3_ALERT_HANDSHAKE_FAILURE] sslv3 alert handshake failure (_ssl.c:1108)

I'm trying to connect to rabbitmq using SSL; the encrypted connection on port 61613 works great, but I can't make the connection to encrypted port 61614 using Let's Encrypt.

I tried to simply connect to TLS 61614 rabbitmq stomp with this code:

import socket
import ssl

hostname = 'rabbitmq.DOMAIN.NAME'
# default client context: verifies the server certificate and hostname
context = ssl.create_default_context(ssl.Purpose.SERVER_AUTH)

with socket.create_connection((hostname, 61614)) as sock:
    with context.wrap_socket(sock, server_hostname=hostname) as ssock:
        print(ssock.version())

with this result:

SSLError: [SSL: SSLV3_ALERT_HANDSHAKE_FAILURE] sslv3 alert handshake failure (_ssl.c:1108)

Test with openssl:

openssl s_client -connect rabbitmq.DOMAIN.NAME:61614

has this result:

CONNECTED(00000003)
depth=2 O = Digital Signature Trust Co., CN = DST Root CA X3
verify return:1
depth=1 C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3
verify return:1
depth=0 CN = rabbitmq.DOMAIN.NAME
verify return:1
140003270226176:error:14094410:SSL routines:ssl3_read_bytes:sslv3 alert handshake failure:../ssl/record/rec_layer_s3.c:1544:SSL alert number 40
---
Certificate chain
 0 s:CN = rabbitmq.DOMAIN.NAME
   i:C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3
 1 s:C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3
   i:O = Digital Signature Trust Co., CN = DST Root CA X3
---
Server certificate
-----BEGIN CERTIFICATE-----
MIIFXzCCBEegAwIBAgISBNLfEcyZu5MmKWiRqiljwOY5MA0GCSqGSIb3DQEBCwUA
MEoxCzAJBgNVBAYTAlVTMRYwFAYDVQQKEw1MZXQncyBFbmNyeXB0MSMwIQYDVQQD
ExpMZXQncyBFbmNyeXB0IEF1dGhvcml0eSBYMzAeFw0yMDA4MDcwOTA3MTZaFw0y
MDExMDUwOTA3MTZaMB8xHTAbBgNVBAMTFHJhYmJpdG1xLmxhbm9zLmNsb3VkMIIB
.....
GhqnyShKe63Uf/Buxy1gqOpBXRO+Sd8L8ww0IUciamomYoKGkwGkcT6Y+SB+IxCg
pA+3qsUUKjxE2kJ2S+lwsiHxpsHEMyoSXxFnmoELKF3FQEk=
-----END CERTIFICATE-----
subject=CN = rabbitmq.DOMAIN.NAME

issuer=C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3

---
Acceptable client certificate CA names
C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3
CN = ************************
Client Certificate Types: ECDSA sign, RSA sign, DSA sign
Requested Signature Algorithms: ECDSA+SHA512:RSA+SHA512:ECDSA+SHA384:RSA+SHA384:ECDSA+SHA256:RSA+SHA256:ECDSA+SHA224:RSA+SHA224:ECDSA+SHA1:RSA+SHA1:DSA+SHA1
Shared Requested Signature Algorithms: ECDSA+SHA512:RSA+SHA512:ECDSA+SHA384:RSA+SHA384:ECDSA+SHA256:RSA+SHA256:ECDSA+SHA224:RSA+SHA224:ECDSA+SHA1:RSA+SHA1:DSA+SHA1
Peer signing digest: SHA256
Peer signature type: RSA
Server Temp Key: ECDH, P-256, 256 bits
---
SSL handshake has read 3169 bytes and written 460 bytes
Verification: OK
---
New, TLSv1.2, Cipher is ECDHE-RSA-AES256-GCM-SHA384
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES256-GCM-SHA384
    Session-ID: CF1*********************************7415F1B61
    Session-ID-ctx:
    Master-Key: 051*********************************B4
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    Start Time: 1597525241
    Timeout   : 7200 (sec)
    Verify return code: 0 (ok)
    Extended master secret: no
---

Any suggestion on how to solve it?

Upvotes: 1

Views: 2426

Answers (2)

Pavel Hájek

Reputation: 176

I just forgot to add this line to rabbitmq.conf:

ssl_options.depth  = 2

Now everything works correctly.

Thank you for help.

Upvotes: 0

Steffen Ullrich

Reputation: 123541

The output from openssl s_client shows basically the same error as the output from Python:

.. ssl3_read_bytes:sslv3 alert handshake failure:../ssl/record/rec_layer_s3.c:1544:SSL alert number 40

But it also shows that the main part of the TLS handshake worked, i.e. it got the certificate, cipher, etc. And it also shows that the server seems to ask for a client certificate:

Acceptable client certificate CA names
C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3
CN = ************************
Client Certificate Types: ECDSA sign, RSA sign, DSA sign

But neither your openssl s_client nor your Python code provides any client certificate. Very likely this missing client certificate is the reason the server finally abandons the TLS handshake, which results in the handshake failure.

Thus, either you need to change the server configuration so that no client certificate is requested, or you need to match the server's requirement for a client certificate by providing the expected one - whatever this is (check your server).

Upvotes: 1
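The diagnosis above (server requests a client certificate, client presents none, alert 40) and the fix of presenting one can be turned into a small client-side probe. This is an added example, not code from the question or the answers; the hostname is the question's placeholder, `client.pem`/`client.key` are assumed paths, and the mapping from OpenSSL reason mnemonics to likely causes is constructed for this example.

```python
import socket
import ssl

# ssl.SSLError.reason mnemonics (or the message text) mapped to the most
# likely cause as seen from the client side. Constructed for this example.
_REASONS = {
    "SSLV3_ALERT_HANDSHAKE_FAILURE": (
        "server aborted after sending its certificate; if `openssl s_client` "
        "lists 'Acceptable client certificate CA names' it expects a client "
        "certificate (load one with load_cert_chain)"),
    "CERTIFICATE_VERIFY_FAILED": (
        "client does not trust the server chain (check cafile / intermediates)"),
    "TLSV1_ALERT_UNKNOWN_CA": (
        "server does not trust the client certificate or its chain"),
}

def explain_ssl_error(exc):
    """Return (mnemonic, hint) for an ssl.SSLError or its message string."""
    text = f"{getattr(exc, 'reason', None) or ''} {exc}"
    for key, why in _REASONS.items():
        if key in text:
            return key, why
    return None, str(exc)

def build_client_context(cafile=None, certfile=None, keyfile=None):
    """Default verifying context; optionally present a client certificate."""
    ctx = ssl.create_default_context(ssl.Purpose.SERVER_AUTH, cafile=cafile)
    if certfile:
        ctx.load_cert_chain(certfile, keyfile)  # used when the server sends CertificateRequest
    return ctx

def probe_tls(hostname, port, ctx, timeout=5.0):
    """Connect once and report the negotiated parameters or the failure cause."""
    try:
        with socket.create_connection((hostname, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=hostname) as ssock:
                return {"ok": True, "version": ssock.version(),
                        "cipher": ssock.cipher()[0]}
    except ssl.SSLError as exc:
        mnemonic, hint = explain_ssl_error(exc)
        return {"ok": False, "reason": mnemonic, "hint": hint}
    except OSError as exc:  # DNS / TCP level failure, not a TLS problem
        return {"ok": False, "reason": "network", "hint": str(exc)}

if __name__ == "__main__":
    # Without a client certificate this reproduces the question; with
    # certfile="client.pem", keyfile="client.key" it satisfies a server
    # that requires mutual TLS.
    ctx = build_client_context()
    print(probe_tls("rabbitmq.DOMAIN.NAME", 61614, ctx))
```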
