
RabbitMQ SSL connection works on an Ubuntu 14.04 machine but not on a CentOS 6 machine

  • November 1, 2018

I have set up a RabbitMQ SSL connection on a remote server following the documentation here: https://www.rabbitmq.com/ssl.html

I am using the Java rabbitmq-client to connect to the remote server and send a hello message to a queue on the rabbitmq-server. The connection works fine from my local Ubuntu 14.04 machine, but does not work from a CentOS 6 machine.

OpenSSL s_client command used:

openssl s_client -connect rabbitserver:5671 -cert cert.pem -key key.pem -CAfile cacert.pem

OpenSSL output on Ubuntu:

CONNECTED(00000003)
depth=1 CN = MyTestCA
verify return:1
depth=0 CN = LAP0078, O = server
verify return:1
---
Certificate chain
0 s:/CN=LAP0078/O=server
  i:/CN=MyTestCA
1 s:/CN=MyTestCA
  i:/CN=MyTestCA
---
Server certificate
-----BEGIN CERTIFICATE-----
[certificate body omitted]
-----END CERTIFICATE-----
subject=/CN=LAP0078/O=server
issuer=/CN=MyTestCA
---
Acceptable client certificate CA names
/CN=MyTestCA
---
SSL handshake has read 2160 bytes and written 2298 bytes
---
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-SHA384
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
   Protocol  : TLSv1.2
   Cipher    : ECDHE-RSA-AES256-SHA384
   Session-ID: 3DFE01EE903538C9084A8B9E7FDD68021106C1992DC35B313A7C86A3D4CE5579
   Session-ID-ctx: 
   Master-Key: D64753633EC177935CB2E19A630DD6C8285779D02D52D480B9CE2265658D92F5F827C62E5BE3B816CF3A2E14BFEB547B
   Key-Arg   : None
   PSK identity: None
   PSK identity hint: None
   SRP username: None
   Start Time: 1519115155
   Timeout   : 300 (sec)
   Verify return code: 0 (ok)
---
closed

OpenSSL output on CentOS:

CONNECTED(00000003)
SSL_connect:before/connect initialization
write to 0x8256ab0 [0x82573f0] (247 bytes => -1 (0xFFFFFFFF))
SSL_connect:error in SSLv2/v3 write client hello B
write:errno=104
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 0 bytes and written 0 bytes
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
---

SSL debug output from the Java program:

Ignoring unavailable cipher suite: TLS_DHE_DSS_WITH_AES_256_GCM_SHA384                                              
Ignoring unavailable cipher suite: TLS_RSA_WITH_AES_256_CBC_SHA                                                     
Ignoring unavailable cipher suite: TLS_DHE_RSA_WITH_AES_256_GCM_SHA384                                              
Ignoring unavailable cipher suite: TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA                                              
Ignoring unavailable cipher suite: TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384                                          
Ignoring unavailable cipher suite: TLS_RSA_WITH_AES_256_CBC_SHA256                                                  
Ignoring unavailable cipher suite: TLS_DHE_DSS_WITH_AES_256_CBC_SHA                                                 
Ignoring unavailable cipher suite: TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384                                           
Ignoring unavailable cipher suite: TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384                                             
Ignoring unavailable cipher suite: TLS_RSA_WITH_AES_256_GCM_SHA384                                                  
Ignoring unavailable cipher suite: TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384                                           
Ignoring unavailable cipher suite: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384                                            
Ignoring unavailable cipher suite: TLS_ECDH_RSA_WITH_AES_256_CBC_SHA                                                
Ignoring unavailable cipher suite: TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384                                             
Ignoring unavailable cipher suite: TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384                                          
Ignoring unavailable cipher suite: TLS_DHE_RSA_WITH_AES_256_CBC_SHA256                                              
Ignoring unavailable cipher suite: TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA                                             
Ignoring unavailable cipher suite: TLS_DHE_DSS_WITH_AES_256_CBC_SHA256                                              
Ignoring unavailable cipher suite: TLS_DHE_RSA_WITH_AES_256_CBC_SHA                                                 
Ignoring unavailable cipher suite: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA                                               
Ignoring unavailable cipher suite: TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384                                            
Allow unsafe renegotiation: false                                                                                   
Allow legacy hello messages: true                                                                                   
Is initial handshake: true                                                                                          
Is secure renegotiation: false                                                                                      
pool-2-thread-1, setSoTimeout(10000) called 
Ignoring unsupported cipher suite: TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 for TLSv1                                
Ignoring unsupported cipher suite: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 for TLSv1                                  
Ignoring unsupported cipher suite: TLS_RSA_WITH_AES_128_CBC_SHA256 for TLSv1                                        
Ignoring unsupported cipher suite: TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256 for TLSv1                                 
Ignoring unsupported cipher suite: TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256 for TLSv1                                   
Ignoring unsupported cipher suite: TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 for TLSv1                                    
Ignoring unsupported cipher suite: TLS_DHE_DSS_WITH_AES_128_CBC_SHA256 for TLSv1                                    
Ignoring unsupported cipher suite: TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 for TLSv1.1                              
Ignoring unsupported cipher suite: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 for TLSv1.1                                
Ignoring unsupported cipher suite: TLS_RSA_WITH_AES_128_CBC_SHA256 for TLSv1.1                                      
Ignoring unsupported cipher suite: TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256 for TLSv1.1                               
Ignoring unsupported cipher suite: TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256 for TLSv1.1                                 
Ignoring unsupported cipher suite: TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 for TLSv1.1                                  
Ignoring unsupported cipher suite: TLS_DHE_DSS_WITH_AES_128_CBC_SHA256 for TLSv1.1                                  
%% No cached client session                                                                                         
*** ClientHello, TLSv1.2                                                                                            
RandomCookie:  GMT: 1502197153 bytes = { 240, 9, 18, 141, 86, 242, 197, 223, 248, 4, 162, 202, 246, 53, 139, 10, 48, 117, 190, 160, 172, 78, 177, 16, 228, 123, 156, 90 }                                                               
Session ID:  {}                                                                                                     
Cipher Suites: [TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256, TLS_RSA_WITH_AES_128_CBC_SHA256, TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256, TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256, TLS_DHE_RSA_WITH_AES_128_CBC_SHA256, TLS_DHE_DSS_WITH_AES_128_CBC_SHA256, TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, TLS_RSA_WITH_AES_128_CBC_SHA, TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA, TLS_ECDH_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_DSS_WITH_AES_128_CBC_SHA, TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, TLS_RSA_WITH_AES_128_GCM_SHA256, TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256, TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256, TLS_DHE_RSA_WITH_AES_128_GCM_SHA256, TLS_DHE_DSS_WITH_AES_128_GCM_SHA256, TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA, TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_RSA_WITH_3DES_EDE_CBC_SHA, TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA, TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA, TLS_ECDHE_ECDSA_WITH_RC4_128_SHA, TLS_ECDHE_RSA_WITH_RC4_128_SHA, SSL_RSA_WITH_RC4_128_SHA, TLS_ECDH_ECDSA_WITH_RC4_128_SHA, TLS_ECDH_RSA_WITH_RC4_128_SHA, SSL_RSA_WITH_RC4_128_MD5, TLS_EMPTY_RENEGOTIATION_INFO_SCSV]                   
Compression Methods:  { 0 }                                                                                         
Extension elliptic_curves, curve names: {secp256r1, sect163k1, sect163r2, secp192r1, secp224r1, sect233k1, sect233r1, sect283k1, sect283r1, secp384r1, sect409k1, sect409r1, secp521r1, sect571k1, sect571r1, secp160k1, secp160r1, secp160r2, sect163r1, secp192k1, sect193r1, sect193r2, secp224k1, sect239k1, secp256k1}                                 
Extension ec_point_formats, formats: [uncompressed]                                                                 
Extension signature_algorithms, signature_algorithms: SHA512withECDSA, SHA512withRSA, SHA384withECDSA, SHA384withRSA, SHA256withECDSA, SHA256withRSA, SHA224withECDSA, SHA224withRSA, SHA1withECDSA, SHA1withRSA, SHA1withDSA, MD5withRSA                                                                                                                   
***                                                                                                                 
pool-2-thread-1, WRITE: TLSv1.2 Handshake, length = 207                                                             
pool-2-thread-1, waiting for close_notify or alert: state 1                                                         
pool-2-thread-1, Exception while waiting for close java.net.SocketException: Connection reset                       
pool-2-thread-1, handling exception: java.net.SocketException: Connection reset                                     
pool-2-thread-1, SEND TLSv1.2 ALERT:  fatal, description = unexpected_message                                       
pool-2-thread-1, WRITE: TLSv1.2 Alert, length = 2                                                                   
pool-2-thread-1, Exception sending alert: java.net.SocketException: Broken pipe                                     
pool-2-thread-1, called closeSocket()                                                                               
pool-2-thread-1, called close()                                                                                     
pool-2-thread-1, called closeInternal(true)  

Jar/package versions:

  1. rabbitmq-client: 3.3.1
  2. Camel: 2.18.1
  3. RabbitMQ: 3.6.15
  4. Erlang: 19.3.6
  5. Java: 8

How can I establish the connection from my CentOS machine?

I believe your problem is related to Java: you need to install the Java Cryptography Extension (JCE) Unlimited Strength Jurisdiction Policy Files, because by default the installed Java only has limited-strength cryptography enabled (apparently to allow worldwide distribution under particular local legal requirements).

https://www.oracle.com/technetwork/java/javase/documentation/jceunlimitedstrghpolicyfilereadme-2864390.html

Due to import control restrictions of some countries, the version of the JCE policy files that are bundled in the Java Runtime Environment, or JRE(TM), 8 environment allow "strong" but limited cryptography to be used. This download bundle (the one including this README file) provides "unlimited strength" policy files which contain no restrictions on cryptographic strengths.

The idea comes from comparing the two connection attempts. The successful one states:

New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-SHA384

while the failed one states (among other things):

Ignoring unavailable cipher suite: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 
Ignoring unavailable cipher suite: TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 

Quoted from: https://serverfault.com/questions/897995
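As an added example (not part of the question or the answer above, and not a RabbitMQ tool), the following POSIX shell script generalises the two openssl s_client runs into a small triage helper: it probes the endpoint once per TLS protocol version and classifies each run from the s_client output, separating a TCP reset before any handshake bytes were read (the shape of the CentOS output above: "write:errno=104" together with "SSL handshake has read 0 bytes") from a handshake rejected by a TLS alert, and from a completed handshake whose certificate chain failed verification. The host name, port and file names in the usage line are placeholders.

```shell
#!/bin/sh
# Added example, not from the original post or the RabbitMQ project.
# Probe a TLS port with openssl s_client, one run per protocol version,
# and classify each run from the s_client output.

# classify_s_client OUTPUT
# Prints one of: handshake_ok, reset_before_handshake,
# handshake_rejected, cert_verify_failed, unknown
classify_s_client() {
  out=$1
  if printf '%s\n' "$out" | grep -q 'Verify return code: 0 (ok)'; then
    # Full handshake, and the peer chain validated against -CAfile.
    echo handshake_ok
  elif printf '%s\n' "$out" | grep -q 'SSL handshake has read 0 bytes' &&
       printf '%s\n' "$out" | grep -Eq 'errno=104|Connection reset'; then
    # The peer (or something in between) closed the TCP connection on our
    # first write; no TLS record came back, so no cipher negotiation happened.
    echo reset_before_handshake
  elif printf '%s\n' "$out" | grep -Eq 'alert (handshake failure|protocol version|internal error)'; then
    # The peer answered with a TLS alert: version or cipher suite rejected.
    echo handshake_rejected
  elif printf '%s\n' "$out" | grep -Eq 'Verify return code: [1-9][0-9]*'; then
    # Handshake completed but chain validation failed (wrong CA, expired, ...).
    echo cert_verify_failed
  else
    echo unknown
  fi
}

# probe HOST PORT [extra s_client args such as -cert/-key/-CAfile]
probe() {
  host=$1; port=$2; shift 2
  for ver in -tls1 -tls1_1 -tls1_2; do
    # </dev/null makes s_client exit right after printing the handshake summary.
    out=$(openssl s_client -connect "$host:$port" "$ver" "$@" </dev/null 2>&1)
    printf '%-9s %s\n' "$ver" "$(classify_s_client "$out")"
  done
}

# Usage (placeholder names):
#   sh tls_probe.sh rabbitserver 5671 -cert cert.pem -key key.pem -CAfile cacert.pem
if [ $# -ge 2 ]; then
  probe "$@"
fi
```

A "reset_before_handshake" result on every protocol version points at the TCP path (firewall, SELinux/iptables on the client, or the listener itself) rather than at TLS parameters, whereas "handshake_rejected" only on some versions points at the server's protocol or cipher configuration. Whether the JVM has the unlimited-strength policy installed is a property of the Java runtime and is not something this probe observes.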