Centos
RabbitMQ SSL 連接適用於 Ubuntu14.04 機器,但不適用於 CentOS 6 機器
根據此處的文件,我已經在遠端伺服器上設置了 rabbitmq ssl 連接:https ://www.rabbitmq.com/ssl.html
我正在使用 java rabbitmqclient 連接到遠端伺服器並將 hello 消息發送到 rabbitmq-server 上的隊列,連接在我的本地 ubuntu 14.04 機器上工作正常,但在 centOS 6 機器上不能工作。
使用的打開 SSL s_client 命令:
openssl s_client -connect rabbitserver:5671 -cert cert.pem -key key.pem -CAfile cacert.pem
在 ubuntu 上打開 SSL 輸出:
CONNECTED(00000003) depth=1 CN = MyTestCA verify return:1 depth=0 CN = LAP0078, O = server verify return:1 --- Certificate chain 0 s:/CN=LAP0078/O=server i:/CN=MyTestCA 1 s:/CN=MyTestCA i:/CN=MyTestCA --- Server certificate -----BEGIN CERTIFICATE----- MIIC4DCCAcigAwIBAgIBATANBgkqhkiG9w0BAQsFADATMREwDwYDVQQDEwhNeVRl c3RDQTAeFw0xODAyMTUwODAwMTRaFw0yODAyMTMwODAwMTRaMCMxEDAOBgNVBAMM B0xBUDAwNzgxDzANBgNVBAoMBnNlcnZlcjCCASIwDQYJKoZIhvcNAQEBBQADggEP ADCCAQoCggEBAMQmDjoWiZYSugEHGGBBV1eEhJiyGHxgACtQ5al6SVPnPM3PYGOH N5nkPJIl/khymJWAav6B0zF4u46W01MZ90OzwvBvwWHJOBZCjrYCwclFhEW00Wte QB7thTfo8kO9LnDQ//gAOx/3oxZUsyv85snlA3IiZDiOBNTNi7i4rmEF1X6St9cy Bhm13k13MSMPGvg5cwt0DPax78PiJuDJmcLv6jV0dtyuOOaVRKN2XQsw4nJ7mPDh rymnaWo2XL663vwDDkG306jpYR0BpeYBjcxM9BDDQLxydGj1DQPuG4yS1BLsfPCT HyBklwW7tsYMH4NLejWYOkpBUA0F9rN318cCAwEAAaMvMC0wCQYDVR0TBAIwADAL BgNVHQ8EBAMCBaAwEwYDVR0lBAwwCgYIKwYBBQUHAwEwDQYJKoZIhvcNAQELBQAD ggEBAD3UFwHy1cYMI7PemLzRGrIK8fuuScRr1XHqZ6Jm8IY15l4DKaOP2bfa8l8f 2gvrDlQRe+wAA4rzHVfHar8Y5EwVklf8y9xb2+5kDrG10dfD97EQpGC2mihdOB7Z BfUlreIsazsZS4n/pGVvdMLPKAxIv8r8Gc9GMYRmLPn9mnx3k3u7AHLMKrbF7Dr4 KLyV09CtfiYz/Cp7A2/QHY+bR4J9kJKlzBQTtp1o+A+ek598AUTUF1SDlhNf4o17 K6FzDyABWLcJdzqJPmgR9RDRYO8+B2ej8nmqV8xoqSSsM5NCpn8XTGICVDXVjWhu mjPA+HtO4q1d8ig4ErkfygEzhDE= -----END CERTIFICATE----- subject=/CN=LAP0078/O=server issuer=/CN=MyTestCA --- Acceptable client certificate CA names /CN=MyTestCA --- SSL handshake has read 2160 bytes and written 2298 bytes --- New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-SHA384 Server public key is 2048 bit Secure Renegotiation IS supported Compression: NONE Expansion: NONE SSL-Session: Protocol : TLSv1.2 Cipher : ECDHE-RSA-AES256-SHA384 Session-ID: 3DFE01EE903538C9084A8B9E7FDD68021106C1992DC35B313A7C86A3D4CE5579 Session-ID-ctx: Master-Key: D64753633EC177935CB2E19A630DD6C8285779D02D52D480B9CE2265658D92F5F827C62E5BE3B816CF3A2E14BFEB547B Key-Arg : None PSK identity: None PSK identity hint: None SRP username: None Start Time: 1519115155 Timeout : 300 (sec) Verify return code: 0 (ok) --- closed
CentOS 上的 Openssl 輸出:
CONNECTED(00000003) SSL_connect:before/connect initialization write to 0x8256ab0 [0x82573f0] (247 bytes => -1 (0xFFFFFFFF)) SSL_connect:error in SSLv2/v3 write client hello B write:errno=104 --- no peer certificate available --- No client certificate CA names sent --- SSL handshake has read 0 bytes and written 0 bytes --- New, (NONE), Cipher is (NONE) Secure Renegotiation IS NOT supported Compression: NONE Expansion: NONE ---
java程序的SSL輸出:
Ignoring unavailable cipher suite: TLS_DHE_DSS_WITH_AES_256_GCM_SHA384 Ignoring unavailable cipher suite: TLS_RSA_WITH_AES_256_CBC_SHA Ignoring unavailable cipher suite: TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 Ignoring unavailable cipher suite: TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA Ignoring unavailable cipher suite: TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 Ignoring unavailable cipher suite: TLS_RSA_WITH_AES_256_CBC_SHA256 Ignoring unavailable cipher suite: TLS_DHE_DSS_WITH_AES_256_CBC_SHA Ignoring unavailable cipher suite: TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384 Ignoring unavailable cipher suite: TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384 Ignoring unavailable cipher suite: TLS_RSA_WITH_AES_256_GCM_SHA384 Ignoring unavailable cipher suite: TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384 Ignoring unavailable cipher suite: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 Ignoring unavailable cipher suite: TLS_ECDH_RSA_WITH_AES_256_CBC_SHA Ignoring unavailable cipher suite: TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384 Ignoring unavailable cipher suite: TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384 Ignoring unavailable cipher suite: TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 Ignoring unavailable cipher suite: TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA Ignoring unavailable cipher suite: TLS_DHE_DSS_WITH_AES_256_CBC_SHA256 Ignoring unavailable cipher suite: TLS_DHE_RSA_WITH_AES_256_CBC_SHA Ignoring unavailable cipher suite: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA Ignoring unavailable cipher suite: TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 Allow unsafe renegotiation: false Allow legacy hello messages: true Is initial handshake: true Is secure renegotiation: false pool-2-thread-1, setSoTimeout(10000) called Ignoring unsupported cipher suite: TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 for TLSv1 Ignoring unsupported cipher suite: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 for TLSv1 Ignoring unsupported cipher suite: TLS_RSA_WITH_AES_128_CBC_SHA256 for TLSv1 Ignoring unsupported cipher suite: TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256 for TLSv1 Ignoring unsupported cipher suite: TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256 for TLSv1 Ignoring unsupported cipher suite: TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 for TLSv1 Ignoring unsupported cipher suite: TLS_DHE_DSS_WITH_AES_128_CBC_SHA256 for TLSv1 Ignoring unsupported cipher suite: TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 for TLSv1.1 Ignoring unsupported cipher suite: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 for TLSv1.1 Ignoring unsupported cipher suite: TLS_RSA_WITH_AES_128_CBC_SHA256 for TLSv1.1 Ignoring unsupported cipher suite: TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256 for TLSv1.1 Ignoring unsupported cipher suite: TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256 for TLSv1.1 Ignoring unsupported cipher suite: TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 for TLSv1.1 Ignoring unsupported cipher suite: TLS_DHE_DSS_WITH_AES_128_CBC_SHA256 for TLSv1.1 %% No cached client session *** ClientHello, TLSv1.2 RandomCookie: GMT: 1502197153 bytes = { 240, 9, 18, 141, 86, 242, 197, 223, 248, 4, 162, 202, 246, 53, 139, 10, 48, 117, 190, 160, 172, 78, 177, 16, 228, 123, 156, 90 } Session ID: {} Cipher Suites: [TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256, TLS_RSA_WITH_AES_128_CBC_SHA256, TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256, TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256, TLS_DHE_RSA_WITH_AES_128_CBC_SHA256, TLS_DHE_DSS_WITH_AES_128_CBC_SHA256, TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, TLS_RSA_WITH_AES_128_CBC_SHA, TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA, TLS_ECDH_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_DSS_WITH_AES_128_CBC_SHA, TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, TLS_RSA_WITH_AES_128_GCM_SHA256, TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256, TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256, TLS_DHE_RSA_WITH_AES_128_GCM_SHA256, TLS_DHE_DSS_WITH_AES_128_GCM_SHA256, TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA, TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_RSA_WITH_3DES_EDE_CBC_SHA, TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA, TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA, TLS_ECDHE_ECDSA_WITH_RC4_128_SHA, TLS_ECDHE_RSA_WITH_RC4_128_SHA, SSL_RSA_WITH_RC4_128_SHA, TLS_ECDH_ECDSA_WITH_RC4_128_SHA, TLS_ECDH_RSA_WITH_RC4_128_SHA, SSL_RSA_WITH_RC4_128_MD5, TLS_EMPTY_RENEGOTIATION_INFO_SCSV] Compression Methods: { 0 } Extension elliptic_curves, curve names: {secp256r1, sect163k1, sect163r2, secp192r1, secp224r1, sect233k1, sect233r1, sect283k1, sect283r1, secp384r1, sect409k1, sect409r1, secp521r1, sect571k1, sect571r1, secp160k1, secp160r1, secp160r2, sect163r1, secp192k1, sect193r1, sect193r2, secp224k1, sect239k1, secp256k1} Extension ec_point_formats, formats: [uncompressed] Extension signature_algorithms, signature_algorithms: SHA512withECDSA, SHA512withRSA, SHA384withECDSA, SHA384withRSA, SHA256withECDSA, SHA256withRSA, SHA224withECDSA, SHA224withRSA, SHA1withECDSA, SHA1withRSA, SHA1withDSA, MD5withRSA *** pool-2-thread-1, WRITE: TLSv1.2 Handshake, length = 207 pool-2-thread-1, waiting for close_notify or alert: state 1 pool-2-thread-1, Exception while waiting for close java.net.SocketException: Connection reset pool-2-thread-1, handling exception: java.net.SocketException: Connection reset pool-2-thread-1, SEND TLSv1.2 ALERT: fatal, description = unexpected_message pool-2-thread-1, WRITE: TLSv1.2 Alert, length = 2 pool-2-thread-1, Exception sending alert: java.net.SocketException: Broken pipe pool-2-thread-1, called closeSocket() pool-2-thread-1, called close() pool-2-thread-1, called closeInternal(true)
罐子/包裝版本:
- rabbitmqclient:3.3.1
- 駱駝:2.18.1
- 兔子MQ:3.6.15
- 二郎:19.3.6
- 爪哇:8
如何從我的 centOS 機器建立連接?
我相信您的問題與 Java 有關,您需要安裝 Java Cryptography Extension (JCE) Unlimited Strength Jurisdiction Policy Files,因為預設情況下,安裝的 java 僅啟用了有限的強度(顯然是為了允許全球分發 - 特殊的當地法律要求)
由於某些國家/地區的進口管制限制,捆綁在 Java Runtime Environment 或 JRE(TM)、8 環境中的 JCE 策略文件版本允許使用“強”但有限的密碼學。此下載包(包含此 README 文件的包)提供“無限強度”策略文件,其中不包含對加密強度的限制。
這個想法來自2次連接嘗試的比較,成功的一個狀態:
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-SHA384
雖然失敗的一個狀態(其中包括):
Ignoring unavailable cipher suite: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 Ignoring unavailable cipher suite: TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384