RabbitMQ SSL connection works from an Ubuntu14.04 machine but not from a CentOS 6 machine

0

I have setup a rabbitmq ssl connection on my remote server as per the docs here: https://www.rabbitmq.com/ssl.html

I am using java rabbitmqclient to connect to the remote server and sending a hello message to a queue on rabbitmq-server, the connection works fine from my local ubuntu 14.04 machine but does not work from a centOS 6 machine.

Open SSL s_client command used:

openssl s_client -connect rabbitserver:5671 -cert cert.pem -key key.pem -CAfile cacert.pem

Open SSL output on ubuntu:

CONNECTED(00000003)
depth=1 CN = MyTestCA
verify return:1
depth=0 CN = LAP0078, O = server
verify return:1
---
Certificate chain
 0 s:/CN=LAP0078/O=server
   i:/CN=MyTestCA
 1 s:/CN=MyTestCA
   i:/CN=MyTestCA
---
Server certificate
-----BEGIN CERTIFICATE-----
MIIC4DCCAcigAwIBAgIBATANBgkqhkiG9w0BAQsFADATMREwDwYDVQQDEwhNeVRl
c3RDQTAeFw0xODAyMTUwODAwMTRaFw0yODAyMTMwODAwMTRaMCMxEDAOBgNVBAMM
B0xBUDAwNzgxDzANBgNVBAoMBnNlcnZlcjCCASIwDQYJKoZIhvcNAQEBBQADggEP
ADCCAQoCggEBAMQmDjoWiZYSugEHGGBBV1eEhJiyGHxgACtQ5al6SVPnPM3PYGOH
N5nkPJIl/khymJWAav6B0zF4u46W01MZ90OzwvBvwWHJOBZCjrYCwclFhEW00Wte
QB7thTfo8kO9LnDQ//gAOx/3oxZUsyv85snlA3IiZDiOBNTNi7i4rmEF1X6St9cy
Bhm13k13MSMPGvg5cwt0DPax78PiJuDJmcLv6jV0dtyuOOaVRKN2XQsw4nJ7mPDh
rymnaWo2XL663vwDDkG306jpYR0BpeYBjcxM9BDDQLxydGj1DQPuG4yS1BLsfPCT
HyBklwW7tsYMH4NLejWYOkpBUA0F9rN318cCAwEAAaMvMC0wCQYDVR0TBAIwADAL
BgNVHQ8EBAMCBaAwEwYDVR0lBAwwCgYIKwYBBQUHAwEwDQYJKoZIhvcNAQELBQAD
ggEBAD3UFwHy1cYMI7PemLzRGrIK8fuuScRr1XHqZ6Jm8IY15l4DKaOP2bfa8l8f
2gvrDlQRe+wAA4rzHVfHar8Y5EwVklf8y9xb2+5kDrG10dfD97EQpGC2mihdOB7Z
BfUlreIsazsZS4n/pGVvdMLPKAxIv8r8Gc9GMYRmLPn9mnx3k3u7AHLMKrbF7Dr4
KLyV09CtfiYz/Cp7A2/QHY+bR4J9kJKlzBQTtp1o+A+ek598AUTUF1SDlhNf4o17
K6FzDyABWLcJdzqJPmgR9RDRYO8+B2ej8nmqV8xoqSSsM5NCpn8XTGICVDXVjWhu
mjPA+HtO4q1d8ig4ErkfygEzhDE=
-----END CERTIFICATE-----
subject=/CN=LAP0078/O=server
issuer=/CN=MyTestCA
---
Acceptable client certificate CA names
/CN=MyTestCA
---
SSL handshake has read 2160 bytes and written 2298 bytes
---
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-SHA384
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES256-SHA384
    Session-ID: 3DFE01EE903538C9084A8B9E7FDD68021106C1992DC35B313A7C86A3D4CE5579
    Session-ID-ctx: 
    Master-Key: D64753633EC177935CB2E19A630DD6C8285779D02D52D480B9CE2265658D92F5F827C62E5BE3B816CF3A2E14BFEB547B
    Key-Arg   : None
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    Start Time: 1519115155
    Timeout   : 300 (sec)
    Verify return code: 0 (ok)
---
closed

Openssl output on CentOS:

CONNECTED(00000003)
SSL_connect:before/connect initialization
write to 0x8256ab0 [0x82573f0] (247 bytes => -1 (0xFFFFFFFF))
SSL_connect:error in SSLv2/v3 write client hello B
write:errno=104
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 0 bytes and written 0 bytes
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
---

SSL Output of java process:

Ignoring unavailable cipher suite: TLS_DHE_DSS_WITH_AES_256_GCM_SHA384                                              
Ignoring unavailable cipher suite: TLS_RSA_WITH_AES_256_CBC_SHA                                                     
Ignoring unavailable cipher suite: TLS_DHE_RSA_WITH_AES_256_GCM_SHA384                                              
Ignoring unavailable cipher suite: TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA                                              
Ignoring unavailable cipher suite: TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384                                          
Ignoring unavailable cipher suite: TLS_RSA_WITH_AES_256_CBC_SHA256                                                  
Ignoring unavailable cipher suite: TLS_DHE_DSS_WITH_AES_256_CBC_SHA                                                 
Ignoring unavailable cipher suite: TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384                                           
Ignoring unavailable cipher suite: TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384                                             
Ignoring unavailable cipher suite: TLS_RSA_WITH_AES_256_GCM_SHA384                                                  
Ignoring unavailable cipher suite: TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384                                           
Ignoring unavailable cipher suite: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384                                            
Ignoring unavailable cipher suite: TLS_ECDH_RSA_WITH_AES_256_CBC_SHA                                                
Ignoring unavailable cipher suite: TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384                                             
Ignoring unavailable cipher suite: TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384                                          
Ignoring unavailable cipher suite: TLS_DHE_RSA_WITH_AES_256_CBC_SHA256                                              
Ignoring unavailable cipher suite: TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA                                             
Ignoring unavailable cipher suite: TLS_DHE_DSS_WITH_AES_256_CBC_SHA256                                              
Ignoring unavailable cipher suite: TLS_DHE_RSA_WITH_AES_256_CBC_SHA                                                 
Ignoring unavailable cipher suite: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA                                               
Ignoring unavailable cipher suite: TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384                                            
Allow unsafe renegotiation: false                                                                                   
Allow legacy hello messages: true                                                                                   
Is initial handshake: true                                                                                          
Is secure renegotiation: false                                                                                      
pool-2-thread-1, setSoTimeout(10000) called 
Ignoring unsupported cipher suite: TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 for TLSv1                                
Ignoring unsupported cipher suite: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 for TLSv1                                  
Ignoring unsupported cipher suite: TLS_RSA_WITH_AES_128_CBC_SHA256 for TLSv1                                        
Ignoring unsupported cipher suite: TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256 for TLSv1                                 
Ignoring unsupported cipher suite: TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256 for TLSv1                                   
Ignoring unsupported cipher suite: TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 for TLSv1                                    
Ignoring unsupported cipher suite: TLS_DHE_DSS_WITH_AES_128_CBC_SHA256 for TLSv1                                    
Ignoring unsupported cipher suite: TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 for TLSv1.1                              
Ignoring unsupported cipher suite: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 for TLSv1.1                                
Ignoring unsupported cipher suite: TLS_RSA_WITH_AES_128_CBC_SHA256 for TLSv1.1                                      
Ignoring unsupported cipher suite: TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256 for TLSv1.1                               
Ignoring unsupported cipher suite: TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256 for TLSv1.1                                 
Ignoring unsupported cipher suite: TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 for TLSv1.1                                  
Ignoring unsupported cipher suite: TLS_DHE_DSS_WITH_AES_128_CBC_SHA256 for TLSv1.1                                  
%% No cached client session                                                                                         
*** ClientHello, TLSv1.2                                                                                            
RandomCookie:  GMT: 1502197153 bytes = { 240, 9, 18, 141, 86, 242, 197, 223, 248, 4, 162, 202, 246, 53, 139, 10, 48, 117, 190, 160, 172, 78, 177, 16, 228, 123, 156, 90 }                                                               
Session ID:  {}                                                                                                     
Cipher Suites: [TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256, TLS_RSA_WITH_AES_128_CBC_SHA256, TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256, TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256, TLS_DHE_RSA_WITH_AES_128_CBC_SHA256, TLS_DHE_DSS_WITH_AES_128_CBC_SHA256, TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, TLS_RSA_WITH_AES_128_CBC_SHA, TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA, TLS_ECDH_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_DSS_WITH_AES_128_CBC_SHA, TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, TLS_RSA_WITH_AES_128_GCM_SHA256, TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256, TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256, TLS_DHE_RSA_WITH_AES_128_GCM_SHA256, TLS_DHE_DSS_WITH_AES_128_GCM_SHA256, TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA, TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_RSA_WITH_3DES_EDE_CBC_SHA, TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA, TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA, TLS_ECDHE_ECDSA_WITH_RC4_128_SHA, TLS_ECDHE_RSA_WITH_RC4_128_SHA, SSL_RSA_WITH_RC4_128_SHA, TLS_ECDH_ECDSA_WITH_RC4_128_SHA, TLS_ECDH_RSA_WITH_RC4_128_SHA, SSL_RSA_WITH_RC4_128_MD5, TLS_EMPTY_RENEGOTIATION_INFO_SCSV]                   
Compression Methods:  { 0 }                                                                                         
Extension elliptic_curves, curve names: {secp256r1, sect163k1, sect163r2, secp192r1, secp224r1, sect233k1, sect233r1, sect283k1, sect283r1, secp384r1, sect409k1, sect409r1, secp521r1, sect571k1, sect571r1, secp160k1, secp160r1, secp160r2, sect163r1, secp192k1, sect193r1, sect193r2, secp224k1, sect239k1, secp256k1}                                 
Extension ec_point_formats, formats: [uncompressed]                                                                 
Extension signature_algorithms, signature_algorithms: SHA512withECDSA, SHA512withRSA, SHA384withECDSA, SHA384withRSA, SHA256withECDSA, SHA256withRSA, SHA224withECDSA, SHA224withRSA, SHA1withECDSA, SHA1withRSA, SHA1withDSA, MD5withRSA                                                                                                                   
***                                                                                                                 
pool-2-thread-1, WRITE: TLSv1.2 Handshake, length = 207                                                             
pool-2-thread-1, waiting for close_notify or alert: state 1                                                         
pool-2-thread-1, Exception while waiting for close java.net.SocketException: Connection reset                       
pool-2-thread-1, handling exception: java.net.SocketException: Connection reset                                     
pool-2-thread-1, SEND TLSv1.2 ALERT:  fatal, description = unexpected_message                                       
pool-2-thread-1, WRITE: TLSv1.2 Alert, length = 2                                                                   
pool-2-thread-1, Exception sending alert: java.net.SocketException: Broken pipe                                     
pool-2-thread-1, called closeSocket()                                                                               
pool-2-thread-1, called close()                                                                                     
pool-2-thread-1, called closeInternal(true)  

Jar/Package versions:

  1. rabbitmqclient: 3.3.1
  2. camel: 2.18.1
  3. rabbitmq: 3.6.15
  4. erlang: 19.3.6
  5. java: 8

How can I establish the connection from my centOS machine?

centos
ssl
java
openssl
rabbitmq
asked on Server Fault Feb 20, 2018 by gresdiplitude

1 Answer

0

I believe your issue is with Java, you need to install the Java Cryptography Extension (JCE) Unlimited Strength Jurisdiction Policy Files, as by default the java installed has only limited strength enabled (apparently to allow for worldwide distribution - special local legal requirements)

https://www.oracle.com/technetwork/java/javase/documentation/jceunlimitedstrghpolicyfilereadme-2864390.html

Due to import control restrictions of some countries, the version of the JCE policy files that are bundled in the Java Runtime Environment, or JRE(TM), 8 environment allow "strong" but limited cryptography to be used. This download bundle (the one including this README file) provides "unlimited strength" policy files which contain no restrictions on cryptographic strengths.

This thought comes from the comparison of the 2 connection attempts, the successful one states:

New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-SHA384

While the failing one states (amongst others):

Ignoring unavailable cipher suite: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 
Ignoring unavailable cipher suite: TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 
answered on Server Fault Nov 1, 2018 by Olivier

User contributions licensed under CC BY-SA 3.0