I am developing a java client to consume from rabbitmq (using amqp-client lib). All works fine until I start using ssl protocol. In java log I see
java.net.SocketException: Connection reset
And in rabbitmq logs there is only
SSL: certify: ssl_handshake.erl:1490:Fatal error: unknown ca
I have checked certificates, all seem fine. Then I enabled ssl debug in java. Looking at ssl logs it seems that actually server and client are interacting fine. I see that trusted certificate is found, clienthello and serverhello finish correctly, but at certificate verification step the connection is reset:
*** CertificateVerify
Signature Algorithm SHA512withRSA
[write] MD5 and SHA1 hashes: len = 264
0000: 0F 00 01 04 06 01 01 00 60 E9 E3 AE 11 C5 34 76 ........`.....4v
...
0100: A2 41 B2 48 5D DA BE 27 .A.H]..'
Thread-0, WRITE: TLSv1.2 Handshake, length = 264
Thread-0, waiting for close_notify or alert: state 1
Thread-0, Exception while waiting for close java.net.SocketException: Connection reset
Thread-0, handling exception: java.net.SocketException: Connection reset
%% Invalidated: [Session-1, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256]
Thread-0, SEND TLSv1.2 ALERT: fatal, description = unexpected_message
Thread-0, WRITE: TLSv1.2 Alert, length = 2
Thread-0, Exception sending alert: java.net.SocketException: Connection reset by peer: socket write error
Thread-0, called closeSocket()
Thread-0, called close()
Thread-0, called closeInternal(true)
java.net.SocketException: Connection reset
I am not even sure how to interpret this, out of my depth here. The guides on debugging ssl/tls connections I've found are not covering this part.
-----------UPDATE-----------
A bit more staring in logs, I noticed that in certificate chains of both server and client Signature Algorithm is SHA256withRSA, while for CertificateVerify message Signature Algorithm is SHA512withRSA. Can it be the reason?
"unknown ca" means that RabbitMQ/Erlang does not have the expected CA certificate available.
Please ensure that the CA that signed your client certificate is available to RabbitMQ and that RabbitMQ is configured to use it.
https://www.rabbitmq.com/ssl.html#enabling-tls
https://www.rabbitmq.com/troubleshooting-ssl.html
The RabbitMQ team monitors the rabbitmq-users mailing list and only sometimes answers questions on StackOverflow.
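For the client side of what the answer describes, here is an added example (not code from the question, the answer or the RabbitMQ project) of a Java amqp-client connection that presents a client certificate and validates the broker's certificate against an explicit truststore. The file names, passwords and hostname are placeholders; it assumes a PKCS12 keystore holding the client certificate, its private key and any intermediate CA, and a PKCS12 truststore holding the CA that signed the broker certificate.

```java
import com.rabbitmq.client.Connection;
import com.rabbitmq.client.ConnectionFactory;

import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManagerFactory;
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;

public class MutualTlsRabbitClient {

    // Placeholder paths and passwords for this example; replace with your own.
    // client.p12 must contain the client cert, its private key and any
    // intermediate CA, so the broker can chain it up to the CA it trusts.
    static final String KEYSTORE_PATH = "client.p12";
    static final char[] KEYSTORE_PASS = "changeit".toCharArray();
    // truststore.p12 contains only the CA that signed the broker certificate.
    static final String TRUSTSTORE_PATH = "truststore.p12";
    static final char[] TRUSTSTORE_PASS = "changeit".toCharArray();

    static SSLContext buildSslContext() throws Exception {
        // Key material the client presents when the broker asks for a certificate.
        KeyStore keyStore = KeyStore.getInstance("PKCS12");
        try (InputStream in = new FileInputStream(KEYSTORE_PATH)) {
            keyStore.load(in, KEYSTORE_PASS);
        }
        KeyManagerFactory kmf =
            KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        kmf.init(keyStore, KEYSTORE_PASS);

        // CA used to verify the broker's certificate chain.
        KeyStore trustStore = KeyStore.getInstance("PKCS12");
        try (InputStream in = new FileInputStream(TRUSTSTORE_PATH)) {
            trustStore.load(in, TRUSTSTORE_PASS);
        }
        TrustManagerFactory tmf =
            TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(trustStore);

        SSLContext ctx = SSLContext.getInstance("TLSv1.2");
        ctx.init(kmf.getKeyManagers(), tmf.getTrustManagers(), null);
        return ctx;
    }

    public static void main(String[] args) throws Exception {
        ConnectionFactory factory = new ConnectionFactory();
        factory.setHost("rabbitmq.example.internal"); // placeholder broker hostname
        factory.setPort(5671);                         // AMQPS port
        // Pass an explicit SSLContext: useSslProtocol() with no arguments installs
        // a trust-everything manager, which hides misconfiguration instead of
        // surfacing it and leaves the client open to a man-in-the-middle.
        factory.useSslProtocol(buildSslContext());
        factory.enableHostnameVerification();
        try (Connection conn = factory.newConnection()) {
            System.out.println("TLS connection established to " + conn.getAddress());
        }
    }
}
```

On the broker side, the answer's point maps to the `ssl_options.cacertfile` entry in rabbitmq.conf, which must contain the CA that issued the client certificate whenever `ssl_options.verify = verify_peer` is set; if the broker cannot chain the presented client certificate to a CA in that file, it closes the connection with the "unknown ca" alert seen in the question, which the Java side only observes as a reset socket after it has sent CertificateVerify.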