
Connection reset during TLS certificate verify (java + rabbit mq)

I am developing a java client to consume from rabbitmq (using amqp-client lib). All works fine until I start using ssl protocol. In java log I see

java.net.SocketException: Connection reset

And in rabbitmq logs there is only

SSL: certify: ssl_handshake.erl:1490:Fatal error: unknown ca

I have checked certificates, all seem fine. Then I enabled ssl debug in java. Looking at ssl logs it seems that actually server and client are interacting fine. I see that trusted certificate is found, clienthello and serverhello finish correctly, but at certificate verification step the connection is reset:

*** CertificateVerify
Signature Algorithm SHA512withRSA
[write] MD5 and SHA1 hashes:  len = 264
0000: 0F 00 01 04 06 01 01 00   60 E9 E3 AE 11 C5 34 76  ........`.....4v
...
0100: A2 41 B2 48 5D DA BE 27                            .A.H]..'
Thread-0, WRITE: TLSv1.2 Handshake, length = 264
Thread-0, waiting for close_notify or alert: state 1
Thread-0, Exception while waiting for close java.net.SocketException: Connection reset
Thread-0, handling exception: java.net.SocketException: Connection reset
%% Invalidated:  [Session-1, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256]
Thread-0, SEND TLSv1.2 ALERT:  fatal, description = unexpected_message
Thread-0, WRITE: TLSv1.2 Alert, length = 2
Thread-0, Exception sending alert: java.net.SocketException: Connection reset by peer: socket write error
Thread-0, called closeSocket()
Thread-0, called close()
Thread-0, called closeInternal(true)
java.net.SocketException: Connection reset

I am not even sure how to interpret this, out of my depth here. The guides on debugging ssl/tls connections I've found are not covering this part.

-----------UPDATE-----------

A bit more staring in logs, I noticed that in certificate chains of both server and client Signature Algorithm is SHA256withRSA, while for CertificateVerify message Signature Algorithm is SHA512withRSA. Can it be the reason?

unknown ca means that RabbitMQ/Erlang does not have the expected CA certificate available.

Please ensure that the CA that signed your client certificate is available to RabbitMQ and that RabbitMQ is configured to use it.

https://www.rabbitmq.com/ssl.html#enabling-tls

https://www.rabbitmq.com/troubleshooting-ssl.html


The RabbitMQ team monitors the rabbitmq-users mailing list and only sometimes answers questions on StackOverflow.
