java - RabbitMQ 3.6.1 / Erlang 18.3 TLS insufficient security failures -

-

i running rabbitmq 3.6.1/erlang 18.3, , find unable establish tlsv1 or tlsv1.1 session broker using spring amqp 1.5.4.release java client. am, however, able establish tlsv1.2 session broker. rabbitmq broker configured support 3 of tlsv1, tlsv1.1, , tlsv1.2. using java 1.8.0_77-b03 on os x.

here rabbitmq configuration:

https://gist.github.com/ae6rt/de06d1efecf62fbe8cef31774d9be3d7

erlang on broker reports ssl versions

# erl                                                                                                                                                                                  eshell v7.3  (abort ^g) 1> ssl:versions(). [{ssl_app,"7.3"},  {supported,['tlsv1.2','tlsv1.1',tlsv1]},  {available,['tlsv1.2','tlsv1.1',tlsv1,sslv3]}]

this error rabbitmq logs upon failure:

=error report==== 22-apr-2016::03:19:02 === ssl: hello: tls_handshake.erl:167:fatal error: insufficient security

i used tcpdump sniff traffic on secure port 5671 during tls setup. here tshark's formatting of data:

frame 4: 210 bytes on wire (1680 bits), 210 bytes captured (1680 bits)     encapsulation type: ethernet (1)     arrival time: apr 21, 2016 20:09:38.053439000 pdt     [time shift packet: 0.000000000 seconds]     epoch time: 1461294578.053439000 seconds     [time delta previous captured frame: 0.013675000 seconds]     [time delta previous displayed frame: 0.000000000 seconds]     [time since reference or first frame: 0.013840000 seconds]     frame number: 4     frame length: 210 bytes (1680 bits)     capture length: 210 bytes (1680 bits)     [frame marked: false]     [frame ignored: false]     [protocols in frame: eth:ethertype:ip:tcp:ssl] ethernet ii, src: 02:42:f5:68:bc:7c (02:42:f5:68:bc:7c), dst: 02:42:ac:11:00:02 (02:42:ac:11:00:02)     destination: 02:42:ac:11:00:02 (02:42:ac:11:00:02)         address: 02:42:ac:11:00:02 (02:42:ac:11:00:02)         .... ..1. .... .... .... .... = lg bit: locally administered address (this not factory default)         .... ...0 .... .... .... .... = ig bit: individual address (unicast)     source: 02:42:f5:68:bc:7c (02:42:f5:68:bc:7c)         address: 02:42:f5:68:bc:7c (02:42:f5:68:bc:7c)         .... ..1. .... .... .... .... = lg bit: locally administered address (this not factory default)         .... ...0 .... .... .... .... = ig bit: individual address (unicast)     type: ipv4 (0x0800) internet protocol version 4, src: 10.0.2.2, dst: 172.17.0.2     0100 .... = version: 4     .... 0101 = header length: 20 bytes     differentiated services field: 0x00 (dscp: cs0, ecn: not-ect)         0000 00.. = differentiated services codepoint: default (0)         .... ..00 = explicit congestion notification: not ecn-capable transport (0)     total length: 196     identification: 0x0a1e (2590)     flags: 0x00         0... .... = reserved bit: not set         .0.. .... = don't fragment: not set         ..0. .... = more fragments: not set     fragment offset: 0     time live: 63     protocol: tcp (6)     header checksum: 0xb901 [validation disabled]         [good: false]         [bad: false]     source: 10.0.2.2     destination: 172.17.0.2     [source geoip: unknown]     [destination geoip: unknown] transmission control protocol, src port: 39141 (39141), dst port: 5671 (5671), seq: 1, ack: 1, len: 156     source port: 39141     destination port: 5671     [stream index: 0]     [tcp segment len: 156]     sequence number: 1    (relative sequence number)     [next sequence number: 157    (relative sequence number)]     acknowledgment number: 1    (relative ack number)     header length: 20 bytes     flags: 0x018 (psh, ack)         000. .... .... = reserved: not set         ...0 .... .... = nonce: not set         .... 0... .... = congestion window reduced (cwr): not set         .... .0.. .... = ecn-echo: not set         .... ..0. .... = urgent: not set         .... ...1 .... = acknowledgment: set         .... .... 1... = push: set         .... .... .0.. = reset: not set         .... .... ..0. = syn: not set         .... .... ...0 = fin: not set         [tcp flags: *******ap***]     window size value: 65535     [calculated window size: 65535]     [window size scaling factor: -2 (no window scaling used)]     checksum: 0x6ef9 [validation disabled]         [good checksum: false]         [bad checksum: false]     urgent pointer: 0     [seq/ack analysis]         [irtt: 0.000165000 seconds]         [bytes in flight: 156] secure sockets layer     ssl record layer: handshake protocol: client hello         content type: handshake (22)         version: tls 1.0 (0x0301)         length: 151         handshake protocol: client hello             handshake type: client hello (1)             length: 147             version: tls 1.0 (0x0301)             random                 gmt unix time: apr 21, 2016 20:09:38.000000000 pdt                 random bytes: 742380f15c78a0409bd2817911699637f5c7879f27bf6dc1...             session id length: 0             cipher suites length: 44             cipher suites (22 suites)                 cipher suite: tls_ecdhe_ecdsa_with_aes_256_cbc_sha (0xc00a)                 cipher suite: tls_ecdhe_rsa_with_aes_256_cbc_sha (0xc014)                 cipher suite: tls_rsa_with_aes_256_cbc_sha (0x0035)                 cipher suite: tls_ecdh_ecdsa_with_aes_256_cbc_sha (0xc005)                 cipher suite: tls_ecdh_rsa_with_aes_256_cbc_sha (0xc00f)                 cipher suite: tls_dhe_rsa_with_aes_256_cbc_sha (0x0039)                 cipher suite: tls_dhe_dss_with_aes_256_cbc_sha (0x0038)                 cipher suite: tls_ecdhe_ecdsa_with_aes_128_cbc_sha (0xc009)                 cipher suite: tls_ecdhe_rsa_with_aes_128_cbc_sha (0xc013)                 cipher suite: tls_rsa_with_aes_128_cbc_sha (0x002f)                 cipher suite: tls_ecdh_ecdsa_with_aes_128_cbc_sha (0xc004)                 cipher suite: tls_ecdh_rsa_with_aes_128_cbc_sha (0xc00e)                 cipher suite: tls_dhe_rsa_with_aes_128_cbc_sha (0x0033)                 cipher suite: tls_dhe_dss_with_aes_128_cbc_sha (0x0032)                 cipher suite: tls_ecdhe_ecdsa_with_3des_ede_cbc_sha (0xc008)                 cipher suite: tls_ecdhe_rsa_with_3des_ede_cbc_sha (0xc012)                 cipher suite: tls_rsa_with_3des_ede_cbc_sha (0x000a)                 cipher suite: tls_ecdh_ecdsa_with_3des_ede_cbc_sha (0xc003)                 cipher suite: tls_ecdh_rsa_with_3des_ede_cbc_sha (0xc00d)                 cipher suite: tls_dhe_rsa_with_3des_ede_cbc_sha (0x0016)                 cipher suite: tls_dhe_dss_with_3des_ede_cbc_sha (0x0013)                 cipher suite: tls_empty_renegotiation_info_scsv (0x00ff)             compression methods length: 1             compression methods (1 method)                 compression method: null (0)             extensions length: 62             extension: elliptic_curves                 type: elliptic_curves (0x000a)                 length: 52                 elliptic curves length: 50                 elliptic curves (25 curves)                     elliptic curve: secp256r1 (0x0017)                     elliptic curve: sect163k1 (0x0001)                     elliptic curve: sect163r2 (0x0003)                     elliptic curve: secp192r1 (0x0013)                     elliptic curve: secp224r1 (0x0015)                     elliptic curve: sect233k1 (0x0006)                     elliptic curve: sect233r1 (0x0007)                     elliptic curve: sect283k1 (0x0009)                     elliptic curve: sect283r1 (0x000a)                     elliptic curve: secp384r1 (0x0018)                     elliptic curve: sect409k1 (0x000b)                     elliptic curve: sect409r1 (0x000c)                     elliptic curve: secp521r1 (0x0019)                     elliptic curve: sect571k1 (0x000d)                     elliptic curve: sect571r1 (0x000e)                     elliptic curve: secp160k1 (0x000f)                     elliptic curve: secp160r1 (0x0010)                     elliptic curve: secp160r2 (0x0011)                     elliptic curve: sect163r1 (0x0002)                     elliptic curve: secp192k1 (0x0012)                     elliptic curve: sect193r1 (0x0004)                     elliptic curve: sect193r2 (0x0005)                     elliptic curve: secp224k1 (0x0014)                     elliptic curve: sect239k1 (0x0008)                     elliptic curve: secp256k1 (0x0016)             extension: ec_point_formats                 type: ec_point_formats (0x000b)                 length: 2                 ec point formats length: 1                 elliptic curves point formats (1)                     ec point format: uncompressed (0)  frame 6: 61 bytes on wire (488 bits), 61 bytes captured (488 bits)     encapsulation type: ethernet (1)     arrival time: apr 21, 2016 20:09:38.053842000 pdt     [time shift packet: 0.000000000 seconds]     epoch time: 1461294578.053842000 seconds     [time delta previous captured frame: 0.000377000 seconds]     [time delta previous displayed frame: 0.000403000 seconds]     [time since reference or first frame: 0.014243000 seconds]     frame number: 6     frame length: 61 bytes (488 bits)     capture length: 61 bytes (488 bits)     [frame marked: false]     [frame ignored: false]     [protocols in frame: eth:ethertype:ip:tcp:ssl] ethernet ii, src: 02:42:ac:11:00:02 (02:42:ac:11:00:02), dst: 02:42:f5:68:bc:7c (02:42:f5:68:bc:7c)     destination: 02:42:f5:68:bc:7c (02:42:f5:68:bc:7c)         address: 02:42:f5:68:bc:7c (02:42:f5:68:bc:7c)         .... ..1. .... .... .... .... = lg bit: locally administered address (this not factory default)         .... ...0 .... .... .... .... = ig bit: individual address (unicast)     source: 02:42:ac:11:00:02 (02:42:ac:11:00:02)         address: 02:42:ac:11:00:02 (02:42:ac:11:00:02)         .... ..1. .... .... .... .... = lg bit: locally administered address (this not factory default)         .... ...0 .... .... .... .... = ig bit: individual address (unicast)     type: ipv4 (0x0800) internet protocol version 4, src: 172.17.0.2, dst: 10.0.2.2     0100 .... = version: 4     .... 0101 = header length: 20 bytes     differentiated services field: 0x00 (dscp: cs0, ecn: not-ect)         0000 00.. = differentiated services codepoint: default (0)         .... ..00 = explicit congestion notification: not ecn-capable transport (0)     total length: 47     identification: 0x3fb8 (16312)     flags: 0x02 (don't fragment)         0... .... = reserved bit: not set         .1.. .... = don't fragment: set         ..0. .... = more fragments: not set     fragment offset: 0     time live: 64     protocol: tcp (6)     header checksum: 0x42fc [validation disabled]         [good: false]         [bad: false]     source: 172.17.0.2     destination: 10.0.2.2     [source geoip: unknown]     [destination geoip: unknown] transmission control protocol, src port: 5671 (5671), dst port: 39141 (39141), seq: 1, ack: 157, len: 7     source port: 5671     destination port: 39141     [stream index: 0]     [tcp segment len: 7]     sequence number: 1    (relative sequence number)     [next sequence number: 8    (relative sequence number)]     acknowledgment number: 157    (relative ack number)     header length: 20 bytes     flags: 0x018 (psh, ack)         000. .... .... = reserved: not set         ...0 .... .... = nonce: not set         .... 0... .... = congestion window reduced (cwr): not set         .... .0.. .... = ecn-echo: not set         .... ..0. .... = urgent: not set         .... ...1 .... = acknowledgment: set         .... .... 1... = push: set         .... .... .0.. = reset: not set         .... .... ..0. = syn: not set         .... .... ...0 = fin: not set         [tcp flags: *******ap***]     window size value: 30016     [calculated window size: 30016]     [window size scaling factor: -2 (no window scaling used)]     checksum: 0xb836 [validation disabled]         [good checksum: false]         [bad checksum: false]     urgent pointer: 0     [seq/ack analysis]         [irtt: 0.000165000 seconds]         [bytes in flight: 7] secure sockets layer     tlsv1 record layer: alert (level: fatal, description: insufficient security)         content type: alert (21)         version: tls 1.0 (0x0301)         length: 2         alert message             level: fatal (2)             description: insufficient security (71)

here spring connection failure:

org.springframework.amqp.amqpioexception: javax.net.ssl.sslhandshakeexception: received fatal alert: insufficient_security     @ sun.security.ssl.alerts.getsslexception(alerts.java:192)     @ sun.security.ssl.alerts.getsslexception(alerts.java:154)     @ sun.security.ssl.sslsocketimpl.recvalert(sslsocketimpl.java:2023)     @ sun.security.ssl.sslsocketimpl.readrecord(sslsocketimpl.java:1125)     @ sun.security.ssl.sslsocketimpl.performinitialhandshake(sslsocketimpl.java:1375)     @ sun.security.ssl.sslsocketimpl.writerecord(sslsocketimpl.java:747)     @ sun.security.ssl.appoutputstream.write(appoutputstream.java:123)     @ java.io.bufferedoutputstream.flushbuffer(bufferedoutputstream.java:82)     @ java.io.bufferedoutputstream.flush(bufferedoutputstream.java:140)     @ java.io.dataoutputstream.flush(dataoutputstream.java:123)     @ com.rabbitmq.client.impl.socketframehandler.sendheader(socketframehandler.java:129)     @ com.rabbitmq.client.impl.socketframehandler.sendheader(socketframehandler.java:134)     @ com.rabbitmq.client.impl.amqconnection.start(amqconnection.java:277)     @ com.rabbitmq.client.connectionfactory.newconnection(connectionfactory.java:647)     @ org.springframework.amqp.rabbit.connection.abstractconnectionfactory.createbareconnection(abstractconnectionfactory.java:273)     @ org.springframework.amqp.rabbit.connection.cachingconnectionfactory.createconnection(cachingconnectionfactory.java:510)     @ com.xoom.inf.amqp.tlstest.contactbrokerovertls(tlstest.java:42)

my rabbitmq broker configured negotiate tlsv1, tlsv1.1, , tlsv1.2. why tls setup fail tlsv1 , tlsv1.1 when broker should support that? same java client negotiate tlsv1 rabbitmq 3.3.1/erlang r16b02 broker.

thank you.

there regressions in erlang ssl application in 18.3.x series. 1 of them caused seeing: clients rejected during handshake, insufficient security logged on server-side. if remember correctly, appeared in patch 18.3.3 , fixed in 18.3.4. not problem client.

there regression in 18.3.2, fixed in 18.3.3, prevented rabbitmq starting @ (due change in representation of cipher suites).

thus recommended stay on 18.3 (the initial release) or update 19.x.


Comments

Post a Comment

Popular posts from this blog

html - Styling progress bar with inline style -

-
i trying set progress bar color red using inline style. need in way because have access <body> part of document. style need apply: progress { color: red } progress::-moz-progress-bar { background: red;} progress::-webkit-progress-value { background: red; } progress[aria-valuenow]:before { background: red; } i tried <progress style="background: red;"> incorrect effect, progress bar color turns blue red background. guide right direction desired style? thank in advance. here live example: https://jsfiddle.net/z36d3f6l/
Read more

java - Oracle Sql developer error: could not install some modules -

-
i have downloaded fresh copy of sqldeveloper ( sqldeveloper-4.1.3.20.78-no-jre ) oracle website. when unzip , lauch gui, keep getting following error message: warning - not install modules: dynamic module config - no module providing capability org.netbeans.netbinox found. my system: windows 7 32 bit hp probook. jdk 1.6 , 1.7, 1.8 available in java/jdk subdirectory. netbeans 8.0.2 installed finally got way out after dirty hours. extracted sqldeveloper zip in nested directory. i.e: e://a/b/c/sqldeveloper. starting sqldeveloper gui above directory threw erros. solution: go in c:\users**username**\appdata\roaming : delete sql developer , sqldeveloper folders extract sql developer zip in new non nested directory. i.e: e:// start , should work now reference: https://community.oracle.com/thread/3870680?start=0&tstart=0
Read more

How to use autoclose brackets in Jupyter notebook? -

-
this may sound silly question, how make use of autoclose brackets in jupyter notebook? example, when type print( jupyter notebook auto-closes brakets print() and places cursor inside. type argument, say print(1 + 1) now cursor between second 1 , right bracket ) . key navigate right of ) ? of course can press end or → or ) achieve this, not seem save time, purpose of brackets autoclose suppose? thanks in advance.
Read more