RabbitMQ SSL 连接在 Ubuntu14.04 机器上有效,但在 CentOS 6 机器上无效

RabbitMQ SSL 连接在 Ubuntu14.04 机器上有效,但在 CentOS 6 机器上无效

我已根据此处的文档在远程服务器上设置了 rabbitmq ssl 连接:https://www.rabbitmq.com/ssl.html

我正在使用 java rabbitmqclient 连接到远程服务器并向 rabbitmq-server 上的队列发送 hello 消息,该连接在我的本地 ubuntu 14.04 机器上运行良好,但在 centOS 6 机器上运行不正常。

打开SSL使用的s_client命令:

openssl s_client -connect rabbitserver:5671 -cert cert.pem -key key.pem -CAfile cacert.pem

在 ubuntu 上打开 SSL 输出:

CONNECTED(00000003)
depth=1 CN = MyTestCA
verify return:1
depth=0 CN = LAP0078, O = server
verify return:1
---
Certificate chain
 0 s:/CN=LAP0078/O=server
   i:/CN=MyTestCA
 1 s:/CN=MyTestCA
   i:/CN=MyTestCA
---
Server certificate
-----BEGIN CERTIFICATE-----
MIIC4DCCAcigAwIBAgIBATANBgkqhkiG9w0BAQsFADATMREwDwYDVQQDEwhNeVRl
c3RDQTAeFw0xODAyMTUwODAwMTRaFw0yODAyMTMwODAwMTRaMCMxEDAOBgNVBAMM
B0xBUDAwNzgxDzANBgNVBAoMBnNlcnZlcjCCASIwDQYJKoZIhvcNAQEBBQADggEP
ADCCAQoCggEBAMQmDjoWiZYSugEHGGBBV1eEhJiyGHxgACtQ5al6SVPnPM3PYGOH
N5nkPJIl/khymJWAav6B0zF4u46W01MZ90OzwvBvwWHJOBZCjrYCwclFhEW00Wte
QB7thTfo8kO9LnDQ//gAOx/3oxZUsyv85snlA3IiZDiOBNTNi7i4rmEF1X6St9cy
Bhm13k13MSMPGvg5cwt0DPax78PiJuDJmcLv6jV0dtyuOOaVRKN2XQsw4nJ7mPDh
rymnaWo2XL663vwDDkG306jpYR0BpeYBjcxM9BDDQLxydGj1DQPuG4yS1BLsfPCT
HyBklwW7tsYMH4NLejWYOkpBUA0F9rN318cCAwEAAaMvMC0wCQYDVR0TBAIwADAL
BgNVHQ8EBAMCBaAwEwYDVR0lBAwwCgYIKwYBBQUHAwEwDQYJKoZIhvcNAQELBQAD
ggEBAD3UFwHy1cYMI7PemLzRGrIK8fuuScRr1XHqZ6Jm8IY15l4DKaOP2bfa8l8f
2gvrDlQRe+wAA4rzHVfHar8Y5EwVklf8y9xb2+5kDrG10dfD97EQpGC2mihdOB7Z
BfUlreIsazsZS4n/pGVvdMLPKAxIv8r8Gc9GMYRmLPn9mnx3k3u7AHLMKrbF7Dr4
KLyV09CtfiYz/Cp7A2/QHY+bR4J9kJKlzBQTtp1o+A+ek598AUTUF1SDlhNf4o17
K6FzDyABWLcJdzqJPmgR9RDRYO8+B2ej8nmqV8xoqSSsM5NCpn8XTGICVDXVjWhu
mjPA+HtO4q1d8ig4ErkfygEzhDE=
-----END CERTIFICATE-----
subject=/CN=LAP0078/O=server
issuer=/CN=MyTestCA
---
Acceptable client certificate CA names
/CN=MyTestCA
---
SSL handshake has read 2160 bytes and written 2298 bytes
---
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-SHA384
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES256-SHA384
    Session-ID: 3DFE01EE903538C9084A8B9E7FDD68021106C1992DC35B313A7C86A3D4CE5579
    Session-ID-ctx: 
    Master-Key: D64753633EC177935CB2E19A630DD6C8285779D02D52D480B9CE2265658D92F5F827C62E5BE3B816CF3A2E14BFEB547B
    Key-Arg   : None
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    Start Time: 1519115155
    Timeout   : 300 (sec)
    Verify return code: 0 (ok)
---
closed

CentOS 上的 Openssl 输出:

CONNECTED(00000003)
SSL_connect:before/connect initialization
write to 0x8256ab0 [0x82573f0] (247 bytes => -1 (0xFFFFFFFF))
SSL_connect:error in SSLv2/v3 write client hello B
write:errno=104
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 0 bytes and written 0 bytes
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
---

java 进程的 SSL 输出:

Ignoring unavailable cipher suite: TLS_DHE_DSS_WITH_AES_256_GCM_SHA384                                              
Ignoring unavailable cipher suite: TLS_RSA_WITH_AES_256_CBC_SHA                                                     
Ignoring unavailable cipher suite: TLS_DHE_RSA_WITH_AES_256_GCM_SHA384                                              
Ignoring unavailable cipher suite: TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA                                              
Ignoring unavailable cipher suite: TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384                                          
Ignoring unavailable cipher suite: TLS_RSA_WITH_AES_256_CBC_SHA256                                                  
Ignoring unavailable cipher suite: TLS_DHE_DSS_WITH_AES_256_CBC_SHA                                                 
Ignoring unavailable cipher suite: TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384                                           
Ignoring unavailable cipher suite: TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384                                             
Ignoring unavailable cipher suite: TLS_RSA_WITH_AES_256_GCM_SHA384                                                  
Ignoring unavailable cipher suite: TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384                                           
Ignoring unavailable cipher suite: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384                                            
Ignoring unavailable cipher suite: TLS_ECDH_RSA_WITH_AES_256_CBC_SHA                                                
Ignoring unavailable cipher suite: TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384                                             
Ignoring unavailable cipher suite: TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384                                          
Ignoring unavailable cipher suite: TLS_DHE_RSA_WITH_AES_256_CBC_SHA256                                              
Ignoring unavailable cipher suite: TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA                                             
Ignoring unavailable cipher suite: TLS_DHE_DSS_WITH_AES_256_CBC_SHA256                                              
Ignoring unavailable cipher suite: TLS_DHE_RSA_WITH_AES_256_CBC_SHA                                                 
Ignoring unavailable cipher suite: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA                                               
Ignoring unavailable cipher suite: TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384                                            
Allow unsafe renegotiation: false                                                                                   
Allow legacy hello messages: true                                                                                   
Is initial handshake: true                                                                                          
Is secure renegotiation: false                                                                                      
pool-2-thread-1, setSoTimeout(10000) called 
Ignoring unsupported cipher suite: TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 for TLSv1                                
Ignoring unsupported cipher suite: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 for TLSv1                                  
Ignoring unsupported cipher suite: TLS_RSA_WITH_AES_128_CBC_SHA256 for TLSv1                                        
Ignoring unsupported cipher suite: TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256 for TLSv1                                 
Ignoring unsupported cipher suite: TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256 for TLSv1                                   
Ignoring unsupported cipher suite: TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 for TLSv1                                    
Ignoring unsupported cipher suite: TLS_DHE_DSS_WITH_AES_128_CBC_SHA256 for TLSv1                                    
Ignoring unsupported cipher suite: TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 for TLSv1.1                              
Ignoring unsupported cipher suite: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 for TLSv1.1                                
Ignoring unsupported cipher suite: TLS_RSA_WITH_AES_128_CBC_SHA256 for TLSv1.1                                      
Ignoring unsupported cipher suite: TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256 for TLSv1.1                               
Ignoring unsupported cipher suite: TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256 for TLSv1.1                                 
Ignoring unsupported cipher suite: TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 for TLSv1.1                                  
Ignoring unsupported cipher suite: TLS_DHE_DSS_WITH_AES_128_CBC_SHA256 for TLSv1.1                                  
%% No cached client session                                                                                         
*** ClientHello, TLSv1.2                                                                                            
RandomCookie:  GMT: 1502197153 bytes = { 240, 9, 18, 141, 86, 242, 197, 223, 248, 4, 162, 202, 246, 53, 139, 10, 48, 117, 190, 160, 172, 78, 177, 16, 228, 123, 156, 90 }                                                               
Session ID:  {}                                                                                                     
Cipher Suites: [TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256, TLS_RSA_WITH_AES_128_CBC_SHA256, TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256, TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256, TLS_DHE_RSA_WITH_AES_128_CBC_SHA256, TLS_DHE_DSS_WITH_AES_128_CBC_SHA256, TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, TLS_RSA_WITH_AES_128_CBC_SHA, TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA, TLS_ECDH_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_DSS_WITH_AES_128_CBC_SHA, TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, TLS_RSA_WITH_AES_128_GCM_SHA256, TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256, TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256, TLS_DHE_RSA_WITH_AES_128_GCM_SHA256, TLS_DHE_DSS_WITH_AES_128_GCM_SHA256, TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA, TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_RSA_WITH_3DES_EDE_CBC_SHA, TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA, TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA, TLS_ECDHE_ECDSA_WITH_RC4_128_SHA, TLS_ECDHE_RSA_WITH_RC4_128_SHA, SSL_RSA_WITH_RC4_128_SHA, TLS_ECDH_ECDSA_WITH_RC4_128_SHA, TLS_ECDH_RSA_WITH_RC4_128_SHA, SSL_RSA_WITH_RC4_128_MD5, TLS_EMPTY_RENEGOTIATION_INFO_SCSV]                   
Compression Methods:  { 0 }                                                                                         
Extension elliptic_curves, curve names: {secp256r1, sect163k1, sect163r2, secp192r1, secp224r1, sect233k1, sect233r1, sect283k1, sect283r1, secp384r1, sect409k1, sect409r1, secp521r1, sect571k1, sect571r1, secp160k1, secp160r1, secp160r2, sect163r1, secp192k1, sect193r1, sect193r2, secp224k1, sect239k1, secp256k1}                                 
Extension ec_point_formats, formats: [uncompressed]                                                                 
Extension signature_algorithms, signature_algorithms: SHA512withECDSA, SHA512withRSA, SHA384withECDSA, SHA384withRSA, SHA256withECDSA, SHA256withRSA, SHA224withECDSA, SHA224withRSA, SHA1withECDSA, SHA1withRSA, SHA1withDSA, MD5withRSA                                                                                                                   
***                                                                                                                 
pool-2-thread-1, WRITE: TLSv1.2 Handshake, length = 207                                                             
pool-2-thread-1, waiting for close_notify or alert: state 1                                                         
pool-2-thread-1, Exception while waiting for close java.net.SocketException: Connection reset                       
pool-2-thread-1, handling exception: java.net.SocketException: Connection reset                                     
pool-2-thread-1, SEND TLSv1.2 ALERT:  fatal, description = unexpected_message                                       
pool-2-thread-1, WRITE: TLSv1.2 Alert, length = 2                                                                   
pool-2-thread-1, Exception sending alert: java.net.SocketException: Broken pipe                                     
pool-2-thread-1, called closeSocket()                                                                               
pool-2-thread-1, called close()                                                                                     
pool-2-thread-1, called closeInternal(true)  

Jar/软件包版本:

  1. rabbitmqclient: 3.3.1
  2. 骆驼:2.18.1
  3. rabbitmq: 3.6.15
  4. 二郎山: 19.3.6
  5. Java:8

我如何从我的 centOS 机器建立连接?

答案1

我认为您的问题出在 Java 上,您需要安装 Java 加密扩展 (JCE) 无限强度管辖策略文件,因为默认情况下安装的 Java 仅启用了有限强度(显然是为了允许全球分发 - 特殊的当地法律要求)

https://www.oracle.com/technetwork/java/javase/documentation/jceunlimitedstrghpolicyfilereadme-2864390.html

由于某些国家/地区的进口管制限制,Java 运行时环境 (JRE(TM)) 8 环境中捆绑的 JCE 策略文件版本允许使用“强”但有限的加密技术。此下载包(包括此 README 文件的包)提供“无限强度”策略文件,其中不包含对加密强度的限制。

这个想法来自于对两次连接尝试的比较,成功的一次连接尝试如下:

New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-SHA384

而失败者则表示(其中包括):

Ignoring unavailable cipher suite: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 
Ignoring unavailable cipher suite: TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 

相关内容