On Thursday, February 19, 2015 19:10 CET, "Sebastian Reitenbach" 
<sebas...@l00-bugdead-prods.de> wrote: 
 
>  
> On Thursday, February 19, 2015 17:13 CET, David Coppa <dco...@gmail.com> 
> wrote: 
>  
> > On Thu, Feb 19, 2015 at 4:49 PM, David Coppa <dco...@gmail.com> wrote:
> > > On Wed, Feb 18, 2015 at 11:14 PM, Sebastian Reitenbach
> > > <sebas...@l00-bugdead-prods.de> wrote:
> > >> Hi,
> > >>
> > >> spent the whole evening trying to wrap my head around erlang. At least 
> > >> made a bit of progress.
> > >> As the subject says, SSL is not totally broken. The (broken) SSLv3 
> > >> works, but not
> > >> TLS. At least, I was up to now not able to get TLS to work.
> > >
> > > Very strange! Because it seems that, as of RabbitMQ>=3.4.0, SSLv3 is
> > > disabled automatically to prevent the POODLE attack [1].
> > >
> > > One has to explicitly set the "ssl_allow_poodle_attack" rabbit config
> > > item to true, to make SSLv3 work...
> 
> I only tried to access the management port for now, and that worked without 
> that parameter.
> 
> 
> > >
> > > [1] https://www.rabbitmq.com/ssl.html
> > >
> > > Ciao
> > > David
> > 
> > It seems there are a lot of SSL-related bugfixes between Erlang 16 and 17:
> > 
> > https://github.com/erlang/otp/blob/maint/lib/ssl/doc/src/notes.xml
> > 
> > (R16B03-1 has SSL library version 5.3.3, while they're at SSL 5.3.8 now)
> > 
> > So maybe SSL is broken with R16... I don't know...
> 
> I'm going to downgrade my erlang to R16B03 (without the -1)
> because from that changelog, there also were some "fixes" with regard to
> SSL application. Hope that may work. If so, it should make it easier
> to hopefully spot what's causing my trouble.

Downgrade didn't help, exactly the same error.
Then I tried an upgrade to erlang-17.4, still no luck, but a different error:

curl -k --noproxy localhost --retry 30 --retry-delay 6 -f -L \
    -o /var/rabbitmq/rabbitmqadmin \
    https://guest:guest@localhost:15671/cli/rabbitmqadmin

** Reason for termination = 
** {function_clause,[{ssl_cipher,hash_algorithm,"�",
                                 [{file,"ssl_cipher.erl"},{line,1196}]},
                     {ssl_handshake,'-dec_hello_extensions/2-lc$^0/1-1-',1,
                                    [{file,"ssl_handshake.erl"},{line,1706}]},
                     {ssl_handshake,'-dec_hello_extensions/2-lc$^0/1-1-',1,
                                    [{file,"ssl_handshake.erl"},{line,1707}]},
                     {ssl_handshake,dec_hello_extensions,2,
                                    [{file,"ssl_handshake.erl"},{line,1706}]},
                     {tls_handshake,decode_handshake,3,
                                    [{file,"tls_handshake.erl"},{line,184}]},
                     {tls_handshake,get_tls_handshake_aux,3,
                                    [{file,"tls_handshake.erl"},{line,155}]},
                     {tls_connection,next_state,4,
                                     [{file,"tls_connection.erl"},{line,433}]},
                     {gen_fsm,handle_msg,7,
                              [{file,"gen_fsm.erl"},{line,503}]}]}


Maybe it's a libressl/openssl problem? Weren't there other port(s)
that were switched to use openssl because something didn't
work with libressl?

On the other hand I've seen, rabbitmq 3.4.4 is available,
ours is 3.4.2. I'll also try upgrading that one.
But that's all for tomorrow or the weekend.

Sebastian

> 
> cheers,
> Sebastian
> 
> > 
> > Ciao!
> > David
> > -- 
> > "If you try a few times and give up, you'll never get there. But if
> > you keep at it... There's a lot of problems in the world which can
> > really be solved by applying two or three times the persistence that
> > other people will."
> >                 -- Stewart Nelson
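
The trace in the message above terminates in ssl_cipher:hash_algorithm while dec_hello_extensions is decoding the ClientHello. As an added illustration (not code from this thread or from Erlang/OTP), the Python below assumes the failing input is a signature_algorithms pair whose hash id the decoder has no clause for, which the thread does not confirm, and contrasts a strict decoder with one that skips unknown pairs. The sample bytes are constructed.

```python
import struct

# HashAlgorithm and SignatureAlgorithm ids defined in RFC 5246, section 7.4.1.4.1
HASHES = {0: "none", 1: "md5", 2: "sha1", 3: "sha224",
          4: "sha256", 5: "sha384", 6: "sha512"}
SIGS = {0: "anonymous", 1: "rsa", 2: "dsa", 3: "ecdsa"}


def split_pairs(ext_body: bytes):
    """Return the raw (hash_id, sig_id) pairs of a signature_algorithms body."""
    if len(ext_body) < 2:
        raise ValueError("truncated extension")
    (length,) = struct.unpack("!H", ext_body[:2])
    data = ext_body[2:]
    if length != len(data) or length % 2:
        raise ValueError("bad supported_signature_algorithms length")
    return [(data[i], data[i + 1]) for i in range(0, length, 2)]


def decode_strict(ext_body: bytes):
    """Map every pair; an unknown id raises KeyError and aborts the handshake."""
    return [(HASHES[h], SIGS[s]) for h, s in split_pairs(ext_body)]


def decode_tolerant(ext_body: bytes):
    """Keep the pairs this peer understands and report the ones it skipped."""
    known, skipped = [], []
    for h, s in split_pairs(ext_body):
        if h in HASHES and s in SIGS:
            known.append((HASHES[h], SIGS[s]))
        else:
            skipped.append((h, s))
    return known, skipped


# Constructed sample: sha256/rsa, one pair not defined in RFC 5246 (0xEE, 0xEE),
# then sha1/ecdsa. The 0xEE value is an assumption chosen for illustration.
SAMPLE = bytes.fromhex("0006" "0401" "eeee" "0203")

if __name__ == "__main__":
    print(decode_tolerant(SAMPLE))
    try:
        decode_strict(SAMPLE)
    except KeyError as exc:
        print("strict decoder failed on id", exc)
```
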