On Thursday, February 19, 2015 20:20 CET, "Sebastian Reitenbach" <sebas...@l00-bugdead-prods.de> wrote:
>
> On Thursday, February 19, 2015 19:10 CET, "Sebastian Reitenbach"
> <sebas...@l00-bugdead-prods.de> wrote:
>
> >
> > On Thursday, February 19, 2015 17:13 CET, David Coppa <dco...@gmail.com>
> > wrote:
> >
> > > On Thu, Feb 19, 2015 at 4:49 PM, David Coppa <dco...@gmail.com> wrote:
> > > > On Wed, Feb 18, 2015 at 11:14 PM, Sebastian Reitenbach
> > > > <sebas...@l00-bugdead-prods.de> wrote:
> > > >> Hi,
> > > >>
> > > >> spent the whole evening trying to wrap my head around erlang. At least
> > > >> made a bit of progress.
> > > >> As the subject says, SSL is not totally broken. The (broken) SSLv3
> > > >> works, but not
> > > >> TLS. At least, I was up to now not able to get TLS to work.
> > > >
> > > > Very strange! Because it seems that, as of RabbitMQ>=3.4.0, SSLv3 is
> > > > disabled automatically to prevent the POODLE attack [1].
> > > >
> > > > One has to explicitly set the "ssl_allow_poodle_attack" rabbit config
> > > > item to true, to make SSLv3 work...
> >
> > I only tried to access the management port for now, and that worked without
> > that parameter.
> >
> > > >
> > > > [1] https://www.rabbitmq.com/ssl.html
> > > >
> > > > Ciao
> > > > David
> > >
> > > It seems there are a lot of SSL-related bugfixes between Erlang 16 and 17:
> > >
> > > https://github.com/erlang/otp/blob/maint/lib/ssl/doc/src/notes.xml
> > >
> > > (R16B03-1 has SSL library version 5.3.3, while they're at SSL 5.3.8 now)
> > >
> > > So maybe SSL is broken with R16... I don't know...
> >
> > I'm going to downgrade my erlang to R16B03 (without the -1)
> > because from that changelog, there also were some "fixes" with regard to
> > SSL application. Hope that may work. If so, it should make it easier to
> > hopefully spot what's causing my trouble.
>
> downgrade didn't help, exactly same error.
> Then I tried an upgrade to erlang-17.4, still no luck, but different error:
>
> curl -k --noproxy localhost --retry 30 --retry-delay 6 -f -L -o
> /var/rabbitmq/rabbitmqadmin
> https://guest:guest@localhost:15671/cli/rabbitmqadmin
>
> ** Reason for termination =
> ** {function_clause,[{ssl_cipher,hash_algorithm,"�",
>                       [{file,"ssl_cipher.erl"},{line,1196}]},
>                      {ssl_handshake,'-dec_hello_extensions/2-lc$^0/1-1-',1,
>                       [{file,"ssl_handshake.erl"},{line,1706}]},
>                      {ssl_handshake,'-dec_hello_extensions/2-lc$^0/1-1-',1,
>                       [{file,"ssl_handshake.erl"},{line,1707}]},
>                      {ssl_handshake,dec_hello_extensions,2,
>                       [{file,"ssl_handshake.erl"},{line,1706}]},
>                      {tls_handshake,decode_handshake,3,
>                       [{file,"tls_handshake.erl"},{line,184}]},
>                      {tls_handshake,get_tls_handshake_aux,3,
>                       [{file,"tls_handshake.erl"},{line,155}]},
>                      {tls_connection,next_state,4,
>                       [{file,"tls_connection.erl"},{line,433}]},
>                      {gen_fsm,handle_msg,7,
>                       [{file,"gen_fsm.erl"},{line,503}]}]}
>
forgot, this is the ssl_cipher.erl around the line it fails:

   1192     ?MD5SHA;
   1193 prf_algorithm(Algo, _) ->
   1194     hash_algorithm(Algo).
   1195
   1196 hash_algorithm(null)   -> ?NULL;
   1197 hash_algorithm(md5)    -> ?MD5;
   1198 hash_algorithm(sha)   -> ?SHA; %% Only sha always refers to "SHA-1"
   1199 hash_algorithm(sha224) -> ?SHA224;
   1200 hash_algorithm(sha256) -> ?SHA256;

and this hash algorithm printed in the error message, seems to be odd indeed.

>
> maybe it's a libressl/openssl problem? Weren't there other port(s)
> that were switched to use openssl because something didn't
> work with libressl?
>
> On the other hand I've seen, rabbitmq 3.4.4 is available,
> ours is 3.4.2. I'll also try upgrading that one.
> But that's all for tomorrow or the weekend.
>
> Sebastian
>
> >
> > cheers,
> > Sebastian
> >
> > >
> > > Ciao!
> > > David
> > > --
> > > "If you try a few times and give up, you'll never get there. But if
> > > you keep at it... There's a lot of problems in the world which can
> > > really be solved by applying two or three times the persistence that
> > > other people will."
> > > -- Stewart Nelson
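
Added example, not part of the original message and not OTP source: in a function_clause trace the third element of the top entry is the argument list, so the "�" above is a one-element list holding a byte for which hash_algorithm/1 has no clause. Assuming that byte came from the peer's TLS 1.2 signature_algorithms hello extension (RFC 5246, section 7.4.1.4.1), the module below contrasts a strict decode of that extension with one that skips unknown code points. The module name, function names and sample bytes are constructed for illustration.

```erlang
%% Added illustration; module and function names are hypothetical.
-module(sigalgs_demo).
-export([strict/1, tolerant/1, demo/0]).

%% HashAlgorithm and SignatureAlgorithm code points from RFC 5246, 7.4.1.4.1.
%% There is deliberately no catch-all clause: an unlisted byte raises
%% function_clause, the error class shown in the trace.
hash(0) -> null;   hash(1) -> md5;    hash(2) -> sha;    hash(3) -> sha224;
hash(4) -> sha256; hash(5) -> sha384; hash(6) -> sha512.

sign(0) -> anon; sign(1) -> rsa; sign(2) -> dsa; sign(3) -> ecdsa.

%% extension_data is a 2-byte vector length followed by
%% (hash, signature) byte pairs.
%% Strict decode: every byte is looked up unconditionally.
strict(<<Len:16, Pairs:Len/binary>>) ->
    [{hash(H), sign(S)} || <<H:8, S:8>> <= Pairs].

%% Tolerant decode: pairs containing a code point the tables lack are
%% dropped, so a peer advertising extra algorithms cannot crash the
%% process handling the handshake.
tolerant(<<Len:16, Pairs:Len/binary>>) ->
    lists:append([known(H, S) || <<H:8, S:8>> <= Pairs]);
tolerant(_Malformed) ->
    [].

known(H, S) when H =< 6, S =< 3 -> [{hash(H), sign(S)}];
known(_, _) -> [].

demo() ->
    %% Constructed sample: sha256/rsa, sha/rsa, then a pair whose hash id
    %% 16#F0 is not in the table (value chosen for illustration only).
    Ext = <<0,6, 4,1, 2,1, 16#F0,1>>,
    Strict = try strict(Ext)
             catch error:function_clause -> crashed
             end,
    {tolerant(Ext), Strict}.
```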