On Thursday, February 19, 2015 20:22 CET, "Sebastian Reitenbach" <[email protected]> wrote:
> On Thursday, February 19, 2015 20:20 CET, "Sebastian Reitenbach" <[email protected]> wrote:
> > On Thursday, February 19, 2015 19:10 CET, "Sebastian Reitenbach" <[email protected]> wrote:
> > > On Thursday, February 19, 2015 17:13 CET, David Coppa <[email protected]> wrote:
> > > > On Thu, Feb 19, 2015 at 4:49 PM, David Coppa <[email protected]> wrote:
> > > > > On Wed, Feb 18, 2015 at 11:14 PM, Sebastian Reitenbach <[email protected]> wrote:
> > > > > > Hi,
> > > > > >
> > > > > > spent the whole evening trying to wrap my head around erlang. At least made a bit of progress.
> > > > > > As the subject says, SSL is not totally broken. The (broken) SSLv3 works, but not TLS. At least, I was up to now not able to get TLS to work.
> > > > >
> > > > > Very strange! Because it seems that, as of RabbitMQ>=3.4.0, SSLv3 is disabled automatically to prevent the POODLE attack [1].
> > > > >
> > > > > One has to explicitly set the "ssl_allow_poodle_attack" rabbit config item to true, to make SSLv3 work...
> > >
> > > I only tried to access the management port for now, and that worked without that parameter.
> > >
> > > > > [1] https://www.rabbitmq.com/ssl.html
> > > > >
> > > > > Ciao
> > > > > David
> > > >
> > > > It seems there are a lot of SSL-related bugfixes between Erlang 16 and 17:
> > > >
> > > > https://github.com/erlang/otp/blob/maint/lib/ssl/doc/src/notes.xml
> > > > (R16B03-1 has SSL library version 5.3.3, while they're at SSL 5.3.8 now)
> > > >
> > > > So maybe SSL is broken with R16... I don't know...
> > >
> > > I'm going to downgrade my erlang to R16B03 (without the -1) because from that changelog, there also were some "fixes" with regard to the SSL application. Hope that may work. If so, it should make it easier to hopefully spot what's causing my trouble.
> >
> > downgrade didn't help, exactly same error.
> > Then I tried an upgrade to erlang-17.4, still no luck, but different error:
> >
> > curl -k --noproxy localhost --retry 30 --retry-delay 6 -f -L -o /var/rabbitmq/rabbitmqadmin https://guest:guest@localhost:15671/cli/rabbitmqadmin
> >
> > ** Reason for termination =
> > ** {function_clause,[{ssl_cipher,hash_algorithm,"�",
> >                                  [{file,"ssl_cipher.erl"},{line,1196}]},
> >                     {ssl_handshake,'-dec_hello_extensions/2-lc$^0/1-1-',1,
> >                                  [{file,"ssl_handshake.erl"},{line,1706}]},
> >                     {ssl_handshake,'-dec_hello_extensions/2-lc$^0/1-1-',1,
> >                                  [{file,"ssl_handshake.erl"},{line,1707}]},
> >                     {ssl_handshake,dec_hello_extensions,2,
> >                                  [{file,"ssl_handshake.erl"},{line,1706}]},
> >                     {tls_handshake,decode_handshake,3,
> >                                  [{file,"tls_handshake.erl"},{line,184}]},
> >                     {tls_handshake,get_tls_handshake_aux,3,
> >                                  [{file,"tls_handshake.erl"},{line,155}]},
> >                     {tls_connection,next_state,4,
> >                                  [{file,"tls_connection.erl"},{line,433}]},
> >                     {gen_fsm,handle_msg,7,
> >                                  [{file,"gen_fsm.erl"},{line,503}]}]}
> >
>
> forgot, this is the ssl_cipher.erl around the line it fails:
>
> 1192     ?MD5SHA;
> 1193 prf_algorithm(Algo, _) ->
> 1194     hash_algorithm(Algo).
> 1195
> 1196 hash_algorithm(null) -> ?NULL;
> 1197 hash_algorithm(md5) -> ?MD5;
> 1198 hash_algorithm(sha) -> ?SHA; %% Only sha always refers to "SHA-1"
> 1199 hash_algorithm(sha224) -> ?SHA224;
> 1200 hash_algorithm(sha256) -> ?SHA256;
>
> and this hash algorithm printed in the error message seems to be odd indeed.

so even with upgraded erlang to 17.4, and with upgraded rabbitmq to 3.4.4, and linking against openssl from ports, I get the same error as above.
For the time being, I'll resort back, and do run rabbitmq without SSL, but behind SSL-terminating relayd.

Sebastian

> > maybe it's a libressl/openssl problem? Weren't there other port(s) that were switched to use openssl because something didn't work with libressl?
> >
> > On the other hand I've seen, rabbitmq 3.4.4 is available, ours is 3.4.2. I'll also try upgrading that one.
> > But that's all for tomorrow or the weekend.
> >
> > Sebastian
> >
> > > cheers,
> > > Sebastian
> > >
> > > > Ciao!
> > > > David
> > > > --
> > > > "If you try a few times and give up, you'll never get there. But if you keep at it... There's a lot of problems in the world which can really be solved by applying two or three times the persistence that other people will."
> > > > -- Stewart Nelson
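The trace quoted in the thread shows `ssl_cipher:hash_algorithm/1` raising `function_clause` inside `dec_hello_extensions`, i.e. the decoder was handed a hash-algorithm value it has no clause for, and the whole handshake died with it. Whatever the root cause on that box, the failure class is worth seeing in isolation: below is an added example, not code from the thread or from Erlang/OTP, in Python rather than Erlang, that decodes the body of a TLS 1.2 `signature_algorithms` ClientHello extension (RFC 5246, the one hello extension that carries hash-algorithm codes) and contrasts a strict decoder that aborts on an unrecognised code with one that skips the entry. The function names, the sample bytes and the unknown code `0x0b` are constructed for this example.

```python
import struct

# RFC 5246 section 7.4.1.4.1 code points for HashAlgorithm and SignatureAlgorithm
HASH_ALGS = {0: "none", 1: "md5", 2: "sha1", 3: "sha224", 4: "sha256", 5: "sha384", 6: "sha512"}
SIG_ALGS = {0: "anonymous", 1: "rsa", 2: "dsa", 3: "ecdsa"}

# Constructed signature_algorithms extension body (not captured traffic):
# a 2-byte list length, then (hash, sig) byte pairs; 0x0b is a hash code the table lacks.
SAMPLE_EXT_BODY = bytes.fromhex("0008" "0401" "0503" "0b01" "0201")


def parse_signature_algorithms(ext_body: bytes, strict: bool):
    """Decode a signature_algorithms extension body into (recognised_pairs, skipped_codes).

    strict=True raises on an unrecognised code, which is what a function_clause in the
    decoder amounts to: the connection is torn down. strict=False drops only that entry,
    so the peer's remaining algorithms can still be negotiated.
    """
    if len(ext_body) < 2:
        raise ValueError("signature_algorithms body shorter than its length field")
    (list_len,) = struct.unpack("!H", ext_body[:2])
    entries = ext_body[2:]
    if list_len != len(entries) or list_len % 2:
        raise ValueError("signature_algorithms length field does not match body")

    recognised, skipped = [], []
    for i in range(0, list_len, 2):
        hash_code, sig_code = entries[i], entries[i + 1]
        if hash_code not in HASH_ALGS or sig_code not in SIG_ALGS:
            if strict:
                raise KeyError(f"no clause for hash/sig code {hash_code:#04x}/{sig_code:#04x}")
            skipped.append((hash_code, sig_code))
            continue
        recognised.append((HASH_ALGS[hash_code], SIG_ALGS[sig_code]))
    return recognised, skipped


def handshake_survives(ext_body: bytes, strict: bool) -> bool:
    """True if the decoder returns for this body instead of aborting the handshake."""
    try:
        parse_signature_algorithms(ext_body, strict)
        return True
    except (KeyError, ValueError):
        return False


if __name__ == "__main__":
    pairs, skipped = parse_signature_algorithms(SAMPLE_EXT_BODY, strict=False)
    print("accepted:", pairs)
    print("skipped unknown codes:", skipped)
    print("strict decoder survives the same bytes:", handshake_survives(SAMPLE_EXT_BODY, strict=True))
```

The length checks stay in both modes: a malformed length is a protocol error and should fail the handshake, while an unknown code point is merely something the peer supports and we do not.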
