Discussion:
[rabbitmq-users] How can I get my shovel client to verify the server's certificate?
Greg Warner
2015-07-30 18:59:03 UTC
How can I get my shovel client to verify the server's certificate?

I've successfully got a shovel working from rabbit1 to rabbit2, two
rabbitmq hosts, with SSL/TLS. rabbit2 is using a certificate signed by a
CA. I'm trying to get rabbit1, the shovel client, to produce an error by
intentionally giving it the wrong CA certificate (a CA certificate that has
nothing to do with the CA that signed rabbit2's certificate).

Here is my shovel destination URI:

amqps://user:***@rabbit2?cacertfile=/var/rmq/badcacert.pem&verify=verify_peer



Rabbit2's rabbitmq.config (rabbit2 doesn't need to verify connecting
clients):

[
  {rabbit, [
    ...
    {ssl_options, [{cacertfile,"/var/rmq/cacert.pem"},
                   {certfile,"/var/rmq/servercert.pem"},
                   {keyfile,"/var/rmq/serverkey.pem"},
                   {verify,verify_none},
                   {fail_if_no_peer_cert,false}]}
  ]}
].


I would expect to see an error on the Shovel Status page, but instead I see
the green box and messages are happily being shoveled.

I seem to be experiencing the opposite problem of this user who couldn't
get the shovel plugin to _not_ verify the peer cert:
https://groups.google.com/d/msg/rabbitmq-users/nsj8qr3daGQ/H3NmzjGVjMQJ
--
You received this message because you are subscribed to the Google Groups "rabbitmq-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email to rabbitmq-users+***@googlegroups.com.
To post to this group, send an email to rabbitmq-***@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.
Greg Warner
2015-07-30 19:01:19 UTC
If it matters:

rmq 3.5.3
erlang 18.0.2
Post by Greg Warner
How can I get my shovel client to verify the server's certificate?
I've successfully got a shovel working from rabbit1 to rabbit2, two
rabbitmq hosts, with SSL/TLS. rabbit2 is using a certificate signed by a
CA. I'm trying to get rabbit1, the shovel client, to produce an error by
intentionally giving it the wrong CA certificate (a CA certificate that has
nothing to do with the CA that signed rabbit2's certificate).
Rabbit2's rabbitmq.config (rabbit2 doesn't need to verify connecting
[
  {rabbit, [
    ...
    {ssl_options, [{cacertfile,"/var/rmq/cacert.pem"},
                   {certfile,"/var/rmq/servercert.pem"},
                   {keyfile,"/var/rmq/serverkey.pem"},
                   {verify,verify_none},
                   {fail_if_no_peer_cert,false}]}
  ]}
].
I would expect to see an error on the Shovel Status page, but instead I
see the green box and messages are happily being shoveled.
I seem to be experiencing the opposite problem of this user who couldn't
https://groups.google.com/d/msg/rabbitmq-users/nsj8qr3daGQ/H3NmzjGVjMQJ
Michael Klishin
2015-07-30 19:06:51 UTC
Post by Greg Warner
How can I get my shovel client to verify the server's certificate?
Shovel uses RabbitMQ Erlang client under the hood. So you need to configure
amqp_client.ssl_options much like you do with rabbit.ssl_options.

amqp_client and rabbit should be siblings (not nested of one into the other)
in the config file.

Then just don’t forget to set `verify` to `verify_peer` ;) 
--
MK

Staff Software Engineer, Pivotal/RabbitMQ
Michael Klishin
2015-07-30 19:43:23 UTC
Post by Michael Klishin
Shovel uses RabbitMQ Erlang client under the hood. So you need
to configure
amqp_client.ssl_options much like you do with rabbit.ssl_options.
amqp_client and rabbit should be siblings (not nested of one
into the other)
in the config file.
Then just don’t forget to set `verify` to `verify_peer` ;)
Filed an issue because our docs in that area are lacking:
https://github.com/rabbitmq/rabbitmq-website/issues/42
--
MK

Staff Software Engineer, Pivotal/RabbitMQ
Greg Warner
2015-07-30 20:31:01 UTC
Post by Michael Klishin
Post by Michael Klishin
Shovel uses RabbitMQ Erlang client under the hood. So you need to configure
amqp_client.ssl_options much like you do with rabbit.ssl_options.
amqp_client and rabbit should be siblings (not nested of one
into the other)
in the config file.
Then just don’t forget to set `verify` to `verify_peer` ;)
https://github.com/rabbitmq/rabbitmq-website/issues/42
--
MK
Staff Software Engineer, Pivotal/RabbitMQ
This is the rabbitmq.config that I was using on rabbit1:

[
  {amqp_client, [
    {ssl_config, [{cacertfile,"/var/rmq/cacert2.pem"},
                  {verify,verify_peer},
                  {fail_if_no_peer_cert,true}]}
  ]},
  {rabbit, [...]}
].


Interesting that you suggest 'ssl_options'. I've used 'ssl_config' instead
due to what I see on https://www.rabbitmq.com/uri-query-parameters.html.
Greg Warner
2015-07-30 20:39:55 UTC
Post by Greg Warner
Post by Michael Klishin
Post by Michael Klishin
Shovel uses RabbitMQ Erlang client under the hood. So you need to configure
amqp_client.ssl_options much like you do with rabbit.ssl_options.
amqp_client and rabbit should be siblings (not nested of one into the other)
in the config file.
Then just don’t forget to set `verify` to `verify_peer` ;)
https://github.com/rabbitmq/rabbitmq-website/issues/42
--
MK
Staff Software Engineer, Pivotal/RabbitMQ
[
  {amqp_client, [
    {ssl_config, [{cacertfile,"/var/rmq/cacert2.pem"},
                  {verify,verify_peer},
                  {fail_if_no_peer_cert,true}]}
  ]},
  {rabbit, [...]}
].
Interesting that you suggest 'ssl_options'. I've used 'ssl_config'
instead due to what I see on
https://www.rabbitmq.com/uri-query-parameters.html.
Changing ssl_config to ssl_options gives me the error I'm looking for.
Thanks for the pointer!

Now, should putting the options as URL parameters have been enough?
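The rabbit1 configuration that Michael's advice and Greg's follow-up describe, assembled here as an added example rather than copied from either post or from the RabbitMQ project: `amqp_client` sits beside `rabbit`, and the key is `ssl_options`. The `rabbitmq_shovel` stanza, the queue name and the `depth` value are assumptions; the file paths are the ones used in the thread.

```erlang
%% rabbitmq.config on rabbit1 (the shovel client). Added example, not the
%% thread's own file. The `ssl_config` key from the first attempt is not a
%% key the Erlang client reads, so it was silently ignored and the shovel
%% dialled rabbit2 without verifying anything; `ssl_options` is the key.
[
 {amqp_client, [
   {ssl_options, [
     {cacertfile, "/var/rmq/cacert.pem"},  %% CA that signed rabbit2's server cert
     {verify, verify_peer},                 %% fail the handshake if the chain does not end at that CA
     {depth, 2}                             %% assumption: permit one intermediate CA in the chain
     %% fail_if_no_peer_cert from the first attempt is a server-side option
     %% (it controls whether a *client* must present a cert) and does
     %% nothing here, so it is left out.
   ]}
 ]},
 {rabbit, [
   %% rabbit1's own TLS listener options, if any, go here; they do not
   %% affect what the shovel verifies when it connects outbound.
 ]},
 {rabbitmq_shovel, [
   {shovels, [
     {to_rabbit2, [
       {sources,      [{broker, "amqp://"}]},                        %% local broker
       {destinations, [{broker, "amqps://user:PASSWORD@rabbit2"}]},  %% PASSWORD is a placeholder
       {queue, <<"outbound">>}                                       %% assumption: queue name
     ]}
   ]}
 ]}
].
```

With this in place, pointing `cacertfile` at a CA that did not sign rabbit2's certificate is what should turn the Shovel Status page red, which is the check Greg was running.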
Michael Klishin
2015-07-30 22:22:57 UTC
Post by Greg Warner
Now, should putting the options as URL parameters have been
enough?
Do you mean query parameters?

http://www.rabbitmq.com/uri-query-parameters.html

Note that they will be merged with the values in the config. 
--
MK

Staff Software Engineer, Pivotal/RabbitMQ
Greg Warner
2015-07-30 22:31:18 UTC
Post by Michael Klishin
Post by Greg Warner
Now, should putting the options as URL parameters have been
enough?
Do you mean query parameters?
http://www.rabbitmq.com/uri-query-parameters.html
Note that they will be merged with the values in the config.
--
MK
Staff Software Engineer, Pivotal/RabbitMQ
Yes. I should've said 'query parameters'. Per my original email, I think
the query parameters I was specifying should've caused it to verify the
peer cert and throw an error when it found the certs didn't match. Unless
I did something wrong (which is highly likely), I'd suggest that there is a
bug. For reference, here was my original uri:

amqps://user:***@rabbit2?cacertfile=/var/rmq/badcacert.pem&verify=verify_peer
Michael Klishin
2015-07-30 23:42:04 UTC
Yes. I should've said 'query parameters'. Per my original email,
I think the query parameters I was specifying should've caused
it to verify the peer cert and throw an error when it found the certs
didn't match. Unless I did something wrong (which is highly likely),
I'd suggest that there is a bug. For reference, here was my original
My guess is that it’s a matter of priorities (what overrides what). Need to check the implementation.
--
MK

Staff Software Engineer, Pivotal/RabbitMQ