The .NET client cannot connect to AMQP over TLS on port 5671 on Windows Server 2019 Standard version 1809

Problem description (votes: 0, answers: 3)

I am using Windows Server 2019 Standard version 1809 build 17763.2803

I first installed Erlang 26.0 (otp_win64_26.0.exe). I added Handle.exe to PATH. I also added ERLANG_HOME (value C:\Program Files\Erlang OTP).

Then I installed RabbitMQ 3.12.1 (rabbitmq-server-3.12.1.exe). I have successfully connected with the .NET client, using NuGet RabbitMQ.Client 6.2.1, to port 5672.

Then I created the server certificate using tls-gen:

make PASSWORD=12345678 CN=machine.domain.local DAYS_OF_VALIDITY=3650 NUMBER_OF_PRIVATE_KEY_BITS=2048 CLIENT_ALT_NAME=machine.domain.local

I am installing cacert.cer from tls-gen\basic\testca

Then I take the server certificate, key and ca_certificate.pem from tls-gen\basic\result and configure them. I have tried adding the password and removing it, either way, but for example:

[{rabbit,
    [
        {log_levels, [{connection, debug}, {queue, debug}]},
        {log,
            [
                {file, 
                    [
                        {level, debug}
                    ]
                },
                {categories,
                    [
                        {connection,[{level, debug}]},
                        {queue, [{level, debug}]},
                        {console, [{enabled, true},{level, debug}]}
                    ]
                }
            ]
        },
        {ssl_listeners, [5671]},
        {ssl_options, 
            [
               {cacertfile, "C:\\Program Files\\RabbitMQ Server\\rabbitmq_server-3.12.1\\certs\\ca_certificate.pem"},
               {certfile,   "C:\\Program Files\\RabbitMQ Server\\rabbitmq_server-3.12.1\\certs\\server_certificate.pem"},
               {keyfile,    "C:\\Program Files\\RabbitMQ Server\\rabbitmq_server-3.12.1\\certs\\server_key.pem"},
               {password, "12345678"}
            ]
        }        
    ]
}].

The client cannot connect to RabbitMQ over TLS. It throws an exception:

RabbitMQ.Client.Exceptions.BrokerUnreachableException: None of the specified endpoints were reachable
 ---> System.AggregateException: One or more errors occurred. (Unable to read data from the transport connection: An existing connection was forcibly closed by the remote host..)
 ---> System.IO.IOException: Unable to read data from the transport connection: An existing connection was forcibly closed by the remote host..
 ---> System.Net.Sockets.SocketException (10054): An existing connection was forcibly closed by the remote host.

I can see that rabbitmq is listening on the port, but I cannot connect to it:

2023-06-30 18:47:28.888000+03:00 [info] <0.692.0> started TLS (SSL) listener on [::]:5671
2023-06-30 18:47:28.888000+03:00 [info] <0.712.0> started TLS (SSL) listener on 0.0.0.0:5671
2023-06-30 18:47:28.935000+03:00 [debug] <0.543.0> Plugins discovery: ignoring getopt, not a RabbitMQ plugin
2023-06-30 18:47:28.935000+03:00 [debug] <0.543.0> Plugins discovery: ignoring quantile_estimator, not a RabbitMQ plugin
2023-06-30 18:47:28.997000+03:00 [debug] <0.543.0> Plugins discovery: ignoring getopt, not a RabbitMQ plugin
2023-06-30 18:47:28.997000+03:00 [debug] <0.543.0> Plugins discovery: ignoring quantile_estimator, not a RabbitMQ plugin
2023-06-30 18:47:29.029000+03:00 [info] <0.543.0> Server startup complete; 3 plugins started.
2023-06-30 18:47:29.029000+03:00 [info] <0.543.0>  * rabbitmq_management
2023-06-30 18:47:29.029000+03:00 [info] <0.543.0>  * rabbitmq_web_dispatch
2023-06-30 18:47:29.029000+03:00 [info] <0.543.0>  * rabbitmq_management_agent
2023-06-30 18:47:29.029000+03:00 [debug] <0.543.0> Marking RabbitMQ as running
2023-06-30 18:47:29.029000+03:00 [debug] <0.543.0> Change boot state to `ready`
2023-06-30 18:47:29.029000+03:00 [debug] <0.148.0> Boot state/systemd: notifying of state `ready`
2023-06-30 18:47:29.232000+03:00 [debug] <0.9.0> Time to start RabbitMQ: 5793485 us
2023-06-30 18:47:35.164000+03:00 [debug] <0.719.0> Plugins discovery: ignoring getopt, not a RabbitMQ plugin
2023-06-30 18:47:35.164000+03:00 [debug] <0.719.0> Plugins discovery: ignoring quantile_estimator, not a RabbitMQ plugin
2023-06-30 18:48:13.260000+03:00 [notice] <0.724.0> TLS server: In state hello at tls_handshake.erl:354 generated SERVER ALERT: Fatal - Insufficient Security
2023-06-30 18:48:13.260000+03:00 [notice] <0.724.0>  - no_suitable_ciphers

On the server I have disabled all old TLS versions. Only TLSv1.2 is active; I cannot support TLSv1.3 at the moment. I have enabled all possible cipher suites using IISCrypto. I am not sure whether the problem is in the TLS handshake, because the client and server try to negotiate something they cannot, or whether the certificate is invalid (tls-gen says it is valid). I have done this several times on Windows Server 2012 without any problems. I even tried copying a certificate that works fine from another machine, but I keep getting the error.

c# ssl rabbitmq
3 answers

2 votes

I found that the problem was actually RabbitMQ + Erlang + OpenSSL offering TLSv1.3 to the client while the host does not support that version (Windows Server 2019 Standard version 1809 Build 17763.2803). I configured the queue to work only with TLSv1.2, and the problem was solved.

I changed the configuration to the following:

[{rabbit,
    [
        {log_levels, [{connection, debug}, {queue, debug}]},
        {log,
            [
                {file, 
                    [
                        {level, debug}
                    ]
                },
                {categories,
                    [
                        {connection,[{level, debug}]},
                        {queue, [{level, debug}]},
                        {console, [{enabled, true},{level, debug}]}
                    ]
                }
            ]
        },
        {ssl_listeners, [5671]},
        {ssl_options, 
            [
               {cacertfile, "C:\\Program Files\\RabbitMQ Server\\rabbitmq_server-3.12.1\\certs\\ca_certificate.pem"},
               {certfile,   "C:\\Program Files\\RabbitMQ Server\\rabbitmq_server-3.12.1\\certs\\server_certificate.pem"},
               {keyfile,    "C:\\Program Files\\RabbitMQ Server\\rabbitmq_server-3.12.1\\certs\\server_key.pem"},
               {password, "12345678"},
               {versions, ['tlsv1.2']}
            ]
        }        
    ]
}].

0 votes

Please continue the discussion here:

https://groups.google.com/g/rabbitmq-users/c/aLYbNC8t-g0

Note: the RabbitMQ team monitors the rabbitmq-users mailing list and only sometimes answers questions on StackOverflow.


0 votes

This problem occurred with my Linux/Red Hat Enterprise and Windows Server 2019 combination.

On the Linux server I added the following line to /etc/rabbit/rabbitmq.conf:

ssl_options.versions.1 = tlsv1.2