
TLS support #20

Closed
kendas opened this issue Jan 11, 2019 · 4 comments · Fixed by #33

Comments


kendas commented Jan 11, 2019

Are there any plans to add TLS support?

If so, is there a timeline?

@achilleasa (Owner) commented:

Hi there. I have pushed a WIP branch that implements TLS support.

To use that you need to create a SecurityContext with your TLS certs and attach it to a ConnectionSettings instance that you pass to the Client constructor. For example:

```dart
  // Directory holding the PEM files (the original snippet declared this
  // variable as pathToCerts but then referenced it as path).
  String path = "...";
  SecurityContext ctx = new SecurityContext()
    // Client certificate chain and private key presented to the broker
    ..useCertificateChain(path + "client_certificate.pem")
    ..usePrivateKey(path + "client_key.pem")
    // CA PEM as used in this WIP branch
    ..setClientAuthorities(path + "ca_certificate.pem");

  // Attach the context to the connection settings and hand them to the client
  ConnectionSettings settings = new ConnectionSettings(tlsContext: ctx);
  Client client = new Client(settings: settings);
```

However, I haven't been able to get it to work with self-signed certificates (even though I explicitly provide the CA pem file to the context) without providing an accept-all callback (onBadCertificate) to SecureSocket.connect (it calls onBadCertificate for the CA pem).

Once I figure out a way to make this work properly I will open a PR.


kendas commented Jan 24, 2019

Using your example and the branch you linked, I got the following scenarios working:

  • Server-only TLS
  • Mutual TLS

What is interesting, however, is the fact that I succeeded with a certificate that was signed by my self-signed certificate, but not the self-signed cert itself.

The code I used to set up the SecurityContext was similar to this:

```dart
  String basePath = "/path/to/my/certs";
  SecurityContext ctx = SecurityContext.defaultContext
    // Client cert and private key
    ..useCertificateChain("${basePath}/test-client.crt")
    ..usePrivateKey("${basePath}/test-client.key");
```

Why exactly the self-signed certificate itself didn't work, is a mystery to me.

For completeness, here was my setup:

  • Let's Encrypt certificate on a server
  • RabbitMQ ssl_options.cacertfile containing the Let's Encrypt CA and my self-signed CA
  • RabbitMQ ssl_options.verify set to verify_peer
  • RabbitMQ ssl_options.fail_if_no_peer_cert set to true
  • Client certificate signed by my self-signed CA
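Pulling the two snippets above together, here is an added example (not code from the dart_amqp project or from either commenter) of a mutual-TLS SecurityContext for a broker whose certificate chains to a private CA, plus a diagnostic handshake that reports an untrusted broker certificate instead of accepting everything. The trust anchor goes through setTrustedCertificates (setClientAuthorities configures the CA names a SecureServerSocket advertises when it asks a client for a certificate). File paths and host name are placeholders; the host/port parameters of ConnectionSettings and client.connect()/close() are assumed from the library's API.

```dart
import 'dart:io';

import 'package:dart_amqp/dart_amqp.dart';

/// Mutual-TLS context for a broker signed by a private (self-signed) CA.
/// Paths are placeholders; point them at the real PEM files.
SecurityContext buildMutualTlsContext(String basePath) {
  // withTrustedRoots: false -> only the CA added below is trusted, so a
  // broker presenting a certificate from any other issuer is rejected.
  return SecurityContext(withTrustedRoots: false)
    // Trust anchor used to verify the broker's certificate (client side).
    ..setTrustedCertificates('$basePath/my-ca.crt')
    // Leaf certificate signed by my-ca.crt, plus its key. The CA certificate
    // itself is not an end-entity certificate and is not usable here.
    ..useCertificateChain('$basePath/test-client.crt')
    ..usePrivateKey('$basePath/test-client.key');
}

/// Diagnostic handshake: log what the broker presented and still reject it,
/// so a trust-store problem surfaces as an error rather than being bypassed.
Future<void> probeBroker(String host, int port, SecurityContext ctx) async {
  try {
    final socket = await SecureSocket.connect(host, port,
        context: ctx,
        onBadCertificate: (X509Certificate cert) {
          stderr.writeln('Untrusted broker certificate:');
          stderr.writeln('  subject: ${cert.subject}');
          stderr.writeln('  issuer:  ${cert.issuer}');
          stderr.writeln('  valid:   ${cert.startValidity} .. ${cert.endValidity}');
          return false; // never accept; fix the trust store instead
        });
    stdout.writeln('Handshake OK, peer: ${socket.peerCertificate?.subject}');
    await socket.close();
  } on HandshakeException catch (e) {
    stderr.writeln('Handshake failed: $e');
  }
}

Future<void> main() async {
  const host = 'server.fully.qualified.domain.name'; // placeholder
  final ctx = buildMutualTlsContext('/path/to/my/certs');
  await probeBroker(host, 5671, ctx);

  // Same context handed to the AMQP client, as in the snippets above.
  final settings = ConnectionSettings(host: host, port: 5671, tlsContext: ctx);
  final client = Client(settings: settings);
  await client.connect();
  await client.close();
}
```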


kendas commented Jan 25, 2019

On further inspection, the inability to connect with a self-signed certificate seems to be a problem with either RabbitMQ or my configuration of RabbitMQ. I turned the fail_if_no_peer_cert off and tried:

```sh
openssl s_client -connect server.fully.qualified.domain.name:5971
```

Success

```sh
openssl s_client -connect server.fully.qualified.domain.name:5971 -cert test-client.crt -key test-client.key
```

Success

```sh
openssl s_client -connect server.fully.qualified.domain.name:5971 -cert my-ca.crt -key my-ca.key
```

Failed (rabbit says 'bad certificate', openssl exits with status code 1)


ghost commented Oct 16, 2019

Any chance this will be merged into a release soon? I'm running RabbitMQ with fail_if_no_peer_cert=false
