Connect failed with MQTT over TLS-PSK in (RabbitMQ 3.12.2 + Erlang 26.0.2)

[tungyi]

Hi everyone,

I have a RabbitMQ server. It's version 3.12.2 + erlang 26.0.2.

Another I have program named agent using mosquitto lib (Protocol: mqtt over TLS-PSK ) to try to connect to this RabbitMQ server. But agent never connects to the server. So I checked the RabbitMQ logs found that it keeps showing "Insufficient Security" related errors as shown below.

2023-07-31 05:26:28.039000+00:00 [notice] <0.1272.0> TLS server: In state hello at tls_handshake.erl:354 generated SERVER ALERT: Fatal - Insufficient Security
2023-07-31 05:26:28.039000+00:00 [notice] <0.1272.0> - no_suitable_ciphers

So I did two experiments.
Case 1. Downgrade erlang to 25.2. And keep agent unchanged.

• Result: The agent can connect RabbitMQ server with mqtt over TLS-PSK normally.

Case 2. Change the connection protocol of agent to (mqtt over TLS 1.3) without PSK. And RabbitMQ server keep using elrang 26.0.2.

• Result: The agent can connect RabbitMQ server normally.

Is it possible to modify the rabbitmq config file so that the agent (mqtt over TLS-PSK) can connect to the rabbitmq server (3.12.2 + erlang 26.0.2).
Here is the config file of RabbitMQ rabbitmq.zip

The content of rabbitmq.conf:
listeners.ssl.default = 5671
loopback_users.guest = true
ssl_options.verify = verify_peer
ssl_options.fail_if_no_peer_cert = false
ssl_options.cacertfile = C:/Program Files/XXXXX/RabbitMQConfig/ssl/ca/ca_certificate.pem
ssl_options.certfile = C:/Program Files/XXXXX/RabbitMQConfig/ssl/server/server_certificate.pem
ssl_options.keyfile = C:/Program Files/XXXXX/RabbitMQConfig/ssl/server/private_key.pem
mqtt.listeners.tcp.default = 1883
mqtt.listeners.ssl.default = 8883
mqtt.mailbox_soft_limit = 0
mqtt.default_user = guest
mqtt.default_pass = guest
mqtt.allow_anonymous = true
mqtt.exchange = amq.topic
log.file.level = info
log.file.rotation.size = 20480000
log.file.rotation.count = 7
classic_queue.default_version = 2

[lukebakken]

Please provide a client application that can be run to reproduce this error, via a git repository we can clone, compile, and run. We just don't have time to guess how you are connecting to RabbitMQ. Thanks.

[tungyi]

Hi lukebakken,

Thanks for your response.
I just tried to assign the ca files to the agent and let it connect to the RabbitMQ server (erlang 26.0.2). I found that it still fails to connect. This incident shows that the connection failure has nothing to do with PSK.

Then I looked more closely at the differences, and realized that I was using different libs.

I think it's related to the openssl library. When the agent uses openssl library version 1.0.2o to connect to RabbitMQ server, it will show me "Insufficient Security" error message. When I change the openssl library to version 3.0.9, it works fine.

[lukebakken]

When the agent uses openssl library version 1.0.2o to connect to RabbitMQ server, it will show me "Insufficient Security" error message. When I change the openssl library to version 3.0.9, it works fine

Well done. OpenSSL 1.0.2 is long out of support.