
Unable to configure TLS 1.3 for the management UI #6164

@kubapet

Description

I have problems with configuring TLS 1.3 for the management UI:

I tried to use the following docker images:

  • 3.10.9-management-alpine
  • 3.11.1-management-alpine
  • 3.11.1-management

my configuration:

listeners.ssl.default  = 5671
ssl_options.cacertfile = /etc/rabbitmq/ca-cert.pem
ssl_options.certfile   = /etc/rabbitmq/server-cert.pem
ssl_options.keyfile    = /etc/rabbitmq/server-key.pem
ssl_options.verify     = verify_peer
ssl_options.fail_if_no_peer_cert = false

management.ssl.port       = 15671
management.ssl.cacertfile = /etc/rabbitmq/ca-cert.pem
management.ssl.certfile   = /etc/rabbitmq/server-cert.pem
management.ssl.keyfile    = /etc/rabbitmq/server-key.pem
management.ssl.versions.1 = tlsv1.3

management.ssl.ciphers.1  = TLS_AES_256_GCM_SHA384
management.ssl.ciphers.2  = TLS_AES_128_GCM_SHA256
management.ssl.ciphers.3  = TLS_CHACHA20_POLY1305_SHA256
management.ssl.ciphers.4  = TLS_AES_128_CCM_SHA256
management.ssl.ciphers.5  = TLS_AES_128_CCM_8_SHA256

management.ssl.honor_cipher_order   = true
management.ssl.honor_ecc_order      = true

And it works fine with curl:

[root@ip-172-31-25-200 ~]# curl -kv https://localhost:15671/
* Rebuilt URL to: https://localhost:15671/
*   Trying ::1...
* TCP_NODELAY set
* Connected to localhost (::1) port 15671 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
*   CAfile: /etc/pki/tls/certs/ca-bundle.crt
  CApath: none
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.3 (IN), TLS handshake, [no content] (0):
* TLSv1.3 (IN), TLS handshake, Encrypted Extensions (8):
* TLSv1.3 (IN), TLS handshake, [no content] (0):
* TLSv1.3 (IN), TLS handshake, Certificate (11):
* TLSv1.3 (IN), TLS handshake, [no content] (0):
* TLSv1.3 (IN), TLS handshake, CERT verify (15):
* TLSv1.3 (IN), TLS handshake, [no content] (0):
* TLSv1.3 (IN), TLS handshake, Finished (20):
* TLSv1.3 (OUT), TLS change cipher, Change cipher spec (1):
* TLSv1.3 (OUT), TLS handshake, [no content] (0):
* TLSv1.3 (OUT), TLS handshake, Finished (20):
* SSL connection using TLSv1.3 / TLS_AES_256_GCM_SHA384
* ALPN, server did not agree to a protocol
* Server certificate:
*  subject: CN=dossier.no; OU=Development; O=Dossier; C=NO
*  start date: Jan  3 13:26:45 2022 GMT
*  expire date: May  6 13:26:45 3021 GMT
*  issuer: CN=dossier.no; OU=Development; O=Dossier; C=NO
*  SSL certificate verify result: self signed certificate (18), continuing anyway.
* TLSv1.3 (OUT), TLS app data, [no content] (0):
> GET / HTTP/1.1
> Host: localhost:15671
> User-Agent: curl/7.61.1
> Accept: */*
> 
* TLSv1.3 (IN), TLS app data, [no content] (0):
< HTTP/1.1 200 OK
< content-length: 2782
< content-security-policy: script-src 'self' 'unsafe-eval' 'unsafe-inline'; object-src 'self'
< content-type: text/html
< date: Tue, 18 Oct 2022 17:01:02 GMT
< etag: "2255757079"
< last-modified: Thu, 13 Oct 2022 10:25:10 GMT
< server: Cowboy
< vary: origin
< 
* TLSv1.3 (IN), TLS app data, [no content] (0):
<!DOCTYPE html>
<html>
  <head>
    <meta http-equiv="X-UA-Compatible" content="IE=edge" />
    <meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
    <title>RabbitMQ Management</title>
    <script src="js/ejs-1.0.min.js" type="text/javascript"></script>
    <script src="js/jquery-3.5.1.min.js"></script>
    <script src="js/jquery.flot-0.8.1.min.js" type="text/javascript"></script>
    <script src="js/jquery.flot-0.8.1.time.min.js" type="text/javascript"></script>
    <script src="js/sammy-0.7.6.min.js" type="text/javascript"></script>
    <script src="js/json2-2016.10.28.js" type="text/javascript"></script>
    <script src="js/base64.js" type="text/javascript"></script>
    <script src="js/global.js" type="text/javascript"></script>
    <script src="js/main.js" type="text/javascript"></script>
    <script src="js/prefs.js" type="text/javascript"></script>
    <script src="js/formatters.js" type="text/javascript"></script>
    <script src="js/charts.js" type="text/javascript"></script>
    <script src="js/oidc-oauth/oidc-client-ts.js" type="text/javascript"></script>
    <script src="js/oidc-oauth/helper.js"></script>

    <link href="css/main.css" rel="stylesheet" type="text/css"/>
    <link href="favicon.ico" rel="shortcut icon" type="image/x-icon"/>

    <script type="application/javascript">
      var oauth = oauth_initialize_if_required();

      if (oauth.enabled) {
        oauth_is_logged_in().then( status => {
          if (status.loggedIn && !has_auth_cookie_value()) {
            oauth.logged_in = false;
            oauth_initiateLogout();
          }else {
            if (!status.loggedIn) {
              replace_content('outer', format('login_oauth', {}));
            }  else {
              oauth.logged_in = true
              oauth.access_token = status.user.access_token
              oauth.expiryDate = new Date(status.user.expires_at * 1000)  // it is epoch in seconds
              let current = new Date();
              _management_logger.debug("token expires in ",(oauth.expiryDate-current)/1000 ,
                "secs at : ", oauth.expiryDate );
              oauth.user_name = status.user.profile["user_name"]
              if (!oauth.user_name || oauth.user_name == "") oauth.user_name = status.user.profile["sub"]
              oauth.scopes = status.user.scope
            }
          }
        });
      }else {
        replace_content('outer', format('login', {}));
        start_app_login();
      }

    </script>

<!--[if lte IE 8]>
    <script src="js/excanvas.min.js" type="text/javascript"></script>
    <link href="css/evil.css" rel="stylesheet" type="text/css"/>
<![endif]-->
  </head>

  <body>
    <div id="outer"></div>
    <div id="debug"></div>
    <div id="scratch"></div>
  </body>
</html>

but it cannot be accessed from any browser (tried the latest Chrome, Brave and Firefox), and it says:
ERR_SSL_VERSION_OR_CIPHER_MISMATCH
and the server log shows:

2022-10-18 17:22:49.434251+00:00 [notice] <0.744.0> TLS server: In state start at tls_handshake_1_3.erl:2316 generated SERVER ALERT: Fatal - Insufficient Security
2022-10-18 17:22:49.434251+00:00 [notice] <0.744.0>  - no_suitable_signature_algorithm

I also tried using wget, which complains about an invalidated session "for some reason",
and the server log shows:

2022-10-18 16:54:50.659815+00:00 [notice] <0.947.0> TLS server: In state wait_finished at ssl_gen_statem.erl:740 generated SERVER ALERT: Fatal - Unexpected Message
2022-10-18 16:54:50.659815+00:00 [notice] <0.947.0>  - {unexpected_msg,{internal,{change_cipher_spec,<<1>>}}}
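The `no_suitable_signature_algorithm` alert in the browser case is the Erlang TLS server reporting that none of the schemes the client advertised in `signature_algorithms` can be used with the server certificate's key. In TLS 1.3 (RFC 8446, section 4.2.3) an RSA key may only sign CertificateVerify with the `rsa_pss_rsae_*` schemes, an EC key only with the scheme bound to its own curve, and `rsa_pkcs1_*` is never acceptable for handshake signatures; a client that offers a narrower list than curl/OpenSSL does can therefore fail where curl succeeds. The issue does not say what key type `server-cert.pem` uses, so the following is an added diagnostic, not code from the issue or from RabbitMQ: it reads a PEM certificate with the `openssl` CLI and prints the TLS 1.3 signature schemes a client must offer for it. The function name `tls13_sig_schemes` and the self-signed certificates it generates are assumptions and constructed test data.

```shell
#!/bin/sh
# Added diagnostic, not code from the issue or from RabbitMQ.
# Maps a server certificate's key type to the TLS 1.3 signature schemes
# (RFC 8446 s.4.2.3) a client must list in signature_algorithms; if the
# client lists none of them the server has nothing to sign CertificateVerify
# with. Requires the openssl CLI; all certificates below are generated
# locally as throwaway test data.

# Usage: tls13_sig_schemes cert.pem
# Prints: key=<public key alg> sig=<cert signature alg> schemes=<comma list>
tls13_sig_schemes() {
    text=$(openssl x509 -in "$1" -noout -text) || return 1
    # The first "Signature Algorithm:" line is the one inside the TBS certificate.
    sig=$(printf '%s\n' "$text" | sed -n 's/^ *Signature Algorithm: *//p' | head -n 1)
    keyalg=$(printf '%s\n' "$text" | sed -n 's/^ *Public Key Algorithm: *//p' | head -n 1)
    case "$keyalg" in
        rsaEncryption)   # RSA key: TLS 1.3 signs with RSA-PSS only, never PKCS#1 v1.5
            schemes="rsa_pss_rsae_sha256,rsa_pss_rsae_sha384,rsa_pss_rsae_sha512" ;;
        rsassaPss)       # RSA-PSS key (id-RSASSA-PSS in the SPKI)
            schemes="rsa_pss_pss_sha256,rsa_pss_pss_sha384,rsa_pss_pss_sha512" ;;
        id-ecPublicKey)  # ECDSA: curve and hash are tied together in TLS 1.3
            curve=$(printf '%s\n' "$text" | sed -n 's/^ *ASN1 OID: *//p' | head -n 1)
            case "$curve" in
                prime256v1) schemes="ecdsa_secp256r1_sha256" ;;
                secp384r1)  schemes="ecdsa_secp384r1_sha384" ;;
                secp521r1)  schemes="ecdsa_secp521r1_sha512" ;;
                *)          schemes="none:$curve-is-not-a-TLS1.3-signature-curve" ;;
            esac ;;
        ED25519) schemes="ed25519" ;;
        ED448)   schemes="ed448" ;;
        *)       schemes="unknown:$keyalg" ;;
    esac
    printf 'key=%s sig=%s schemes=%s\n' "$keyalg" "$sig" "$schemes"
}

# Generate throwaway self-signed certificates (constructed test data) into $1:
# one RSA-2048 key and one P-256 EC key, both signed with SHA-256.
make_test_certs() {
    dir="$1"
    openssl req -x509 -newkey rsa:2048 -nodes -keyout "$dir/rsa.key" \
        -out "$dir/rsa.pem" -subj "/CN=rsa-test" -days 1 >/dev/null 2>&1
    openssl ecparam -name prime256v1 -genkey -noout -out "$dir/ec.key"
    openssl req -x509 -new -key "$dir/ec.key" -out "$dir/ec.pem" \
        -subj "/CN=ec-test" -days 1 >/dev/null 2>&1
}

# Stand-alone run: show both key types side by side, then clean up.
demo() {
    dir=$(mktemp -d)
    make_test_certs "$dir"
    tls13_sig_schemes "$dir/rsa.pem"
    tls13_sig_schemes "$dir/ec.pem"
    rm -rf "$dir"
}
demo
```

Run it against the certificate in `management.ssl.certfile` and compare the printed schemes with what the failing client actually offers (the `signature_algorithms` extension of its ClientHello in a packet capture). To reproduce the alert on demand against the live listener, restrict the offer by hand, for example `openssl s_client -connect localhost:15671 -tls1_3 -sigalgs ecdsa_secp256r1_sha256 </dev/null` against an RSA certificate, and watch for the same `Insufficient Security` line in the RabbitMQ log.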
