表題の通りでハマってしまった。
各ソフトウェアのバージョン
$ sudo rabbitmqctl status ... {rabbit,"RabbitMQ","3.6.6"} ...
$ cat /usr/lib/erlang/releases/18/OTP_VERSION 18.3
rabbitmq.config
{versions, ['tlsv1.2', 'tlsv1.1', tlsv1]}
接続確認
openssl s_client で接続確認してみる。
tls1.2
$ openssl s_client -connect 127.0.0.1:5671 -tls1_2 < /dev/null
これ問題なかった。
tls1 tls1.1
どっちもなぜか同じように以下のようなエラーになる。
$ openssl s_client -connect 127.0.0.1:5671 -tls1_1 < /dev/null CONNECTED(00000003) 139728874526360:error:1409442F:SSL routines:ssl3_read_bytes:tlsv1 alert insufficient security:s3_pkt.c:1472:SSL alert number 71 139728874526360:error:1409E0E5:SSL routines:ssl3_write_bytes:ssl handshake failure:s3_pkt.c:656: --- no peer certificate available --- No client certificate CA names sent --- SSL handshake has read 7 bytes and written 0 bytes --- New, (NONE), Cipher is (NONE) Secure Renegotiation IS NOT supported Compression: NONE Expansion: NONE No ALPN negotiated SSL-Session: Protocol : TLSv1.1 Cipher : 0000 Session-ID: Session-ID-ctx: Master-Key: Key-Arg : None PSK identity: None PSK identity hint: None SRP username: None Start Time: 1483074781 Timeout : 7200 (sec) Verify return code: 0 (ok) ---
解決方法
結局これは Erlang の ssl ライブラリの問題らしく、基本的には Erlang のバージョンをあげる必要があるっぽい。しかしRabbitMQ 3.6.1 / Erlang 18.3 TLS insufficient security failures からリンクがある通り以下のようにするとうまくいった。
{versions, ['tlsv1.2', 'tlsv1.1', tlsv1]}, {ciphers, ["ECDHE-ECDSA-AES256-GCM-SHA384","ECDHE-RSA-AES256-GCM-SHA384", "ECDHE-ECDSA-AES256-SHA384","ECDHE-RSA-AES256-SHA384", "ECDHE-ECDSA-DES-CBC3-SHA", "ECDH-ECDSA-AES256-GCM-SHA384","ECDH-RSA-AES256-GCM-SHA384","ECDH-ECDSA-AES256-SHA384", "ECDH-RSA-AES256-SHA384","DHE-DSS-AES256-GCM-SHA384","DHE-DSS-AES256-SHA256", "AES256-GCM-SHA384","AES256-SHA256","ECDHE-ECDSA-AES128-GCM-SHA256", "ECDHE-RSA-AES128-GCM-SHA256","ECDHE-ECDSA-AES128-SHA256","ECDHE-RSA-AES128-SHA256", "ECDH-ECDSA-AES128-GCM-SHA256","ECDH-RSA-AES128-GCM-SHA256","ECDH-ECDSA-AES128-SHA256", "ECDH-RSA-AES128-SHA256","DHE-DSS-AES128-GCM-SHA256","DHE-DSS-AES128-SHA256", "AES128-GCM-SHA256","AES128-SHA256","ECDHE-ECDSA-AES256-SHA", "ECDHE-RSA-AES256-SHA","DHE-DSS-AES256-SHA","ECDH-ECDSA-AES256-SHA", "ECDH-RSA-AES256-SHA","AES256-SHA","ECDHE-ECDSA-AES128-SHA", "ECDHE-RSA-AES128-SHA","DHE-DSS-AES128-SHA","ECDH-ECDSA-AES128-SHA", "ECDH-RSA-AES128-SHA","AES128-SHA"]}, {honor_cipher_order, true},