[erlang-questions] ssl_upgrade_failure with particular SSL certificate
Scott Baldwin
arrogantparagon@REDACTED
Fri Mar 29 16:56:43 CET 2013
I am trying to configure SSL for connections to my RabbitMQ broker. I
realize that this is not the RabbitMQ mailing list, but I think that my
problem is related specifically to Erlang's SSL implementation. I was able
to get it working with a certificate/key pair created directly with
OpenSSL; however, when I converted a certificate made with makecert.exe to
PEM format and try to use that, the client fails to connect and the server
logs an ssl_upgrade_failure. It seems that there is something about my
certificate that Erlang doesn't like.
I am using Erlang R16B.
Here is my certificate:
Here is the relevant part of the log from RabbitMQ:
=INFO REPORT==== 28-Mar-2013::20:46:52 ===
accepting AMQP connection <0.301.0> (192.168.51.234:50804 ->
192.168.51.153:5671)
=ERROR REPORT==== 28-Mar-2013::20:46:52 ===
** State machine <0.302.0> terminating
** Last message in was {tcp,#Port<0.15153>,
<<22,3,0,0,53,1,0,0,49,3,0,81,84,228,150,220,41,
203,120,104,165,175,147,215,108,167,136,54,238,
178,50,70,122,181,212,166,114,251,121,27,202,52,
143,0,0,10,0,5,0,10,0,19,0,4,0,255,1,0>>}
** When State == hello
** Data == {state,server,
{#Ref<0.0.0.1972>,<0.301.0>},
gen_tcp,tcp,tcp_closed,tcp_error,"localhost",5671,
#Port<0.15153>,
{ssl_options,[],verify_none,
{#Fun<ssl.1.131723950>,[]},
false,false,undefined,1,
<<"C:/Users/ScottB/AppData/Roaming/RabbitMQ/lkcloudstaging_cer.pem">>,
undefined,
<<"C:/Users/ScottB/AppData/Roaming/RabbitMQ/server/key.pem">>,
undefined,undefined,undefined,<<>>,undefined,
undefined,
[<<0,107>>,
<<0,106>>,
<<0,61>>,
<<0,103>>,
<<0,64>>,
<<0,60>>,
<<0,57>>,
<<0,56>>,
<<0,53>>,
<<0,22>>,
<<0,19>>,
<<0,10>>,
<<0,51>>,
<<0,50>>,
<<0,47>>,
<<0,5>>,
<<0,4>>,
<<0,21>>,
<<0,9>>],
#Fun<ssl.0.131723950>,true,268435456,false,undefined,
undefined,false,undefined,undefined},
{socket_options,binary,0,0,0,false},
{connection_states,
{connection_state,
{security_parameters,
<<0,0>>,
0,0,0,0,0,0,0,0,0,0,0,undefined,undefined,
undefined,undefined},
undefined,undefined,undefined,0,undefined,
undefined,undefined},
{connection_state,
{security_parameters,undefined,0,undefined,
undefined,undefined,undefined,undefined,
undefined,undefined,undefined,undefined,
undefined,undefined,undefined,
<<81,84,228,124,31,218,166,3,48,108,125,182,
121,180,129,153,59,55,16,200,98,117,189,183,
170,169,208,189,111,61,67,162>>,
undefined},
undefined,undefined,undefined,undefined,
undefined,undefined,undefined},
{connection_state,
{security_parameters,
<<0,0>>,
0,0,0,0,0,0,0,0,0,0,0,undefined,undefined,
undefined,undefined},
undefined,undefined,undefined,0,undefined,
undefined,undefined},
{connection_state,
{security_parameters,undefined,0,undefined,
undefined,undefined,undefined,undefined,
undefined,undefined,undefined,undefined,
undefined,undefined,undefined,
<<81,84,228,124,31,218,166,3,48,108,125,182,
121,180,129,153,59,55,16,200,98,117,189,183,
170,169,208,189,111,61,67,162>>,
undefined},
undefined,undefined,undefined,undefined,
undefined,undefined,undefined}},
[],<<>>,<<>>,
{[],[]},
[],311374,
{session,undefined,undefined,
<<48,130,3,79,48,130,2,59,160,3,2,1,2,2,16,98,235,177,
236,230,246,4,190,79,82,112,203,129,63,226,129,48,9,
6,5,43,14,3,2,29,5,0,48,40,49,38,48,36,6,3,85,4,3,
19,29,69,108,108,107,97,121,32,83,116,97,103,105,
110,103,32,82,111,111,116,32,65,117,116,104,111,114,
105,116,121,48,30,23,13,49,50,48,56,49,53,49,53,49,
51,51,55,90,23,13,51,57,49,50,51,49,50,51,53,57,53,
57,90,48,51,49,49,48,47,6,3,85,4,3,30,40,0,42,0,46,
0,108,0,107,0,99,0,108,0,111,0,117,0,100,0,115,0,
116,0,97,0,103,0,105,0,110,0,103,0,46,0,99,0,111,0,
109,48,130,1,34,48,13,6,9,42,134,72,134,247,13,1,1,
1,5,0,3,130,1,15,0,48,130,1,10,2,130,1,1,0,216,107,
203,59,146,53,176,206,81,90,131,236,230,242,255,63,
137,54,50,2,25,233,165,164,253,42,153,192,25,240,
150,196,237,200,191,151,151,174,5,140,8,200,172,191,
46,248,216,97,94,153,241,153,76,40,134,243,152,72,
10,196,96,166,73,152,211,114,13,60,65,124,70,236,37,
233,37,249,108,255,92,156,191,194,222,237,60,244,
122,157,166,204,25,197,134,67,130,52,52,51,219,48,
14,136,143,202,234,12,1,208,61,173,191,115,190,143,
124,173,156,193,60,195,228,232,229,234,115,101,41,
223,24,116,72,186,212,56,140,46,235,87,63,19,214,
130,226,197,140,167,67,127,109,27,162,249,0,185,174,
230,237,67,101,52,88,155,54,136,108,93,122,115,167,
114,214,111,14,10,160,47,67,114,231,202,70,106,174,
233,35,141,162,195,148,148,250,101,181,20,93,166,94,
25,45,154,189,255,25,51,71,254,30,90,221,13,31,136,
20,47,194,198,42,113,204,118,186,145,43,92,251,87,
89,86,10,163,141,62,234,151,217,196,67,255,3,105,
121,133,224,46,248,244,66,219,181,99,165,72,31,196,
151,5,2,3,1,0,1,163,114,48,112,48,19,6,3,85,29,37,4,
12,48,10,6,8,43,6,1,5,5,7,3,1,48,89,6,3,85,29,1,4,
82,48,80,128,16,199,202,242,24,178,198,39,100,43,
232,218,214,25,128,214,79,161,42,48,40,49,38,48,36,
6,3,85,4,3,19,29,69,108,108,107,97,121,32,83,116,97,
103,105,110,103,32,82,111,111,116,32,65,117,116,104,
111,114,105,116,121,130,16,46,237,149,227,229,242,
192,187,64,151,189,228,119,196,120,180,48,9,6,5,43,
14,3,2,29,5,0,3,130,1,1,0,40,128,61,39,14,71,240,
213,139,6,56,100,53,82,197,225,133,169,236,225,234,
230,214,183,134,170,173,137,109,135,163,131,88,93,
83,210,229,35,127,245,74,146,195,237,94,80,49,3,61,
69,236,129,230,127,205,21,0,99,216,215,198,102,31,
210,111,157,92,250,236,247,70,112,168,186,68,193,
216,190,144,83,239,219,219,191,79,254,245,53,241,
116,137,118,250,166,159,185,86,249,114,73,146,150,
173,105,34,201,103,149,155,51,183,125,169,194,180,
152,14,242,226,133,244,75,74,219,213,51,50,173,80,
100,108,186,15,222,81,235,130,64,16,26,148,1,230,
184,216,123,237,176,186,6,122,118,100,200,63,236,
113,27,209,186,151,65,45,102,58,234,98,55,118,37,
165,239,242,175,122,83,239,236,75,207,44,215,224,
214,59,27,38,21,59,101,79,159,61,164,188,214,235,78,
196,207,88,238,242,212,212,28,222,208,219,68,140,16,
120,42,169,97,216,173,7,37,77,113,47,243,128,224,
234,114,145,245,54,42,72,124,191,201,76,193,111,3,
147,180,142,88,41,73,0,219,71,24,144,16,184,201,246,
107>>,
undefined,undefined,undefined,new,63531722812},
323665,ssl_session_cache,undefined,undefined,false,
undefined,undefined,undefined,
{'RSAPrivateKey','two-prime',
25091000490399564416382733665912293706281236323287507449391018333858706088067104372951637210440828548699801793107621328582247328739957168356535343760898421117596223923057958675108280840952652110424468556362893842108742460936250265912296002218912760264533284800177616747391132407486580757942725318853670784742540298023139943942002078742079335138046822007139070167779479715409389988021492873379536675527198388004784204705449619014967663111341423672277165259908002197645143645833929707716094821495848245665580802072300300901995696081299311434728567907957618159230597695337971845318310069905698028328520007565703331606819,
65537,
12532291835951284642352753464759952731760837234028003552929880741268762456120795803045590924921343389430997938501684187097537025786559622030041471881063352256944852432936802405831735737793065202597533511207149656340503466992496089298764016305810310122514496309703131156584850210212028846765905833153120519214366483351036620512028360903366902227866159233021509892771286294064778569099266243884082209785268720465970929381008430443130075496396131177443808450873061131440124680376808011317874020764946935204300278562787258089499308485762628408971801392792765876969493808892573747399158232707154902628249712310347508330481,
164613524625768478096728511491146234379950805547018160443402940694931123301226530314268605486708880647658162742710176890755691202467149416112553065729831746391569481381229328262217225008710581122456985360175690217141752754366597025760074826970126144030433840076718674219450293036228318089528491377991378917023,
152423687831490839453627602007609954938806264385151113997291723876694061058672531571680491904693205860873313947735180318401018227463103944680073963443527347105243646402511993135691316201430837009543216841366727950952917475175355759283610454988240555587842851002909990207473661609226206434152468235025307200253,
103984547751379971996375538203182369609466154978729646218112491292391375460388439026510307132524542623745369476562226118076733144497574174552444945117251391868174999766567175194585209852993108440859312097378784492720927449807326399887717438420071901928924585277569562140638458907286206884483421800776127924467,
39507777060187907438527428403852332339678380351718296130002815409515266417499584872791499702229633458331247753638059539934359165508273901891762155988452310073344428665326017782260225343145179490686339388197454990354108505894437772295812911773276810317388444847741459078907412450309375905167279214922484907925,
140777917719684893441642072243040594921813463059778562021367548768326948139714681618402000290527139618053328133891840461484222782830228667641262369743730585486629970714763524415800836168519782394433537656246543908266747427470739521793087643652694808980372432733634387874662999415574210646072641560865328049441,
asn1_NOVALUE},
{'DHParameter',
179769313486231590770839156793787453197860296048756011706444423684197180216158519368947833795864925541502180565485980503646440548199239100050792877003355816639229553136239076508735759914822574862575007425302077447712589550957937778424442426617334727629299387668709205606050270810842907692932019128194467627007,
2,asn1_NOVALUE},
undefined,undefined,315471,#Ref<0.0.0.1974>,undefined,
<<>>,true,
{false,first},
{<0.301.0>,#Ref<0.0.0.1971>},
#Ref<0.0.0.1980>,
{[],[]},
false,true,false,undefined}
** Reason for termination =
** {{badmatch,
{error,
{asn1,
{'Type not compatible with table constraint',
{{component,'Type'},
{value,{5,<<>>}},
{unique_name_and_value,id,{1,3,14,3,2,29}}}}}}},
[{public_key,pkix_decode_cert,2,[{file,"public_key.erl"},{line,218}]},
{ssl_cipher,filter,2,[{file,"ssl_cipher.erl"},{line,484}]},
{ssl_handshake,select_session,8,[{file,"ssl_handshake.erl"},{line,654}]},
{ssl_handshake,hello,4,[{file,"ssl_handshake.erl"},{line,178}]},
{ssl_connection,hello,2,[{file,"ssl_connection.erl"},{line,413}]},
{ssl_connection,next_state,4,[{file,"ssl_connection.erl"},{line,2001}]},
{gen_fsm,handle_msg,7,[{file,"gen_fsm.erl"},{line,494}]},
{proc_lib,init_p_do_apply,3,[{file,"proc_lib.erl"},{line,239}]}]}
=ERROR REPORT==== 28-Mar-2013::20:46:52 ===
error on AMQP connection <0.301.0>: {ssl_upgrade_failure,
{{{badmatch,
{error,
{asn1,
{'Type not compatible with table
constraint',
{{component,'Type'},
{value,{5,<<>>}},
{unique_name_and_value,id,
{1,3,14,3,2,29}}}}}}},
[{public_key,pkix_decode_cert,2,
[{file,"public_key.erl"},{line,218}]},
{ssl_cipher,filter,2,
[{file,"ssl_cipher.erl"},{line,484}]},
{ssl_handshake,select_session,8,
[{file,"ssl_handshake.erl"},
{line,654}]},
{ssl_handshake,hello,4,
[{file,"ssl_handshake.erl"},
{line,178}]},
{ssl_connection,hello,2,
[{file,"ssl_connection.erl"},
{line,413}]},
{ssl_connection,next_state,4,
[{file,"ssl_connection.erl"},
{line,2001}]},
{gen_fsm,handle_msg,7,
[{file,"gen_fsm.erl"},{line,494}]},
{proc_lib,init_p_do_apply,3,
[{file,"proc_lib.erl"},{line,239}]}]},
{gen_fsm,sync_send_all_state_event,
[<0.302.0>,{start,5000},infinity]}}}
Note that this certificate/key pair was created for testing purposes only,
but I am concerned that our production certificate/key pair will fail in
similar fashion.
Thanks,
Scott
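
The error term in the log names `{unique_name_and_value,id,{1,3,14,3,2,29}}` together with `{value,{5,<<>>}}`. As an added example (not part of the original post, and not Erlang's own decoder), the following Python walks the first 42 bytes of the certificate binary printed in the `{session,...}` tuple of the crash dump and extracts the signature AlgorithmIdentifier, which comes out as that same OID with an empty tag-5 (NULL) parameter. The function names are this example's own.

```python
# Added example: minimal definite-length DER walker, not a full ASN.1 parser.
# CERT_PREFIX = first 42 bytes of the certificate binary in the crash dump above.
CERT_PREFIX = bytes([
    48, 130, 3, 79, 48, 130, 2, 59, 160, 3, 2, 1, 2, 2, 16, 98, 235, 177,
    236, 230, 246, 4, 190, 79, 82, 112, 203, 129, 63, 226, 129, 48, 9,
    6, 5, 43, 14, 3, 2, 29, 5, 0,
])

def read_tlv(buf, pos):
    """Return (tag, value_start, value_end) of the TLV starting at pos."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:  # long form: low 7 bits give the number of length octets
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, pos, pos + length

def decode_oid(body):
    """Decode OBJECT IDENTIFIER content octets into a tuple of arcs."""
    arcs, value = [], 0
    for octet in body:
        value = (value << 7) | (octet & 0x7F)
        if not octet & 0x80:  # high bit clear marks the last octet of an arc
            arcs.append(value)
            value = 0
    first = min(arcs[0] // 40, 2)  # first two arcs are packed as 40*x + y
    return (first, arcs[0] - 40 * first, *arcs[1:])

def signature_algorithm(cert):
    """Return (oid, params_tag, params_value) of tbsCertificate.signature."""
    _, pos, _ = read_tlv(cert, 0)            # Certificate ::= SEQUENCE
    _, pos, _ = read_tlv(cert, pos)          # tbsCertificate ::= SEQUENCE
    tag, _, end = read_tlv(cert, pos)
    if tag == 0xA0:                          # optional [0] EXPLICIT version
        tag, _, end = read_tlv(cert, end)
    if tag != 0x02:
        raise ValueError("expected INTEGER serialNumber")
    tag, pos, alg_end = read_tlv(cert, end)  # AlgorithmIdentifier ::= SEQUENCE
    if tag != 0x30:
        raise ValueError("expected SEQUENCE AlgorithmIdentifier")
    tag, start, oid_end = read_tlv(cert, pos)
    if tag != 0x06:
        raise ValueError("expected OBJECT IDENTIFIER")
    oid = decode_oid(cert[start:oid_end])
    if oid_end == alg_end:                   # parameters field absent
        return oid, None, b""
    p_tag, p_start, p_end = read_tlv(cert, oid_end)
    return oid, p_tag, cert[p_start:p_end]
```

`signature_algorithm(CERT_PREFIX)` returns `((1, 3, 14, 3, 2, 29), 5, b"")`; 1.3.14.3.2.29 is the older OIW identifier for SHA-1 with RSA, distinct from the PKCS #1 identifier 1.2.840.113549.1.1.5. Running the same function over the DER bytes of a production certificate shows whether it carries the same algorithm identifier before it is deployed.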