HTTPS endpoint support #3

Closed
wants to merge 3 commits into from

@jshiell
commented Jan 21, 2013

This is a simple change to allow for a WSS endpoint, primarily as IE doesn't seem to allow connecting from an HTTPS website to a WS endpoint.

Apologies for any mess, my knowledge of Erlang is pretty minimal.

James Shiell added some commits Jan 17, 2013

James Shiell
Added [optional] HTTPS endpoint support.
This is primarily for browsers which don't like connecting to HTTP
endpoints when on a HTTP client, i.e. MSIE.
@rclayton-the-terrible

commented Apr 27, 2013

Any action on this? This is a killer feature and I think it would be awesome if it made it into the plugin?

@hyperthunk

Contributor

commented May 3, 2013

We're reviewing at the moment and we'll let you know as soon as possible!

@rclayton-the-terrible

commented May 3, 2013

@hyperthunk - I've compiled and deployed @jshiell's implementation and verified that it works. The implementation could be a little more robust (I wish I knew enough Erlang to do it myself).

@hyperthunk

Contributor

commented May 3, 2013

@berico-rclayton thanks for that. We're in the process of planning the RabbitMQ 3.2.0 release and web-stomp bugs/features are under discussion. I'll let you know the outcome and status asap.

@jar349

commented Jul 11, 2013

Any updates on this in the past 60 days?

@hyperthunk

Contributor

commented Aug 1, 2013

Sorry guys, there have been a lot more pressing bugs that have taken up our time and attention. We haven't forgotten about it though.

@ppetermann

commented Nov 17, 2013

and there we are.. 4 months later, no update?

@emile

Contributor

commented Dec 9, 2013

Development of this feature is taking place on the branch named 'bug25913' in http://hg.rabbitmq.com/rabbitmq-web-stomp . Unfortunately the pull request also includes changes that do not relate to SSL so this cannot be pulled directly.

@emile

Contributor

commented Dec 12, 2013

Are there any volunteers that would like to help test the SSL websocket support on this branch? This implementation is slightly different from the pull request: http://hg.rabbitmq.com/rabbitmq-web-stomp/rev/7c7c60d6ab05

Here's a sample config:

    [
      {rabbitmq_web_stomp,
          [{ssl_config, [{port,       15671},
                         {backlog,    1024},
                         {certfile,   "path/to/certs/client/cert.pem"},
                         {keyfile,    "path/to/certs/client/key.pem"},
                         {cacertfile, "path/to/certs/testca/cacert.pem"},
                         {password,   "changeme"}]}]}
    ].

The cowboy code comments describe the options:
https://github.com/rabbitmq/cowboy/blob/4b93c2d19a10e5d9cee207038103bb83f1ab9436/src/cowboy_ssl_transport.erl#L40

@jar349

commented Dec 12, 2013

Ya, we'll give this a spin in the next week or so and let you know how it goes.

@berico-rclayton @dretay @tenaciousjzh

@dretay

commented Jan 9, 2014

Is there a particular version of rabbitmq this was supposed to target?

I built this branch and activated the plugins into a rabbitmq 3.2.2 UNIX install:

    ./sbin/rabbitmq-server

                  RabbitMQ 3.2.2. Copyright (C) 2007-2013 GoPivotal, Inc.

I'm using erlang R16B03:

    erl -v
    Erlang R16B03 (erts-5.10.4) [source] [64-bit] [smp:8:8] [async-threads:10] [hipe] [kernel-poll:false]

I'm compiled with openssl 1.0.1f:

    openssl version
    OpenSSL 1.0.1f 6 Jan 2014

Here's my list of activated plugins:

    62$ ./sbin/rabbitmq-plugins list
    [e] amqp_client        0.0.0
    [e] cowboy             0.5.0-rmq0.0.0-git4b93c2d
    [ ] rabbit_common      0.0.0
    [E] rabbitmq_stomp     0.0.0
    [E] rabbitmq_web_stomp 0.0.0
    [e] sockjs             0.3.4-rmq0.0.0-git3132eb9

I used the following configuration:

    {rabbitmq_web_stomp,
        [{ssl_config, [{port,       15680},
                       {backlog,    1024},
                       {certfile,   "/etc/pki/rabbitmq/rabbit.pem"},
                       {keyfile,    "/etc/pki/rabbitmq/certs/rabbit-key.pem"},
                       {cacertfile, "/etc/pki/rabbitmq/cacert.pem"},
                       {password,   "#######"}
                      ]}
        ]},

But it appears that the server is not properly presenting certs:

    openssl s_client -connect rabbit:15680
    CONNECTED(00000003)
    140735205688160:error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown protocol:s23_clnt.c:787:
    ---
    no peer certificate available
    ---
    No client certificate CA names sent
    ---
    SSL handshake has read 7 bytes and written 320 bytes
    ---
    New, (NONE), Cipher is (NONE)
    Secure Renegotiation IS NOT supported
    Compression: NONE
    Expansion: NONE
    ---

These certificates worked correctly with the original SSL patch to stomp
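
As an added example (not part of the thread or of the plugin's code): a Python check that sends a real ClientHello to a listener and classifies the first raw bytes it returns, which separates a port that answers in plaintext from one that speaks TLS but fails the handshake. The function names are illustrative; the host and port in the demo are the ones from the `s_client` call above.

```python
import socket
import ssl

# TLS record content types (first byte of every TLS record).
RECORD_TYPES = {0x14: "change_cipher_spec", 0x15: "alert",
                0x16: "handshake", 0x17: "application_data"}

def classify_first_bytes(data: bytes) -> str:
    """Say what kind of peer produced the first bytes of its reply."""
    if not data:
        return "closed-without-reply"
    # Record header: type(1) | version major(1)=3 | minor(1) | length(2)
    if len(data) >= 5 and data[0] in RECORD_TYPES and data[1] == 3 and data[2] <= 4:
        length = int.from_bytes(data[3:5], "big")
        if 0 < length <= 2**14 + 2048:
            return "tls-" + RECORD_TYPES[data[0]]
    if data.startswith(b"HTTP/"):
        return "plaintext-http"
    return "not-tls"

def client_hello(server_name: str) -> bytes:
    """Let the ssl module build a real ClientHello without touching the network."""
    ctx = ssl.create_default_context()
    incoming, outgoing = ssl.MemoryBIO(), ssl.MemoryBIO()
    tls = ctx.wrap_bio(incoming, outgoing, server_hostname=server_name)
    try:
        tls.do_handshake()
    except ssl.SSLWantReadError:
        pass  # expected: the handshake is now waiting for the server's reply
    return outgoing.read()

def probe(sock: socket.socket, server_name: str, timeout: float = 5.0) -> str:
    """Send a ClientHello on a connected socket and classify the raw reply."""
    sock.settimeout(timeout)
    sock.sendall(client_hello(server_name))
    reply = b""
    try:
        while len(reply) < 5:
            chunk = sock.recv(16)
            if not chunk:
                break
            reply += chunk
    except socket.timeout:
        return "no-reply" if not reply else classify_first_bytes(reply)
    return classify_first_bytes(reply)

if __name__ == "__main__":
    # Host and port taken from the s_client call in the comment above.
    with socket.create_connection(("rabbit", 15680), timeout=5) as conn:
        print(probe(conn, "rabbit"))
```

A `tls-alert` result means the listener speaks TLS and rejected the hello (protocol version or cipher mismatch), while `plaintext-http` or `not-tls` means the port is not wrapped in TLS at all.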

@kekekeks

commented Feb 9, 2014

@dretay
It's a bug in Erlang. I had a similar issue and a downgrade to Erlang 1.15 solved it.

@michaelklishin

Member

commented Feb 9, 2014

@kekekeks 1.15 is not an Erlang or erts version. Do you mean one of the R15* releases? If so, which one exactly?

@kekekeks

commented Feb 9, 2014

http://packages.ubuntu.com/raring/erlang-nox - that one ( 1:15.b.1-dfsg-4ubuntu1 )

@carlhoerberg

commented Feb 11, 2014

Would be even better if the mgmt interface and web stomp could share the same port, so both could receive traffic at 443. Saw somewhere something like a mochiweb on cowboy adapter..

@kekekeks you probably want to tweak the accepted key exchange algos and ciphers, as erlang 16 supports ECDHE etc.. also, I think r16b03-1 (latest update) fixes a tls thing which causes problems for some tls clients..

@michaelklishin

Member

commented Mar 17, 2014

@dretay can you provide a way to reproduce the error you are seeing on rabbitmq-discuss?

We are ready to merge this but need to verify that there are no regressions.

@michaelklishin

Member

commented Mar 26, 2014

I'm going to close this as RabbitMQ does not use github PRs (github is a mirror) but this has been integrated and is undergoing QA.

@jar349

commented Mar 26, 2014

This is great news for us! Is it intended for the next release (3.2.5)?

@michaelklishin

Member

commented Mar 26, 2014

For 3.3.0 (there likely won't be 3.2.5).

@michaelklishin

Member

commented Mar 27, 2014

QA is done, main commit is 0d6cc81.

@dumbbell dumbbell modified the milestone: n/a Mar 24, 2015
