Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[HELP needed] [RabbitMQ 3.13.2, Erlang 26.2.4, opensslv3] STOMP, rabbit_auth_backend_http plugins are failing #8595

Closed
ssm6498 opened this issue Jun 19, 2024 · 35 comments
Closed

[HELP needed] [RabbitMQ 3.13.2, Erlang 26.2.4, opensslv3] STOMP, rabbit_auth_backend_http plugins are failing #8595

ssm6498 opened this issue Jun 19, 2024 · 35 comments
Assignees
@IngelaAndin
Labels
question team:PS Assigned to OTP team PS

Comments

@ssm6498
Copy link

ssm6498 commented Jun 19, 2024

Can any one please help, guid eme whats going wrong and how can i fix it.

I am using rabbitmq 3.13.2 and erlang 26.2.4 built with opensslv3.

I am getting below erros for connections and STOMP, rabbit_auth_backend_http plugins are logging failures:

2024-06-19 15:52:59.707901+05:30 [info] <0.695.0> accepting STOMP connection <0.695.0> (127.0.0.1:47302 -> 127.0.0.1:13777)
2024-06-19 15:52:59.708686+05:30 [warning] <0.695.0> AMQP 0-9-1 client call timeout was 70000 ms, is updated to a safe effective value of 130000 ms
2024-06-19 15:52:59.730803+05:30 [warning] <0.704.0> Description: "Failed to assert middlebox server message"
2024-06-19 15:52:59.730803+05:30 [warning] <0.704.0> Reason: [{missing,{change_cipher_spec,1}}]
2024-06-19 15:52:59.730803+05:30 [warning] <0.704.0>
2024-06-19 15:52:59.731075+05:30 [notice] <0.704.0> TLS client: In state hello_retry_middlebox_assert at ssl_gen_statem.erl:803 generated CLIENT ALERT: Fatal - Unexpected Message
2024-06-19 15:52:59.731075+05:30 [notice] <0.704.0> - {unexpected_msg,
2024-06-19 15:52:59.731075+05:30 [notice] <0.704.0> {internal,
2024-06-19 15:52:59.731075+05:30 [notice] <0.704.0> {server_hello,
2024-06-19 15:52:59.731075+05:30 [notice] <0.704.0> {3,3},
2024-06-19 15:52:59.731075+05:30 [notice] <0.704.0> <<189,34,79,32,65,39,124,139,5,165,81,231,179,101,60,216,220,
2024-06-19 15:52:59.731075+05:30 [notice] <0.704.0> 215,126,39,13,114,71,249,107,213,112,93,205,18,117,138>>,
2024-06-19 15:52:59.731075+05:30 [notice] <0.704.0> <<144,69,111,100,76,49,215,152,245,7,220,118,145,182,84,110,175,
2024-06-19 15:52:59.731075+05:30 [notice] <0.704.0> 51,233,92,173,248,136,61,106,199,176,87,93,191,170,38>>,
2024-06-19 15:52:59.731075+05:30 [notice] <0.704.0> <<19,1>>,
2024-06-19 15:52:59.731075+05:30 [notice] <0.704.0> 0,
2024-06-19 15:52:59.731075+05:30 [notice] <0.704.0> #{server_hello_selected_version =>
2024-06-19 15:52:59.731075+05:30 [notice] <0.704.0> {server_hello_selected_version,{3,4}},
2024-06-19 15:52:59.731075+05:30 [notice] <0.704.0> key_share =>
2024-06-19 15:52:59.731075+05:30 [notice] <0.704.0> {key_share_server_hello,
2024-06-19 15:52:59.731075+05:30 [notice] <0.704.0> {key_share_entry,secp256r1,
2024-06-19 15:52:59.731075+05:30 [notice] <0.704.0> <<4,52,84,3,100,51,88,0,55,31,87,65,78,113,59,
2024-06-19 15:52:59.731075+05:30 [notice] <0.704.0> 209,49,77,40,185,155,136,184,41,0,224,149,92,
2024-06-19 15:52:59.731075+05:30 [notice] <0.704.0> 136,75,17,175,24,70,120,19,74,12,161,247,119,
2024-06-19 15:52:59.731075+05:30 [notice] <0.704.0> 112,232,136,212,6,139,134,183,34,10,103,134,
2024-06-19 15:52:59.731075+05:30 [notice] <0.704.0> 57,115,255,11,81,55,111,193,47,69,132,113>>}},
2024-06-19 15:52:59.731075+05:30 [notice] <0.704.0> pre_shared_key => undefined}}}}
2024-06-19 15:52:59.748803+05:30 [warning] <0.709.0> Description: "Failed to assert middlebox server message"
2024-06-19 15:52:59.748803+05:30 [warning] <0.709.0> Reason: [{missing,{change_cipher_spec,1}}]
2024-06-19 15:52:59.748803+05:30 [warning] <0.709.0>
2024-06-19 15:52:59.749016+05:30 [notice] <0.709.0> TLS client: In state hello_retry_middlebox_assert at ssl_gen_statem.erl:803 generated CLIENT ALERT: Fatal - Unexpected Message
2024-06-19 15:52:59.749016+05:30 [notice] <0.709.0> - {unexpected_msg,
2024-06-19 15:52:59.749016+05:30 [notice] <0.709.0> {internal,
2024-06-19 15:52:59.749016+05:30 [notice] <0.709.0> {server_hello,
2024-06-19 15:52:59.749016+05:30 [notice] <0.709.0> {3,3},
2024-06-19 15:52:59.749016+05:30 [notice] <0.709.0> <<19,62,218,113,80,213,15,162,166,215,3,38,165,189,51,63,251,25,
2024-06-19 15:52:59.749016+05:30 [notice] <0.709.0> 132,4,109,106,174,250,203,21,128,19,87,144,5,128>>,
2024-06-19 15:52:59.749016+05:30 [notice] <0.709.0> <<76,134,214,137,45,161,80,61,56,48,233,177,162,41,247,215,4,97,
2024-06-19 15:52:59.749016+05:30 [notice] <0.709.0> 50,176,255,52,229,57,202,132,243,42,162,56,146,99>>,
2024-06-19 15:52:59.749016+05:30 [notice] <0.709.0> <<19,1>>,
2024-06-19 15:52:59.749016+05:30 [notice] <0.709.0> 0,
2024-06-19 15:52:59.749016+05:30 [notice] <0.709.0> #{server_hello_selected_version =>
2024-06-19 15:52:59.749016+05:30 [notice] <0.709.0> {server_hello_selected_version,{3,4}},
2024-06-19 15:52:59.749016+05:30 [notice] <0.709.0> key_share =>
2024-06-19 15:52:59.749016+05:30 [notice] <0.709.0> {key_share_server_hello,
2024-06-19 15:52:59.749016+05:30 [notice] <0.709.0> {key_share_entry,secp256r1,
2024-06-19 15:52:59.749016+05:30 [notice] <0.709.0> <<4,99,24,144,166,30,91,151,247,108,208,40,128,
2024-06-19 15:52:59.749016+05:30 [notice] <0.709.0> 214,165,132,163,115,81,56,192,127,176,133,250,
2024-06-19 15:52:59.749016+05:30 [notice] <0.709.0> 160,123,57,81,147,69,170,251,62,118,213,154,
2024-06-19 15:52:59.749016+05:30 [notice] <0.709.0> 73,186,18,21,200,222,88,70,101,47,239,154,17,
2024-06-19 15:52:59.749016+05:30 [notice] <0.709.0> 98,193,200,4,236,91,233,91,150,146,107,162,
2024-06-19 15:52:59.749016+05:30 [notice] <0.709.0> 222,64,157>>}},
2024-06-19 15:52:59.749016+05:30 [notice] <0.709.0> pre_shared_key => undefined}}}}
2024-06-19 15:52:59.750155+05:30 [warning] <0.695.0> STOMP login failed for user 'user': authentication failed
2024-06-19 15:52:59.750225+05:30 [error] <0.695.0> STOMP error frame sent:
2024-06-19 15:52:59.750225+05:30 [error] <0.695.0> Message: "Bad CONNECT"
2024-06-19 15:52:59.750225+05:30 [error] <0.695.0> Detail: "Access refused for user 'user'"
2024-06-19 15:52:59.750225+05:30 [error] <0.695.0> Server private detail: none
...
024-06-19 15:53:02.221607+05:30 [notice] <0.720.0> TLS client: In state hello_retry_middlebox_assert at ssl_gen_statem.erl:803 generated CLIENT ALERT: Fatal - Unexpected Message
2024-06-19 15:53:02.221607+05:30 [notice] <0.720.0> - {unexpected_msg,
2024-06-19 15:53:02.221607+05:30 [notice] <0.720.0> {internal,
2024-06-19 15:53:02.221607+05:30 [notice] <0.720.0> {server_hello,
2024-06-19 15:53:02.221607+05:30 [notice] <0.720.0> {3,3},
2024-06-19 15:53:02.221607+05:30 [notice] <0.720.0> <<18,46,179,140,86,49,79,60,199,127,85,75,217,17,198,115,210,60,
2024-06-19 15:53:02.221607+05:30 [notice] <0.720.0> 203,240,173,116,36,132,170,40,214,56,147,130,58,235>>,
2024-06-19 15:53:02.221607+05:30 [notice] <0.720.0> <<237,107,64,165,251,152,203,57,233,250,6,239,185,115,32,22,131,
2024-06-19 15:53:02.221607+05:30 [notice] <0.720.0> 30,46,79,23,248,38,123,155,120,154,19,197,3,246,162>>,
2024-06-19 15:53:02.221607+05:30 [notice] <0.720.0> <<19,1>>,
2024-06-19 15:53:02.221607+05:30 [notice] <0.720.0> 0,
2024-06-19 15:53:02.221607+05:30 [notice] <0.720.0> #{server_hello_selected_version =>
2024-06-19 15:53:02.221607+05:30 [notice] <0.720.0> {server_hello_selected_version,{3,4}},
2024-06-19 15:53:02.221607+05:30 [notice] <0.720.0> key_share =>
2024-06-19 15:53:02.221607+05:30 [notice] <0.720.0> {key_share_server_hello,
2024-06-19 15:53:02.221607+05:30 [notice] <0.720.0> {key_share_entry,secp256r1,
2024-06-19 15:53:02.221607+05:30 [notice] <0.720.0> <<4,108,49,1,8,238,21,193,244,212,252,195,195,
2024-06-19 15:53:02.221607+05:30 [notice] <0.720.0> 127,66,186,130,190,14,226,52,171,238,83,84,
2024-06-19 15:53:02.221607+05:30 [notice] <0.720.0> 211,214,131,247,84,33,215,186,147,143,161,89,
2024-06-19 15:53:02.221607+05:30 [notice] <0.720.0> 160,147,74,164,234,219,34,117,24,225,224,239,
2024-06-19 15:53:02.221607+05:30 [notice] <0.720.0> 10,230,125,176,110,147,243,178,194,180,203,
2024-06-19 15:53:02.221607+05:30 [notice] <0.720.0> 121,84,54,98,162>>}},
2024-06-19 15:53:02.221607+05:30 [notice] <0.720.0> pre_shared_key => undefined}}}}
2024-06-19 15:53:02.248266+05:30 [warning] <0.725.0> Description: "Failed to assert middlebox server message"
2024-06-19 15:53:02.248266+05:30 [warning] <0.725.0> Reason: [{missing,{change_cipher_spec,1}}]
2024-06-19 15:53:02.248266+05:30 [warning] <0.725.0>
2024-06-19 15:53:02.248876+05:30 [notice] <0.725.0> TLS client: In state hello_retry_middlebox_assert at ssl_gen_statem.erl:803 generated CLIENT ALERT: Fatal - Unexpected Message
2024-06-19 15:53:02.248876+05:30 [notice] <0.725.0> - {unexpected_msg,
2024-06-19 15:53:02.248876+05:30 [notice] <0.725.0> {internal,
2024-06-19 15:53:02.248876+05:30 [notice] <0.725.0> {server_hello,
2024-06-19 15:53:02.248876+05:30 [notice] <0.725.0> {3,3},
2024-06-19 15:53:02.248876+05:30 [notice] <0.725.0> <<253,1,67,246,248,124,110,44,60,149,189,219,103,19,20,7,105,
2024-06-19 15:53:02.248876+05:30 [notice] <0.725.0> 165,90,203,74,220,22,13,6,249,251,11,161,162,55,134>>,
2024-06-19 15:53:02.248876+05:30 [notice] <0.725.0> <<201,36,234,29,154,249,39,172,216,54,65,13,57,219,155,37,71,
2024-06-19 15:53:02.248876+05:30 [notice] <0.725.0> 255,137,142,55,100,65,15,108,110,163,113,28,228,233,32>>,
2024-06-19 15:53:02.248876+05:30 [notice] <0.725.0> <<19,1>>,
2024-06-19 15:53:02.248876+05:30 [notice] <0.725.0> 0,
2024-06-19 15:53:02.248876+05:30 [notice] <0.725.0> #{server_hello_selected_version =>
2024-06-19 15:53:02.248876+05:30 [notice] <0.725.0> {server_hello_selected_version,{3,4}},
2024-06-19 15:53:02.248876+05:30 [notice] <0.725.0> key_share =>
2024-06-19 15:53:02.248876+05:30 [notice] <0.725.0> {key_share_server_hello,
2024-06-19 15:53:02.248876+05:30 [notice] <0.725.0> {key_share_entry,secp256r1,
2024-06-19 15:53:02.248876+05:30 [notice] <0.725.0> <<4,78,203,135,153,247,150,225,13,48,32,190,128,
2024-06-19 15:53:02.248876+05:30 [notice] <0.725.0> 253,252,140,222,232,111,209,193,115,94,40,197,
2024-06-19 15:53:02.248876+05:30 [notice] <0.725.0> 131,76,159,41,202,18,253,75,219,36,158,245,
2024-06-19 15:53:02.248876+05:30 [notice] <0.725.0> 144,37,8,111,211,26,17,27,177,246,151,11,79,
2024-06-19 15:53:02.248876+05:30 [notice] <0.725.0> 242,119,12,46,172,194,174,187,105,60,112,92,
2024-06-19 15:53:02.248876+05:30 [notice] <0.725.0> 87,84,217>>}},
2024-06-19 15:53:02.248876+05:30 [notice] <0.725.0> pre_shared_key => undefined}}}}
2024-06-19 15:53:02.252532+05:30 [error] <0.715.0> Error on AMQP connection <0.715.0> (:49959 -> :13781, state: starting):
2024-06-19 15:53:02.252532+05:30 [error] <0.715.0> PLAIN login refused: rabbit_auth_backend_http failed authenticating 1718869588636_5dc46b3b-2e4d-44e4-a05f-2516466b5aff: {failed_connect,
2024-06-19 15:53:02.252532+05:30 [error] <0.715.0> [{to_address,
2024-06-19 15:53:02.252532+05:30 [error] <0.715.0> {"",
2024-06-19 15:53:02.252532+05:30 [error] <0.715.0> 1556}},
2024-06-19 15:53:02.252532+05:30 [error] <0.715.0> {inet,
2024-06-19 15:53:02.252532+05:30 [error] <0.715.0> [inet],
2024-06-19 15:53:02.252532+05:30 [error] <0.715.0> {tls_alert,
2024-06-19 15:53:02.252532+05:30 [error] <0.715.0> {unexpected_message,
2024-06-19 15:53:02.252532+05:30 [error] <0.715.0> "TLS client: In state hello_retry_middlebox_assert at ssl_gen_statem.erl:803 generated CLIENT ALERT: Fatal - Unexpected Message\n {unexpected_msg,\n {internal,\n {server_hello,\n {3,3},\n <<253,1,67,246,248,124,110,44,60,149,189,219,...>>,\n <<201,36,234,29,154,249,39,172,216,54,65,...>>,\n <<19,1>>,\n 0,\n #{server_hello_selected_version =>\n {server_hello_selected_version,{3,4}},\n key_share =>\n {key_share_server_hello,\n {key_share_entry,secp256r1,<<4,78,...>>}},\n pre_shared_key => undefined}}}}"}}}]}
2024-06-19 15:53:02.253549+05:30 [info] <0.715.0> closing AMQP connection <0.715.0> (:49959 -> :13781)
@IngelaAndin
Copy link
Contributor

Well the problem is that the server you are connecting to is not adhering to the spec on how middlebox mode should behave.
Probably the easiest fix is to disable middle-box mode as you probably do not need it anyway. You can do this by
giving the option {middlebox_comp_mode, false} . The intent with it being on by default was to allow more out of the box compatibility but in reality I think that there are more flaky TLS-1.3 implementations then middleboxes causing problems. We are considering some kind of relaxed middle-box mode but we do feel that we want to adhere to the specification by default.

@IngelaAndin IngelaAndin self-assigned this Jun 19, 2024
@IngelaAndin IngelaAndin added the team:PS Assigned to OTP team PS label Jun 19, 2024
@ssm6498
Copy link
Author

ssm6498 commented Jun 20, 2024

Well the problem is that the server you are connecting to is not adhering to the spec on how middlebox mode should behave. Probably the easiest fix is to disable middle-box mode as you probably do not need it anyway. You can do this by giving the option {middlebox_comp_mode, false} . The intent with it being on by default was to allow more out of the box compatibility but in reality I think that there are more flaky TLS-1.3 implementations then middleboxes causing problems. We are considering some kind of relaxed middle-box mode but we do feel that we want to adhere to the specification by default.

Thanks,
I am checking that, And am I suppose to add option under any specific section?

@ssm6498
Copy link
Author

ssm6498 commented Jun 20, 2024

Can you please share the exact location, I have added it in
{rabbitmq_auth_backend_http,
[{http_method, post},
{user_path, "some value"},
{vhost_path, "some value"},
{resource_path, "some value"},
{topic_path, "some value"},
{ssl_options, [{cacertfile, "some value"},
{verify, verify_peer},
%%{server_name_indication, "some value"},
{depth, 5},
{middlebox_comp_mode, false}]},
{middlebox_comp_mode, false}
]},

But its still giving me errors for both the plugins

@IngelaAndin
Copy link
Contributor

It is a ssl_option to be set on the client.

@ssm6498
Copy link
Author

ssm6498 commented Jun 21, 2024

It is a ssl_option to be set on the client.

okay, i tried to give it in each existing sections' ssl_option, but didnt work, trying again. Thanks, I will kepe you updated with result

@IngelaAndin
Copy link
Contributor

You could try verifying your options in an erlang shell calling ssl:connect/3 first and then supply them via appropriate Rabbit configuration.

@ssm6498
Copy link
Author

ssm6498 commented Jun 21, 2024
edited
Loading

Just to make a note, this issue arising only if I am disbaling FIPS. If I am enabling FIPS. This issue is not getting reproduced.

@ssm6498
Copy link
Author

ssm6498 commented Jun 21, 2024

You could try verifying your options in an erlang shell calling ssl:connect/3 first and then supply them via appropriate Rabbit configuration.

May be its working, I will try more do more testing and will update this ticket

@ssm6498
Copy link
Author

ssm6498 commented Jun 27, 2024

The issue is fixed.
Thanks IngelaAndin for providing the solution.

@ssm6498 ssm6498 closed this as completed Jun 27, 2024
@ssm6498
Copy link
Author

ssm6498 commented Jul 1, 2024

With fips enbaled its not working, may be I have not done proper testing earlier.

@ssm6498 ssm6498 reopened this Jul 1, 2024
@ssm6498
Copy link
Author

ssm6498 commented Jul 2, 2024
edited
Loading

How to and where to set middlebox_comp_mode option as false (at a client ) its not working for me in FIPS enabled mode

@ssm6498
Copy link
Author

ssm6498 commented Jul 3, 2024

Hi @IngelaAndin

as I am not able to set middlebox_comp_mode as false i tried to move to tls1.3 only. BUt still getting erros as insuffisient_crypto
ive value of 130000 ms
2024-07-03 12:52:06.345470+05:30 [warning] <0.729.0> STOMP login failed for user 'nbadmin': authentication failed
2024-07-03 12:52:06.345554+05:30 [error] <0.729.0> STOMP error frame sent:
2024-07-03 12:52:06.345554+05:30 [error] <0.729.0> Message: "Bad CONNECT"
2024-07-03 12:52:06.345554+05:30 [error] <0.729.0> Detail: "Access refused for user 'nbadmin'"
2024-07-03 12:52:06.345554+05:30 [error] <0.729.0> Server private detail: none
2024-07-03 12:52:11.356145+05:30 [warning] <0.740.0> HTTP access denied: rabbit_auth_backend_http failed authenticating nbadmin: {failed_connect,
2024-07-03 12:52:11.356145+05:30 [warning] <0.740.0> [{to_address,
2024-07-03 12:52:11.356145+05:30 [warning] <0.740.0> {"<>",
2024-07-03 12:52:11.356145+05:30 [warning] <0.740.0> 1556}},
2024-07-03 12:52:11.356145+05:30 [warning] <0.740.0> {inet,
2024-07-03 12:52:11.356145+05:30 [warning] <0.740.0> [inet],
2024-07-03 12:52:11.356145+05:30 [warning] <0.740.0> {options,
2024-07-03 12:52:11.356145+05:30 [warning] <0.740.0> {insufficient_crypto_support,
2024-07-03 12:52:11.356145+05:30 [warning] <0.740.0> {'tlsv1.3',
2024-07-03 12:52:11.356145+05:30 [warning] <0.740.0> {versions,
2024-07-03 12:52:11.356145+05:30 [warning] <0.740.0> ['tlsv1.3']}}}}}]}
2024-07-03 12:52:16.304237+05:30 [warning] <0.729.0> STOMP connection 127.0.0.1:55602 -> 127.0.0.1:13777 terminated with reason {shutdown,
2024-07-03 12:52:16.304237+05:30 [warning] <0.729.0> login_timeout}, closing it

@ssm6498
Copy link
Author

ssm6498 commented Jul 3, 2024

@IngelaAndin output of crypto:supports(). :
3> crypto:supports().
[{hashs,[blake2s,blake2b,shake256,shake128,sha3_512,
sha3_384,sha3_256,sha3_224,sha512,sha384,sha256,sha224,sha,
ripemd160,md5]},
{ciphers,[chacha20,aes_256_ofb,aes_192_ofb,aes_128_ofb,
des_ede3_cfb,aes_128_cbc,aes_192_cbc,aes_256_cbc,
aes_128_cfb128,aes_192_cfb128,aes_256_cfb128,aes_128_cfb8,
aes_192_cfb8,aes_256_cfb8,aes_128_ecb,aes_192_ecb,
aes_256_ecb,chacha20_poly1305,aes_256_gcm,aes_256_ccm,
aes_192_gcm,aes_192_ccm,aes_128_gcm,aes_128_ccm,
aes_256_ctr|...]},
{public_keys,[rsa,dss,dh,ec_gf2m,ecdsa,ecdh,eddsa,eddh,srp]},
{macs,[cmac,hmac,poly1305]},
{curves,[secp160k1,secp160r1,secp160r2,secp192k1,secp224k1,
secp224r1,secp256k1,secp384r1,secp521r1,secp192r1,
prime192v1,prime192v2,prime192v3,prime239v1,prime239v2,
prime239v3,secp256r1,prime256v1,wtls7,wtls9,wtls12,
brainpoolP160r1|...]},
{rsa_opts,[rsa_pkcs1_pss_padding,rsa_pss_saltlen,
rsa_mgf1_md,rsa_pkcs1_oaep_padding,rsa_oaep_label,
rsa_oaep_md,signature_md,rsa_pkcs1_padding,rsa_x931_padding,
rsa_no_padding]}]

@ssm6498
Copy link
Author

ssm6498 commented Jul 3, 2024
edited
Loading

@IngelaAndin Can you please help, as i can all ciphers, hashes, curves, rsa_opts required by tls1.3 are listed in supports() ouput.
From where insufficient_crypto_support error is getting thrown and why?
What should I check?

@IngelaAndin
Copy link
Contributor

It is probably not working with FIPS, as FIPS does not allow an algorithm that is checked for when checking for TLS-1.3 support. I have made a change for that to only check the minimum requirement for TLS-1.3 and then it should work also with FIPS. This fix is only present on maint and master as it is vacation time and the patch has not been built yet. And actually you only got this answer now as it is raining.

@ssm6498
Copy link
Author

ssm6498 commented Jul 4, 2024
edited
Loading

middlebox_comp_mode
@IngelaAndin
As the fix is not yet released, can you guide on disabling middlebox_comp_mode
Sorry but i didnt get where to ste this, as its not working for me when i set this in confg file in ssl_options section.
Can you please share input on this also?

@ssm6498
Copy link
Author

ssm6498 commented Jul 5, 2024

@IngelaAndin
i wnat to add more points:
Issues faced when FIPS is disabled:
with a regular configuration it gives error for middle box
attaching log file, summary:
2024-07-05 16:10:29.018761+05:30 [notice] <0.146243.0> TLS client: In state hello_retry_middlebox_assert at ssl_gen_statem.erl:803 generated CLIENT ALERT: Fatal - Unexpected Message
...
2024-07-05 16:10:29.018552+05:30 [warning] <0.146243.0> Description: "Failed to assert middlebox server message"
2024-07-05 16:10:29.018552+05:30 [warning] <0.146243.0> Reason: [{missing,{change_cipher_spec,1}}]

solution applied now : set {middlebox_comp_mode, false} for http auth plugin and stomp plugin and eerything worked fine.

Hence please note setting {middlebox_comp_mode, false} is worked when fips is disabled.

Issues faced when FIPS is Enabled:
rabbit_auth_backend_http and STOMP are failing with error even if middlebox_comp_mode, false} is set (carried previous settings):

2024-07-05 16:50:48.880197+05:30 [error]<0.734.0> {inet,
2024-07-05 16:50:48.880197+05:30 [error]<0.734.0> [inet],
2024-07-05 16:50:48.880197+05:30 [error]<0.734.0> {options,
2024-07-05 16:50:48.880197+05:30 [error]<0.734.0> incompatible,
2024-07-05 16:50:48.880197+05:30 [error] <0.734.0>[middlebox_comp_mode,
2024-07-05 16:50:48.880197+05:30 [error] <0.734.0> {versions,
2024-07-05 16:50:48.880197+05:30 [error] <0.734.0> ['tlsv1.2']}]}}]}

if we explicitly make it as tls1.3 then we are getting error as :
[inet],
2024-07-05 17:02:31.795051+05:30 [error] <0.730.0> {options,
2024-07-05 17:02:31.795051+05:30 [error] <0.730.0> {insufficient_crypto_support,
2024-07-05 17:02:31.795051+05:30 [error] <0.730.0> {'tlsv1.3',
2024-07-05 17:02:31.795051+05:30 [error] <0.730.0> {versions,
2024-07-05 17:02:31.795051+05:30 [error] <0.730.0> ['tlsv1.3']}}}}}]}
on which we already hd discussion (your previous reply)

But with fips enabled if we dont set {middlebox_comp_mode, false} everything is working fine

@ssm6498
Copy link
Author

ssm6498 commented Jul 5, 2024
edited
Loading

To summaries
With FIPS disbaled i.e. {crypto, [{fips_mode, false}]}:
we are getting issues of middlebox
2024-07-05 16:10:29.018761+05:30 [notice] <0.146243.0> TLS client: In state hello_retry_middlebox_assert at ssl_gen_statem.erl:803 generated CLIENT ALERT: Fatal - Unexpected Message
...
2024-07-05 16:10:29.018552+05:30 [warning] <0.146243.0> Description: "Failed to assert middlebox server message"
2024-07-05 16:10:29.018552+05:30 [warning] <0.146243.0> Reason: [{missing,{change_cipher_spec,1}}]
...

if we disable middlebox with it starts working

=========================

with FIPS enabled i.e. {crypto, [{fips_mode, true}]}
its working fine if we dont dsable middlebox, its giving issue when we disable thr middlebox

@IngelaAndin any other solution for fips disabled mode?

@ssm6498
Copy link
Author

ssm6498 commented Jul 19, 2024

@IngelaAndin
wanted to chcek whether this is the same error with tlsv1.3:

2024-07-19 15:35:27.469785+05:30 [error] <0.653.0> crasher:
2024-07-19 15:35:27.469785+05:30 [error] <0.653.0> initial call: supervisor:ranch_acceptors_sup/1
2024-07-19 15:35:27.469785+05:30 [error] <0.653.0> pid: <0.653.0>
2024-07-19 15:35:27.469785+05:30 [error] <0.653.0> registered_name: []
2024-07-19 15:35:27.469785+05:30 [error] <0.653.0> exception error: bad argument
2024-07-19 15:35:27.469785+05:30 [error] <0.653.0> in function atom_to_binary/1
2024-07-19 15:35:27.469785+05:30 [error] <0.653.0> called as atom_to_binary({options,
2024-07-19 15:35:27.469785+05:30 [error] <0.653.0> {insufficient_crypto_support,
2024-07-19 15:35:27.469785+05:30 [error] <0.653.0> {'tlsv1.3',{versions,['tlsv1.3']}}}})
2024-07-19 15:35:27.469785+05:30 [error] <0.653.0> *** argument 1: not an atom
2024-07-19 15:35:27.469785+05:30 [error] <0.653.0> in call from erl_posix_msg:message_1/1 (erl_posix_msg.erl, line 175)
2024-07-19 15:35:27.469785+05:30 [error] <0.653.0> in call from erl_posix_msg:message/1 (erl_posix_msg.erl, line 29)
2024-07-19 15:35:27.469785+05:30 [error] <0.653.0> in call from ranch_acceptors_sup:listen_error/5 (src/ranch_acceptors_sup.erl, line 95)
2024-07-19 15:35:27.469785+05:30 [error] <0.653.0> in call from ranch_acceptors_sup:start_listen_sockets/5 (src/ranch_acceptors_sup.erl, line 54)
2024-07-19 15:35:27.469785+05:30 [error] <0.653.0> in call from ranch_acceptors_sup:init/1 (src/ranch_acceptors_sup.erl, line 34)
2024-07-19 15:35:27.469785+05:30 [error] <0.653.0> in call from supervisor:init/1 (supervisor.erl, line 330)
2024-07-19 15:35:27.469785+05:30 [error] <0.653.0> in call from gen_server:init_it/2 (gen_server.erl, line 980)
2024-07-19 15:35:27.469785+05:30 [error] <0.653.0> ancestors: [<0.641.0>,<0.639.0>,rabbit_web_dispatch_sup,<0.581.0>]
...

2024-07-19 15:35:27.469785+05:30 [error] <0.653.0> neighbours:
2024-07-19 15:35:27.469785+05:30 [error] <0.653.0>
2024-07-19 15:35:27.470753+05:30 [error] <0.641.0> supervisor: {<0.641.0>,ranch_listener_sup}
2024-07-19 15:35:27.470753+05:30 [error] <0.641.0> errorContext: start_error
2024-07-19 15:35:27.470753+05:30 [error] <0.641.0> reason: {badarg,
2024-07-19 15:35:27.470753+05:30 [error] <0.641.0> [{erlang,atom_to_binary,
2024-07-19 15:35:27.470753+05:30 [error] <0.641.0> [{options,
2024-07-19 15:35:27.470753+05:30 [error] <0.641.0> {insufficient_crypto_support,
2024-07-19 15:35:27.470753+05:30 [error] <0.641.0> {'tlsv1.3',{versions,['tlsv1.3']}}}}],
2024-07-19 15:35:27.470753+05:30 [error] <0.641.0> [{error_info,#{module => erl_erts_errors}}]},
2024-07-19 15:35:27.470753+05:30 [error] <0.641.0> {erl_posix_msg,message_1,1,
2024-07-19 15:35:27.470753+05:30 [error] <0.641.0> [{file,"erl_posix_msg.erl"},{line,175}]},
2024-07-19 15:35:27.470753+05:30 [error] <0.641.0> {erl_posix_msg,message,1,
2024-07-19 15:35:27.470753+05:30 [error] <0.641.0> [{file,"erl_posix_msg.erl"},{line,29}]},
2024-07-19 15:35:27.470753+05:30 [error] <0.641.0> {ranch_acceptors_sup,listen_error,5,
2024-07-19 15:35:27.470753+05:30 [error] <0.641.0> [{file,"src/ranch_acceptors_sup.erl"},{line,95}]},
2024-07-19 15:35:27.470753+05:30 [error] <0.641.0> {ranch_acceptors_sup,start_listen_sockets,5,
2024-07-19 15:35:27.470753+05:30 [error] <0.641.0> [{file,"src/ranch_acceptors_sup.erl"},{line,54}]},
2024-07-19 15:35:27.470753+05:30 [error] <0.641.0> {ranch_acceptors_sup,init,1,
2024-07-19 15:35:27.470753+05:30 [error] <0.641.0> [{file,"src/ranch_acceptors_sup.erl"},{line,34}]},
2024-07-19 15:35:27.470753+05:30 [error] <0.641.0> {supervisor,init,1,[{file,"supervisor.erl"},{line,330}]},
2024-07-19 15:35:27.470753+05:30 [error] <0.641.0> {gen_server,init_it,2,[{file,"gen_server.erl"},{line,980}]}]}

@ssm6498
Copy link
Author

ssm6498 commented Jul 19, 2024

more on that:

2024-07-19 15:35:27.471383+05:30 [error] <0.639.0> errorContext: start_error
2024-07-19 15:35:27.471383+05:30 [error] <0.639.0> reason: {shutdown,
2024-07-19 15:35:27.471383+05:30 [error] <0.639.0> {failed_to_start_child,ranch_acceptors_sup,
2024-07-19 15:35:27.471383+05:30 [error] <0.639.0> {badarg,
2024-07-19 15:35:27.471383+05:30 [error] <0.639.0> [{erlang,atom_to_binary,
2024-07-19 15:35:27.471383+05:30 [error] <0.639.0> [{options,
2024-07-19 15:35:27.471383+05:30 [error] <0.639.0> {insufficient_crypto_support,
2024-07-19 15:35:27.471383+05:30 [error] <0.639.0> {'tlsv1.3',{versions,['tlsv1.3']}}}}],
2024-07-19 15:35:27.471383+05:30 [error] <0.639.0> [{error_info,#{module => erl_erts_errors}}]},
2024-07-19 15:35:27.471383+05:30 [error] <0.639.0> {erl_posix_msg,message_1,1,
2024-07-19 15:35:27.471383+05:30 [error] <0.639.0> [{file,"erl_posix_msg.erl"},{line,175}]},
2024-07-19 15:35:27.471383+05:30 [error] <0.639.0> {erl_posix_msg,message,1,
2024-07-19 15:35:27.471383+05:30 [error] <0.639.0> [{file,"erl_posix_msg.erl"},{line,29}]},
2024-07-19 15:35:27.471383+05:30 [error] <0.639.0> {ranch_acceptors_sup,listen_error,5,
2024-07-19 15:35:27.471383+05:30 [error] <0.639.0> [{file,"src/ranch_acceptors_sup.erl"},{line,95}]},
2024-07-19 15:35:27.471383+05:30 [error] <0.639.0> {ranch_acceptors_sup,start_listen_sockets,5,
2024-07-19 15:35:27.471383+05:30 [error] <0.639.0> [{file,"src/ranch_acceptors_sup.erl"},{line,54}]},
2024-07-19 15:35:27.471383+05:30 [error] <0.639.0> {ranch_acceptors_sup,init,1,
2024-07-19 15:35:27.471383+05:30 [error] <0.639.0> [{file,"src/ranch_acceptors_sup.erl"},{line,34}]},
2024-07-19 15:35:27.471383+05:30 [error] <0.639.0> {supervisor,init,1,
2024-07-19 15:35:27.471383+05:30 [error] <0.639.0> [{file,"supervisor.erl"},{line,330}]},
2024-07-19 15:35:27.471383+05:30 [error] <0.639.0> {gen_server,init_it,2,
2024-07-19 15:35:27.471383+05:30 [error] <0.639.0> [{file,"gen_server.erl"},{line,980}]}]}}}

@ssm6498
Copy link
Author

ssm6498 commented Jul 19, 2024

Is it same error for tls1.3 or its something different? do we have any solution for this?

@IngelaAndin
Copy link
Contributor

The crypto support check looks the same and should be fixed in 27.0.1

@ssm6498
Copy link
Author

ssm6498 commented Jul 19, 2024 via email

@IngelaAndin
Copy link
Contributor

IngelaAndin commented Aug 5, 2024
edited
Loading

@ssm6498 The OTP team does not support rabbitmq, that you will have to take up with them.
FYI the crypto support minimum check was also releases in OTP-26.2.5.1

The middlebox_comp_mode option is a TLS-1.3 option only, so you can not set it on a connection explicitly configured to not be able to run TLS-1.3.

@ssm6498
Copy link
Author

ssm6498 commented Aug 6, 2024
edited
Loading

Thanks @IngelaAndin . And please forgive me for iterating it again and againa nd kindly ignore my lack of communication.

But I wantto be sure about the current status.
Can you please confirm this:
Currently I am using OTP-26.2.5 and rabbitm 3.13.2
With this combination I am not able to use tls1.3.
If I set configuration to use tls1.3 explicitly its giving me error as :
2024-07-05 17:02:31.795051+05:30 [error] <0.730.0> {options,
2024-07-05 17:02:31.795051+05:30 [error] <0.730.0> {insufficient_crypto_support,
2024-07-05 17:02:31.795051+05:30 [error] <0.730.0> {'tlsv1.3',
2024-07-05 17:02:31.795051+05:30 [error] <0.730.0> {versions,
2024-07-05 17:02:31.795051+05:30 [error] <0.730.0> ['tlsv1.3']}}}}}]}

where as I have all support for tls1.3 in my crypto library.

With reference to you reply #8595 (comment)
To use tls1.3 (ofcourse with FIPS) what is your suggestion? In which OTP version above issue will get fix? what configuration change is required and what build is needed.
@IngelaAndin appologies for reiterating the same question, but I think I am getting lost somewhere in communication.

@IngelaAndin
Copy link
Contributor

In OTP-26.2.5.1 you should be able to run TLS-1.3 with FIPS, the reason you can not pre that version is that the crypto support check for TLS-1.3 incorrectly checked for an TLS-1.3 supported algorithm that is not supported by FIPS, but is be part of standard OpenSSL cryptolib. The algorithm is not part of the minimum requirement to be able to run TLS-1.3 although it is quit commonly supported by TLS-1.3. So you need to upgrade you OTP version to OTP-26.2.5.1 if you need to run FIPS.

@ssm6498
Copy link
Author

ssm6498 commented Aug 6, 2024

Also
for FIPS disabled communication I am setting {middlebox_comp_mode, false}
And when FIPS is enabled I am not setting anything explicitly for middlebox_comp_mode
Currently not enforcing specific tls version for communication just making sure its using tls version greater than equal to tlsv1.2

@ssm6498
Copy link
Author

ssm6498 commented Aug 6, 2024

In OTP-26.2.5.1 you should be able to run TLS-1.3 with FIPS, the reason you can not pre that version is that the crypto support check for TLS-1.3 incorrectly checked for an TLS-1.3 supported algorithm that is not supported by FIPS, but is be part of standard OpenSSL cryptolib. The algorithm is not part of the minimum requirement to be able to run TLS-1.3 although it is quit commonly supported by TLS-1.3. So you need to upgrade you OTP version to OTP-26.2.5.1 if you need to run FIPS.

I will try this

@ssm6498
Copy link
Author

ssm6498 commented Aug 6, 2024

Also for FIPS disabled communication I am setting {middlebox_comp_mode, false} And when FIPS is enabled I am not setting anything explicitly for middlebox_comp_mode Currently not enforcing specific tls version for communication just making sure its using tls version greater than equal to tlsv1.2

@IngelaAndin Am I doing it in correctway with version 26.2.5?

@ssm6498
Copy link
Author

ssm6498 commented Aug 6, 2024
edited
Loading

Also for FIPS disabled communication I am setting {middlebox_comp_mode, false} And when FIPS is enabled I am not setting anything explicitly for middlebox_comp_mode Currently not enforcing specific tls version for communication just making sure its using tls version greater than equal to tlsv1.2

will it be possible to share the commit for this? As I am not able to find this

@IngelaAndin
Copy link
Contributor

3feda33 fixes the crypto support check.

@IngelaAndin
Copy link
Contributor

I do not think middlebox_comp_mode problems are actually related to FIPS. You might just have got different symptoms because of different code paths.

Using TLS-1.2 or grater is default.

{middlebox_comp_mode, false} gets rid of the problem:

2024-06-19 15:52:59.748803+05:30 [warning] <0.709.0> Description: "Failed to assert middlebox server message"
2024-06-19 15:52:59.748803+05:30 [warning] <0.709.0> Reason: [{missing,{change_cipher_spec,1}}]

@ssm6498
Copy link
Author

ssm6498 commented Aug 6, 2024 via email

@IngelaAndin
Copy link
Contributor

OTP-26.2.5 with enabled FIPS will not work with TLS-1.3 (which is not the same as it will not work with TLS-1.3).
When a bug is fixed the version number will always be bumped, so you need to upgrade to OTP-26.2.5.1 to run with FIPS and TLS-1.3. I think we sorted your questions out now.

@ssm6498
Copy link
Author

ssm6498 commented Aug 6, 2024 via email

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@IngelaAndin IngelaAndin

Labels
question team:PS Assigned to OTP team PS
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@IngelaAndin @ssm6498