unable to connect to secured install on trusty from xenial client

Bug #1625044 reported by James Page
This bug affects 4 people
Affects                   Status     Importance  Assigned to  Milestone
rabbitmq-server (Ubuntu)  Confirmed  Undecided   Unassigned

Bug Description

This was detected after we switched the hosts used for openstack charm amulet tests from trusty->xenial.

The rabbitmq-server charms exercise messaging from the test client; this includes validating SSL functionality and configuration. Prior to the switch, trusty clients (using pika) could quite happily validate SSL for all rabbitmq-server ubuntu targets (through to xenial/yakkety).

With the switch to xenial, the connections get reset when SSL is enabled, early in the TLS setup lifecycle; this is reproducible outside of pika using the openssl client directly:

  openssl s_client -connect 10.5.18.72:5671 -tls1 -state -debug

I also (on the advice of the security team) ran the http://testssl.sh script against RabbitMQ - with Xenial or Yakkety hosts, it all looks OK, but against a Trusty host, the SSL/TLS connections never actually establish correctly. Again from a trusty client, testssl.sh runs OK.

I suspect that this is something to do with the Erlang version in trusty (16.b3) vs xenial (>= 18):

  https://www.rabbitmq.com/which-erlang.html

The RabbitMQ website indicates that 17.0 is required to use TLS/SSL reliably (smells like a root cause to me).

ProblemType: Bug
DistroRelease: Ubuntu 14.04
Package: rabbitmq-server 3.2.4-1
ProcVersionSignature: Ubuntu 4.4.0-9136.55-generic 4.4.16
Uname: Linux 4.4.0-9136-generic x86_64
ApportVersion: 2.14.1-0ubuntu3.21
Architecture: amd64
Date: Mon Sep 19 08:12:27 2016
PackageArchitecture: all
SourcePackage: rabbitmq-server
UpgradeStatus: No upgrade log present (probably fresh install)
modified.conffile..etc.default.rabbitmq.server:
 # Generated by juju
 # bump ulimit so rabbit can support lots of connections
 ulimit -n 65536
mtime.conffile..etc.default.rabbitmq.server: 2016-09-17T09:03:36.894989

James Page (james-page) wrote :

To be clear:

  trusty client -> [trusty|xenial|yakkety] host : OK
  xenial client -> trusty host: FAIL
  xenial client -> [xenial|yakkety] host : OK
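
To fill in the client/host matrix above without pika, the `openssl s_client -tls1` check from the description can be scripted per protocol version. The following is an added example, not code from the report or from RabbitMQ; `probe`, `survey`, `reset_listener` and the outcome labels are names made up here, and it goes slightly beyond the report by also pinning TLS 1.1 and 1.2. Certificate verification is switched off because the probe only asks whether the handshake completes.

```python
import socket
import ssl
import struct
import threading

# One protocol version per attempt, like re-running s_client with -tls1, -tls1_1, ...
VERSIONS = {"TLSv1": ssl.TLSVersion.TLSv1, "TLSv1.1": ssl.TLSVersion.TLSv1_1,
            "TLSv1.2": ssl.TLSVersion.TLSv1_2}

def probe(host, port, version, timeout=5.0):
    """Try one handshake pinned to `version`; return (outcome, detail)."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False       # diagnostic only: this checks whether the
    ctx.verify_mode = ssl.CERT_NONE  # handshake completes, not whom to trust
    try:
        ctx.minimum_version = ctx.maximum_version = version
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                return "ok", "%s %s" % (tls.version(), tls.cipher()[0])
    except ValueError as exc:
        return "unsupported-locally", str(exc)      # local OpenSSL lacks this version
    except ConnectionRefusedError as exc:
        return "refused", str(exc)
    except (ConnectionResetError, BrokenPipeError, ssl.SSLEOFError) as exc:
        return "reset-during-handshake", str(exc)   # the symptom in this report
    except ssl.SSLError as exc:
        return "tls-error", str(exc)                # alert, or version disabled locally
    except OSError as exc:
        return "network-error", str(exc)            # timeout, unreachable, ...

def survey(host, port):
    """Map each version name to its probe outcome for one listener."""
    return {name: probe(host, port, v)[0] for name, v in VERSIONS.items()}

def reset_listener():
    """Constructed stand-in for the failing host: reads the ClientHello, then sends RST."""
    srv = socket.create_server(("127.0.0.1", 0))
    def serve():
        conn, _ = srv.accept()
        conn.recv(4096)
        # SO_LINGER with a zero timeout makes close() send RST instead of FIN.
        conn.setsockopt(socket.SOL_SOCKET, socket.SO_LINGER, struct.pack("ii", 1, 0))
        conn.close()
        srv.close()
    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1]

if __name__ == "__main__":
    print(probe("127.0.0.1", reset_listener(), ssl.TLSVersion.TLSv1_2))
```

Running `survey(host, 5671)` from a trusty client and from a xenial client against the same host gives one row of the matrix per client; a `tls-error` result for TLS 1.0 or 1.1 can also mean the client's own OpenSSL policy rejected that version.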

Launchpad Janitor (janitor) wrote :

Status changed to 'Confirmed' because the bug affects multiple users.

Changed in rabbitmq-server (Ubuntu):
status: New → Confirmed
Sorcerer10 (sorcerer10) wrote :

Confirmed.
Same thing for me.
