rabbitmq使用TLS支持SSL加密处理_windows rabbitmq tls-程序员宅基地

技术标签: rabbitmq  

最近在开发过程中, 有收到要求,rabbitmq 不能使用明文传输,常规想法就是TLS加密传输。看到rabbitmq 官网有提供TLS支持的说明。

Rabbitmq 加密传输由2种方式:

  1. 使用TLS加密直连
  2. 通过类似HA代理的方式从https转换成http 比如nginx, TLS_termination_proxy等都可以实现

官网也阐述了其他一些ssl支持的说明,这边就不介绍了。详细内容查阅官网

本文使用的rabbitmq 环境是,依赖docker 构建的rabbitmq 3.7.28版本的试验环境。

这边具体说一下,怎么构建TLS链接。

步骤1:使用TLS工具生成证书(开发测试环境),生产环境建议使用商业的CA机构制作的证书文件

git clone https://github.com/michaelklishin/tls-gen tls-gen
cd tls-gen/basic
# private key password
make PASSWORD=密码
make verify
make info
ls -l ./result

其中make PASSWORD=密码 这一行命名是生成证书的过程,其他几行都是校验检测,可以不执行。

make PASSWORD=rabbit
python3 profile.py regenerate --password "rabbit" \
--common-name izbp1exs0zcohfndb4w0o5z \
--client-alt-name izbp1exs0zcohfndb4w0o5z \
--server-alt-name izbp1exs0zcohfndb4w0o5z \
--days-of-validity 3650 \
--key-bits 2048
Removing /mnt/tls-gen/basic/testca
Removing /mnt/tls-gen/basic/result
Removing /mnt/tls-gen/basic/server
Removing /mnt/tls-gen/basic/client
Will generate a root CA and two certificate/key pairs (server and client)
=>	[openssl_req]
Generating a 2048 bit RSA private key
...........................................................+++
....................+++
writing new private key to '/mnt/tls-gen/basic/testca/private/cakey.pem'
-----
=>	[openssl_x509]
Will generate leaf certificate and key pair for server
Using izbp1exs0zcohfndb4w0o5z for Common Name (CN)
Using parent certificate path at /mnt/tls-gen/basic/testca/cacert.pem
Using parent key path at /mnt/tls-gen/basic/testca/private/cakey.pem
Will use RSA...
=>	[openssl_genpkey]
..........................................................+++
...........................................................+++
=>	[openssl_req]
=>	[openssl_ca]
Using configuration from /tmp/tmpaxii46i1
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
commonName            :ASN.1 12:'izbp1exs0zcohfndb4w0o5z'
organizationName      :ASN.1 12:'server'
localityName          :ASN.1 12:'$$$$'
Certificate is to be certified until Nov 13 15:01:00 2030 GMT (3650 days)

Write out database with 1 new entries
Data Base Updated
=>	[openssl_pkcs12]
Will generate leaf certificate and key pair for client
Using izbp1exs0zcohfndb4w0o5z for Common Name (CN)
Using parent certificate path at /mnt/tls-gen/basic/testca/cacert.pem
Using parent key path at /mnt/tls-gen/basic/testca/private/cakey.pem
Will use RSA...
=>	[openssl_genpkey]
....................+++
.......+++
=>	[openssl_req]
=>	[openssl_ca]
Using configuration from /tmp/tmpaxii46i1
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
commonName            :ASN.1 12:'izbp1exs0zcohfndb4w0o5z'
organizationName      :ASN.1 12:'client'
localityName          :ASN.1 12:'$$$$'
Certificate is to be certified until Nov 13 15:01:00 2030 GMT (3650 days)

Write out database with 1 new entries
Data Base Updated
=>	[openssl_pkcs12]
Done! Find generated certificates and private keys under ./result!
python3 profile.py verify
Will verify generated certificates against the CA...
Will verify client certificate against root CA
/mnt/tls-gen/basic/result/client_certificate.pem: OK
Will verify server certificate against root CA
/mnt/tls-gen/basic/result/server_certificate.pem: OK

上述命令会生成一些目录和证书文件

其中 result 目录,将CA buddle, server ,client 证书信息都汇集了一些,没有说明不同。

步骤2: 使用jdk的keytool 生成Java相关的配置信息, 中间过程,需要输入密码信息

keytool -import -alias server1   -file /mnt/rabbitmq/cert/server_certificate.pem  -keystore /mnt/rabbitmq/cert/rabbitstore

这个过程其实就是想rabbitmq 服务端的证书适配成符合Java规则的rabbitstore文件,注意这个是server端的certificate.

输出结果:

Enter keystore password:
Re-enter new password:
Owner: O=server, CN=izbp1exs0zcohfndb4w0o5z
Issuer: L=$$$$, CN=TLSGenSelfSignedtRootCA
Serial number: 1
Valid from: Sun Nov 15 21:54:44 CST 2020 until: Wed Nov 13 21:54:44 CST 2030
Certificate fingerprints:
	 MD5:  E0:84:44:70:74:27:5D:CE:09:CF:02:63:8E:65:01:1B
	 SHA1: F4:42:AF:0A:6E:B7:C9:D6:44:04:DB:E0:61:88:AD:BD:46:B4:3B:EE
	 SHA256: C0:C9:79:27:05:B9:09:7C:F0:8B:3A:FD:14:C0:21:16:B6:58:F9:12:89:11:5C:08:F1:EC:53:55:86:DA:6F:7D
Signature algorithm name: SHA256withRSA
Subject Public Key Algorithm: 2048-bit RSA key
Version: 3

Extensions:

#1: ObjectId: 2.5.29.35 Criticality=false
AuthorityKeyIdentifier [
KeyIdentifier [
0000: 3B B1 04 9E D9 66 1A 5C   7A B6 F8 38 11 79 17 A2  ;....f.\z..8.y..
0010: 7C 44 6F 9C                                        .Do.
]
]

#2: ObjectId: 2.5.29.19 Criticality=false
BasicConstraints:[
  CA:false
  PathLen: undefined
]

#3: ObjectId: 2.5.29.37 Criticality=false
ExtendedKeyUsages [
  serverAuth
]

#4: ObjectId: 2.5.29.15 Criticality=false
KeyUsage [
  DigitalSignature
  Key_Encipherment
]

#5: ObjectId: 2.5.29.17 Criticality=false
SubjectAlternativeName [
  DNSName: izbp1exs0zcohfndb4w0o5z
  DNSName: izbp1exs0zcohfndb4w0o5z
  DNSName: localhost
]

#6: ObjectId: 2.5.29.14 Criticality=false
SubjectKeyIdentifier [
KeyIdentifier [
0000: 65 45 D5 3F C8 13 F1 C4   F8 DD A8 28 14 61 0E 7E  eE.?.......(.a..
0010: 19 54 AB AA                                        .T..
]
]

Trust this certificate? [no]:
Certificate was not added to keystore
[root@izbp1exs0zcohfndb4w0o5z cert]# keytool -import -alias server1   -file /mnt/rabbitmq/cert/server_certificate.pem  -keystore /mnt/rabbitmq/cert/rabbitstore
Enter keystore password:
Re-enter new password:
Owner: O=server, CN=izbp1exs0zcohfndb4w0o5z
Issuer: L=$$$$, CN=TLSGenSelfSignedtRootCA
Serial number: 1
Valid from: Sun Nov 15 21:54:44 CST 2020 until: Wed Nov 13 21:54:44 CST 2030
Certificate fingerprints:
	 MD5:  E0:84:44:70:74:27:5D:CE:09:CF:02:63:8E:65:01:1B
	 SHA1: F4:42:AF:0A:6E:B7:C9:D6:44:04:DB:E0:61:88:AD:BD:46:B4:3B:EE
	 SHA256: C0:C9:79:27:05:B9:09:7C:F0:8B:3A:FD:14:C0:21:16:B6:58:F9:12:89:11:5C:08:F1:EC:53:55:86:DA:6F:7D
Signature algorithm name: SHA256withRSA
Subject Public Key Algorithm: 2048-bit RSA key
Version: 3

Extensions:

#1: ObjectId: 2.5.29.35 Criticality=false
AuthorityKeyIdentifier [
KeyIdentifier [
0000: 3B B1 04 9E D9 66 1A 5C   7A B6 F8 38 11 79 17 A2  ;....f.\z..8.y..
0010: 7C 44 6F 9C                                        .Do.
]
]

#2: ObjectId: 2.5.29.19 Criticality=false
BasicConstraints:[
  CA:false
  PathLen: undefined
]

#3: ObjectId: 2.5.29.37 Criticality=false
ExtendedKeyUsages [
  serverAuth
]

#4: ObjectId: 2.5.29.15 Criticality=false
KeyUsage [
  DigitalSignature
  Key_Encipherment
]

#5: ObjectId: 2.5.29.17 Criticality=false
SubjectAlternativeName [
  DNSName: izbp1exs0zcohfndb4w0o5z
  DNSName: izbp1exs0zcohfndb4w0o5z
  DNSName: localhost
]

#6: ObjectId: 2.5.29.14 Criticality=false
SubjectKeyIdentifier [
KeyIdentifier [
0000: 65 45 D5 3F C8 13 F1 C4   F8 DD A8 28 14 61 0E 7E  eE.?.......(.a..
0010: 19 54 AB AA                                        .T..
]
]

#####这边要求输入yes
Trust this certificate? [no]:  yes
Certificate was added to keystore

步骤3 配置rabbit MQ 配置文件

###授权方式, 其实就是再默认的基础上加一个EXTERNAL, 如果单独配置EXTERNAL, java 客户端会出现无法找不到auth_mechanisms的问题, 这个具体还不知道原因
auth_mechanisms.1 = PLAIN
auth_mechanisms.2 = AMQPLAIN
auth_mechanisms.3 = EXTERNAL

management_agent.disable_metrics_collector = true

ssl_options.client_renegotiation = false
ssl_options.secure_renegotiate = true


###禁止 明文tcp 连接
listeners.tcp = none

##管理端只允许本地连接
management.tcp.ip = 127.0.0.1
management.tcp.port = 15672
ssl_options.password=rabbit
###tls 端口
listeners.ssl.default = 5671
###tls工具,将需要的文件存放再result 目录中
ssl_options.cacertfile = /mnt/tls-gen/basic/result/ca_certificate.pem
ssl_options.certfile   = /mnt/tls-gen/basic/result/server_certificate.pem
ssl_options.keyfile    = /mnt/tls-gen/basic/result/server_key.pem


ssl_options.verify     = verify_peer
ssl_options.fail_if_no_peer_cert = true
ssl_cert_login_from = common_name

###支持TLS协议,
ssl_options.versions.1 = tlsv1
ssl_options.versions.2 = tlsv1.1
ssl_options.versions.3 = tlsv1.2

###TLS加密cipher 顺序
ssl_options.honor_cipher_order = true
ssl_options.honor_ecc_order    = true
###TLS加密cipher
ssl_options.ciphers.1=ECDHE-ECDSA-AES256-GCM-SHA384
ssl_options.ciphers.2=ECDHE-RSA-AES256-GCM-SHA384
ssl_options.ciphers.3=ECDH-ECDSA-AES256-GCM-SHA384
ssl_options.ciphers.4=ECDH-RSA-AES256-GCM-SHA384
ssl_options.ciphers.5=DHE-RSA-AES256-GCM-SHA384
ssl_options.ciphers.6=DHE-DSS-AES256-GCM-SHA384
ssl_options.ciphers.7=ECDHE-ECDSA-AES128-GCM-SHA256
ssl_options.ciphers.8=ECDHE-RSA-AES128-GCM-SHA256
ssl_options.ciphers.9=ECDH-ECDSA-AES128-GCM-SHA256
ssl_options.ciphers.10=ECDH-RSA-AES128-GCM-SHA256
ssl_options.ciphers.11=DHE-RSA-AES128-GCM-SHA256
ssl_options.ciphers.12=DHE-DSS-AES128-GCM-SHA256
ssl_options.ciphers.13=ECDHE-ECDSA-AES256-SHA384
ssl_options.ciphers.14=ECDHE-RSA-AES256-SHA384
ssl_options.ciphers.15=ECDHE-ECDSA-DES-CBC3-SHA
ssl_options.ciphers.16=ECDH-ECDSA-AES256-SHA384
ssl_options.ciphers.17=ECDH-RSA-AES256-SHA384
ssl_options.ciphers.18=DHE-DSS-AES256-SHA256
ssl_options.ciphers.19=AES256-GCM-SHA384
ssl_options.ciphers.20=AES256-SHA256
ssl_options.ciphers.21=ECDHE-ECDSA-AES128-SHA256
ssl_options.ciphers.22=ECDHE-RSA-AES128-SHA256
ssl_options.ciphers.23=ECDH-ECDSA-AES128-SHA256
ssl_options.ciphers.24=ECDH-RSA-AES128-SHA256
ssl_options.ciphers.25=DHE-DSS-AES128-SHA256
ssl_options.ciphers.26=AES128-GCM-SHA256
ssl_options.ciphers.27=AES128-SHA256
ssl_options.ciphers.28=ECDHE-ECDSA-AES256-SHA
ssl_options.ciphers.29=ECDHE-RSA-AES256-SHA
ssl_options.ciphers.30=DHE-DSS-AES256-SHA
ssl_options.ciphers.31=ECDH-ECDSA-AES256-SHA
ssl_options.ciphers.32=ECDH-RSA-AES256-SHA
ssl_options.ciphers.33=AES256-SHA
ssl_options.ciphers.34=ECDHE-ECDSA-AES128-SHA
ssl_options.ciphers.35=ECDHE-RSA-AES128-SHA
ssl_options.ciphers.36=DHE-DSS-AES128-SHA
ssl_options.ciphers.37=ECDH-ECDSA-AES128-SHA
ssl_options.ciphers.38=ECDH-RSA-AES128-SHA
ssl_options.ciphers.39=AES128-SHA

步骤4 Java 客户端连接测试

这边说明一下,官网的demo,大部分都是对的,但是会有些小问题
比如: 需要将factory.enableHostnameVerification(); 取消。

    public static void main(String[] args) throws Exception {
    
       // tls 执行命令中设置的密码 make PASSWORD=rabbit
        char[] passphrase = "rabbit".toCharArray();
        KeyStore ks = KeyStore.getInstance("PKCS12");
        //tls生成的result目录下的client_key.p12
        ks.load(new FileInputStream("D:\\work\\client_key.p12"), passphrase);

        KeyManagerFactory kmf = KeyManagerFactory.getInstance("SunX509");
        kmf.init(ks, passphrase);
  		//keytools 生成过程中,设置的密码
        char[] trustPassphrase = "rabbit".toCharArray();
        KeyStore tks = KeyStore.getInstance("JKS");
        //keytools 生成的rabbitstore
        tks.load(new FileInputStream("D:\\work\\rabbitstore"), trustPassphrase);

        TrustManagerFactory tmf = TrustManagerFactory.getInstance("SunX509");
        tmf.init(tks);

        SSLContext c = SSLContext.getInstance("TLSv1.2");
        c.init(kmf.getKeyManagers(), tmf.getTrustManagers(), null);

        ConnectionFactory factory = new ConnectionFactory();
        factory.setHost("IP地址");
        factory.setPort(5671);
        factory.useSslProtocol(c);
        factory.setUsername("admin");
        factory.setPassword("admin");
//        factory.enableHostnameVerification();

        Connection conn = factory.newConnection();
        Channel channel = conn.createChannel();
        channel.queueDeclare(QUEUE_NAME, false, false, false, null);
        System.out.println(" [*] Waiting for messages. To exit press CTRL+C");

        DeliverCallback deliverCallback = (consumerTag, delivery) -> {
    
            String message = new String(delivery.getBody(), "UTF-8");
            System.out.println(" [x] Received '" + message + "'");
        };
        channel.basicConsume(QUEUE_NAME, true, deliverCallback, consumerTag -> {
    
        });
    }
  

上面就是基本的rabbitmq tls 的基础支持。

版权声明:本文为博主原创文章,遵循 CC 4.0 BY-SA 版权协议,转载请附上原文出处链接和本声明。
本文链接:https://blog.csdn.net/Charles2628/article/details/109711678

智能推荐

服务器数据收发测试软件,Packet Sender(UDP/TCP网络测试工具) v7.0.5-程序员宅基地

文章浏览阅读4k次。Packet Sender(UDP/TCP网络测试工具)是一个开源实用程序,允许发送和接收TCP、UDP和SSL(加密的TCP)数据包,主线分支正式支持Windows、Mac和桌面Linux,其他地方可以重新编译和重新分发分组发送器。Packet Sender软件特色数据包发送方可以在您选择的端口上发送和接收UDP、TCP和SSL。所有服务器和客户端可以同时运行。100%免费开源。没有广告,没有捆..._packet sender

Java 使用工具类 Collections.sort() 对集合根据时间排序(DESC)_java list 日期 desc-程序员宅基地

文章浏览阅读1.2k次,点赞2次,收藏2次。# 使用Coollections.sort(@NotNull List<T> list,@NotNull Comparator<? super T> c)Collections.sort(warcEnterInfos, new Comparator<WARCEnterInfo>() { @Override public int compare..._java list 日期 desc

sql语句 改变日期格式_易语言sql语言修改日期框-程序员宅基地

文章浏览阅读7.2k次。一般存入数据库中的时间格式为yyyy-mm-ddhh:mm:ss 如果要转换为yyyy-mm-dd 短日期格式.可以使用convert函数.下面是sqlserver帮助中关于convert函数的声明:使用 CONVERT:CONVERT (data_type[(length)],expression[,style])参数expression是任何有效的 Micr_易语言sql语言修改日期框

转载和积累系列 - Nodejs HTTP多线程_node http 多线程吗-程序员宅基地

文章浏览阅读3.1k次。译自:http://developer.yahoo.net/blog/archives/2010/07/multicore_http_server_with_nodejs.html(稍有修改), 转载请指明原文链接:http://www.grati.org/?p=307简单地说,NodeJS是一个使用了Google高性能V8引擎 的服务器端JavaScript实现。它提供了一个(几乎)_node http 多线程吗

Android Studio Error:Connection timed out: connect._android studio connection timed out-程序员宅基地

文章浏览阅读813次。最近在配置使用android studio时遇到了个错误Android Studio Error:Connection timed out: connect.,纠结了很久,后来在网上看到了一篇文章,试了下很有帮助,在这里给大家也看一下,希望能帮到同样错误的小伙伴Error:Connection timed out: connect. If you are behind an HTTP proxy,..._android studio connection timed out

php判断是否为手机浏览器_php 判断为手机浏览器-程序员宅基地

文章浏览阅读3.8k次。function is_mobile(){ // returns true if one of the specified mobile browsers is detected // 如果监测到是指定的浏览器之一则返回true $regex_match="/(nokia|iphone|android|motorola|^mot_php 判断为手机浏览器

随便推点

vue出现空白页面的可能情况_前端导出v-if是空白-程序员宅基地

文章浏览阅读4.2k次。如果在父组件中注册了组件,然后又用路由出口跳转到这个组件,当点击页面刷新的时候,就会出现空白的页面,解决方法就删除父组件里的注册。_前端导出v-if是空白

在ubuntu20.10上安装unity3d-程序员宅基地

文章浏览阅读1.1k次。打开下载页面,点击start here点击agree and download下载完成后开始安装先授权后安装启动前要登陆_在ubuntu20.10上安装unity3d

离线安装Cloudera Manager 5和CDH5(最新版5.9.3) 完全教程(四)数据库安装(单节点)_cdh5.9 重新配置数据库-程序员宅基地

文章浏览阅读159次。离线安装Cloudera Manager 5和CDH5(最新版5.9.3) 完全教程(四)数据库安装(单节点)一、卸载CentOS自带的MySQL1.1 查看之前是否安装过mysql[root@master mysql]# rpm -qa|grep -i mysqlmysql-libs-5.1.71-1.el6.x86_64[root@master mysql]#1.2 卸载自带的..._cdh5.9 重新配置数据库

安装gitbook sourcetree或命令行推送数据到Githup上 No “xxx“ file (or is ignored) which查看软件安装目录 operation not permi_"filenotfounderror: no \"readme\" file (or is igno-程序员宅基地

文章浏览阅读1.1k次。mac如何安装gitbook、sourcetree、typera等。如何使用sourcetree或命令行推送数据到Githup上。以及在安装的过程中,解决FileNotFoundError: No "README" file (or is ignored)的问题。使用which gitbook可以查看Gitbook安装到哪里。解决operation not permitted的权限问题。......_"filenotfounderror: no \"readme\" file (or is ignored)"

FTP-----局域网内部远程桌面_远程登陆ftp-程序员宅基地

文章浏览阅读1.8k次。从此文学会远程桌面(局域网内部)。_远程登陆ftp

制作bat和linux下的sh文件-程序员宅基地

文章浏览阅读323次。 1.制作bat文件(test.bat)set CLASSPATH=%CLASSPATH%;./test/Ice.jar;./test/slf4j-api-1.4.3.jar; 设置CLASSPATH需要导入的jar文件 java test.TestSoufunProxy 执行TestSoufunProxy 类 ,不要忘了前面的包名test 2.制作linux 下的.s..._linux怎么弄成bat文件弄成sh服务