fix ssl connection for php amqplib #35

Merged: 8 commits, Jun 18, 2017

prolic (Owner) commented Apr 28, 2017

resolves #9

@basz @dl1ely Can you check if this is working for you?

@prolic prolic added the bug label Apr 28, 2017
@prolic prolic self-assigned this Apr 28, 2017
@coveralls
Coverage increased (+0.2%) to 95.113% when pulling 6de10cc on phpamqplib-ssl-connection into eb023f4 on master.

basz (Collaborator) commented Apr 28, 2017

Since I currently connect locally I never continued with setting up TLS for this connection. I keep getting "Service with name "amqp-connection" could not be created. Reason: Library error: a socket error occurred - Potential login failure." ... whenever I connect over the TLS port. I have configured rabbitmq with letsencrypt certificates, which works for the admin and the web stomp plugin. (browsers can connect to it websockets over TLS).

I would expect things to work with these settings (using the extension)

Array
(
    [host] => 127.0.0.1
    [port] => 5671
    [login] => api-plhw-client
    [password] => ***
    [vhost] => api-plhw-development
    [persistent] => 
    [connect_timeout] => 1
    [read_timeout] => 60
    [write_timeout] => 2
    [heartbeat] => 0
    [cacert] => /home-projects/api-plhw-development/deploy/releases/20170210133916UTC/config/autoload/../../data/ssl/ca.pem
    [verify] => 
)

where ca.pem contains this: https://letsencrypt.org/certs/lets-encrypt-x3-cross-signed.pem.txt which is the same as cat /etc/rabbitmq/ssl/chain.pem which is a copy of /etc/letsencrypt/live/mq.plhw.nl/*. (also tried fullchain.pem and cert.pem) With the following rabbitmq configuration.

cat /etc/rabbitmq/rabbitmq.config 
[
  {
    rabbit,
    [
            {tcp_listeners, [{"127.0.0.1", 5672}, {"::1", 5672}]},
            {ssl_listeners, [5671]},
            {
              ssl_options, [
                           {cacertfile, "/etc/rabbitmq/ssl/fullchain.pem"},
                           {certfile,   "/etc/rabbitmq/ssl/cert.pem"},
                           {keyfile,    "/etc/rabbitmq/ssl/privkey.pem"},
                           {verify,     verify_none},
                           {fail_if_no_peer_cert,false}
                           ]
            }
    ]
  },
  {
    rabbitmq_web_stomp,
    [
            {
              ssl_config, [
                          {port,       15671},
                          {backlog,    1024},
                          {cacertfile, "/etc/rabbitmq/ssl/fullchain.pem"},
                          {certfile,   "/etc/rabbitmq/ssl/cert.pem"},
                          {keyfile,    "/etc/rabbitmq/ssl/privkey.pem"},
                          {password,   ""}
                          ]
            }
    ]
  }
].

Please tell me if I'm missing something obvious...

I did notice this: https://github.com/prolic/HumusAmqp/blob/master/src/ConnectionOptions.php#L264 which means the option given must be like c_a_cert to camelcase to setCACert
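
An offline pre-flight check for the client options shown in the comment above (`host`, `cacert`, `verify`), added here as an example and not code from this pull request or from HumusAmqp: it reports whether a CA file trusts a server certificate and whether that certificate covers the host the client dials. The name `mq.example.test`, the function names and every generated key and certificate are constructed for the demonstration.

```shell
#!/bin/sh
# Added example: every key, certificate and name below is constructed for the demo.
WORK=$(mktemp -d)

make_demo_pki() {
  cat > "$WORK/openssl.cnf" <<'EOF'
[req]
distinguished_name = dn
[dn]
[v3_ca]
basicConstraints = critical,CA:TRUE
[v3_srv]
subjectAltName = DNS:mq.example.test
EOF
  # Two CAs: "ca" issues the server certificate, "other" is an unrelated bundle.
  for ca in ca other; do
    openssl req -x509 -newkey rsa:2048 -nodes -days 2 -config "$WORK/openssl.cnf" \
      -extensions v3_ca -subj "/CN=Constructed $ca CA" \
      -keyout "$WORK/$ca.key" -out "$WORK/$ca.pem" 2>/dev/null
  done
  # Server certificate whose only subjectAltName is a DNS name.
  openssl req -new -newkey rsa:2048 -nodes -config "$WORK/openssl.cnf" \
    -subj "/CN=mq.example.test" -keyout "$WORK/srv.key" -out "$WORK/srv.csr" 2>/dev/null
  openssl x509 -req -in "$WORK/srv.csr" -CA "$WORK/ca.pem" -CAkey "$WORK/ca.key" \
    -CAcreateserial -days 2 -extfile "$WORK/openssl.cnf" -extensions v3_srv \
    -out "$WORK/cert.pem" 2>/dev/null
}

# check_tls_trust <ca-file> <server-cert> <host the client dials>
# Prints ok, chain-untrusted or name-mismatch.
check_tls_trust() {
  case $3 in
    *:*)        name_opt=-verify_ip ;;        # IPv6 literal
    *[!0-9.]*)  name_opt=-verify_hostname ;;  # anything with letters is a DNS name
    *)          name_opt=-verify_ip ;;        # dotted IPv4 literal
  esac
  openssl verify -CAfile "$1" "$2" >/dev/null 2>&1 ||
    { echo chain-untrusted; return 0; }
  openssl verify -CAfile "$1" "$name_opt" "$3" "$2" >/dev/null 2>&1 ||
    { echo name-mismatch; return 0; }
  echo ok
}

make_demo_pki
echo "DNS name, issuing CA:  $(check_tls_trust "$WORK/ca.pem" "$WORK/cert.pem" mq.example.test)"
echo "127.0.0.1, issuing CA: $(check_tls_trust "$WORK/ca.pem" "$WORK/cert.pem" 127.0.0.1)"
echo "DNS name, other CA:    $(check_tls_trust "$WORK/other.pem" "$WORK/cert.pem" mq.example.test)"
```

Pointing `check_tls_trust` at a real CA file and the broker's own certificate file runs the same two checks on a deployment.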

prolic (Owner, Author) commented May 1, 2017

@basz the options class doesn't map to setters but the class properties, that's why I think that c_a_cert is not your problem. cacert is correct and should be working.

About your use case, I need to set up my environment for this specific use case and run some tests on my side to see what's going on. Please give me a couple of days, as I am quite busy these days. I will not forget it! :-)

basz (Collaborator) commented May 1, 2017 via email

prolic (Owner, Author) commented Jun 4, 2017

@basz @dl1ely It's updated and supported by tests now, please check.

@prolic prolic force-pushed the phpamqplib-ssl-connection branch from b739c1e to 145be47 Compare June 4, 2017 14:15
@coveralls
Coverage decreased (-3.9%) to 90.941% when pulling b739c1e on phpamqplib-ssl-connection into eb023f4 on master.

coveralls commented Jun 4, 2017

Coverage increased (+0.4%) to 91.117% when pulling 145be47 on phpamqplib-ssl-connection into 8b2eac8 on master.

coveralls commented Jun 18, 2017

Coverage increased (+0.07%) to 90.959% when pulling 0e2f05d on phpamqplib-ssl-connection into 32741c1 on master.

@prolic prolic merged commit bc002f4 into master Jun 18, 2017
@prolic prolic deleted the phpamqplib-ssl-connection branch June 18, 2017 14:29
Successfully merging this pull request may close these issues.

Q: ssl Connection on php-lib requires validation and client certs