Posted to dev@rocketmq.apache.org by GitBox <gi...@apache.org> on 2022/06/28 16:56:44 UTC

[GitHub] [rocketmq] zergduan opened a new issue, #4527: Several questions about configuring TLS

zergduan opened a new issue, #4527:
URL: https://github.com/apache/rocketmq/issues/4527

   
   
   **FEATURE REQUEST**
   
   1. Please describe the feature you are requesting.
   Based on the contents of the document https://github.com/apache/rocketmq/blob/e05b098327d0781362121c65e1c9445c0cb0684b/docs/cn/Configuration_TLS.md, I have a few questions:
   a. For RocketMQ 4.9.2 and later, must TLS be set up with mutual authentication? Is server-side-only authentication possible?
   b. Section 3.2 of the document says:
   Edit runbroker.sh and add the following to JAVA_OPT:
   JAVA_OPT="${JAVA_OPT} -Dorg.apache.rocketmq.remoting.ssl.mode=enforcing -Dtls.config.file=/opt/rocketmq-4.9.3/conf/tls.properties  -Dtls.enable=true"
   I could not find anything in the source code corresponding to the org.apache.rocketmq.remoting.ssl.mode parameter. Is it a mistake?
   c. Is the tls.server.need.client.auth parameter in the document what controls whether client authentication is required (i.e. whether mutual authentication is enabled)? If so, what are the tls.server.authClient and tls.client.authServer parameters used for?
   d. tls.client.authServer seems somewhat contradictory: in the document it is set to false on the broker and namesrv (in the tls.properties file) but to true on the producer and consumer (in the JAVA_OPT environment variable). Why?
   e. If I follow the document, will the interaction between broker and namesrv also undergo client authentication? For example, when the broker reports its status to the namesrv, is that also TLS-encrypted communication? When the broker reports to the namesrv, the broker acts as a client, so its certificate must also be verified by the namesrv, right?
   f. After following the document, how must rocketmq-dashboard be configured so that it can still manage the RocketMQ cluster?
   
   
   2. Provide any additional detail on your proposed use case for this feature.
   
   2. Indicate the importance of this issue to you (blocker, must-have, should-have, nice-to-have). Are you currently using any workarounds to address this issue?
   
   4. If there are some sub-tasks involved, use -[] for each sub-task and create a corresponding issue to map to the sub-task:
   
   - [sub-task1-issue-number](example_sub_issue1_link_here): sub-task1 description here, 
   - [sub-task2-issue-number](example_sub_issue2_link_here): sub-task2 description here,
   - ...
   


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: dev-unsubscribe@rocketmq.apache.org

For queries about this service, please contact Infrastructure at:
users@infra.apache.org


[GitHub] [rocketmq] lizhiboo commented on issue #4527: Some questions about TLS enable in Configuration_TLS.md

Posted by GitBox <gi...@apache.org>.
lizhiboo commented on issue #4527:
URL: https://github.com/apache/rocketmq/issues/4527#issuecomment-1169521379

   @zergduan a. RocketMQ supports both mutual authentication and one-way authentication.
   b. Yes, it's a mistake; use TLS_SERVER_MODE = "tls.server.mode".
   c. IMO, tls.server.authClient is used for the server to auth the client, and tls.client.authServer is used for the client to auth the server.
   d. The same as c.
   e. Yes, I think so.
   f. I have not checked it in practice, but IMO rocketmq-dashboard is regarded as a client, and it works well with one-way authentication.




[GitHub] [rocketmq] zergduan commented on issue #4527: Some questions about TLS enable in Configuration_TLS.md

Posted by GitBox <gi...@apache.org>.
zergduan commented on issue #4527:
URL: https://github.com/apache/rocketmq/issues/4527#issuecomment-1173262690

   @lizhanhui Thank you very much for your attention.
   
   I probably did not explain things clearly before; let me state my requirement and steps explicitly, and please advise:
   
   My requirement is a RocketMQ cluster where the client verifies the server's certificate, and this authentication happens only when a Producer or Consumer talks to a Namesrv or Broker (no authentication at all between Namesrv and Broker).
   
   As I understand it, achieving this requires the following:
   
   a. On the server side, set tls.server.need.client.auth=none to turn off server-verifies-client's-certificate  # This is the part I am not sure about; I may have misunderstood, please advise
   That is, set the JVM parameters tls.server.mode=permissive tls.config.file=/opt/xxx on the server side, and configure the following in the xxx file:
       tls.test.mode.enable=false
       tls.server.need.client.auth=none
       tls.server.keyPath=/opt/server.key
       tls.server.keyPassword=123456
       tls.server.certPath=/opt/server.pem
   Concatenate the server certificate, intermediate CA certificate and root certificate into server.pem; package and encrypt the private key in PKCS#8 form as server.key; copy both files to /opt.
   
   b. On the client side, set tls.enable=true so the client initiates a TLS connection, and set tls.client.authServer=true so the client verifies the validity of the server certificate.
   That is, set the parameters -Dtls.client.authServer=true -Dtls.enable=true -Dtls.test.mode.enable=false -Dtls.config.file=/opt/yyy on the client, and configure the following in the yyy file:
      tls.client.trustCertPath=/opt/ca.pem
   Copy the root certificate ca.pem to /opt.
   
   To summarise:
   
   Server-side (Broker, Namesrv) settings:
   JVM option: -Dtls.server.mode=permissive -Dtls.config.file=/opt/xxx
   Contents of xxx:
   >     tls.test.mode.enable=false
   >     tls.server.need.client.auth=none
   >     tls.server.keyPath=/opt/server.key
   >     tls.server.keyPassword=123456
   >     tls.server.certPath=/opt/server.pem
   
   Client-side (Producer, Consumer) settings:
   JVM option: -Dtls.client.authServer=true -Dtls.enable=true -Dtls.test.mode.enable=false -Dtls.config.file=/opt/yyy
   Contents of yyy:
   >    tls.client.trustCertPath=/opt/ca.pem
   
   
   
   
   
   




[GitHub] [rocketmq] lizhanhui commented on issue #4527: Some questions about TLS enable in Configuration_TLS.md

Posted by GitBox <gi...@apache.org>.
lizhanhui commented on issue #4527:
URL: https://github.com/apache/rocketmq/issues/4527#issuecomment-1175896033

   @zergduan  For a quick reference, with the following Java options, 
   ```bash
   -Dtls.enable=true -Dtls.test.mode.enable=false -Dtls.client.authServer=true -Djavax.net.debug=all 
   ```
   
   Clients manage to figure out that the server certificate is self-signed and reject it.
   
   ```
   javax.net.ssl|FINE|15|NettyClientWorkerThread_3|2022-07-06 15:43:11.754 CST|CertificateMessage.java:364|Consuming server Certificate handshake message (
   "Certificates": [
     "certificate" : {
       "version"            : "v3",
       "serial number"      : "00 99 35 96 9A BD 85 03 EC",
       "signature algorithm": "SHA256withRSA",
       "issuer"             : "CN=example.com",
       "not before"         : "2021-07-06 15:36:21.000 CST",
       "not  after"         : "10000-01-01 07:59:59.000 CST",
       "subject"            : "CN=example.com",
       "subject public key" : "RSA"}
   ]
   )
   javax.net.ssl|SEVERE|15|NettyClientWorkerThread_3|2022-07-06 15:43:11.755 CST|TransportContext.java:362|Fatal (CERTIFICATE_UNKNOWN): sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target (
   "throwable" : {
     sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
     	at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:439)
     	at sun.security.validator.PKIXValidator.engineValidate(PKIXValidator.java:306)
     	at sun.security.validator.Validator.validate(Validator.java:271)
     	at sun.security.ssl.X509TrustManagerImpl.validate(X509TrustManagerImpl.java:312)
     	at sun.security.ssl.X509TrustManagerImpl.checkTrusted(X509TrustManagerImpl.java:275)
     	at sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:140)
     	at sun.security.ssl.CertificateMessage$T12CertificateConsumer.checkServerCerts(CertificateMessage.java:630)
     	at sun.security.ssl.CertificateMessage$T12CertificateConsumer.onCertificate(CertificateMessage.java:471)
     	at sun.security.ssl.CertificateMessage$T12CertificateConsumer.consume(CertificateMessage.java:367)
     	at sun.security.ssl.SSLHandshake.consume(SSLHandshake.java:376)
     	at sun.security.ssl.HandshakeContext.dispatch(HandshakeContext.java:479)
     	at sun.security.ssl.SSLEngineImpl$DelegatedTask$DelegatedAction.run(SSLEngineImpl.java:990)
     	at sun.security.ssl.SSLEngineImpl$DelegatedTask$DelegatedAction.run(SSLEngineImpl.java:977)
     	at java.security.AccessController.doPrivileged(Native Method)
     	at sun.security.ssl.SSLEngineImpl$DelegatedTask.run(SSLEngineImpl.java:924)
     	at io.netty.handler.ssl.SslHandler.runAllDelegatedTasks(SslHandler.java:1542)
     	at io.netty.handler.ssl.SslHandler.runDelegatedTasks(SslHandler.java:1556)
     	at io.netty.handler.ssl.SslHandler.unwrap(SslHandler.java:1440)
     	at io.netty.handler.ssl.SslHandler.decodeJdkCompatible(SslHandler.java:1267)
     	at io.netty.handler.ssl.SslHandler.decode(SslHandler.java:1314)
     	at io.netty.handler.codec.ByteToMessageDecoder.decodeRemovalReentryProtection(ByteToMessageDecoder.java:501)
     	at io.netty.handler.codec.ByteToMessageDecoder.callDecode(ByteToMessageDecoder.java:440)
     	at io.netty.handler.codec.ByteToMessageDecoder.channelRead(ByteToMessageDecoder.java:276)
     	at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:379)
     	at io.netty.channel.AbstractChannelHandlerContext.access$600(AbstractChannelHandlerContext.java:61)
     	at io.netty.channel.AbstractChannelHandlerContext$7.run(AbstractChannelHandlerContext.java:370)
     	at io.netty.util.concurrent.DefaultEventExecutor.run(DefaultEventExecutor.java:66)
     	at io.netty.util.concurrent.SingleThreadEventExecutor$4.run(SingleThreadEventExecutor.java:989)
     	at io.netty.util.internal.ThreadExecutorMap$2.run(ThreadExecutorMap.java:74)
     	at java.lang.Thread.run(Thread.java:748)
     Caused by: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
     	at sun.security.provider.certpath.SunCertPathBuilder.build(SunCertPathBuilder.java:141)
     	at sun.security.provider.certpath.SunCertPathBuilder.engineBuild(SunCertPathBuilder.java:126)
     	at java.security.cert.CertPathBuilder.build(CertPathBuilder.java:280)
     	at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:434)
     	... 29 more}
   
   )
   javax.net.ssl|ALL|15|NettyClientWorkerThread_3|2022-07-06 15:43:11.755 CST|SSLSessionImpl.java:839|Invalidated session:  Session(1657093391739|SSL_NULL_WITH_NULL_NULL)
   javax.net.ssl|ALL|15|NettyClientWorkerThread_3|2022-07-06 15:43:11.755 CST|SSLSessionImpl.java:839|Invalidated session:  Session(1657093391752|TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256)
   javax.net.ssl|WARNING|15|NettyClientWorkerThread_3|2022-07-06 15:43:11.755 CST|SSLEngineOutputRecord.java:173|outbound has closed, ignore outbound application data
   javax.net.ssl|FINE|15|NettyClientWorkerThread_3|2022-07-06 15:43:11.756 CST|SSLEngineOutputRecord.java:510|WRITE: TLS12 alert, length = 2
   javax.net.ssl|FINE|15|NettyClientWorkerThread_3|2022-07-06 15:43:11.756 CST|SSLEngineOutputRecord.java:528|Raw write (
     0000: 15 03 03 00 02 02 2E                               .......
   )
   ```
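The rejection shown in that log can be recognised mechanically rather than by eye. The Python script below is an added example, not code from this thread or from RocketMQ: it pulls the issuer and subject out of the "Consuming server Certificate" dump, reads the fatal alert line, and decodes the raw alert record bytes that javax.net.debug prints on the wire write. SAMPLE_REJECTED is abridged from the log posted above; SAMPLE_ACCEPTED (a certificate chained to a test CA, followed by a Finished message) is constructed, and the alert-description table comes from RFC 5246.

```python
"""Triage javax.net.debug output from a RocketMQ client TLS handshake.

Added example; not code from this thread or from RocketMQ. It reads the server
certificate's issuer/subject from the 'Consuming server Certificate' dump, picks
up the fatal alert line, and decodes the raw alert record bytes. SAMPLE_REJECTED
is abridged from the log posted in the thread; SAMPLE_ACCEPTED is constructed.
"""
import re

FIELD_RE = re.compile(r'"(?P<key>[^"]+)"\s*:\s*"(?P<val>[^"]*)"')  # "issuer" : "CN=..."
CERT_MSG_RE = re.compile(r"Consuming server Certificate handshake message \((.*?)\n\)", re.S)
FATAL_RE = re.compile(r"Fatal \((?P<alert>[A-Z_]+)\): (?P<reason>[^(\n]*)")
# Alert descriptions from RFC 5246 section 7.2 that show up in certificate problems
ALERT_DESCRIPTIONS = {0: "close_notify", 40: "handshake_failure", 42: "bad_certificate",
                      43: "unsupported_certificate", 44: "certificate_revoked",
                      45: "certificate_expired", 46: "certificate_unknown",
                      48: "unknown_ca", 80: "internal_error"}


def parse_server_certificate(log_text):
    """Fields of the first server certificate the client logged ({} if none)."""
    m = CERT_MSG_RE.search(log_text)
    return {k.strip(): v for k, v in FIELD_RE.findall(m.group(1))} if m else {}


def decode_alert_record(hex_bytes):
    """Decode a raw TLS alert record such as '15 03 03 00 02 02 2E' (type, version, length, level, description)."""
    b = bytes.fromhex(hex_bytes.replace(" ", ""))
    if len(b) != 7 or b[0] != 0x15 or int.from_bytes(b[3:5], "big") != 2:
        raise ValueError("not a single TLS alert record")
    version = f"TLS 1.{b[2] - 1}" if b[1] == 3 and b[2] >= 1 else f"{b[1]}.{b[2]}"
    return {"version": version,
            "level": {1: "warning", 2: "fatal"}.get(b[5], f"unknown({b[5]})"),
            "description": ALERT_DESCRIPTIONS.get(b[6], f"unknown({b[6]})")}


def classify_handshake(log_text):
    """Say whether the client accepted the server certificate and, if not, why."""
    cert = parse_server_certificate(log_text)
    issuer, subject = cert.get("issuer"), cert.get("subject")
    fatal = FATAL_RE.search(log_text)
    result = {"issuer": issuer, "subject": subject,
              # issuer == subject is the usual sign of a self-signed certificate
              "self_signed": issuer is not None and issuer == subject,
              "fatal_alert": fatal.group("alert") if fatal else None,
              "reason": fatal.group("reason").strip() if fatal else None}
    if fatal is None:
        result["verdict"] = "accepted: no fatal alert during the handshake"
    elif "PKIX path building failed" in result["reason"]:
        origin = "self-signed" if result["self_signed"] else f"issued by {issuer!r}"
        result["verdict"] = (f"rejected ({result['fatal_alert']}): server certificate is {origin} and "
                             "does not chain to any trust anchor the client has (check tls.client.trustCertPath)")
    else:
        result["verdict"] = f"rejected ({result['fatal_alert']}): {result['reason']}"
    return result


# Abridged from the javax.net.debug output posted in the thread (self-signed CN=example.com).
SAMPLE_REJECTED = """\
javax.net.ssl|FINE|15|NettyClientWorkerThread_3|2022-07-06 15:43:11.754 CST|CertificateMessage.java:364|Consuming server Certificate handshake message (
"Certificates": [
  "certificate" : {
    "version"            : "v3",
    "signature algorithm": "SHA256withRSA",
    "issuer"             : "CN=example.com",
    "subject"            : "CN=example.com",
    "subject public key" : "RSA"}
]
)
javax.net.ssl|SEVERE|15|NettyClientWorkerThread_3|2022-07-06 15:43:11.755 CST|TransportContext.java:362|Fatal (CERTIFICATE_UNKNOWN): sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target (
javax.net.ssl|FINE|15|NettyClientWorkerThread_3|2022-07-06 15:43:11.756 CST|SSLEngineOutputRecord.java:510|WRITE: TLS12 alert, length = 2
"""
# Constructed: the same client talking to a broker whose certificate chains to the trusted CA.
SAMPLE_ACCEPTED = """\
javax.net.ssl|FINE|15|NettyClientWorkerThread_1|2022-07-06 16:00:00.000 CST|CertificateMessage.java:364|Consuming server Certificate handshake message (
"Certificates": [
  "certificate" : {
    "issuer"             : "CN=Example Test CA",
    "subject"            : "CN=broker.example.internal",
    "subject public key" : "RSA"}
]
)
javax.net.ssl|FINE|15|NettyClientWorkerThread_1|2022-07-06 16:00:00.010 CST|Finished.java:916|Consuming server Finished handshake message
"""

if __name__ == "__main__":
    for name, log in (("rejected", SAMPLE_REJECTED), ("accepted", SAMPLE_ACCEPTED)):
        print(name, "->", classify_handshake(log)["verdict"])
    print("alert bytes 15 03 03 00 02 02 2E ->", decode_alert_record("15 03 03 00 02 02 2E"))
```

The raw write at the end of the posted log, `15 03 03 00 02 02 2E`, decodes to a TLS 1.2 alert record at level fatal with description 46 (certificate_unknown), which matches the `Fatal (CERTIFICATE_UNKNOWN)` line above it; a client that rejects a server certificate sends exactly this before closing, so it is the packet-level signature to look for when tcpdump shows the connection being torn down right after the server's Certificate message.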
   
   
   




[GitHub] [rocketmq] zergduan commented on issue #4527: Some questions about TLS enable in Configuration_TLS.md

Posted by GitBox <gi...@apache.org>.
zergduan commented on issue #4527:
URL: https://github.com/apache/rocketmq/issues/4527#issuecomment-1169613212

   @lizhiboo Thank you for the patient reply.
   Regarding questions c and d, my confusion concerns the following parameters:
   1. tls.server.need.client.auth
   2. tls.server.authClient
   3. tls.client.authServer
   
   
   For these 3 parameters, referring to https://github.com/apache/rocketmq/blob/a62b70bc25423c1d7e18043e32af427d29ef9ac4/remoting/src/main/java/org/apache/rocketmq/remoting/netty/TlsSystemConfig.java
   my understanding is as follows; please point out anything that is wrong:
   
   
   1. tls.server.need.client.auth
   a. This parameter only takes effect when configured on the Server side
   b. When it is set to require, the Server, on receiving the Client's authentication request, also sends an authentication request to the Client, i.e. mutual authentication is enabled
   c. When it is set to none, mutual authentication is effectively turned off
   
   2. tls.server.authClient #To determine whether verify the client endpoint's certificate strictly
   This parameter does not decide whether client authentication is enabled (the parameter above does); it decides, when client authentication is enabled, whether the client is verified strictly (for example, whether the client's hostname matches the CN in the client certificate)
   
   3. tls.client.authServer
   This parameter does not decide whether server authentication is enabled (that depends on whether the client initiates an SSL connection, tls.enable, and whether the server accepts TLS connections, tls.server.mode); it decides, when server authentication is enabled, whether the server is verified strictly (for example, whether the server's hostname matches the CN in the server certificate)
   
   If my understanding is wrong, please help correct it, thank you




[GitHub] [rocketmq] zergduan commented on issue #4527: Some questions about TLS enable in Configuration_TLS.md

Posted by GitBox <gi...@apache.org>.
zergduan commented on issue #4527:
URL: https://github.com/apache/rocketmq/issues/4527#issuecomment-1173265639

   On verifying whether TLS is working:
   
   1. tcpdump capture: before TLS is enabled, the packets from the producer publishing messages to the broker contain the message in plaintext; after TLS is enabled, the plaintext disappears from those packets (it is encrypted)
   2. Simulating a TLS connection with openssl: the certificate returned by the server is the content of the server.pem we specified
   
   




[GitHub] [rocketmq] zergduan commented on issue #4527: Some questions about TLS enable in Configuration_TLS.md

Posted by GitBox <gi...@apache.org>.
zergduan commented on issue #4527:
URL: https://github.com/apache/rocketmq/issues/4527#issuecomment-1169614154

   Below I have put together a set of steps for implementing one-way server authentication; please take a look and point out anything that is wrong, many thanks
   
   




[GitHub] [rocketmq] tjq857 commented on issue #4527: Some questions about TLS enable in Configuration_TLS.md

Posted by GitBox <gi...@apache.org>.
tjq857 commented on issue #4527:
URL: https://github.com/apache/rocketmq/issues/4527#issuecomment-1274540881

   > tls.enable=true
   
   So does this procedure actually work end to end?




[GitHub] [rocketmq] francisoliverlee commented on issue #4527: Some questions about TLS enable in Configuration_TLS.md

Posted by "francisoliverlee (via GitHub)" <gi...@apache.org>.
francisoliverlee commented on issue #4527:
URL: https://github.com/apache/rocketmq/issues/4527#issuecomment-1534844611

   yes, it works for me.
   
   ![image](https://user-images.githubusercontent.com/5908412/236231664-33ad8582-4827-4413-8fe9-f7bd796aee2b.png)
   




[GitHub] [rocketmq] zergduan commented on issue #4527: Some questions about TLS enable in Configuration_TLS.md

Posted by GitBox <gi...@apache.org>.
zergduan commented on issue #4527:
URL: https://github.com/apache/rocketmq/issues/4527#issuecomment-1169614402

   
   1. In the use of RocketMQ, the following parties interact: Producer, Consumer, Broker, Namesrv, Dashboard;
       Producer, Consumer and Dashboard can only act as Client, i.e. the initiator of a connection
       Namesrv can only act as Server, i.e. the receiver of a connection
       Broker acts as both Server and Client: as a client it actively connects to Namesrv, and as a server it is connected to by Producer and Consumer
   
   2. Configuration_TLS.md describes a Client - Server mutual-authentication TLS setup, so the Server is configured with the server certificate, server private key and root certificate, and the Client may likewise need the client certificate, client private key and root certificate. In addition, all Clients (Producer, Consumer, Dashboard, Broker) need tls.enable=true to make sure a TLS connection is initiated.
   
   3. RocketMQ actually supports one-way authentication, and can accept TLS and non-TLS connections at the same time, so we generally only need to configure server-side-authenticated TLS. Compared with mutual authentication, server-side authentication avoids the mass replacement of Client certificates when certificates expire in the future; supporting TLS and non-TLS connections at the same time lets one RocketMQ deployment serve internal users (non-TLS connections, e.g. Dashboard managing the RocketMQ cluster) and external users (producer and consumer connections reaching RocketMQ from the public internet or across sites) simultaneously, reducing our administration cost.
   
   To implement one-way Server authentication while supporting both TLS and non-TLS connections, we need to do the following:
   
   1). Deploy the server certificate and server private key on all Servers; the Servers are: Namesrv, Broker
   2). Deploy the root certificate on the Clients that need TLS; the Clients are: Producer, Consumer, Dashboard, Broker
   3). On all Servers, use tls.server.mode = permissive so that both TLS and non-TLS connections are accepted
   4). On Clients that need TLS, use tls.enable = true so that a TLS connection is initiated
   5). On Clients that do not need TLS, use tls.enable = false so that a non-TLS connection is initiated
   
   
   
   Assumed scenario:
   
   No TLS between Namesrv and Broker
   No TLS between Dashboard and Namesrv either
   ProducerA and ConsumerA connect to Namesrv and Broker over TLS, with one-way Server authentication
   ProducerB and ConsumerB connect to Namesrv and Broker without TLS
   
   So, using self-signed certificates, the steps to implement this scenario are:
   
   step1 Sign the CA root certificate
   ```bash
   openssl req -newkey rsa:2048 -keyout ca_rsa_private.pem -x509 -days 365 -out ca.pem
   ```
   
   
   step2 Prepare the private key and certificate needed for server authentication
   
   step2.1 Generate the server private key and issue the server certificate
   ```bash
   openssl req -newkey rsa:2048 -keyout server_rsa.key  -out server.csr
   openssl x509 -req -days 365 -in server.csr -CA ca.pem -CAkey ca_rsa_private.pem -CAcreateserial -out server.pem
   ```
   
   step2.2 Package and encrypt the server private key
   ```bash
   openssl pkcs8 -topk8 -v1 PBE-SHA1-RC4-128 -in  server_rsa.key -out server.key
   ```
   
   Note: the following 3 files are used in the configuration steps below
   a. The packaged and encrypted server private key server.key, deployed on the Server side (Namesrv, Broker)
   b. The server certificate server.pem, deployed on the Server side (Namesrv, Broker)
   c. The CA root certificate ca.pem, deployed on the Clients that need TLS connections
   
   
   step3A Configure Namesrv and Broker (no TLS between Namesrv and Broker)
   
   step3A.1 Create tls.properties
   ```properties
   # The flag to determine whether use test mode when initialize TLS context. default is true
   tls.test.mode.enable=false
   # Indicates how SSL engine respect to client authentication, default is none
   # This parameter controls whether client authentication is enabled; set to none here, i.e. client authentication off, to get one-way Server authentication
   tls.server.need.client.auth=none
   # The store path of server-side private key
   tls.server.keyPath=/opt/certFiles/server.key
   # The password of the server-side private key
   tls.server.keyPassword=123456
   # The store path of server-side X.509 certificate chain in PEM format
   tls.server.certPath=/opt/certFiles/server.pem
   ```
   
   step3A.2 Edit the Namesrv start-up parameters: add the following to JAVA_OPT in runserver.sh:
   ```bash
   JAVA_OPT="${JAVA_OPT} -Dtls.server.mode=permissive -Dtls.config.file=/opt/rocketmq-4.9.3/conf/tls.properties"
   ```
   
   step3A.3 Edit the Broker start-up parameters: add the following to JAVA_OPT in runbroker.sh:
   ```bash
   JAVA_OPT="${JAVA_OPT} -Dtls.server.mode=permissive -Dtls.config.file=/opt/rocketmq-4.9.3/conf/tls.properties"
   ```
   
   
   step3B Configure Namesrv and Broker (TLS between Namesrv and Broker)
   While RocketMQ is running, Namesrv only ever acts as Server, whereas Broker acts as both Server and Client, so here the Namesrv and Broker configurations differ, as follows:
   
   step3B.1 Create tls.properties for Namesrv
   ```properties
   # The flag to determine whether use test mode when initialize TLS context. default is true
   tls.test.mode.enable=false
   # Indicates how SSL engine respect to client authentication, default is none
   # This parameter controls whether client authentication is enabled; set to none here, i.e. client authentication off, to get one-way Server authentication
   tls.server.need.client.auth=none
   # The store path of server-side private key
   tls.server.keyPath=/opt/certFiles/server.key
   # The password of the server-side private key
   tls.server.keyPassword=123456
   # The store path of server-side X.509 certificate chain in PEM format
   tls.server.certPath=/opt/certFiles/server.pem
   ```
   
   step3B.2 Create tls.properties for Broker
   ```properties
   # The flag to determine whether use test mode when initialize TLS context. default is true
   tls.test.mode.enable=false
   # Indicates how SSL engine respect to client authentication, default is none
   # This parameter controls whether client authentication is enabled; set to none here, i.e. client authentication off, to get one-way Server authentication
   tls.server.need.client.auth=none
   # The store path of server-side private key
   tls.server.keyPath=/opt/certFiles/server.key
   # The password of the server-side private key
   tls.server.keyPassword=123456
   # The store path of server-side X.509 certificate chain in PEM format
   tls.server.certPath=/opt/certFiles/server.pem
   # The following 2 parameters take effect when the Broker acts as a Client
   # To determine whether verify the server endpoint's certificate strictly
   # When the Broker, as a Client, performs Server authentication, this parameter controls whether verification is strict, e.g. whether the Server's hostname is checked against the CN in the Server certificate
   tls.client.authServer=false
   # The store path of trusted certificates for verifying the server endpoint's certificate
   # This parameter gives the location of the root certificate; when the Broker, as a Client, performs Server authentication, it needs the root certificate to confirm that the server certificate is valid
   tls.client.trustCertPath=/opt/certFiles/ca.pem
   ```
   
   step3B.3 Edit the Broker start-up parameters: add the following to JAVA_OPT in runbroker.sh:
   ```bash
   # tls.enable=true makes the Broker initiate TLS connections when it acts as a Client
   JAVA_OPT="${JAVA_OPT} -Dtls.server.mode=permissive -Dtls.config.file=/opt/rocketmq-4.9.3/conf/tls.properties  -Dtls.enable=true"
   ```
   
   
   step4 Configuration for non-TLS Producer, Consumer and Dashboard
   No special changes needed
   
   
   step5 Configuration for TLS Producer and Consumer
   
   step5.1 Create tlsclient.properties
   ```properties
   # The store path of trusted certificates for verifying the server endpoint's certificate
   # This parameter gives the location of the root certificate; when acting as a Client performing Server authentication, the root certificate is needed to confirm that the server certificate is valid
   tls.client.trustCertPath=/opt/certFiles/ca.pem
   ```
   
   step5.2 Add the following parameters to the JVM; the value of tls.config.file must be the file created above:
   ```bash
   # When acting as a Client performing Server authentication, tls.client.authServer controls whether verification is strict, e.g. whether the Server's hostname is checked against the CN in the Server certificate
   # tls.enable=true makes the Client initiate a TLS connection
   -Dtls.client.authServer=false -Dtls.enable=true -Dtls.test.mode.enable=false  -Dtls.config.file=/opt/certs/tlsclient.properties
   ```
   
   step 5.3 In the connection code, setUseTLS must be set to true
   ```java
   import org.apache.rocketmq.client.producer.DefaultMQProducer;

   public class ExampleProducer {
       public static void main(String[] args) throws Exception {
           DefaultMQProducer producer = new DefaultMQProducer("please_rename_unique_group_name");
           // setUseTLS should be true
           producer.setUseTLS(true);
           producer.start();

           // Send messages as usual.
           producer.shutdown();
       }
   }
   ```
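A configuration in the shape laid out above can be checked before it is rolled out, which is cheaper than discovering a misconfiguration with tcpdump afterwards. The Python script below is an added example, not RocketMQ code: it merges the `-D` options with the `tls.config.file` properties and reports, per role, the conditions this thread establishes (tls.test.mode.enable must be false; tls.server.mode is the real parameter, not org.apache.rocketmq.remoting.ssl.mode; a tls.server.need.client.auth other than none needs tls.server.trustCertPath; a client needs tls.enable=true, tls.client.authServer=true to be forced to verify the server certificate, and an existing tls.client.trustCertPath). The filesystem is stood in for by a set of paths (assumption), the accepted value lists for tls.server.mode and tls.server.need.client.auth are assumed from RocketMQ's TlsMode and Netty's ClientAuth names, and the sample inputs are the step3A server file and step5.2 client options above plus a constructed variant with tls.client.authServer=true.

```python
"""Lint a RocketMQ TLS deployment: JAVA_OPT -D options plus the tls.config.file.

Added example, not RocketMQ code. The rules encode only what this thread states
about the parameters; the filesystem is stood in for by a set of paths
(assumption), and the samples are the thread's step3A/step5.2 settings plus a
constructed client variant with tls.client.authServer=true.
"""
import shlex

VALID_SERVER_MODES = {"disabled", "permissive", "enforcing"}  # assumed: RocketMQ TlsMode names
VALID_CLIENT_AUTH = {"none", "optional", "require"}           # assumed: Netty ClientAuth names


def parse_jvm_options(java_opt):
    """Extract -Dkey=value pairs from a JAVA_OPT string; other tokens are ignored."""
    opts = {}
    for tok in shlex.split(java_opt):
        if tok.startswith("-D") and "=" in tok:
            key, value = tok[2:].split("=", 1)
            opts[key] = value
    return opts


def parse_properties(text):
    """Minimal Java .properties reader: '#'/'!' comments, key=value, whitespace trimmed."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if line and line[0] not in "#!":
            key, _, value = line.partition("=")
            props[key.strip()] = value.strip()
    return props


def merge_config(jvm_opts, properties_files):
    """Combine -D options with tls.config.file. A key set differently in both places
    is reported rather than resolved, since precedence is not something this example assumes."""
    findings, config = [], dict(jvm_opts)
    path = jvm_opts.get("tls.config.file")
    if path is not None:
        text = properties_files.get(path)
        if text is None:
            findings.append(("error", f"tls.config.file={path} does not exist"))
        else:
            for key, value in parse_properties(text).items():
                if config.get(key, value) != value:
                    findings.append(("error", f"{key} is {config[key]!r} in JAVA_OPT but {value!r} in {path}"))
                config[key] = value
    return config, findings


def lint_tls(role, java_opt, properties_files, existing_files):
    """Return (severity, message) findings for a 'server' or 'client' process."""
    cfg, findings = merge_config(parse_jvm_options(java_opt), properties_files)

    def require_file(key):
        path = cfg.get(key)
        if not path:
            findings.append(("error", f"{key} is not set"))
        elif path not in existing_files:
            findings.append(("error", f"{key}={path} does not exist"))

    if cfg.get("tls.test.mode.enable", "true") != "false":
        findings.append(("error", "tls.test.mode.enable is not false (default true): TLS context is built in test mode"))
    if role == "server":
        if "org.apache.rocketmq.remoting.ssl.mode" in cfg:
            findings.append(("error", "org.apache.rocketmq.remoting.ssl.mode is a documentation typo; use tls.server.mode"))
        mode = cfg.get("tls.server.mode")
        if mode not in VALID_SERVER_MODES:
            findings.append(("warning" if mode is None else "error",
                             f"tls.server.mode={mode!r}: expected one of {sorted(VALID_SERVER_MODES)}"))
        elif mode == "permissive":
            findings.append(("info", "tls.server.mode=permissive: plaintext connections are still accepted"))
        require_file("tls.server.keyPath")
        require_file("tls.server.certPath")
        client_auth = cfg.get("tls.server.need.client.auth", "none")
        if client_auth not in VALID_CLIENT_AUTH:
            findings.append(("warning", f"tls.server.need.client.auth={client_auth!r}: expected one of {sorted(VALID_CLIENT_AUTH)}"))
        elif client_auth != "none":
            require_file("tls.server.trustCertPath")  # mutual TLS: the CA used to check client certificates
    else:
        if cfg.get("tls.enable") != "true":
            findings.append(("warning", "tls.enable is not true: useTLS stays false unless the code calls setUseTLS(true)"))
        if cfg.get("tls.client.authServer") != "true":
            findings.append(("error", "tls.client.authServer is not true: the client is not forced to verify the server certificate"))
        require_file("tls.client.trustCertPath")  # in this thread a missing file went unnoticed at runtime
    return findings


SERVER_PROPS = """\
tls.test.mode.enable=false
tls.server.need.client.auth=none
tls.server.keyPath=/opt/certFiles/server.key
tls.server.keyPassword=123456
tls.server.certPath=/opt/certFiles/server.pem
"""
PROPERTIES = {"/opt/rocketmq-4.9.3/conf/tls.properties": SERVER_PROPS,
              "/opt/certs/tlsclient.properties": "tls.client.trustCertPath=/opt/certFiles/ca.pem\n"}
FILES = {"/opt/certFiles/server.key", "/opt/certFiles/server.pem", "/opt/certFiles/ca.pem"}  # stand-in filesystem
SERVER_OPTS = "-Dtls.server.mode=permissive -Dtls.config.file=/opt/rocketmq-4.9.3/conf/tls.properties"
CLIENT_OPTS_STEP5 = ("-Dtls.client.authServer=false -Dtls.enable=true -Dtls.test.mode.enable=false "
                     "-Dtls.config.file=/opt/certs/tlsclient.properties")
CLIENT_OPTS_FIXED = CLIENT_OPTS_STEP5.replace("authServer=false", "authServer=true")  # constructed variant

if __name__ == "__main__":
    for role, opts in (("server", SERVER_OPTS), ("client", CLIENT_OPTS_STEP5), ("client", CLIENT_OPTS_FIXED)):
        print(f"== {role}: {opts}")
        for sev, msg in lint_tls(role, opts, PROPERTIES, FILES):
            print(f"   [{sev}] {msg}")
```

Run as a script it prints the findings for the three samples: the server file passes with only the informational note that permissive mode still admits plaintext, the step5.2 client options come back with an error on tls.client.authServer=false, and the variant with authServer=true passes. The trustCertPath existence check is deliberately an error rather than a warning because, as reported later in this thread, pointing it at a file that does not exist produced no runtime error at all.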




[GitHub] [rocketmq] lizhanhui closed issue #4527: Some questions about TLS enable in Configuration_TLS.md

Posted by GitBox <gi...@apache.org>.
lizhanhui closed issue #4527: Some questions about TLS enable in Configuration_TLS.md
URL: https://github.com/apache/rocketmq/issues/4527




[GitHub] [rocketmq] zergduan commented on issue #4527: Some questions about TLS enable in Configuration_TLS.md

Posted by GitBox <gi...@apache.org>.
zergduan commented on issue #4527:
URL: https://github.com/apache/rocketmq/issues/4527#issuecomment-1169751366

   Thanks, I will test it on my env.




[GitHub] [rocketmq] lizhanhui commented on issue #4527: Some questions about TLS enable in Configuration_TLS.md

Posted by GitBox <gi...@apache.org>.
lizhanhui commented on issue #4527:
URL: https://github.com/apache/rocketmq/issues/4527#issuecomment-1175865173

   > a. Whether the Client sends messages over TLS seems unrelated to -Dtls.enable=true in the JVM options; it depends only on setUseTLS(true) in the code
   > Verification method:
   > a1. When setUseTLS(true) is not set, the data the producer sends is not encrypted, regardless of whether -Dtls.enable=true is set (visible in tcpdump)
   > a2. When setUseTLS(true) is set, the data the producer sends is encrypted, regardless of whether -Dtls.enable=true is set (visible in tcpdump)
   
   The Java option -Dtls.enable is used to provide the default value for useTls.
   See https://github.com/apache/rocketmq/blob/f34c185e05f5b1a1cc372fa72718d6b40ed6e5cc/client/src/main/java/org/apache/rocketmq/client/ClientConfig.java#L63
   
   > Even if the client sets -Dtls.client.authServer=true, it still does not verify the validity of the server certificate
   > Verification method:
   > Change the client configuration file yyy so that tls.client.trustCertPath=/opt/ccc.pem, where the file ccc.pem does not exist; the producer then sends messages without any error and still completes encrypted communication, so I suspect the server certificate is not being validated against the root certificate
   
   -Dtls.client.authServer=true is required to force clients to verify the server certificate.
   If you have specified tls.client.trustCertPath, clients should verify the server certificate chain.
   https://github.com/apache/rocketmq/blob/a62b70bc25423c1d7e18043e32af427d29ef9ac4/remoting/src/main/java/org/apache/rocketmq/remoting/netty/TlsHelper.java#L116
   
   Let's add an integration test verifying this use case.




[GitHub] [rocketmq] zergduan commented on issue #4527: Some questions about TLS enable in Configuration_TLS.md

Posted by GitBox <gi...@apache.org>.
zergduan commented on issue #4527:
URL: https://github.com/apache/rocketmq/issues/4527#issuecomment-1171171843

   I have partially verified the one-way authentication described above; preliminary conclusions:
   1. One-way authentication + TLS + non-TLS can all be achieved at the same time
   2. Whether the producer/consumer enables TLS depends only on setUseTLS(true) in the code; even without tls.enable=true on the JVM, TLS is still established (visible in tcpdump captures)
   3. Certificate verification seems to have a bug: even when the producer/consumer is given a wrong root certificate (or a root certificate that does not exist), no error is reported and TLS is still established
   




[GitHub] [rocketmq] zergduan commented on issue #4527: Some questions about TLS enable in Configuration_TLS.md

Posted by GitBox <gi...@apache.org>.
zergduan commented on issue #4527:
URL: https://github.com/apache/rocketmq/issues/4527#issuecomment-1173269308

   Several problems (doubts) encountered so far
   
   a. Whether the Client sends messages over TLS seems unrelated to -Dtls.enable=true in the JVM options; it depends only on setUseTLS(true) in the code
   Verification method:
   a1. When setUseTLS(true) is not set, the data the producer sends is not encrypted, regardless of whether -Dtls.enable=true is set (visible in tcpdump)
   a2. When setUseTLS(true) is set, the data the producer sends is encrypted, regardless of whether -Dtls.enable=true is set (visible in tcpdump)
   
   b. Even if the client sets -Dtls.client.authServer=true, it still does not verify the validity of the server certificate
   Verification method:
   Change the client configuration file yyy so that tls.client.trustCertPath=/opt/ccc.pem, where the file ccc.pem does not exist; the producer then sends messages without any error and still completes encrypted communication, so I suspect the server certificate is not being validated against the root certificate
   
   
   
   
   




[GitHub] [rocketmq] lizhanhui commented on issue #4527: Some questions about TLS enable in Configuration_TLS.md

Posted by GitBox <gi...@apache.org>.
lizhanhui commented on issue #4527:
URL: https://github.com/apache/rocketmq/issues/4527#issuecomment-1171858272

   @zergduan I am the original designer and author of this feature.
   
   1. Yes...It is designed to behave this way.
   2. Have you configured the following Java options? -Dtls.server.need.client.auth=required -Dtls.server.trustCertPath=<path-to-your-ca-certs>
   
   See https://github.com/apache/rocketmq/blob/a62b70bc25423c1d7e18043e32af427d29ef9ac4/remoting/src/main/java/org/apache/rocketmq/remoting/netty/TlsHelper.java#L140 to inspect how the server SslContext is constructed.




[GitHub] [rocketmq] zergduan commented on issue #4527: Several questions about configuring TLS

Posted by GitBox <gi...@apache.org>.
zergduan commented on issue #4527:
URL: https://github.com/apache/rocketmq/issues/4527#issuecomment-1169108366

   Based on the content of the document: https://github.com/apache/rocketmq/blob/e05b098327d0781362121c65e1c9445c0cb0684b/docs/cn/Configuration_TLS.md
   I have some questions, as below:
   
   
   a. For RocketMQ 4.9.2 and later versions, must TLS be set up with mutual authentication? Can it be set up with server-side authentication only?
   
   
   b. As in step 3.2 of the above document:
   
   > Edit runbroker.sh; add the following to JAVA_OPT:
   > JAVA_OPT="${JAVA_OPT} -Dorg.apache.rocketmq.remoting.ssl.mode=enforcing -Dtls.config.file=/opt/rocketmq-4.9.3/conf/tls.properties -Dtls.enable=true"
   
   I didn't find anything in the source code corresponding to the parameter "org.apache.rocketmq.remoting.ssl.mode". Is it wrong?
   
   
   c. It seems the value of the parameter "tls.server.need.client.auth" controls whether client authentication (mutual authentication) is enabled; is that right?
   But what are the parameters "tls.server.authClient" and "tls.client.authServer" used for?
   
   
   d. There seems to be a contradiction in the above document: the parameter "tls.client.authServer" is set to false (in the tls.properties file) on broker and namesrv, but set to true (in the JAVA_OPT environment variable) on producer and consumer. Why?
   
   
   e. When we finish all the steps in the above document, will the interaction between the broker and the namesrv also be subject to client authentication?
   For example, the broker reports its own status to the namesrv (heartbeat); is that also TLS-encrypted communication?
   I mean: when a broker reports to a namesrv, the broker, as a client, also needs to be verified by the namesrv (client authentication). Is that right?
   
   
   f. If we enable TLS according to the steps in the document, does it affect the rocketmq-dashboard connection to the rocketmq cluster (namesrv)?




[GitHub] [rocketmq] lizhiboo commented on issue #4527: Some questions about TLS enable in Configuration_TLS.md

Posted by GitBox <gi...@apache.org>.
lizhiboo commented on issue #4527:
URL: https://github.com/apache/rocketmq/issues/4527#issuecomment-1169669068

   @zergduan the whole process is right; you can try it in practice to verify it.




[GitHub] [rocketmq] lizhanhui commented on issue #4527: Some questions about TLS enable in Configuration_TLS.md

Posted by GitBox <gi...@apache.org>.
lizhanhui commented on issue #4527:
URL: https://github.com/apache/rocketmq/issues/4527#issuecomment-1177239624

   Close this issue as all questions are resolved. Feel free to reopen it if you have follow-up questions.

