Experiments on enabling SSL/TLS on RabbitMQ Server

The experiments below were run with the following settings in place:

RabbitMQ Server: fail_if_no_peer_cert = false
RabbitMQ Client: verification server certificates=false and verify_none
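For reference, this is a rabbitmq.conf fragment that expresses the server-side setup above. It is an added example, not a file from the original note or from the RabbitMQ project; the certificate paths are placeholders, and it assumes the MQTT plugin is enabled so that the mosquitto_pub test later in the note can reach port 8883.

```ini
# Added example (not from the original note): server-side TLS setup used in
# the experiments. Paths are placeholders.
listeners.ssl.default = 5671
ssl_options.cacertfile = /path/to/ca.crt
ssl_options.certfile   = /path/to/server.crt
ssl_options.keyfile    = /path/to/server.key

# verify_peer: request a certificate from the client and validate it against
#              cacertfile
# verify_none: never request a client certificate
ssl_options.verify = verify_peer

# false (the value used in the experiments): a client that presents no
# certificate is still accepted; true: the handshake fails unless the client
# presents a certificate that validates
ssl_options.fail_if_no_peer_cert = false

# MQTT-over-TLS listener, port 8883 as used by the mosquitto_pub command below
mqtt.listeners.ssl.default = 8883
```

Note that fail_if_no_peer_cert only matters when verify = verify_peer; with verify_none the server never asks for a client certificate, so there is nothing for the flag to act on.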

Experiment

Test whether the server certificate and the client certificate must match (be issued by the same CA), and how the server's verify setting (verify_peer / verify_none) affects the connection.


From the experiment results:

  • When the client provides no certificate, or an incomplete one, it can still connect to the server, because the server is set to fail_if_no_peer_cert=false.
  • When the server's verify is set to verify_none, the client does not check the server's certificate at all, so the connection succeeds regardless of whether the server certificate matches.
  • When the server's verify is set to verify_peer, the client checks the server's certificate; if the server certificate and the client certificate were issued by different CAs, the connection fails.

Certificate expiry experiment

Continuing from the experiment above: does anything change once the 1-day certificate has expired?


From the expiry experiment:

  • When the client provides no certificate, or an incomplete one, the connection still succeeds; expiry has no effect.
  • When the server's verify is set to verify_none, the connection still succeeds; expiry has no effect.
  • When the server's verify is set to verify_peer and the certificate has expired, the connection fails even with a matching certificate. This shows that when the client checks the server certificate it also checks that the validity period is still valid; it may also be that the client's own certificate has expired, which would likewise cause the connection to fail.

Supplementary experiment

Testing the connection with mosquitto_pub: what difference does adding or omitting the --insecure flag make?

mosquitto_pub --cafile /path/to/ca.crt --cert /path/to/client.crt --key /path/to/client.key -h hostname -p 8883 -t topic -m message --insecure

From mosquitto_pub's help output:


This flag controls whether the client checks that the DNS name in the server's certificate matches the server it is actually connecting to; if it does not match, the client refuses the connection.
The RabbitMQ server log also shows that the connection was rejected by the client.

Whether the server's ssl_options.verify is set to verify_peer or verify_none has no bearing on this flag.


The actual purpose of verify is to decide whether the server exchanges and checks certificates with the client. So even with verify_none on the server, if the client does not pass --insecure it still checks the server's DNS name, and the connection still fails.
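To make the two independent knobs concrete, here is an added Python example (not code from the original note, nor from RabbitMQ or mosquitto) that maps them onto the standard ssl module: the client-side hostname check that --insecure switches off, the client-side chain validation that "verify_none" on the client switches off, and the server-side verify / fail_if_no_peer_cert pair. It also covers the expiry experiment, since chain validation is what enforces the certificate's validity period. The function names build_client_context, build_server_context and describe are this example's own; no certificate files are loaded unless a cafile path is supplied.

```python
import ssl
from typing import Optional


def build_client_context(insecure: bool = False,
                         verify_server: bool = True,
                         cafile: Optional[str] = None) -> ssl.SSLContext:
    """Client context mirroring the mosquitto_pub knobs discussed in the note.

    insecure=True        ~ mosquitto_pub --insecure: do not match the server
                           certificate's hostname/SAN against the host we dial.
    verify_server=False  ~ client-side verify_none: do not validate the
                           server's chain at all (so expiry is not checked
                           either, which is why the expired-certificate
                           experiment showed no effect in that setting).
    cafile               ~ --cafile: trust anchor for the broker's certificate.
    """
    ctx = ssl.create_default_context(purpose=ssl.Purpose.SERVER_AUTH)
    if cafile:
        ctx.load_verify_locations(cafile=cafile)
    if not verify_server:
        # Python refuses CERT_NONE while check_hostname is still True:
        # turning off chain validation implies turning off the name check.
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    elif insecure:
        # Chain (CA, signature, validity period) is still validated;
        # only the hostname comparison is skipped.
        ctx.check_hostname = False
    return ctx


def build_server_context(verify: str,
                         fail_if_no_peer_cert: bool) -> ssl.SSLContext:
    """Server context mirroring RabbitMQ's ssl_options.verify and
    ssl_options.fail_if_no_peer_cert.

    verify_none                    -> never request a client certificate
    verify_peer, fail_if...=False  -> request one; accept a client that sends
                                      none, but validate one that is sent
    verify_peer, fail_if...=True   -> a valid client certificate is mandatory
    """
    if verify not in ("verify_peer", "verify_none"):
        raise ValueError(f"unknown verify value: {verify!r}")
    ctx = ssl.create_default_context(purpose=ssl.Purpose.CLIENT_AUTH)
    ctx.check_hostname = False  # servers never hostname-check clients
    if verify == "verify_none":
        ctx.verify_mode = ssl.CERT_NONE
    elif fail_if_no_peer_cert:
        ctx.verify_mode = ssl.CERT_REQUIRED
    else:
        ctx.verify_mode = ssl.CERT_OPTIONAL
    return ctx


def describe(ctx: ssl.SSLContext) -> str:
    """Summarise what a context will actually enforce on the handshake."""
    chain = {
        ssl.CERT_NONE: "peer chain NOT validated",
        ssl.CERT_OPTIONAL: "peer chain validated if a certificate is sent",
        ssl.CERT_REQUIRED: "peer chain validated (certificate mandatory)",
    }[ctx.verify_mode]
    name = "hostname checked" if ctx.check_hostname else "hostname NOT checked"
    return f"{chain}; {name}"


if __name__ == "__main__":
    # The combination from the note's last paragraph: server verify_none,
    # client without --insecure. The client still checks the hostname.
    print("server:", describe(build_server_context("verify_none", False)))
    print("client:", describe(build_client_context(insecure=False)))
    print("client --insecure:", describe(build_client_context(insecure=True)))
```

The server context's verify_mode is what RabbitMQ's verify / fail_if_no_peer_cert pair selects; the client context's check_hostname is what --insecure switches off. The two never influence each other, which is the point the note's last paragraph makes.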