-
Notifications
You must be signed in to change notification settings - Fork 575
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Handshake error when connecting to AWS NLB using TLS 1.2 and NIO #1280
Comments
I believe the cause for the exception is that the Affected code: rabbitmq-java-client/src/main/java/com/rabbitmq/client/impl/nio/SslEngineHelper.java Lines 111 to 153 in ca510a0
The code flow for this particular scenario is as follows:
I'm not familiar with all the TLS handshake flows and details but, from a mere ByteArray perspective, I don't think we need the if (unwrapResult.getHandshakeStatus() == NEED_TASK) {
handshakeStatus = runDelegatedTasks(sslEngine);
// removed the IF...ELSE condition and now always updates the cipherIn position
cipherIn.position(positionBeforeUnwrapping + unwrapResult.bytesConsumed());
} else {
handshakeStatus = unwrapResult.getHandshakeStatus();
} Please check if this analysis makes sense. 🙏 |
@bmleite it does make sense. Please submit a PR and we will test it some more. Thank you! |
Describe the bug
When using a recent version of rabbitmq-java-client, we cannot connect to a AWS Load Balancer using TLS 1.2 and NIO due to an "handshake error".
We were unable to replicate using a local RMQ instance with TLS 1.2, only when connecting to the load balancer.
It also does not occur when connecting using TLS 1.3 or when using TLS 1.2 without NIO.
Downgrading rabbitmq-java-client to 5.13.1 fixes the issue, so we believe it is caused by #716.
Reproduction steps
useNio()
anduseSslProtocol()
(defaults to TLSv1.2 and trusts every certificate).Expected behavior
Application is able to connect to the load balancer with TLSv1.2 and NIO.
Additional context
This occurs after client_hello and server_hello. TLS 1.2 is negotiated.
It occurs just after the certificate chain is received.
Details
The text was updated successfully, but these errors were encountered: