TLS Support In The AS3 AMQP Client
Experimental TLS/SSL support was introduced to the AS3 library for AMQP in version 0.1.2. It allows the client to reach an AMQP broker through a TLS tunnel, provided the broker side offers one. This article describes how to set up transport layer encryption for the interaction between an AS3 client and the RabbitMQ broker.
Overview
In contrast to other languages, there is no SSL variant of the basic Socket class in the core AS3 libraries. However, Metal Hurlant has written the AS3 Crypto library, which provides basic TLS support in AS3. Although AS3 Crypto currently only provides partial support for TLS, it is good enough to provide a secure connection to a remote AMQP endpoint.
RabbitMQ does not support TLS/SSL out of the box. However, it is trivial to implement this functionality using an SSL tunnel provided by stunnel. This has already been done before using the RabbitMQ Java client for AMQP as described in this FAQ. The deployment is illustrated in the following diagram:

Configuring The Server
It is assumed that you already have RabbitMQ running in your environment. Should this not be the case, please refer to the documentation about how to go about doing this.
You will also need stunnel installed in your environment. You can obtain a source tarball from the stunnel site or use the package manager of your choice. This setup was tested using stunnel version 4.24.
To create an SSL proxy for RabbitMQ, use the following stunnel.conf file:
pid=/tmp/stunnel.pid
foreground=yes
setuid=nobody
setgid=nobody
client=no
[RabbitMQ]
accept = 5673
connect = 5672
Here you can see that we are using port 5673 to proxy encrypted traffic to the default AMQP port, namely 5672. To start stunnel in the foreground, type in the following:
$ [sudo] stunnel PATH_TO_CONF/stunnel.conf -f
If this is successful, it should produce output similar to this:
stunnel 4.24 on i686-apple-darwin9.2.2 with OpenSSL 0.9.7l 28 Sep 2006
Threading:PTHREAD SSL:ENGINE Sockets:SELECT,IPv6 Auth:LIBWRAP
125 clients allowed
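Before connecting a client it is worth confirming that the tunnel really terminates TLS on 5673 and forwards only to a local broker, since anything between stunnel and RabbitMQ travels as plaintext AMQP. The following script is an added example, not part of the original article or the stunnel project: it parses the stunnel.conf shown above (embedded as a constructed copy) and reports the mode, the absence of a cert= line, and any connect target that is not loopback.

```python
from typing import Dict, List

# The stunnel.conf from this article, embedded (constructed copy) so the check runs offline.
ARTICLE_CONF = """\
pid=/tmp/stunnel.pid
foreground=yes
setuid=nobody
setgid=nobody
client=no
[RabbitMQ]
accept = 5673
connect = 5672
"""

def parse_stunnel_conf(text: str) -> Dict[str, Dict[str, str]]:
    """Parse stunnel's INI-style file into {section: {key: value}}; global options live under ''."""
    sections: Dict[str, Dict[str, str]] = {"": {}}
    current = ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", ";")):
            continue                      # blank line or comment
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip()  # start of a new [service] section
            sections.setdefault(current, {})
        elif "=" in line:
            key, value = (part.strip() for part in line.split("=", 1))
            sections[current][key] = value
    return sections

def check_service(name: str, opts: Dict[str, str], global_opts: Dict[str, str]) -> List[str]:
    """Return findings for one [service]; service options override global ones."""
    merged = {**global_opts, **opts}
    findings: List[str] = []
    if merged.get("client", "no").lower() != "no":
        findings.append(f"{name}: client=yes makes stunnel an outbound TLS client, not a TLS front end")
    if "cert" not in merged:
        findings.append(f"{name}: no cert= line; server mode needs a certificate, so this relies on stunnel's default PEM location")
    target = merged.get("connect", "")
    # stunnel treats a bare port as localhost; a host:port target may forward off-host.
    host = target.rsplit(":", 1)[0].strip("[]") if ":" in target else "localhost"
    if host not in ("localhost", "127.0.0.1", "::1"):
        findings.append(f"{name}: connect={target} forwards plaintext AMQP off-host")
    return findings

def audit(text: str) -> List[str]:
    conf = parse_stunnel_conf(text)
    return [f for name, opts in conf.items() if name
            for f in check_service(name, opts, conf[""])]
```

Run `audit(ARTICLE_CONF)` against the article's file to see that the only finding is the implicit certificate; pointing connect at another host adds an off-host warning.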
Now we are ready to connect to the proxy using the AS3 client.
Connecting To The Proxy
The ConnectionState class in the AS3 client encapsulates all of the configuration parameters needed to connect to an AMQP broker. ConnectionState contains a flag called useTLS that, if set to true, will automatically perform a TLS handshake with the remote peer. By default the client assumes the remote port to be 5673 (as used in this example), but this can be overridden.
The easiest way to test this out is to run the Pet Store application using an SSL connection. Follow exactly the same instructions as in the article, making one modification to the application context file by setting the useTLS flag to true:
<object id="connectionState" class="org.amqp.ConnectionState">
<property name="username" value="guest"/>
<property name="password" value="guest"/>
<property name="vhostpath" value="/"/>
<property name="serverhost" value="localhost"/>
<property name="useTLS" value="true"/>
</object>
When you run the test, you should see the normal output in the AMQP broker console, the Pet Store server console and the trace output in the AS3 client (if run in debug mode). In addition to this, you should see output in the stunnel log that looks similar to this:
RabbitMQ accepted connection from 127.0.0.1:62459
RabbitMQ connected remote server from 127.0.0.1:62460
And that's it. Without having changed a line of code, you can easily switch between non-encrypted communication and SSL.
Outlook
Although the basic functionality is already provided, the AS3 Crypto library is a key dependency. AS3 Crypto has gone through some iterations and is relatively stable, but it is only in a semi-mature phase at the moment, and updates to this library are likely to be required. The version of AS3 Crypto that is shipped with the AMQP client has had a minor patch applied to it to get it to work with stunnel. Hopefully, a fix for this can find its way into the next release.