On 01/27/2010 06:31 PM, john dunning wrote:
Hi all.  While trying to test something else, I attempted to set up my
qpidd with some certs, according to the instructions in
http://www.mozilla.org/projects/security/pki/nss/ref/ssl/gtstd.html

I'm losing big time; I can start qpidd ok, but when I try to connect to
it, both client and server flame, with errors like this:

2010-01-27 12:49:23 error Error reading socket: Unknown error 18446744073709551615(-1)

That error does seem to be a regression of some sort; on an earlier version I get the following logged on the broker:

2010-jan-29 07:21:49 error Could not accept socket: Failed: SSL peer cannot verify your certificate. [-12271] (qpid/sy/ssl/SslSocket.cpp:123)

My initial guess would be that perhaps changes around the connection code have broken correct error handling in some way (or for some conditions).

I've kicked it around with some folks around here, and the consensus is
that either there's something non-obvious wrong with my certs, or a new
bug has crept into the code.

I believe the ssl tests do not include testing certs of the form
produced by the above instructions.  Does anybody have
insight/experience running this way?

I originally created the certs by hand, but ended up re-doing it enough
times that it was worth it to write it down.  Attached is the script
I've been using to generate the certs; it's essentially a transcription of
the instructions in the above page.

After running that script on rhel5 (nss-tools-3.12.3.99.3-1.el5_3.2) and then trying to verify the certs as per the page you link to above, I get:

certutil: certificate is invalid: Certificate type not approved for application.

Do you see the same? If so that suggests

On f11 (nss-tools-3.12.4-3.fc11.i586) the script fails mid way through with an error:

certutil -A -d ./server_db -n redhat.com -a -i ./server_db/server.crt -t ,, -f ./cert.password -z ./random
certutil: could not obtain certificate from file: You are attempting to import a cert with the same issuer/serial as an existing cert, but that is not the same cert.
Error 255

---------------------------------------------------------------------
Apache Qpid - AMQP Messaging Implementation
Project:      http://qpid.apache.org
Use/Interact: mailto:dev-subscr...@qpid.apache.org
