[ https://issues.apache.org/jira/browse/PROTON-1168?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Jack Gibson updated PROTON-1168:
--------------------------------
    Description: 
Using qpid dispatch, we are unable to enable 2 way SSL with proton-j but able 
to with proton-c.

To reproduce, use the attached config to enable 2 WAY SSL with the “authenticate 
Peer” flag set to TRUE.

Restart the qdrouterd instance to pick up the config changes.

Make the client send a message based on the AMQP-CLIENT library (which uses 
Proton J). 

Client Error Message: from the log file
AMQP framing error
EventImpl{type=TRANSPORT_ERROR, context=TransportImpl 
[_connectionEndpoint=org.apache.qpid.proton.engine.impl.ConnectionImpl@6ef351a0,
 org.apache.qpid.proton.engine.impl.TransportImpl@44c213d9]}
Server Error Message: from the log file
=64, totalFreeToHeap=0, transferBatchSize=64, 
type=org.apache.qpid.dispatch.allocator, typeName=qd_timer_t, typeSize=56)
Wed Mar 30 12:00:47 2016 AGENT (info) Activating management agent on $management
Wed Mar 30 12:00:47 2016 ROUTER (info) In-Process Address Registered: 
$management
Wed Mar 30 12:00:47 2016 ROUTER (info) In-Process Address Registered: 
$management
Wed Mar 30 12:00:47 2016 AGENT (debug) Add entity: 
FixedAddressEntity(bias=closest, fanout=single, identity=fixedAddress/0, 
name=fixedAddress/0, prefix=/, type=org.apache.qpid.dispatch.fixedAddress)
Wed Mar 30 12:00:47 2016 ROUTER (info) Configured Address: prefix=/ phase=0 
fanout=QD_SCHEMA_FIXEDADDRESS_FANOUT_SINGLE 
bias=QD_SCHEMA_FIXEDADDRESS_BIAS_CLOSEST
Wed Mar 30 12:00:47 2016 AGENT (debug) Add entity: ListenerEntity(addr=0.0.0.0, 
authenticatePeer=True, certDb=/home/vsharda/protected/pprootca_cert.pem, 
certFile=/home/vsharda/protected/generic_cert.pem, 
identity=listener/0.0.0.0:20009, idleTimeoutSeconds=16, 
keyFile=/home/vsharda/protected/generic_key.pem, maxFrameSize=65536, 
name=listener/0.0.0.0:20009, password=pn2.GmdXmkKv.X7fPq.oYDFj8Cs, port=20009, 
requireEncryption=True, requireSsl=True, role=normal, saslMechanisms=EXTERNAL, 
stripAnnotations=both, type=org.apache.qpid.dispatch.listener)
Wed Mar 30 12:00:47 2016 CONN_MGR (info) Configured Listener: 0.0.0.0:20009 
proto=any role=normal
Wed Mar 30 12:00:47 2016 SERVER (trace) Listening on 0.0.0.0:20009
Wed Mar 30 12:00:47 2016 AGENT (debug) Add entity: 
ConsoleEntity(identity=console/0, name=console/0, 
type=org.apache.qpid.dispatch.console, wsport=5673)
Wed Mar 30 12:00:47 2016 SERVER (info) Operational, 4 Threads Running
Wed Mar 30 12:01:06 2016 SERVER (debug) Accepting incoming connection from 
10.225.90.106:51196 to 0.0.0.0:20009
Wed Mar 30 12:01:06 2016 SERVER (trace) Configuring SSL on incoming connection 
from 10.225.90.106:51196 to 0.0.0.0:20009
Wed Mar 30 12:01:06 2016 SERVER (trace) [1]:Server SSL socket created.
Wed Mar 30 12:01:06 2016 SERVER (trace) [1]:SSL/TLS connection detected
Wed Mar 30 12:01:06 2016 SERVER (trace) [1]:process_input_ssl( data size=162 )
Wed Mar 30 12:01:06 2016 SERVER (trace) [1]:Wrote 162 bytes to BIO Layer, 0 
left over
Wed Mar 30 12:01:06 2016 SERVER (trace) [1]:Detected read-blocked
Wed Mar 30 12:01:06 2016 SERVER (trace) [1]:process_input_ssl() returning 162
Wed Mar 30 12:01:06 2016 SERVER (trace) [1]:Read 3651 bytes from BIO Layer
Wed Mar 30 12:01:06 2016 SERVER (trace) [1]:process_output_ssl() returning 3651
Wed Mar 30 12:01:06 2016 SERVER (trace) [1]:process_output_ssl() returning 0
Wed Mar 30 12:01:06 2016 SERVER (trace) [1]:process_output_ssl() returning 0
Wed Mar 30 12:01:06 2016 SERVER (trace) [1]:process_output_ssl() returning 0
Wed Mar 30 12:01:06 2016 SERVER (trace) [1]:process_output_ssl() returning 0
Wed Mar 30 12:01:06 2016 SERVER (trace) [1]:process_input_ssl( data size=205 )
Wed Mar 30 12:01:06 2016 SERVER (trace) [1]:Wrote 205 bytes to BIO Layer, 0 
left over
Wed Mar 30 12:01:06 2016 SERVER (trace) [1]:ERROR amqp:connection:framing-error 
SSL Failure: error:140890C7:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:peer did 
not return a certificate
Wed Mar 30 12:01:06 2016 SERVER (trace) [1]:  <- EOS
Wed Mar 30 12:01:06 2016 SERVER (trace) [1]:  -> EOS
Wed Mar 30 12:01:06 2016 SERVER (trace) [1]:SSL socket freed.

For your reference please find the attached client/server code which is written 
using the proton C where the 2 way SSL worked fine. (send_with_ssl.c & 
recv_with_ssl.c)


  was:
To use the attached config to enable 2 WAY SSL with “authenticate Peer” flag 
set to TRUE.
Restart the qdrouterd instance to pick up the config changes.
Make the client send a message based on the AMQP-CLIENT library (which uses 
Proton J). Code Repository with our client changes - : 
https://github.paypal.com/sivthiyagarajan/amqp-client
Client Error Message: from the log file
AMQP framing error
EventImpl{type=TRANSPORT_ERROR, context=TransportImpl 
[_connectionEndpoint=org.apache.qpid.proton.engine.impl.ConnectionImpl@6ef351a0,
 org.apache.qpid.proton.engine.impl.TransportImpl@44c213d9]}
Server Error Message: from the log file
=64, totalFreeToHeap=0, transferBatchSize=64, 
type=org.apache.qpid.dispatch.allocator, typeName=qd_timer_t, typeSize=56)
Wed Mar 30 12:00:47 2016 AGENT (info) Activating management agent on $management
Wed Mar 30 12:00:47 2016 ROUTER (info) In-Process Address Registered: 
$management
Wed Mar 30 12:00:47 2016 ROUTER (info) In-Process Address Registered: 
$management
Wed Mar 30 12:00:47 2016 AGENT (debug) Add entity: 
FixedAddressEntity(bias=closest, fanout=single, identity=fixedAddress/0, 
name=fixedAddress/0, prefix=/, type=org.apache.qpid.dispatch.fixedAddress)
Wed Mar 30 12:00:47 2016 ROUTER (info) Configured Address: prefix=/ phase=0 
fanout=QD_SCHEMA_FIXEDADDRESS_FANOUT_SINGLE 
bias=QD_SCHEMA_FIXEDADDRESS_BIAS_CLOSEST
Wed Mar 30 12:00:47 2016 AGENT (debug) Add entity: ListenerEntity(addr=0.0.0.0, 
authenticatePeer=True, certDb=/home/vsharda/protected/pprootca_cert.pem, 
certFile=/home/vsharda/protected/generic_cert.pem, 
identity=listener/0.0.0.0:20009, idleTimeoutSeconds=16, 
keyFile=/home/vsharda/protected/generic_key.pem, maxFrameSize=65536, 
name=listener/0.0.0.0:20009, password=pn2.GmdXmkKv.X7fPq.oYDFj8Cs, port=20009, 
requireEncryption=True, requireSsl=True, role=normal, saslMechanisms=EXTERNAL, 
stripAnnotations=both, type=org.apache.qpid.dispatch.listener)
Wed Mar 30 12:00:47 2016 CONN_MGR (info) Configured Listener: 0.0.0.0:20009 
proto=any role=normal
Wed Mar 30 12:00:47 2016 SERVER (trace) Listening on 0.0.0.0:20009
Wed Mar 30 12:00:47 2016 AGENT (debug) Add entity: 
ConsoleEntity(identity=console/0, name=console/0, 
type=org.apache.qpid.dispatch.console, wsport=5673)
Wed Mar 30 12:00:47 2016 SERVER (info) Operational, 4 Threads Running
Wed Mar 30 12:01:06 2016 SERVER (debug) Accepting incoming connection from 
10.225.90.106:51196 to 0.0.0.0:20009
Wed Mar 30 12:01:06 2016 SERVER (trace) Configuring SSL on incoming connection 
from 10.225.90.106:51196 to 0.0.0.0:20009
Wed Mar 30 12:01:06 2016 SERVER (trace) [1]:Server SSL socket created.
Wed Mar 30 12:01:06 2016 SERVER (trace) [1]:SSL/TLS connection detected
Wed Mar 30 12:01:06 2016 SERVER (trace) [1]:process_input_ssl( data size=162 )
Wed Mar 30 12:01:06 2016 SERVER (trace) [1]:Wrote 162 bytes to BIO Layer, 0 
left over
Wed Mar 30 12:01:06 2016 SERVER (trace) [1]:Detected read-blocked
Wed Mar 30 12:01:06 2016 SERVER (trace) [1]:process_input_ssl() returning 162
Wed Mar 30 12:01:06 2016 SERVER (trace) [1]:Read 3651 bytes from BIO Layer
Wed Mar 30 12:01:06 2016 SERVER (trace) [1]:process_output_ssl() returning 3651
Wed Mar 30 12:01:06 2016 SERVER (trace) [1]:process_output_ssl() returning 0
Wed Mar 30 12:01:06 2016 SERVER (trace) [1]:process_output_ssl() returning 0
Wed Mar 30 12:01:06 2016 SERVER (trace) [1]:process_output_ssl() returning 0
Wed Mar 30 12:01:06 2016 SERVER (trace) [1]:process_output_ssl() returning 0
Wed Mar 30 12:01:06 2016 SERVER (trace) [1]:process_input_ssl( data size=205 )
Wed Mar 30 12:01:06 2016 SERVER (trace) [1]:Wrote 205 bytes to BIO Layer, 0 
left over
Wed Mar 30 12:01:06 2016 SERVER (trace) [1]:ERROR amqp:connection:framing-error 
SSL Failure: error:140890C7:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:peer did 
not return a certificate
Wed Mar 30 12:01:06 2016 SERVER (trace) [1]:  <- EOS
Wed Mar 30 12:01:06 2016 SERVER (trace) [1]:  -> EOS
Wed Mar 30 12:01:06 2016 SERVER (trace) [1]:SSL socket freed.

For your reference please find the attached client/server code which is written 
using the proton C where the 2 way SSL worked fine. (send_with_ssl.c & 
recv_with_ssl.c)



> 2-way Authentication via Certificates Fails in Proton-J
> -------------------------------------------------------
>
>                 Key: PROTON-1168
>                 URL: https://issues.apache.org/jira/browse/PROTON-1168
>             Project: Qpid Proton
>          Issue Type: Bug
>          Components: proton-j
>    Affects Versions: 0.12.0
>         Environment: Ubuntu 15.10 & RHEL 7
> Qpid Dispatch 0.5 & 0.6
> Proton-C 0.12 and Proton-J 0.12
>            Reporter: Jack Gibson
>            Priority: Critical



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
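
A triage helper for the server log in this report, added here as an example and not part of the original message or of Qpid's code: it rejoins the records the e-mail wrapped at 80 columns, finds `SSL Failure` records, and splits the OpenSSL error code into its library, function and reason numbers using the packing OpenSSL used before 3.0. Attributing a failure to the most recently accepted peer address is an assumption, and all function names are hypothetical.

```python
import re

# Excerpt of the server log quoted in this report, with the e-mail's line wrapping.
SAMPLE = """\
Wed Mar 30 12:01:06 2016 SERVER (debug) Accepting incoming connection from
10.225.90.106:51196 to 0.0.0.0:20009
Wed Mar 30 12:01:06 2016 SERVER (trace) [1]:Server SSL socket created.
Wed Mar 30 12:01:06 2016 SERVER (trace) [1]:process_input_ssl( data size=205 )
Wed Mar 30 12:01:06 2016 SERVER (trace) [1]:ERROR amqp:connection:framing-error
SSL Failure: error:140890C7:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:peer did
not return a certificate
Wed Mar 30 12:01:06 2016 SERVER (trace) [1]:SSL socket freed.
"""

RECORD_START = re.compile(r"^\w{3} \w{3} +\d{1,2} \d\d:\d\d:\d\d \d{4} ")
ACCEPT = re.compile(r"Accepting incoming connection from (\S+) to ")
FAILURE = re.compile(r"\[(\d+)\]:ERROR \S+ SSL Failure: "
                     r"error:([0-9A-Fa-f]{8}):SSL routines:(\w+):(.+)$")

def unwrap(text):
    """Rejoin wrapped continuation lines onto the timestamped record they belong to."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        if RECORD_START.match(line) or not records:
            records.append(line)
        else:
            records[-1] += " " + line
    return records

def decode_openssl_error(hexcode):
    """Split a packed code (OpenSSL before 3.0: 8-bit lib, 12-bit func, 12-bit reason)."""
    e = int(hexcode, 16)
    return {"lib": (e >> 24) & 0xFF, "func": (e >> 12) & 0xFFF, "reason_code": e & 0xFFF}

def tls_failures(text):
    """Return one dict per SSL Failure record, tagged with the last accepted peer."""
    peer, found = None, []
    for rec in unwrap(text):
        accepted = ACCEPT.search(rec)
        if accepted:
            peer = accepted.group(1)  # assumption: the failure belongs to this peer
            continue
        failed = FAILURE.search(rec)
        if failed:
            conn, code, function, reason = failed.groups()
            found.append({"conn": int(conn), "peer": peer, "function": function,
                          "reason": reason, **decode_openssl_error(code)})
    return found
```

Library 20 is OpenSSL's SSL library, and reason 199 is the numeric form of "peer did not return a certificate": the listener, configured with `authenticatePeer=True`, closed the connection because the client's handshake carried no certificate.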
