[ https://issues.apache.org/jira/browse/PROTON-1168?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Robbie Gemmell updated PROTON-1168:
-----------------------------------
    Attachment: PROTON-1168_reactor_ssl.patch

I posted the following reply on the users list thread\[1\] yesterday, copying 
here for later ease and also attaching the patch contents from the referenced 
pastebin in case anyone has problems with the link.

{quote}
Hi Jack,

This isn't something I had tried before, but I was able to establish a
connection using the master/0.13.0-SNAPSHOT proton-j reactor and send
messages to a 6.0.x/6.0.2-SNAPSHOT Qpid Java broker that was
configured to require SSL client certs and use the EXTERNAL SASL
mechanism (I didn't have a Dispatch set up appropriately and that was
easier for me, plus the issue described seemed to be client-side).

I had to make the following changes to the existing Send example to
add a required dependency, actually set where the sender is attaching,
change the sasl mech, and configure use of ssl plus provide the
cert/trust details:

    http://pastebin.com/TR5azYFR

I notice that the C code you attached to the JIRA (PROTON-1168 for
interested folks) is actually using Messenger with proton-c, and not
the Reactor as mentioned here for proton-j. I'm not sure if your Java
code is actually doing the same since you didn't include it, but that
isn't something I have tried either in any case. I do seem to recall
previous discussion around proton-c Messenger that it isn't actually
possible to set the particular sasl mechanism with Messenger (though
that would presumably be a separate issue from the one the Dispatch
logs suggest occurred, of not sending a cert as requested/required).

Robbie
{quote}

\[1\] 
http://mail-archives.apache.org/mod_mbox/qpid-users/201604.mbox/%3CCAFitrpTn2smMXbCVNQCLxo5B6S%3D5KUzmbQwozti1%2BQb4ezRS8Q%40mail.gmail.com%3E
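The steps Robbie lists above (add the PEM-parsing dependency, give the sender a target address, switch the SASL mechanism to EXTERNAL, and configure the transport's SSL domain with a client certificate, private key and trust store) collapse into one small reactor program. The following is an added example written for this page; it is not the contents of PROTON-1168_reactor_ssl.patch or the pastebin, and it is not code from the Proton project. It assumes the proton-j 0.12/0.13 reactor API (Reactor.connectionToHost, BaseHandler callbacks, SslDomain, Sasl), and it assumes that the "required dependency" is Bouncy Castle's bcpkix/bcprov jars, which proton-j uses to read PEM key and certificate files; the host, port, address and file paths are placeholders.

```java
import java.io.IOException;

import org.apache.qpid.proton.Proton;
import org.apache.qpid.proton.amqp.messaging.AmqpValue;
import org.apache.qpid.proton.amqp.messaging.Target;
import org.apache.qpid.proton.engine.BaseHandler;
import org.apache.qpid.proton.engine.Connection;
import org.apache.qpid.proton.engine.Delivery;
import org.apache.qpid.proton.engine.Event;
import org.apache.qpid.proton.engine.Sasl;
import org.apache.qpid.proton.engine.Sender;
import org.apache.qpid.proton.engine.Session;
import org.apache.qpid.proton.engine.SslDomain;
import org.apache.qpid.proton.engine.Transport;
import org.apache.qpid.proton.message.Message;
import org.apache.qpid.proton.reactor.FlowController;
import org.apache.qpid.proton.reactor.Handshaker;
import org.apache.qpid.proton.reactor.Reactor;

// Hypothetical proton-j reactor sender that authenticates with a client
// certificate (SASL EXTERNAL over TLS). Paths and endpoint are placeholders.
public class SendWithClientCert extends BaseHandler {
    private static final String HOST = "router.example.invalid";   // placeholder
    private static final int PORT = 20009;                         // placeholder
    private static final String ADDRESS = "examples";              // placeholder
    private static final String CERT_FILE = "/path/to/client_cert.pem";  // placeholder
    private static final String KEY_FILE = "/path/to/client_key.pem";    // placeholder
    private static final String KEY_PASSWORD = null;               // placeholder (unencrypted key)
    private static final String TRUST_DB = "/path/to/ca_cert.pem"; // placeholder

    private boolean sent = false;

    public SendWithClientCert() {
        add(new Handshaker());     // answers remote open/close/attach frames
        add(new FlowController()); // grants credit on receivers (harmless here)
    }

    @Override
    public void onReactorInit(Event event) {
        // Open an outbound connection; this handler receives its events.
        event.getReactor().connectionToHost(HOST, PORT, this);
    }

    @Override
    public void onConnectionBound(Event event) {
        // The transport exists once the connection is bound, so SSL and SASL
        // must be configured here, before the first bytes go on the wire.
        Transport transport = event.getTransport();

        SslDomain domain = Proton.sslDomain();
        domain.init(SslDomain.Mode.CLIENT);
        // Client cert + private key: without these the server logs
        // "peer did not return a certificate" and closes the connection.
        domain.setCredentials(CERT_FILE, KEY_FILE, KEY_PASSWORD);
        // CA bundle used to verify the router's certificate.
        domain.setTrustedCaDb(TRUST_DB);
        domain.setPeerAuthentication(SslDomain.VerifyMode.VERIFY_PEER);
        transport.ssl(domain);

        // The default reactor Send example uses ANONYMOUS; EXTERNAL tells the
        // peer to derive the identity from the TLS client certificate.
        Sasl sasl = transport.sasl();
        sasl.client();
        sasl.setMechanisms("EXTERNAL");
    }

    @Override
    public void onConnectionInit(Event event) {
        Connection conn = event.getConnection();
        conn.setHostname(HOST);
        conn.open();
        Session ssn = conn.session();
        ssn.open();
        Sender snd = ssn.sender("sender");
        Target target = new Target();
        target.setAddress(ADDRESS);    // the node the link attaches to
        snd.setTarget(target);
        snd.open();
    }

    @Override
    public void onLinkFlow(Event event) {
        Sender snd = (Sender) event.getLink();
        if (!sent && snd.getCredit() > 0) {
            Message msg = Proton.message();
            msg.setBody(new AmqpValue("hello over mutual TLS"));
            byte[] buf = new byte[1024];
            int len = msg.encode(buf, 0, buf.length);
            snd.delivery("tag-1".getBytes());
            snd.send(buf, 0, len);
            snd.advance();
            sent = true;
        }
    }

    @Override
    public void onDelivery(Event event) {
        Delivery dlv = event.getDelivery();
        if (dlv.remotelySettled()) {
            dlv.settle();
            event.getConnection().close(); // one message, then shut down
        }
    }

    @Override
    public void onTransportError(Event event) {
        // A framing-error condition here is what the reporter saw client-side.
        System.err.println("transport error: " + event.getTransport().getCondition());
    }

    public static void main(String[] args) throws IOException {
        Reactor reactor = Proton.reactor(new SendWithClientCert());
        reactor.run();
    }
}
```

The ordering is the part worth checking when debugging a report like this one: if the SslDomain is configured after the transport has already written its first bytes (for example in onConnectionInit instead of onConnectionBound), the client negotiates TLS without presenting a certificate, the router's listener with authenticatePeer=True rejects the handshake, and both sides report a framing error rather than a clear authentication failure.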

> 2-way Authentication via Certificates Fails in Proton-J
> -------------------------------------------------------
>
>                 Key: PROTON-1168
>                 URL: https://issues.apache.org/jira/browse/PROTON-1168
>             Project: Qpid Proton
>          Issue Type: Bug
>          Components: proton-j
>    Affects Versions: 0.12.0
>         Environment: Ubuntu 15.10 & RHEL 7
> Qpid Dispatch 0.5 & 0.6
> Proton-C 0.12 and Proton-J 0.12
>            Reporter: Jack Gibson
>            Priority: Critical
>         Attachments: PROTON-1168_reactor_ssl.patch, 
> my_qdrouterd_B_standalone.conf, recv_with_ssl.c, send_with_ssl.c
>
>
> Using qpid dispatch, we are unable to enable 2 way SSL with proton-j but able 
> to with proton-c.
> To reproduce use the attached config to enable 2 WAY SSL with “authenticate 
> Peer” flag set to TRUE.
> Restart the qdrouterd instance to pick up the config changes.
> Make the client send a message based on the AMQP-CLIENT library (which uses 
> Proton J). 
> Client Error Message: from the log file
> AMQP framing error
> EventImpl{type=TRANSPORT_ERROR, context=TransportImpl 
> [_connectionEndpoint=org.apache.qpid.proton.engine.impl.ConnectionImpl@6ef351a0,
>  org.apache.qpid.proton.engine.impl.TransportImpl@44c213d9]}
> Server Error Message: from the log file
> =64, totalFreeToHeap=0, transferBatchSize=64, 
> type=org.apache.qpid.dispatch.allocator, typeName=qd_timer_t, typeSize=56)
> Wed Mar 30 12:00:47 2016 AGENT (info) Activating management agent on 
> $management
> Wed Mar 30 12:00:47 2016 ROUTER (info) In-Process Address Registered: 
> $management
> Wed Mar 30 12:00:47 2016 ROUTER (info) In-Process Address Registered: 
> $management
> Wed Mar 30 12:00:47 2016 AGENT (debug) Add entity: 
> FixedAddressEntity(bias=closest, fanout=single, identity=fixedAddress/0, 
> name=fixedAddress/0, prefix=/, type=org.apache.qpid.dispatch.fixedAddress)
> Wed Mar 30 12:00:47 2016 ROUTER (info) Configured Address: prefix=/ phase=0 
> fanout=QD_SCHEMA_FIXEDADDRESS_FANOUT_SINGLE 
> bias=QD_SCHEMA_FIXEDADDRESS_BIAS_CLOSEST
> Wed Mar 30 12:00:47 2016 AGENT (debug) Add entity: 
> ListenerEntity(addr=0.0.0.0, authenticatePeer=True, 
> certDb=/home/vsharda/protected/pprootca_cert.pem, 
> certFile=/home/vsharda/protected/generic_cert.pem, 
> identity=listener/0.0.0.0:20009, idleTimeoutSeconds=16, 
> keyFile=/home/vsharda/protected/generic_key.pem, maxFrameSize=65536, 
> name=listener/0.0.0.0:20009, password=pn2.GmdXmkKv.X7fPq.oYDFj8Cs, 
> port=20009, requireEncryption=True, requireSsl=True, role=normal, 
> saslMechanisms=EXTERNAL, stripAnnotations=both, 
> type=org.apache.qpid.dispatch.listener)
> Wed Mar 30 12:00:47 2016 CONN_MGR (info) Configured Listener: 0.0.0.0:20009 
> proto=any role=normal
> Wed Mar 30 12:00:47 2016 SERVER (trace) Listening on 0.0.0.0:20009
> Wed Mar 30 12:00:47 2016 AGENT (debug) Add entity: 
> ConsoleEntity(identity=console/0, name=console/0, 
> type=org.apache.qpid.dispatch.console, wsport=5673)
> Wed Mar 30 12:00:47 2016 SERVER (info) Operational, 4 Threads Running
> Wed Mar 30 12:01:06 2016 SERVER (debug) Accepting incoming connection from 
> 10.225.90.106:51196 to 0.0.0.0:20009
> Wed Mar 30 12:01:06 2016 SERVER (trace) Configuring SSL on incoming 
> connection from 10.225.90.106:51196 to 0.0.0.0:20009
> Wed Mar 30 12:01:06 2016 SERVER (trace) [1]:Server SSL socket created.
> Wed Mar 30 12:01:06 2016 SERVER (trace) [1]:SSL/TLS connection detected
> Wed Mar 30 12:01:06 2016 SERVER (trace) [1]:process_input_ssl( data size=162 )
> Wed Mar 30 12:01:06 2016 SERVER (trace) [1]:Wrote 162 bytes to BIO Layer, 0 
> left over
> Wed Mar 30 12:01:06 2016 SERVER (trace) [1]:Detected read-blocked
> Wed Mar 30 12:01:06 2016 SERVER (trace) [1]:process_input_ssl() returning 162
> Wed Mar 30 12:01:06 2016 SERVER (trace) [1]:Read 3651 bytes from BIO Layer
> Wed Mar 30 12:01:06 2016 SERVER (trace) [1]:process_output_ssl() returning 
> 3651
> Wed Mar 30 12:01:06 2016 SERVER (trace) [1]:process_output_ssl() returning 0
> Wed Mar 30 12:01:06 2016 SERVER (trace) [1]:process_output_ssl() returning 0
> Wed Mar 30 12:01:06 2016 SERVER (trace) [1]:process_output_ssl() returning 0
> Wed Mar 30 12:01:06 2016 SERVER (trace) [1]:process_output_ssl() returning 0
> Wed Mar 30 12:01:06 2016 SERVER (trace) [1]:process_input_ssl( data size=205 )
> Wed Mar 30 12:01:06 2016 SERVER (trace) [1]:Wrote 205 bytes to BIO Layer, 0 
> left over
> Wed Mar 30 12:01:06 2016 SERVER (trace) [1]:ERROR 
> amqp:connection:framing-error SSL Failure: error:140890C7:SSL 
> routines:SSL3_GET_CLIENT_CERTIFICATE:peer did not return a certificate
> Wed Mar 30 12:01:06 2016 SERVER (trace) [1]:  <- EOS
> Wed Mar 30 12:01:06 2016 SERVER (trace) [1]:  -> EOS
> Wed Mar 30 12:01:06 2016 SERVER (trace) [1]:SSL socket freed.
> For your reference please find the attached client/server code which is 
> written using the proton C where the 2 way SSL worked fine. (send_with_ssl.c 
> & recv_with_ssl.c)



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
