I enabled SSL debug mode; find below snippets from the re-execution of
the client.
trustStore is:
/usr/lib/jvm/java-1.6.0-openjdk-1.6.0.0.x86_64/jre/lib/security/cacerts
trustStore type is : jks
trustStore provider is :
init truststore
<the truststore is different from what I am suggesting from the command
prompt>
trigger seeding of SecureRandom
done seeding SecureRandom
Using SSLEngineImpl.
Allow unsafe renegotiation: false
Allow legacy hello messages: true
Is initial handshake: true
Is secure renegotiation: false
%% No cached client session
*** ClientHello, TLSv1
RandomCookie: GMT: 1346624684 bytes = { 20, 74, 205, 217, 77, 143, 238,
126, 133, 164, 207, 193, 231, 220, 87, 107, 62, 245, 10, 69, 172, 183, 189,
148, 155, 180, 52, 23 }
Session ID: {}
Cipher Suites: [SSL_RSA_WITH_RC4_128_MD5, SSL_RSA_WITH_RC4_128_SHA,
TLS_RSA_WITH_AES_128_CBC_SHA, TLS_RSA_WITH_AES_256_CBC_SHA,
TLS_DHE_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_RSA_WITH_AES_256_CBC_SHA,
TLS_DHE_DSS_WITH_AES_128_CBC_SHA, TLS_DHE_DSS_WITH_AES_256_CBC_SHA,
SSL_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA,
SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA, SSL_RSA_WITH_DES_CBC_SHA,
SSL_DHE_RSA_WITH_DES_CBC_SHA, SSL_DHE_DSS_WITH_DES_CBC_SHA,
SSL_RSA_EXPORT_WITH_RC4_40_MD5, SSL_RSA_EXPORT_WITH_DES40_CBC_SHA,
SSL_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA,
SSL_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA, TLS_EMPTY_RENEGOTIATION_INFO_SCSV]
Compression Methods: { 0 }
***
main, WRITE: TLSv1 Handshake, length = 81
main, WRITE: SSLv2 client hello message, length = 110
IoReceiver -
ec2-50-18-37-212.us-west-1.compute.amazonaws.com/10.166.127.160:5674, READ:
TLSv1 Handshake, length = 1228
*** ServerHello, TLSv1
RandomCookie: GMT: 1346624684 bytes = { 207, 112, 175, 7, 145, 21, 235, 70,
47, 9, 75, 82, 73, 245, 62, 149, 81, 168, 118, 7, 162, 160, 121, 85, 243,
103, 216, 134 }
Session ID: {114, 152, 165, 78, 15, 70, 250, 40, 28, 240, 160, 177, 57,
181, 190, 25, 41, 158, 57, 152, 45, 172, 223, 250, 156, 180, 212, 147, 105,
58, 114, 147}
Cipher Suite: SSL_RSA_WITH_RC4_128_MD5
Compression Method: 0
Extension renegotiation_info, renegotiated_connection: <empty>
***
chain [1] = [
[
Version: V3
Subject: CN=MyRootCA, O=apigee, ST=Karnataka, C=IN
Signature Algorithm: SHA1withRSA, OID = 1.2.840.113549.1.1.5
Key: Sun RSA public key, 1024 bits
modulus:
137997964298887209384479128320055191066843167019269420534433863101269214484401782456395456869191001049060472463466981482222538166698998250176134400490952671572289049712933938611474519480922970314195718462040027519575065319741485960135931606611449850660661735083257942025194914951565563808821921192048728852967
public exponent: 65537
Validity: [From: Mon Sep 03 13:20:06 UTC 2012,
To: Mon Dec 03 13:20:06 UTC 2012]
Issuer: CN=MyRootCA, O=apigee, ST=Karnataka, C=IN
SerialNumber: [ 99197fe8]
Certificate Extensions: 1
[1]: ObjectId: 2.5.29.19 Criticality=false
BasicConstraints:[
CA:true
PathLen:2147483647
]
]
IoReceiver - ec2-xxx.us-west-1.compute.amazonaws.com/xxx:5674, fatal error:
46: General SSLEngine problem
sun.security.validator.ValidatorException: PKIX path building failed:
sun.security.provider.certpath.SunCertPathBuilderException: unable to find
valid certification path to requested target
IoReceiver - ec2-xxx.us-west-1.compute.amazonaws.com/xxx:5674, SEND TLSv1
ALERT: fatal, description = certificate_unknown
IoReceiver - ec2-xxx.us-west-1.compute.amazonaws.com/xxx:5674, WRITE: TLSv1
Alert, length = 2
main, fatal: engine already closed. Rethrowing
javax.net.ssl.SSLHandshakeException: General SSLEngine problem
<I have masked the IP and machine names above>
On the server side, I make the following observations.
Find below the command I execute and its output:
/ebs/qpid/cpp/src/qpidd --load-module src/.libs/ssl.so --ssl-cert-db
server_db/ --ssl-cert-password-file broker-pfile --ssl-cert-name
ec2-XXX.us-west-1.compute.amazonaws.com --ssl-port 5674
2012-09-03 13:34:28 notice Listening on TCP/TCP6 port 5672
2012-09-03 13:34:28 notice Listening for SSL connections on TCP port 5674
2012-09-03 13:34:28 notice SSL plugin not enabled, you must set
--ssl-cert-db to enable it.
2012-09-03 13:34:28 notice Broker running
2012-09-03 13:35:30 error Error reading socket: Encountered end of file
[-5938]
<note the message about the SSL plugin not being enabled, even though I pass
the flag and parameter>
There are no other errors I see on the broker's console.
-Naveen
--
View this message in context:
http://qpid.2158936.n2.nabble.com/Unable-to-Setup-SSL-between-Java-Client-and-C-broker-tp7581558p7581614.html
Sent from the Apache Qpid users mailing list archive at Nabble.com.
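The debug output above records which truststore the JSSE client actually used ("trustStore is: .../jre/lib/security/cacerts"), and the handshake then fails with "PKIX path building failed" because nothing in that store chains to the broker's CN=MyRootCA certificate. The following is an added example, not code from the original post or from Apache Qpid: it loads a specific JKS truststore explicitly through the JSSE API instead of relying on the javax.net.ssl.trustStore system property, lists the issuers it trusts, and runs the same checkServerTrusted validation the handshake performs against a broker chain saved to a PEM file, so the trust failure can be reproduced and fixed before involving the broker. The file names, password and alias are assumptions.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.CertificateException;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.util.Collection;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;

/*
 * Added example (not from the original post or from Apache Qpid).
 * Loads an explicit JKS truststore, reports the CAs it trusts, and validates
 * a server chain with the same X509TrustManager JSSE uses in the handshake.
 * Paths, password and alias used below are assumptions.
 */
public class TrustStoreCheck {

    /** Build the X509TrustManager for the given JKS truststore. */
    static X509TrustManager loadTrustManager(String path, char[] password) throws Exception {
        KeyStore ks = KeyStore.getInstance("JKS");
        InputStream in = new FileInputStream(path);
        try {
            ks.load(in, password);
        } finally {
            in.close();
        }
        TrustManagerFactory tmf =
            TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(ks);
        for (TrustManager tm : tmf.getTrustManagers()) {
            if (tm instanceof X509TrustManager) {
                return (X509TrustManager) tm;
            }
        }
        throw new IllegalStateException("no X509TrustManager built from " + path);
    }

    /** Read a PEM file holding the server chain, leaf first (as openssl s_client -showcerts prints it). */
    static X509Certificate[] loadChain(String pemPath) throws Exception {
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        InputStream in = new FileInputStream(pemPath);
        try {
            Collection<? extends Certificate> certs = cf.generateCertificates(in);
            return certs.toArray(new X509Certificate[0]);
        } finally {
            in.close();
        }
    }

    public static void main(String[] args) throws Exception {
        // Assumed locations; replace with the real truststore and a chain captured from the broker.
        String trustStore = args.length > 0 ? args[0] : "client_truststore.jks";
        char[] password   = (args.length > 1 ? args[1] : "changeit").toCharArray();
        String chainPem   = args.length > 2 ? args[2] : "broker-chain.pem";

        X509TrustManager tm = loadTrustManager(trustStore, password);
        System.out.println("Trusted issuers in " + trustStore + ":");
        for (X509Certificate ca : tm.getAcceptedIssuers()) {
            System.out.println("  " + ca.getSubjectX500Principal());
        }

        X509Certificate[] chain = loadChain(chainPem);
        try {
            // Same PKIX validation the handshake performs; throws the
            // "PKIX path building failed" CertificateException when no trusted CA matches.
            tm.checkServerTrusted(chain, "RSA");
            System.out.println("Chain is trusted by " + trustStore);
        } catch (CertificateException e) {
            System.out.println("Chain NOT trusted: " + e.getMessage());
            System.out.println("Missing issuer: " + chain[chain.length - 1].getIssuerX500Principal());
            System.out.println("Import its certificate with: keytool -importcert -keystore "
                + trustStore + " -alias brokerca -file <ca.pem>");
        }

        // Hand the truststore to the client through an SSLContext rather than a system
        // property, so the trust decision does not depend on JVM startup flags.
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, new TrustManager[] { tm }, null);
        System.out.println("SSLContext ready: " + ctx.getProtocol());
    }
}
```

Two caveats when using this: checkServerTrusted validates the chain only, not that the certificate's name matches the broker host, so a hostname check still has to happen elsewhere; and the "trustStore is:" line in the javax.net.debug output is the authoritative record of which store a given JVM used, so if it still names cacerts after a change, the setting was not in effect for that process, whatever the command line looked like.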