On 07/29/2014 12:32 PM, Andreas Welchlin wrote:
Hi All,

currently I am trying to connect to a third party AMQP broker using a
C++ client with qpid 0.28.

The broker is configured to use ssl. The client uses a self-signed
certificate. This certificate is available in the broker.


I created the self-signed certificate and added it into my certificate
db. I also added the third party broker certificate.

 > mkdir clientCertDb
 > certutil -N -d clientCertDb
 > certutil -A -d clientCertDb -n "BrokerCert" -t "T,," -a -i clientCertDb/Broker.crt
 > certutil -A -d clientCertDb -n "ClientCert" -a -i clientCertDb/Client.crt -t ",,"

Then I set the environment for the client:
export QPID_SSL_CERT_DB=./clientCertDb
export QPID_SSL_CERT_NAME=ClientCert
export QPID_SSL_CERT_PASSWORD_FILE=./pwfile

The client fails to connect to the server. The client library log says:

-------------------------------------------------------
Driver started
Starting connection to amqp:ssl:<ipaddr>:<port>
Connecting to ssl:<ipaddr>:<port>
ssl:<ipaddr>:<port> Connecting ...
Connecting: <ipaddr>:<port>
Exception constructed: Failed: NSS error [-8179]

That error means "Peer's certificate issuer is not recognized." which I believe means that the CA that signed the broker's certificate is not recognised.


(qpid-0.28/qpid-0.28/cpp/src/qpid/sys/ssl/SslSocket.cpp:156)
Failed to connect: Failed: NSS error [-8179]
(qpid-0.28/qpid-0.28/cpp/src/qpid/sys/ssl/SslSocket.cpp:156)
Driver stopped
-------------------------------------------------------

I do not get what is going wrong. As far as I understood I do not have
to give the C++ client any hint where to find the broker certificate.
Is this right?

The broker's certificate needs to be trusted. You need to import the public certificate for the CA that signed it (with trust flags -t "CT,,").

Unfortunately the error message in the client log is not helpful for me.
I don't see any details what the problem is.


I tried to get more information using openssl s_client:

 > openssl s_client -connect <ipaddr>:<port> -CAfile clientCertDb/Client.crt -debug -key Client.key -CApath clientCertDb/

It says:
Verify return code: 20 (unable to get local issuer certificate)


Does anyone of you know how to configure this or how I can get more
information?

Regards,
Andreas
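As an added example (not code from this thread or from the Qpid project), the following POSIX shell script does what the reply above recommends: it imports the CA that issued the broker's certificate with "CT,," trust, imports the client identity together with its private key (certutil -A stores only the public certificate, so pk12util is needed for the key), and includes a self-contained openssl check that reproduces verify error 20 / NSS -8179 when the client's own certificate is used as the trust anchor and shows it clearing once the issuing CA is used. File names (Broker-CA.crt, Client.crt, Client.key, pwfile), the nicknames, and the constructed test PKI are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread. Assumed inputs: Broker-CA.crt (the CA
# that issued the broker certificate), Client.crt/Client.key, and pwfile.

# What the two error codes seen in the thread mean.
nss_error_hint() {
  case "$1" in
    -8179) echo "SEC_ERROR_UNKNOWN_ISSUER: the issuer of the peer certificate is not a trusted CA in the NSS db" ;;
    20)    echo "openssl verify error 20: unable to get local issuer certificate (same root cause)" ;;
    *)     echo "no hint for error $1" ;;
  esac
}

# certutil -t flags: the issuing CA gets C (trusted to issue server certs) and
# T (trusted to issue client certs); the client's own identity needs none.
trust_flags_for() {
  case "$1" in
    ca)     echo "CT,," ;;
    client) echo ",," ;;
    *)      return 1 ;;
  esac
}

# Bundle the client certificate with its private key as PKCS#12; the -name
# becomes the NSS nickname, so it must match QPID_SSL_CERT_NAME.
# $1 = cert PEM, $2 = key PEM, $3 = output .p12, $4 = nickname
make_client_p12() {
  openssl pkcs12 -export -in "$1" -inkey "$2" -out "$3" -name "$4" -passout pass:
}

# Build the NSS database the way the reply recommends.
# $1 = db dir, $2 = CA cert PEM, $3 = client .p12, $4 = NSS password file
build_nss_db() {
  mkdir -p "$1"
  certutil -N -d "$1" -f "$4"
  certutil -A -d "$1" -n "BrokerCA" -t "$(trust_flags_for ca)" -a -i "$2"
  pk12util -i "$3" -d "$1" -k "$4" -W ""
  certutil -L -d "$1"   # BrokerCA must show "CT,," in the trust column
}
# After that, the matching openssl check against a live broker would be:
#   openssl s_client -connect <ipaddr>:<port> -CAfile Broker-CA.crt -cert Client.crt -key Client.key

# Reproduce the failure offline with a constructed test PKI, then the fix.
# Returns 0 when verification fails with only the client cert as anchor and
# succeeds with the issuing CA; also returns 0 (skips) if openssl is missing.
demo_openssl_chain() {
  command -v openssl >/dev/null 2>&1 || { echo "openssl not found, skipping chain demo"; return 0; }
  work=$(mktemp -d) || return 1
  if (
    cd "$work" || exit 1
    echo "basicConstraints=critical,CA:TRUE" > ca_ext.cnf
    # Constructed CA: key + CSR, self-signed with the CA extension.
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=Test Broker CA" \
      -keyout ca.key -out ca.csr 2>/dev/null || exit 1
    openssl x509 -req -in ca.csr -signkey ca.key -days 1 -extfile ca_ext.cnf \
      -out ca.crt 2>/dev/null || exit 1
    # Broker certificate issued by that CA.
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=broker.example" \
      -keyout broker.key -out broker.csr 2>/dev/null || exit 1
    openssl x509 -req -in broker.csr -CA ca.crt -CAkey ca.key -set_serial 1 \
      -days 1 -out broker.crt 2>/dev/null || exit 1
    # Self-signed client certificate, as in the thread.
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=client" \
      -keyout client.key -out client.csr 2>/dev/null || exit 1
    openssl x509 -req -in client.csr -signkey client.key -days 1 \
      -out client.crt 2>/dev/null || exit 1
    # The thread's s_client call used Client.crt as -CAfile: the client's own
    # certificate cannot vouch for the broker, so verification must fail (error 20).
    if openssl verify -CAfile client.crt broker.crt 2>&1 | grep -q ': OK$'; then
      echo "unexpected: broker cert accepted with client cert as anchor"; exit 1
    fi
    # Correct anchor: the CA that issued the broker certificate.
    openssl verify -CAfile ca.crt broker.crt 2>&1 | grep -q ': OK$' || exit 1
  ); then rc=0; else rc=1; fi
  rm -rf "$work"
  return $rc
}

# Stand-alone run: only the offline check, nothing touches a real broker.
demo_openssl_chain && echo "chain demo OK: client cert as anchor fails, issuing CA succeeds"
```

The trust column printed by `certutil -L` is the quickest check: the broker's CA entry must carry C (and T if the broker also authenticates clients against the same CA), while a bare "T,," or ",," on the broker certificate itself leaves NSS with no trusted issuer and produces exactly the -8179 seen in the log.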







---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]
