I recently configured our qpid C++ brokers to use SSL encryption via a self-signed certificate for all connections. We have it working with both C++ and Java clients without any problems, but all of the qpid-tools applications fail. Here's how everything is configured:
/etc/qpid/qpidd.conf:

require-encryption=yes
ssl-cert-db=/etc/pki/TGS
ssl-cert-password-file=/etc/pki/TGS/password
ssl-cert-name=infra
ssl-port=5672
ssl-require-client-authentication=yes

/etc/pki/TGS contains cert8.db and key3.db holding the certs and keys, as well as the Java truststore and keystore. certutil -L -d . in /etc/pki/TEST returns:

Certificate Nickname                Trust Attributes
                                    SSL,S/MIME,JAR/XPI
TGS_RootCA                          CT,,
infra                               u,u,u
client                              u,u,u

That is correct for the CA certificate and the server/client certificates that I generated.

For the C++ clients some environment variables are set to point to the certificates:

QPID_SSL_CERT_DB=/etc/pki/TGS/
QPID_SSL_CERT_NAME=client
QPID_SSL_CERT_PASSWORD_FILE=/etc/pki/TGS/password

openssl s_client -connect localhost:5672 finds the certificate correctly and complains about it being a self-signed cert, which I'm pretty sure is normal because it is one after all.

CONNECTED(00000003)
depth=1 CN = TGS_RootCA
verify error:num=19:self signed certificate in certificate chain
verify return:0
139681568163656:error:14094412:SSL routines:SSL3_READ_BYTES:sslv3 alert bad certificate:s3_pkt.c:1257:SSL alert number 42
139681568163656:error:140790E5:SSL routines:SSL23_WRITE:ssl handshake failure:s23_lib.c:177:
---
Certificate chain
 0 s:/CN=infra
   i:/CN=TGS_RootCA
 1 s:/CN=TGS_RootCA
   i:/CN=TGS_RootCA

qpid-stat -q -b amqps://localhost:5672 returns this:

Failed: ConnectError - [Errno 1] _ssl.c:492: error:14094412:SSL routines:SSL3_READ_BYTES:sslv3 alert bad certificate

which matches the error that openssl threw too. I also tried extracting the cert and the private key and passing those as arguments to qpid-stat, but it gave me the same errors.

Is this an issue with Python not accepting the certificate because it's self-signed? Does everything look like I have it set up right?

Tim
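Added example, not part of Tim's post or of the qpid project: a small Python diagnostic that tells a TLS alert sent by the broker (the peer rejecting what the client presented) apart from a trust failure on the client's own side (the CA not being in its trust store). diagnose() runs offline on the two error messages quoted above; probe() needs a live broker and PEM files, and the cafile/certfile/keyfile names are assumptions.

```python
import re
import socket
import ssl

# TLS alert descriptions (RFC 5246 7.2.2) as OpenSSL spells them in its
# "... alert <description>" error strings, with the alert numbers.
PEER_ALERTS = {"handshake failure": 40, "bad certificate": 42, "unsupported certificate": 43,
               "certificate revoked": 44, "certificate expired": 45,
               "certificate unknown": 46, "unknown ca": 48}

# Sample inputs: the two messages quoted in the post above, not constructed.
QPID_STAT_ERROR = ("Failed: ConnectError - [Errno 1] _ssl.c:492: error:14094412:"
                   "SSL routines:SSL3_READ_BYTES:sslv3 alert bad certificate")
S_CLIENT_OUTPUT = ("depth=1 CN = TGS_RootCA\n"
                   "verify error:num=19:self signed certificate in certificate chain\n"
                   "verify return:0\n139681568163656:error:14094412:SSL routines:"
                   "SSL3_READ_BYTES:sslv3 alert bad certificate:s3_pkt.c:1257:SSL alert number 42\n")

def diagnose(text):
    """Work out which side refused. An 'alert <name>' seen in SSL3_READ_BYTES was
    *received*, i.e. the peer rejected what we presented (or did not present);
    'verify error:num=N' / 'certificate verify failed' is *our* side failing to
    validate the server's chain (e.g. the CA is missing from our trust store)."""
    peer_alert = next(((n, c) for n, c in PEER_ALERTS.items() if "alert " + n in text), None)
    local = None
    m = re.search(r"verify error:num=(\d+):([^\n]+)", text)
    if m:
        local = {"code": int(m.group(1)), "reason": m.group(2).strip()}
    elif "certificate verify failed" in text:
        local = {"code": None, "reason": text.split("certificate verify failed", 1)[1].strip(": ")}
    verdict = ("peer_rejected_certificate" if peer_alert   # fix what the client presents
               else "local_trust_failure" if local       # fix the client's trust store
               else "unknown")
    return {"peer_alert": peer_alert, "local_verify_error": local, "verdict": verdict}

def probe(host, port, cafile, certfile=None, keyfile=None, timeout=5.0):
    """One TLS handshake as a client, returning diagnose() of the outcome. Running
    it once without and once with certfile/keyfile separates a broker rejecting (or
    never receiving) the client certificate from a CA-trust problem on our side."""
    ctx = ssl.create_default_context(cafile=cafile)
    ctx.check_hostname = False  # chain is still verified; the CN rarely matches a probe host
    if certfile:
        ctx.load_cert_chain(certfile, keyfile)
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                return {"verdict": "handshake_ok", "peer_subject": tls.getpeercert()["subject"]}
    except ssl.SSLError as exc:
        return diagnose(str(exc))
```

A verdict of peer_rejected_certificate means the broker, not the client's trust store, refused the connection, so the next thing to check is the client certificate the tool actually presents.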
