It seems the error is coming from Proton side and is related to my certificate
configuration. However, I would expect to have some proton logs in my log file
but this is not the case. Did I miss something in the configuration?
Qpid-dispatch 0.6.0 (src/server.c)
if (config->ssl_certificate_file) {
    if (pn_ssl_domain_set_credentials(domain,
                                      config->ssl_certificate_file,
                                      config->ssl_private_key_file,
                                      config->ssl_password)) {
        qd_log(ct->server->log_source, QD_LOG_ERROR,
               "SSL local configuration failed for %s:%s",
               ct->config->host, ct->config->port);
    }
}
Proton 0.12.2 (proton-c/src/ssl/openssl.c)
Before returning, for every error, there is a log line ("ssl_log_error"), but I
cannot find any of them in the dispatch.10396.log file.
int pn_ssl_domain_set_credentials( pn_ssl_domain_t *domain,
                                   const char *certificate_file,
                                   const char *private_key_file,
                                   const char *password)
{
    if (!domain || !domain->ctx) return -1;

    if (SSL_CTX_use_certificate_chain_file(domain->ctx, certificate_file) != 1) {
        ssl_log_error("SSL_CTX_use_certificate_chain_file( %s ) failed",
                      certificate_file);
        return -3;
    }

    if (password) {
        domain->keyfile_pw = pn_strdup(password);  // @todo: obfuscate me!!!
        SSL_CTX_set_default_passwd_cb(domain->ctx, keyfile_pw_cb);
        SSL_CTX_set_default_passwd_cb_userdata(domain->ctx, domain->keyfile_pw);
    }

    if (SSL_CTX_use_PrivateKey_file(domain->ctx, private_key_file,
                                    SSL_FILETYPE_PEM) != 1) {
        ssl_log_error("SSL_CTX_use_PrivateKey_file( %s ) failed", private_key_file);
        return -4;
    }
    ...
Regards,
Adel
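As an added example (not part of Adel's mail, of qpid-dispatch, or of proton): a small Python preflight that loads the files named in the ssl-profile with OpenSSL in the same order proton's pn_ssl_domain_set_credentials() does (certificate chain, then private key, then the certDb trust bundle) and reports the first stage that fails together with the OpenSSL reason that the missing ssl_log_error lines would have carried. The file names, the throwaway self-signed pair generated with the openssl CLI when that binary is present, and the garbage inputs are all constructed for the demo. Running it with only a certFile and no keyFile, as the connector command in the quoted mail passes, shows whether the credentials stage succeeds in that case (OpenSSL then expects the private key inside the certificate file).

```python
"""
Preflight check for a qpid-dispatch ssl-profile / connector (added example).
Mirrors the order of operations in proton's openssl.c so that the failing
OpenSSL call and its reason are visible without enabling proton logging.
"""
import os
import shutil
import ssl
import subprocess
import tempfile


def _describe(exc):
    """Turn the OSError/SSLError raised by the ssl module into a short string."""
    if isinstance(exc, ssl.SSLError):
        # e.g. "PEM lib": the same OpenSSL reason proton's ssl_log_error() prints
        return exc.reason or str(exc)
    return exc.strerror or str(exc)


def check_ssl_profile(cert_file, key_file=None, password=None, cert_db=None):
    """
    Stage 1 ("credentials"): SSL_CTX_use_certificate_chain_file +
                             SSL_CTX_use_PrivateKey_file, as in
                             pn_ssl_domain_set_credentials().
    Stage 2 ("trust"):       SSL_CTX_load_verify_locations for certDb.
    Returns {"ok": bool, "stage": str|None, "error": str|None}.
    key_file=None means "no keyFile given": OpenSSL then looks for the key
    inside cert_file, which fails when that file holds only the certificate.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    try:
        ctx.load_cert_chain(cert_file, key_file, password)
    except OSError as exc:  # ssl.SSLError is a subclass of OSError
        return {"ok": False, "stage": "credentials", "error": _describe(exc)}
    if cert_db:
        try:
            ctx.load_verify_locations(cafile=cert_db)
        except OSError as exc:
            return {"ok": False, "stage": "trust", "error": _describe(exc)}
    return {"ok": True, "stage": None, "error": None}


def constructed_failure_cases():
    """
    Run the check on constructed (not real) inputs that reproduce two common
    reasons the credentials stage fails: a file that is not PEM at all, and a
    certFile path that does not exist.
    """
    with tempfile.TemporaryDirectory(prefix="sslcheck-") as workdir:
        bogus_cert = os.path.join(workdir, "cert_lx.pem")  # constructed name
        with open(bogus_cert, "w") as fh:
            fh.write("this is not a PEM certificate\n")  # constructed garbage
        return {
            "garbage_cert": check_ssl_profile(bogus_cert),
            "missing_cert": check_ssl_profile(os.path.join(workdir, "nope.pem")),
        }


def make_self_signed_pair(workdir):
    """Generate a throwaway self-signed cert/key with the openssl CLI, if present."""
    if shutil.which("openssl") is None:
        return None
    cert = os.path.join(workdir, "demo_cert.pem")
    key = os.path.join(workdir, "demo_key.pem")
    subprocess.run(["openssl", "req", "-x509", "-newkey", "rsa:2048", "-nodes",
                    "-keyout", key, "-out", cert, "-days", "1",
                    "-subj", "/CN=sslcheck-demo"],
                   check=True, stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL)
    return cert, key


if __name__ == "__main__":
    for name, result in constructed_failure_cases().items():
        print(f"{name:>14}: {result}")
    with tempfile.TemporaryDirectory(prefix="sslcheck-") as workdir:
        pair = make_self_signed_pair(workdir)
        if pair is None:
            print("openssl CLI not found; skipping the self-signed demo pair")
        else:
            cert, key = pair
            # certFile + keyFile + certDb, as the ssl-profile lists them
            print("  cert+key+db:", check_ssl_profile(cert, key, cert_db=cert))
            # certFile only, no keyFile: the key must then be inside certFile
            print("    cert only:", check_ssl_profile(cert))
```

Run it once with the real cert_lx.pem, key_lx.pem and ca-chain.cert.pem paths from the profile; the `stage` field tells you which of the two proton calls the router's "SSL local configuration failed" line is hiding, and `error` carries the OpenSSL reason.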
> From: [email protected]
> To: [email protected]
> Subject: RE: [qpid-dispatch 0.6.0] Client certificate authentication with
> Java Broker 6.0.0
> Date: Wed, 13 Jul 2016 12:38:57 +0200
>
> Actually, I have an error message in the log file of the dispatcher which
> comes up every 5 seconds (If I am not mistaken, every x seconds the
> dispatcher will re-try to connect to the broker?)
>
> bash$ tail -f dispatch.10396.log
> Wed Jul 13 12:35:51 2016 SERVER (error) SSL local configuration failed for
> localhost:10101
> Wed Jul 13 12:35:56 2016 SERVER (error) SSL local configuration failed for
> localhost:10101
> Wed Jul 13 12:36:01 2016 SERVER (error) SSL local configuration failed for
> localhost:10101
> Wed Jul 13 12:36:06 2016 SERVER (error) SSL local configuration failed for
> localhost:10101
>
> Regards,
> Adel
>
> > From: [email protected]
> > To: [email protected]
> > Subject: [qpid-dispatch 0.6.0] Client certificate authentication with Java
> > Broker 6.0.0
> > Date: Wed, 13 Jul 2016 11:44:05 +0200
> >
> > Hello,
> >
> > On a previous
> > post (http://qpid.2158936.n2.nabble.com/Qpid-Dispatch-SSL-SASL-configuration-on-a-listener-tp7646048.html),
> > I had asked about how to set up the qpid-dispatch to work with SSL and SASL
> > authentication, and I was able, thanks to your help, to get clients
> > (consumer/producer) to connect to the dispatcher using the correct
> > certificates.
> >
> > At that time, I was connected to the open AMQP port of the Java Broker
> > which had no security. I then tried to connect to a port which only
> > required SSL, and this is also working.
> >
> > What is not working, however, is connecting the dispatcher to a port which
> > has SSL and requires client certificates on the Java Broker. When I run the
> > qdmanage command to create the connector, no connections show up on the
> > virtual host tab in the Java Broker Web management console.
> >
> > The qdmanage commands are not showing any errors and there are no errors on
> > the Java Broker's side. Is there a way to debug further what is happening
> > with qdmanage?
> >
> > As a reminder, my certificates are generated by a self-signed CA composed
> > of a root authority and an intermediate one.
> >
> > Dispatcher config
> > router {
> >     id: router.10396
> >     mode: interior
> >     worker-threads: 4
> > }
> >
> > ssl-profile {
> >     name: ssl-full-profile
> >     certFile: cert_lx.pem
> >     keyFile: key_lx.pem
> >     certDb: ca-chain.cert.pem
> > }
> >
> > listener {
> >     host: 0.0.0.0
> >     port: 10396
> >     role: normal
> >     saslMechanisms: EXTERNAL
> >     sslProfile: ssl-full-profile
> >     requireSsl: yes
> >     authenticatePeer: yes
> > }
> >
> > listener {
> >     host: 0.0.0.0
> >     port: 10395
> >     role: normal
> >     saslMechanisms: ANONYMOUS
> >     sslProfile: ssl-full-profile
> >     requireSsl: yes
> >     authenticatePeer: no
> > }
> >
> > log {
> >     module: DEFAULT
> >     enable: warn+
> >     output: dispatch.10396.log
> > }
> >
> > Java Broker
> > AMQP port is 10101, configured with the proper "KeyStore" of the broker, a
> > "NonJavaTrustStore" containing the ca-chain.cert.pem (combination of the
> > root and intermediate certificates) and "Want SSL Client Certificate".
> >
> > qdmanage commands
> > qdmanage -b amqps://localhost:10395 --ssl-key=key_lx.pem
> > --ssl-certificate=cert_lx.pem create --type=address prefix=perfQueue
> > waypoint=true name=perf.queue.addr
> >
> > qdmanage -b amqps://localhost:10395 --ssl-key=key_lx.pem
> > --ssl-certificate=cert_lx.pem create --type=connector role=route-container
> > addr=localhost port=10101 name=localhost.broker.10101.connector
> > certFile=cert_lx.pem certDb=ca-chain.cert.pem
> >
> > Regards,
> > Adel
> >
>