Hi Gordon,

I performed a number of tests for host name verification with the proton client using different self-signed certificates created using openssl. I used Qpid Broker-J in the tests. My tests include the following:

- Broker host FQDN set as CN in certificate subject. (The host name verification worked with JMS client but did not work with proton.)
- Broker host FQDN set as alternate name. (The host name verification worked with JMS client but did not work with proton.)
- Broker host IP set as CN in certificate subject. (The host name verification did not work with both JMS client and proton.)
- Broker host IP set as alternate name. (The host name verification did not work with both JMS client and proton.)

For all the above, my sample proton app was reporting the below error on the Linux environment:

    AMQP:ERROR:amqp:connection:framing-error SSL Failure:error:14090086:SSL routines:ssl3_get_server_certificate:certificate verify failed

Here is the sample program I used to check host name verification:

    from proton import SSLDomain
    from proton.utils import BlockingConnection

    # Client-side TLS settings: trust the broker certificate and verify the peer name
    ssl_domain = SSLDomain(SSLDomain.MODE_CLIENT)
    ca = "path/to/cert.pem"
    ssl_domain.set_trusted_ca_db(str(ca))
    ssl_domain.set_peer_authentication(SSLDomain.VERIFY_PEER_NAME, str(ca))
    conn = BlockingConnection(url="amqps://<FQDN|IP>:5671", ssl_domain=ssl_domain, user="guest", password="guest", virtual_host="default", sni="<FQDN>")
    conn.close()

Please let me know if I need to amend anything here. It seems that host verification functionality is not working as expected.

Also, I tried to test host name verification on Windows using pkcs12 without a password. I got a similar error, as given here:

    AMQP:ERROR:amqp:connection:framing-error SSL Failure: TLS certificate verification error.

Is there any way to specify the pkcs12 password in the proton API?

Regards,
Dedeepya.T

On Wednesday, 17 March, 2021, 03:50:39 pm IST, Gordon Sim <g...@redhat.com> wrote:

On 17/03/2021 09:54, Dedeepya Tunga wrote:
> Yes Gordon using OpenSolaris the self signed certificate is verified and ssl
> handshake established. On Linux am using it address to connect.

I'm sorry, I don't understand your response. Does it work when connecting using the ip address not localhost?

Have you tried using the openssl command line tool to verify the certificate on linux? What was the output from that?

> On Wed, 17 Mar 2021 at 15:21, Gordon Sim <g...@redhat.com> wrote:
> On 16/03/2021 13:11, Dedeepya Tunga wrote:
>> Thanks Gordon for the quick solution. It works on windows when I use pkcs
>> certificate. I am generating a self signed certificate with my ip address as
>> CN and hostname and localhost as alternate DNS. However when I try to verify
>> host am getting the below error on both linux and windows. Kindly suggest.
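
For reference, the name-matching rules of RFC 2818 section 3.1 applied to the certificate layouts tested in this thread. This is an added example, not code from Qpid Proton, Broker-J or either poster, and it does not describe how those implement the check. The host name broker.example.test, the address 192.0.2.10 and all function names are constructed; certificates are dicts in the shape returned by Python's ssl.SSLSocket.getpeercert().

```python
import ipaddress

def _dns_match(pattern, host):
    """Case-insensitive compare; '*' may only stand for the whole left-most label."""
    p, h = pattern.lower().rstrip("."), host.lower().rstrip(".")
    if not p.startswith("*."):
        return p == h
    left, _, rest = h.partition(".")
    return bool(left) and rest == p[2:]

def name_matches(cert, reference):
    """True if `reference` (host part of the connection URL) is an identity in `cert`."""
    sans = cert.get("subjectAltName", ())
    try:
        ip = ipaddress.ip_address(reference)
    except ValueError:
        ip = None
    if ip is not None:
        # IP reference: only iPAddress SAN entries count, never the CN or a DNS SAN.
        return any(k == "IP Address" and ipaddress.ip_address(v) == ip
                   for k, v in sans)
    dns = [v for k, v in sans if k == "DNS"]
    if dns:
        # Any dNSName SAN present: the Common Name is ignored.
        return any(_dns_match(d, reference) for d in dns)
    # Legacy fallback: Common Name, used only when there is no dNSName SAN.
    cns = [v for rdn in cert.get("subject", ()) for k, v in rdn if k == "commonName"]
    return any(_dns_match(cn, reference) for cn in cns)

def cert(cn, *sans):
    """Build a constructed getpeercert()-style dict."""
    return {"subject": ((("commonName", cn),),), "subjectAltName": tuple(sans)}

# Constructed sample certificates mirroring the layouts described in the thread.
FQDN, IP = "broker.example.test", "192.0.2.10"
CASES = {
    "FQDN as CN":  (cert(FQDN), FQDN),
    "FQDN as SAN": (cert("broker", ("DNS", FQDN)), FQDN),
    "IP as CN":    (cert(IP), IP),
    "IP as SAN":   (cert("broker", ("IP Address", IP)), IP),
    "IP as CN, names as DNS SAN":
        (cert(IP, ("DNS", FQDN), ("DNS", "localhost")), IP),
}

if __name__ == "__main__":
    for label, (c, ref) in CASES.items():
        print(f"{label:28} connect to {ref:20} -> {name_matches(c, ref)}")
```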