Hi All, I need help on using CA signed certificates with a Qpid Proton C++ app and an ActiveMQ broker for SSL.
I have in /home/user/cert_dir the following:

    rootCACert.pem
    broker-signedcert.pem
    client-signedcert.pem
    client-key.pem
    password

The password file just contains "password", which is the password used for all. I then ran the following commands to set up the certificate database:

    certutil -N -d /home/user/cert_dir -f /home/user/cert_dir/password
    certutil -A -i broker-signedcert.pem -d /home/user/cert_dir -f /home/user/cert_dir/password -n broker -t "P"
    certutil -A -i rootCACert.pem -d /home/user/cert_dir -f /home/user/cert_dir/password -n root -t "TC"

I kick off the broker by running the following script:

    setenv JAVA_HOME /programs/Java/jdk1.8.0_121
    setenv PATH ${JAVA_HOME}/bin:${PATH}
    setenv ACTIVEMQ_SSL_OPTS "-Djavax.net.ssl.keyStore=/pki/broker.ks -Djavax.net.ssl.keyStorePassword=password -Djavax.net.ssl.trustStore=/pki/broker.ts -Djavax.net.ssl.trustStorePassword=password -Djavax.net.debug=ssl"
    ./activemq console

I have confidence that the broker is not the problem because I can run:

    openssl s_client -connect localhost:5671 -showcerts -cert /home/user/cert_dir/client-signedcert.pem -key /home/user/cert_dir/client-key.pem -pass pass:password -CAfile /home/user/cert-dir/rootCACert.pem

which returns a verify code of 0 (ok). If I leave off the -CAfile it returns with a verify code of 19 (self signed certificate in chain). I can see in the broker window that the SSL handshake completed. When from the s_client I try to send a message, the broker closes the connection with the broker logging:

    WARN | Connection attempt from non AMQP v1.0 client.
My qpid proton app code has:

    void on_container_start(proton::container &c) {
        std::cout << "-INFO- on_container_start -" << std::endl;
        // client certificate, client private key, and the key password
        proton::ssl_certificate certificate("/pki/client-signedcert.pem", "/pki/client-private.pem", "password");
        // verify the peer's certificate and check its name against the virtual host
        proton::ssl::verify_mode ssl_verify_mode = proton::ssl::VERIFY_PEER_NAME;
        proton::ssl_client_options sslClientOptions(certificate, "/pki/broker-signedcert.pem", ssl_verify_mode);
        proton::connection_options connectionOptions;
        connectionOptions.ssl_client_options(sslClientOptions);
        connectionOptions.virtual_host("broker"); // this is the CN of the broker certificate
        connectionOptions.idle_timeout(proton::duration::FOREVER);
        c.client_connection_options(connectionOptions);
        c.connect("localhost:5671", connectionOptions); // broker runs on same machine
    }

I launch the client code with a script that has:

    export QPID_SSL_CERT_DB="/home/user/cert_dir"
    export QPID_SSL_CERT_PASSWORD_FILE="/home/user/cert_dir/password"

Client CA signed certificates (fails)

    SSL:TRACE:Client SSL socket created.
    EVENT:DEBUG:(PN_CONNECTION_INIT, pn_connection<0x82107e8>
    EVENT:DEBUG:(PN_CONNECTION_BOUND, pn_connection<0x82107e8>
    SSL:TRACE:Gathered 8 bytes from app to send to peer
    SSL:TRACE:Detected read-blocked
    SSL:TRACE:Wrote 280 bytes to BIO Layer, 0 left over
    SSL:TRACE:Detected read-blocked
    SSL:TRACE:process_output_ssl() returning 0
    SSL:TRACE:Detected read-blocked
    SSL:TRACE:process_output_ssl() returning 0
    SSL:TRACE:process_input_ssl( data size=3695 )
    SSL:TRACE:Wrote 3695 bytes to BIO Layer, 0 left over
    AMQP:ERROR:amqp:connection:framing-error SSL Failure error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed

Broker CA signed certificates

    *** ServerHelloDone
    ActiveMQ Transport: ssl:///192.168.107.206.45206, WRITE: TLSv1.2 Handshake, length = 3690
    ActiveMQ Transport: ssl:///192.168.107.206.45206, received EOFException: error
    ActiveMQ Transport: ssl:///192.168.107.206.45206, handling exception: javax.net.ssl.SSLHandshakeException: Remote host closed connection during handshake

Can anyone help with what I need to do differently?

Thanks,
Glen
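Added example, not from the original post or the Proton project: a shell script that builds a throw-away CA and a broker certificate with CN=broker, then runs with plain openssl the same trust and peer-name checks an OpenSSL-backed Proton client makes under VERIFY_PEER_NAME. It shows that the trust database must hold the CA certificate (the rootCACert.pem role) and that pointing the trust at the broker's own leaf certificate, or at nothing, fails the chain check the same way the trace above does. All file names, the CA subject and the scratch directory are constructed for the example.

```shell
#!/bin/sh
# Constructed PKI: a self-signed root CA and a broker leaf cert it signs.
set -u

make_test_pki() {   # $1 = scratch directory; every file below is constructed
  dir=$1; mkdir -p "$dir"
  # root CA (plays the role of rootCACert.pem)
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
    -subj "/CN=Example Test Root CA" \
    -keyout "$dir/rootCA-key.pem" -out "$dir/rootCACert.pem" >/dev/null 2>&1
  # broker key and CSR with CN=broker, matching the post's virtual_host
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=broker" \
    -keyout "$dir/broker-key.pem" -out "$dir/broker.csr" >/dev/null 2>&1
  # SAN so hostname checking does not depend on CN fallback rules
  printf 'subjectAltName=DNS:broker\n' > "$dir/san.cnf"
  openssl x509 -req -days 1 -in "$dir/broker.csr" \
    -CA "$dir/rootCACert.pem" -CAkey "$dir/rootCA-key.pem" -CAcreateserial \
    -extfile "$dir/san.cnf" -out "$dir/broker-signedcert.pem" >/dev/null 2>&1
}

# verify_peer DIR TRUSTFILE HOSTNAME
# Exit 0 if broker-signedcert.pem chains to TRUSTFILE and carries HOSTNAME,
# which is what VERIFY_PEER_NAME requires; non-zero otherwise.
verify_peer() {
  dir=$1; trust=$2; host=$3
  openssl verify -CAfile "$dir/$trust" -verify_hostname "$host" \
    "$dir/broker-signedcert.pem" >/dev/null 2>&1
}

# verify_no_trust DIR: same chain check with no trust anchor supplied,
# the situation behind s_client's non-zero verify code without -CAfile.
verify_no_trust() {
  openssl verify "$1/broker-signedcert.pem" >/dev/null 2>&1
}

report() {   # run the four cases against a scratch PKI and print verdicts
  d=$(mktemp -d); make_test_pki "$d"
  verify_peer "$d" rootCACert.pem broker       && echo "CA trust, name=broker: OK"
  verify_peer "$d" rootCACert.pem other-host   || echo "CA trust, name=other-host: FAIL (peer name)"
  verify_peer "$d" broker-signedcert.pem broker || echo "leaf cert as trust: FAIL (no issuer found)"
  verify_no_trust "$d"                         || echo "no trust anchor: FAIL"
}
```

Run `report` in a shell that has sourced the script; only the first case passes, and the third case is the one that corresponds to handing the broker's own certificate to ssl_client_options as the trust database.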