Hi Cliff,

Reading the example you cited more carefully helped. The key, though, was that the truststores (server_CA and client_CA in the example) just need to be a file with both the broker-signedcert.pem and the rootCACert.pem in it: "cat broker-signedcert.pem > client-truststore.pem; cat rootCACert.pem >> client-truststore.pem". Then also the virtual_host name needs to match the CN (common name) in the broker-signedcert.pem.
Thanks for helping me get this working,
Glen

-----Original Message-----
From: Cliff Jansen <cliffjan...@gmail.com>
Sent: Monday, January 17, 2022 2:21 AM
To: users@qpid.apache.org
Subject: Re: Help using CA signed certificates with a Qpid Proton C++ app

Hi Glen,

I believe you are mixing old and new methodologies. NSS and certutil are unrelated to the Qpid Proton C++ library, which uses OpenSSL on Posix systems. The environment variables QPID_SSL_CERT_XXX are not used for TLS configuration.

See the example at https://github.com/apache/qpid-proton/blob/main/cpp/examples/ssl_client_cert.cpp and see the configuration pertaining to "using_OpenSSL()". That should show you where to plug in the "XXX.pem" files you started from.

Cliff

On Fri, Jan 14, 2022 at 7:00 PM Shipley, Glen <gship...@asrcfederal.com.invalid> wrote:
> Hi All,
>
> I need help on using CA signed certificates with a Qpid Proton C++ app
> and an ActiveMQ broker for SSL.
>
> I have in /home/user/cert_dir the following -
>
> rootCACert.pem
> broker-signedcert.pem
> client-signedcert.pem
> client-key.pem
> password
>
> The password file just contains password, which is the password used
> for all.
>
> I then ran the following commands to set up the certificate database -
>
> certutil -N -d /home/user/cert_dir -f /home/user/cert_dir/password
> certutil -A -i broker-signedcert.pem -d /home/user/cert_dir -f /home/user/cert_dir/password -n broker -t "P"
> certutil -A -i rootCACert.pem -d /home/user/cert_dir -f /home/user/cert_dir/password -n root -t "TC"
>
> I kick off the broker by running the following script -
>
> setenv JAVA_HOME /programs/Java/jdk1.8.0_121
> setenv PATH ${JAVA_HOME}/bin:${PATH}
> setenv ACTIVEMQ_SSL_OPTS "-Djavax.net.ssl.keyStore=/pki/broker.ks -Djavax.net.ssl.keyStorePassword=password -Djavax.net.ssl.trustStore=/pki/broker.ts -Djavax.net.ssl.trustStorePassword=password -Djavax.net.debug=ssl"
> ./activemq console
>
> I have confidence that the broker is not the problem because I can run -
>
> openssl s_client -connect localhost:5671 -showcerts -cert /home/user/cert_dir/client-signedcert.pem -key /home/user/cert_dir/client-key.pem -pass pass:password -CAfile /home/user/cert-dir/rootCACert.pem
>
> which returns a verify code of 0 (ok). If I leave off the -CAfile it
> returns with a verify code of 19 (self signed certificate in chain). I
> can see in the broker window that the SSL handshake completed. When
> from the s_client I try to send a message, the broker closes the
> connection with the broker logging -
>
> WARN | Connection attempt from non AMQP v1.0 client.
>
> My qpid proton app code has -
>
> void on_container_start(proton::container &c) {
>     std::cout << "-INFO- on_container_start -" << std::endl;
>     proton::ssl_certificate certificate("/pki/client-signedcert.pem", "/pki/client-private.pem", "password");
>
>     proton::ssl::verify_mode ssl_verify_mode = proton::ssl::VERIFY_PEER_NAME;
>
>     proton::ssl_client_options sslClientOptions(certificate, "/pki/broker-signedcert.pem", ssl_verify_mode);
>
>     proton::connection_options connectionOptions;
>     connectionOptions.ssl_client_options(sslClientOptions);
>     connectionOptions.virtual_host("broker"); // this is the CN of the broker certificate
>     connectionOptions.idle_timeout(proton::duration::FOREVER);
>
>     c.client_connection_options(connectionOptions);
>
>     c.connect("localhost:5671", connectionOptions); // broker runs on same machine
> }
>
> I launch the client code with a script that has
>
> export QPID_SSL_CERT_DB="/home/user/cert_dir"
> export QPID_SSL_CERT_PASSWORD_FILE="/home/user/cert_dir/password"
>
> Client CA signed certificates (fails)
> SSL:TRACE:Client SSL socket created.
> EVENT:DEBUG:(PN_CONNECTION_INIT, pn_connection<0x82107e8>
> EVENT:DEBUG:(PN_CONNECTION_BOUND, pn_connection<0x82107e8>
> SSL:TRACE:Gathered 8 bytes from app to send to peer
> SSL:TRACE:Detected read-blocked
> SSL:TRACE:Wrote 280 bytes to BIO Layer, 0 left over
> SSL:TRACE:Detected read-blocked
> SSL:TRACE:process_output_ssl() returning 0
> SSL:TRACE:Detected read-blocked
> SSL:TRACE:process_output_ssl() returning 0
> SSL:TRACE:process_input_ssl( data size=3695 )
> SSL:TRACE:Wrote 3695 bytes to BIO Layer, 0 left over
> AMQP:ERROR:amqp:connection:framing-error SSL Failure error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
>
> Broker CA signed certificates
> *** ServerHelloDone
> ActiveMQ Transport: ssl:///192.168.107.206.45206, WRITE: TLSv1.2 Handshake, length = 3690
> ActiveMQ Transport: ssl:///192.168.107.206.45206, received EOFException: error
> ActiveMQ Transport: ssl:///192.168.107.206.45206, handling exception: javax.net.ssl.SSLHandshakeException: Remote host closed connection during handshake
>
> Can anyone help with what I need to do differently?
>
> Thanks,
> Glen
>
> ________________________________
>
> The preceding message (including attachments) is covered by the
> Electronic Communication Privacy Act, 18 U.S.C. sections 2510-2512, is
> intended only for the person or entity to which it is addressed, and
> may contain information that is confidential, protected by
> attorney-client or other privilege, or otherwise protected from
> disclosure by law. If you are not the intended recipient, you are
> hereby notified that any retention, dissemination, distribution, or
> copying of this communication is strictly prohibited. Please reply to
> the sender that you have received the message in error and destroy the
> original message and all copies.
> ________________________________
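To make the fix from this thread concrete, here is an added example (not code from the thread, and not from the Proton or ActiveMQ projects) that builds the kind of trust file Glen describes and checks it with the openssl CLI alone, so no Proton client or broker is needed. It generates a throwaway root CA and a broker certificate with CN=broker in a temporary directory (constructed test data; the file names mirror the thread), concatenates the broker certificate and the root into client-truststore.pem, which is the file handed to proton::ssl_client_options as its trust database, and then confirms the two things that were going wrong: chain verification fails when the trust file holds only the broker's own certificate, because OpenSSL needs the self-signed root to be present, and hostname verification (the openssl verify analogue of VERIFY_PEER_NAME) passes only for the name in the certificate, so virtual_host must be set to that name. The subjectAltName the script adds is good practice and an assumption of this script, not something the thread requires; the CN alone is what Glen matched.

```shell
#!/bin/sh
# Added example, not from the mailing-list thread or the Proton project.
# Builds a Proton-style PEM trust file for a CA-signed broker certificate
# and checks it with the openssl CLI. All key material is constructed here
# in a temp directory (throwaway root CA, 1-day validity, unencrypted keys).
set -eu

# make_pki DIR: create rootCACert.pem and broker-signedcert.pem in DIR.
make_pki() {
    dir=$1
    mkdir -p "$dir"
    # Self-signed root CA (constructed for this example).
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=test-root-ca" \
        -keyout "$dir/rootCAKey.pem" -out "$dir/rootCACert.pem" 2>/dev/null
    # Broker key and CSR; the CN is the name the client will have to use.
    openssl req -new -newkey rsa:2048 -nodes \
        -subj "/CN=broker" \
        -keyout "$dir/broker-key.pem" -out "$dir/broker.csr" 2>/dev/null
    # subjectAltName is an assumption (good practice), not required by the thread.
    printf 'subjectAltName=DNS:broker\n' > "$dir/broker-ext.cnf"
    openssl x509 -req -days 1 -in "$dir/broker.csr" \
        -CA "$dir/rootCACert.pem" -CAkey "$dir/rootCAKey.pem" -CAcreateserial \
        -extfile "$dir/broker-ext.cnf" \
        -out "$dir/broker-signedcert.pem" 2>/dev/null
}

# build_truststore DIR: write DIR/client-truststore.pem, the file to pass as
# the trust_db argument of proton::ssl_client_options, and print its path.
# Order does not matter to OpenSSL; what matters is that the root is present.
build_truststore() {
    dir=$1
    cat "$dir/broker-signedcert.pem" "$dir/rootCACert.pem" > "$dir/client-truststore.pem"
    printf '%s\n' "$dir/client-truststore.pem"
}

# cert_cn FILE: print the subject CN of FILE (what virtual_host must equal).
cert_cn() {
    openssl x509 -in "$1" -noout -subject -nameopt RFC2253 |
        sed 's/^subject=//; s/.*CN=\([^,]*\).*/\1/'
}

# verify_chain TRUST CERT: print 0 if CERT chains to a root in TRUST, else 1.
verify_chain() {
    if openssl verify -CAfile "$1" "$2" >/dev/null 2>&1; then echo 0; else echo 1; fi
}

# verify_peer_name TRUST CERT NAME: chain check plus hostname check,
# the CLI analogue of Proton's VERIFY_PEER_NAME; prints 0 on success, else 1.
verify_peer_name() {
    if openssl verify -CAfile "$1" -verify_hostname "$3" "$2" >/dev/null 2>&1; then
        echo 0
    else
        echo 1
    fi
}

# demo: run the whole procedure once and print the verdicts (0 = ok, 1 = fail).
demo() {
    d=$(mktemp -d)
    make_pki "$d"
    ts=$(build_truststore "$d")
    leaf=$d/broker-signedcert.pem
    echo "CN in broker cert (use as virtual_host): $(cert_cn "$leaf")"
    echo "chain vs truststore (root included):     $(verify_chain "$ts" "$leaf")"
    echo "chain vs broker cert alone:              $(verify_chain "$leaf" "$leaf")"
    echo "peer name 'broker':                      $(verify_peer_name "$ts" "$leaf" broker)"
    echo "peer name 'localhost':                   $(verify_peer_name "$ts" "$leaf" localhost)"
    rm -rf "$d"
}

if [ "${1:-}" = demo ]; then demo; fi
```

Run it as `sh truststore-check.sh demo` (the file name is arbitrary). The second chain line reproduces the situation in the failing client log: a trust file that contains only the broker's leaf certificate cannot verify that same certificate, while the concatenated file can. The last two lines show why connecting to "localhost" with virtual_host set to anything other than the certificate's name fails under VERIFY_PEER_NAME.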