activemq-users mailing list archives

From wolfie <>
Subject SSL certificates not being sent in C# listener connection
Date Mon, 31 Oct 2011 05:30:14 GMT
Hi all,

I'm completely new to ActiveMQ and am struggling to get two way SSL
certificate exchange working between my listener application (which sits on
my company's server) and the broker (which is on a server run by a separate
company). The communication worked totally fine without certificates in
place, but once the broker turned on the requirement for certificates to be
in place it can no longer connect.

I'm using the Apache.NMS (V1.5.0.2194) dlls that come in the Spring.Net
packages to create the listener.  I'm worried that I'm doing it wrong even
though it worked without certificates and now the way I'm creating the
connection is not passing the SSL certificate to the client. The broker
keeps getting a null cert chain error because my certificate has not been
sent. I'm thinking (perhaps) that this is something to do with the
application not having access to the place where the certificate is stored,
or perhaps that I'm not setting up the connection correctly in the code.

The connection code I'm using is this (I've removed the exact ip addresses
and port names for privacy, strings in triangle brackets represent actual ip
addresses, port numbers and certificate names):

using Apache.NMS;
using Apache.NMS.ActiveMQ;

// The ssl:// scheme selects the NMS SslTransport for the broker connection.
IConnectionFactory factory = new ConnectionFactory( "ssl://<client ip>:<portno>" );
IConnection conn = factory.CreateConnection();
conn.ExceptionListener += new ExceptionListener( conn_ExceptionListener );
ISession session = conn.CreateSession( AcknowledgementMode.AutoAcknowledge );
IDestination dest = session.GetQueue( "<queue name>" );
IMessageConsumer receiver = session.CreateConsumer( dest );
receiver.Listener += new MessageListener( receiver_Listener );
// Message delivery to the consumer only begins once the connection is started.
conn.Start();

I've subsequently changed the connection URI to try and include the
certificate subject name like so:

ssl://<client ip>:<portno>/?transport.clientcertsubject=CN=<cert Name>

Right now upon my connection attempt I get this:

Apache.NMS.NMSException: Could not connect to broker URL: ssl://<client ip>:<portno>/?transport.clientcertsubject=CN=<cert Name>
 Reason: A call to SSPI failed, see inner exception. ---> System.Security.Authentication.AuthenticationException: A call to SSPI failed, see inner exception. ---> System.ComponentModel.Win32Exception: An unknown error occurred while processing the certificate
   --- End of inner exception stack trace ---
   at Apache.NMS.ActiveMQ.Transport.Tcp.SslTransport.CreateSocketStream()
   at Apache.NMS.ActiveMQ.Transport.Tcp.TcpTransport.Start()
   at Apache.NMS.ActiveMQ.Transport.TransportFilter.Start()
   at Apache.NMS.ActiveMQ.Transport.TransportFilter.Start()
   at Apache.NMS.ActiveMQ.Transport.WireFormatNegotiator.Start()
   at Apache.NMS.ActiveMQ.Transport.TransportFilter.Start()
   at Apache.NMS.ActiveMQ.Transport.TransportFilter.Start()
   at Apache.NMS.ActiveMQ.ConnectionFactory.CreateActiveMQConnection(String userName, String password)

The application is a C# ASP.NET Windows application running on a Windows
Server 2003 server. I know the certificate is in the Personal certificate
store on the server running this application, because I can retrieve it
successfully in the code and I in fact use the retrieved certificate subject
name in the connection string (I did check what account the application is
running under and it's the same as the current user that I was logged in as
when I ran it).

using System.Security.Cryptography.X509Certificates;

// Look the client certificate up in the current user's Personal store.
X509Store store = new X509Store( StoreName.My, StoreLocation.CurrentUser );
store.Open( OpenFlags.ReadOnly );
// validOnly = true returns only certificates that chain to a trusted root.
X509Certificate2Collection col = store.Certificates.Find(
    X509FindType.FindBySerialNumber, "<serial number>", true );
store.Close();

I am however trying to figure out why the certificate is not actually sent
during connection.

The Trace.Listener logs the following error in the SSL handshake:

System.Net Information: 0 : [2548] SecureChannel#43527150::.ctor(hostname=<host name>, #clientCertificates=4)
System.Net Information: 0 : [2548] Enumerating security packages:
<snip list of security packages>
System.Net Information: 0 : [2548] SecureChannel#43527150 - Client delegate did not provide a certificate; but there are other user-provided
System.Net Information: 0 : [2548] SecureChannel#43527150 - Left with 0 client certificates to choose from.

The actual data being sent out in the first connection attempt seems too
small to have a certificate in it:

System.Net.Sockets Verbose: 0 : [2548] Data from Socket#41962596::Send
System.Net.Sockets Verbose: 0 : [2548] 00000000 : 16 03 01 00 41 01 00 00-3D 03 01 4E AE 27 26 07 : ....A...=..N.'&.
System.Net.Sockets Verbose: 0 : [2548] 00000010 : 89 10 0C E3 BA C7 4F 05-A6 41 90 57 E7 67 B9 6D : ......O..A.W.g.m
System.Net.Sockets Verbose: 0 : [2548] 00000020 : DC CD C8 0D E8 BF 67 73-20 57 B3 00 00 16 00 04 : W......
System.Net.Sockets Verbose: 0 : [2548] 00000030 : 00 05 00 0A 00 09 00 64-00 62 00 03 00 06 00 13 : .......d.b......
System.Net.Sockets Verbose: 0 : [2548] 00000040 : 00 12 00 63 01 00 : ...c..
System.Net.Sockets Verbose: 0 : [2548] Exiting Socket#41962596::Send() 	->

When I look at the data coming back from the broker I can see their
certificate and our certificate names in the data being received, so I would
expect that the data going out to them would also include the certificate.

I'm wondering:
1) Am I coding this all wrong? Do I need to completely rewrite the
connection code if I want to use certificates?
2) Since I'm not running a Java server and don't therefore have a Java
certificate truststore/keystore set up, do I need to create a Java
truststore/keystore specifically for this application?
3) If so, is there a specific place I should store it so that the C# ASP.NET
application can access it?
4) Is the problem that while I may be retrieving the certificate
successfully in the code from the X509 certificate store, the Apache.NMS
connection attempt is looking elsewhere for the certificate and thus can't
retrieve it to send it?

Can anyone offer any insight at all into this? I've been going around in
circles for the last five days with no solution in sight, and it's starting to
get very, very urgent.
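As an added example (not part of the original message, and not Apache.NMS or Spring.Net code), the following Python script decodes the 70-byte socket dump quoted above. The dump is the client's first TLS flight, and in the TLS 1.0 handshake that flight is only a ClientHello; the client's Certificate message is sent in a later flight, after the server has answered with a CertificateRequest. Parsing the bytes makes that visible and gives a reusable check for any later System.Net dump: for a successful mutual-TLS handshake, a subsequent Send dump must contain a handshake message of type 11 (Certificate). The trace text embedded in the script is a constructed copy of the page's dump with the archive's line-wrapping repaired.

```python
import re
import struct

# Constructed input: the client's first outbound bytes, copied from the
# System.Net.Sockets trace quoted in the message above, with the archive's
# line-wrapping repaired. The ASCII column is ignored by the parser.
TRACE_LINES = """
System.Net.Sockets Verbose: 0 : [2548] Data from Socket#41962596::Send
System.Net.Sockets Verbose: 0 : [2548] 00000000 : 16 03 01 00 41 01 00 00-3D 03 01 4E AE 27 26 07 : ....A...=..N.'&.
System.Net.Sockets Verbose: 0 : [2548] 00000010 : 89 10 0C E3 BA C7 4F 05-A6 41 90 57 E7 67 B9 6D : ......O..A.W.g.m
System.Net.Sockets Verbose: 0 : [2548] 00000020 : DC CD C8 0D E8 BF 67 73-20 57 B3 00 00 16 00 04 : W......
System.Net.Sockets Verbose: 0 : [2548] 00000030 : 00 05 00 0A 00 09 00 64-00 62 00 03 00 06 00 13 : .......d.b......
System.Net.Sockets Verbose: 0 : [2548] 00000040 : 00 12 00 63 01 00 : ...c..
System.Net.Sockets Verbose: 0 : [2548] Exiting Socket#41962596::Send() ->
"""

HANDSHAKE_RECORD = 22          # TLS record content type "handshake"
HANDSHAKE_TYPES = {            # handshake message types relevant to client auth
    1: "ClientHello", 2: "ServerHello", 11: "Certificate",
    13: "CertificateRequest", 14: "ServerHelloDone",
    15: "CertificateVerify", 16: "ClientKeyExchange", 20: "Finished",
}
# One dump line: an 8-digit hex offset, " : ", then space/dash separated bytes.
DUMP_LINE = re.compile(r"([0-9A-F]{8}) : ((?:[0-9A-F]{2}[ -]?)+)")


def bytes_from_trace(trace):
    """Reassemble the raw bytes from the hex column of a System.Net dump."""
    chunks = {}
    for match in DUMP_LINE.finditer(trace):
        offset = int(match.group(1), 16)
        chunks[offset] = bytes.fromhex(match.group(2).replace("-", " "))
    return b"".join(chunks[offset] for offset in sorted(chunks))


def parse_records(data):
    """Split a TLS byte stream into (content_type, version, payload) tuples."""
    records, pos = [], 0
    while pos + 5 <= len(data):
        ctype, version, length = struct.unpack("!BHH", data[pos:pos + 5])
        payload = data[pos + 5:pos + 5 + length]
        if len(payload) != length:
            raise ValueError("truncated TLS record")
        records.append((ctype, version, payload))
        pos += 5 + length
    return records


def parse_handshakes(payload):
    """Split a handshake record payload into (msg_type, body) tuples."""
    messages, pos = [], 0
    while pos + 4 <= len(payload):
        msg_type = payload[pos]
        length = int.from_bytes(payload[pos + 1:pos + 4], "big")
        body = payload[pos + 4:pos + 4 + length]
        if len(body) != length:
            raise ValueError("truncated handshake message")
        messages.append((msg_type, body))
        pos += 4 + length
    return messages


def parse_client_hello(body):
    """Decode the fixed ClientHello fields (TLS 1.0 layout, RFC 2246)."""
    version = struct.unpack("!H", body[:2])[0]
    pos = 34                                   # 2-byte version + 32-byte random
    sid_len = body[pos]
    session_id = body[pos + 1:pos + 1 + sid_len]
    pos += 1 + sid_len
    cs_len = struct.unpack("!H", body[pos:pos + 2])[0]
    pos += 2
    suites = [struct.unpack("!H", body[i:i + 2])[0] for i in range(pos, pos + cs_len, 2)]
    pos += cs_len
    comp_len = body[pos]
    compression = list(body[pos + 1:pos + 1 + comp_len])
    pos += 1 + comp_len
    return {
        "version": version,
        "session_id": session_id,
        "cipher_suites": suites,
        "compression_methods": compression,
        "extensions_present": pos < len(body),   # an extensions block would follow
    }


def summarize(trace):
    """Name every handshake message in the dump and flag a Certificate message."""
    data = bytes_from_trace(trace)
    summary = {"total_bytes": len(data), "messages": [], "has_certificate_message": False}
    for ctype, _version, payload in parse_records(data):
        if ctype != HANDSHAKE_RECORD:
            continue
        for msg_type, body in parse_handshakes(payload):
            summary["messages"].append(HANDSHAKE_TYPES.get(msg_type, str(msg_type)))
            if msg_type == 11:
                summary["has_certificate_message"] = True
            if msg_type == 1:
                summary["client_hello"] = parse_client_hello(body)
    return summary


if __name__ == "__main__":
    result = summarize(TRACE_LINES)
    print(result["total_bytes"], "bytes:", ", ".join(result["messages"]))
    print("client Certificate message present:", result["has_certificate_message"])
    print("cipher suites offered:", [hex(s) for s in result["client_hello"]["cipher_suites"]])
```

Run against the page's dump, the script reports a single 70-byte ClientHello (TLS 1.0, empty session id, eleven cipher suites, no extensions) and no Certificate message, which is the normal shape of a first flight; the place to look for the missing client certificate is the later flight after the broker's CertificateRequest, and the "Left with 0 client certificates to choose from" trace line explains why that later flight would carry none. The suite list itself is also worth a glance from a hardening perspective: 0x0004/0x0005 are RC4, 0x0009/0x0012 are single DES, and 0x0003, 0x0006, 0x0062, 0x0063 and 0x0064 are export-grade suites, all of which a broker configured for mutual TLS today would be expected to reject.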
