From: wolfie
To: users@activemq.apache.org
Date: Sun, 30 Oct 2011 22:30:14 -0700 (PDT)
Message-ID: <1320039014025-3954853.post@n4.nabble.com>
Subject: SSL certificates not being sent in C# listener connection

Hi all,

I'm completely new to ActiveMQ and am struggling to get two-way SSL certificate exchange working between my listener application (which sits on my company's server) and the broker (which is on a server run by a separate company). The communication worked totally fine without certificates in place, but once the broker turned on the requirement for certificates to be in place it can no longer connect.

I'm using the Apache.NMS (V1.5.0.2194) DLLs that come in the Spring.Net packages to create the listener. I'm worried that I'm doing it wrong even though it worked without certificates, and now the way I'm creating the connection is not passing the SSL certificate to the client. The broker keeps getting a null cert chain error because my certificate has not been sent. I'm thinking (perhaps) that this is something to do with the application not having access to the place where the certificate is stored, or perhaps that I'm not setting up the connection correctly in the code.

The connection code I'm using is this (I've removed the exact IP addresses and port names for privacy; strings in triangle brackets represent actual IP addresses, port numbers and certificate names):

    using Apache.NMS;
    using Apache.NMS.ActiveMQ;

    IConnectionFactory factory = new ConnectionFactory( "ssl://<ip>:<port>" );
    IConnection conn = factory.CreateConnection();
    conn.ExceptionListener += new ExceptionListener( conn_ExceptionListener );
    ISession session = conn.CreateSession( AcknowledgementMode.AutoAcknowledge );
    IDestination dest = session.GetQueue( "<queue name>" );
    IMessageConsumer receiver = session.CreateConsumer( dest );
    receiver.Listener += new MessageListener( receiver_Listener );
    conn.Start();

I've subsequently changed the connection URI to try and include the certificate subject name, like so:

    ssl://<ip>:<port>/?transport.clientcertsubject=CN=<name>

Right now, upon my connection attempt, I get this:

    Apache.NMS.NMSException: Could not connect to broker URL: ssl://<ip>:<port>/?transport.clientcertsubject=CN=<name> Reason: A call to SSPI failed, see inner exception. ---> System.Security.Authentication.AuthenticationException: A call to SSPI failed, see inner exception.
    ---> System.ComponentModel.Win32Exception: An unknown error occurred while processing the certificate
    --- End of inner exception stack trace ---
       at Apache.NMS.ActiveMQ.Transport.Tcp.SslTransport.CreateSocketStream()
       at Apache.NMS.ActiveMQ.Transport.Tcp.TcpTransport.Start()
       at Apache.NMS.ActiveMQ.Transport.TransportFilter.Start()
       at Apache.NMS.ActiveMQ.Transport.TransportFilter.Start()
       at Apache.NMS.ActiveMQ.Transport.WireFormatNegotiator.Start()
       at Apache.NMS.ActiveMQ.Transport.TransportFilter.Start()
       at Apache.NMS.ActiveMQ.Transport.TransportFilter.Start()
       at Apache.NMS.ActiveMQ.ConnectionFactory.CreateActiveMQConnection(String userName, String password)

The application is a C# ASP.NET Windows application running on a Windows Server 2003 server. I know the certificate is in the Personal certificate store on the server running this application, because I can retrieve it successfully in the code, and I in fact use the retrieved certificate subject name in the connection string (I did check what account the application is running under, and it's the same as the current user that I was logged in as when I run it).

    X509Store store = new X509Store( StoreName.My, StoreLocation.CurrentUser );
    store.Open( OpenFlags.ReadOnly );
    X509Certificate2Collection col = store.Certificates.Find( X509FindType.FindBySerialNumber, "<serial number>", true );

I am, however, trying to figure out why the certificate is not actually sent during connection. The Trace.Listener logs the following error in the SSL handshake:

    System.Net Information: 0 : [2548] SecureChannel#43527150::.ctor(hostname=, #clientCertificates=4)
    System.Net Information: 0 : [2548] Enumerating security packages:
    System.Net Information: 0 : [2548] SecureChannel#43527150 - Client delegate did not provide a certificate; but there are other user-provided certificates".
    System.Net Information: 0 : [2548] SecureChannel#43527150 - Left with 0 client certificates to choose from.

The actual data being sent out in the first connection attempt seems too small to have a certificate in it:

    System.Net.Sockets Verbose: 0 : [2548] Data from Socket#41962596::Send
    System.Net.Sockets Verbose: 0 : [2548] 00000000 : 16 03 01 00 41 01 00 00-3D 03 01 4E AE 27 26 07 : ....A...=..N.'&.
    System.Net.Sockets Verbose: 0 : [2548] 00000010 : 89 10 0C E3 BA C7 4F 05-A6 41 90 57 E7 67 B9 6D : ......O..A.W.g.m
    System.Net.Sockets Verbose: 0 : [2548] 00000020 : DC CD C8 0D E8 BF 67 73-20 57 B3 00 00 16 00 04 : ......gs W......
    System.Net.Sockets Verbose: 0 : [2548] 00000030 : 00 05 00 0A 00 09 00 64-00 62 00 03 00 06 00 13 : .......d.b......
    System.Net.Sockets Verbose: 0 : [2548] 00000040 : 00 12 00 63 01 00 : ...c..
    System.Net.Sockets Verbose: 0 : [2548] Exiting Socket#41962596::Send() -> 70#70

When I look at the data coming back from the broker I can see their certificate and our certificate names in the data being received, so I would expect that the data going out to them would also include the certificate names.

I'm wondering:

1) Am I coding this all wrong? Do I need to completely rewrite the connection code if I want to use certificates?
2) Since I'm not running a Java server and don't therefore have a Java certificate truststore/keystore set up, do I need to create a Java truststore/keystore specifically for this application?
3) If so, is there a specific place I should store it so that the C# ASP.NET application can access it?
4) Is the problem that, while I may be retrieving the certificate successfully in the code from the X509 certificate store, the Apache.NMS connection attempt is looking elsewhere for the certificate and thus can't retrieve it to send it?

Can anyone offer any insight at all into this? I've been going around in circles for the last five days with no solution in sight, and it's starting to get very, very urgent.
--
View this message in context: http://activemq.2283324.n4.nabble.com/SSL-certificates-not-being-sent-in-C-listener-connection-tp3954853p3954853.html
Sent from the ActiveMQ - User mailing list archive at Nabble.com.
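A diagnostic that isolates the certificate-selection step the post is stuck on, added here as an example and not code from the original post or from Apache.NMS. The two things worth knowing when reading the post's traces: the 70-byte record starting `16 03 01 00 41 01` is a TLS 1.0 ClientHello, which never carries a certificate (the client certificate goes out in a later flight, after the broker's CertificateRequest), so that dump is not by itself evidence of a problem; and the line "Client delegate did not provide a certificate" is what System.Net logs when the SslStream local-certificate-selection delegate returns null, which is also why it ends up with "0 client certificates to choose from". The example below does the same CurrentUser/My store lookup as the post but runs the handshake through System.Net.Security.SslStream directly, with its own selection callback, so you can see whether the store certificate actually carries a usable private key and whether the broker lists your CA among its acceptable issuers, independently of NMS's SslTransport. The broker host, port and certificate subject are assumptions; the NMS `transport.clientcertsubject` option, as used in the post, is assumed to perform a comparable subject lookup.

```csharp
// Added diagnostic example (not from the original post or from Apache.NMS).
// Runs the TLS handshake with SslStream directly so the client-certificate
// selection step can be observed in isolation. Host, port and subject are assumptions.
using System;
using System.Net.Security;
using System.Net.Sockets;
using System.Security.Authentication;
using System.Security.Cryptography.X509Certificates;

class ClientCertHandshakeCheck
{
    // Same store the post reads from, but the certificate is only accepted as a
    // client credential if this process can reach its private key: without it the
    // handshake cannot produce the CertificateVerify message, even though Find() returns it.
    static X509Certificate2 FindClientCert(string subjectName)
    {
        X509Store store = new X509Store(StoreName.My, StoreLocation.CurrentUser);
        store.Open(OpenFlags.ReadOnly);
        try
        {
            X509Certificate2Collection found = store.Certificates.Find(
                X509FindType.FindBySubjectName, subjectName, false);
            foreach (X509Certificate2 cert in found)
            {
                Console.WriteLine("Candidate: {0}, HasPrivateKey={1}, NotAfter={2}",
                    cert.Subject, cert.HasPrivateKey, cert.NotAfter);
                if (cert.HasPrivateKey)
                {
                    return cert;
                }
            }
            return null;
        }
        finally
        {
            store.Close();
        }
    }

    static void Main(string[] args)
    {
        string host = "broker.example.com";   // assumption: broker address
        int port = 61617;                     // assumption: broker SSL port
        string subject = "listener.example";  // assumption: CN of the client certificate

        X509Certificate2 clientCert = FindClientCert(subject);
        if (clientCert == null)
        {
            Console.WriteLine("No certificate with a usable private key found for '{0}'.", subject);
            return;
        }

        X509Certificate2Collection clientCerts = new X509Certificate2Collection(clientCert);

        using (TcpClient tcp = new TcpClient(host, port))
        using (SslStream ssl = new SslStream(
            tcp.GetStream(),
            false,
            // Broker validation: keep the default chain check, just log the outcome.
            delegate(object sender, X509Certificate cert, X509Chain chain, SslPolicyErrors errors)
            {
                Console.WriteLine("Broker cert: {0}, policy errors: {1}", cert.Subject, errors);
                return errors == SslPolicyErrors.None;
            },
            // Client selection: returning null here is what produces the
            // "Client delegate did not provide a certificate" trace line.
            delegate(object sender, string targetHost, X509CertificateCollection localCerts,
                     X509Certificate remoteCert, string[] acceptableIssuers)
            {
                // The broker's CertificateRequest lists the issuer DNs it trusts;
                // your certificate's issuer must be among them to be accepted.
                Console.WriteLine("Broker accepts issuers: {0}", string.Join("; ", acceptableIssuers));
                Console.WriteLine("Offering client cert: {0}", clientCert.Subject);
                return clientCert;
            }))
        {
            // TLS 1.0, matching the 03 01 version bytes in the post's ClientHello dump.
            ssl.AuthenticateAsClient(host, clientCerts, SslProtocols.Tls, false);
            Console.WriteLine("Handshake OK. Mutually authenticated: {0}", ssl.IsMutuallyAuthenticated);
        }
    }
}
```

Run it under the same Windows account the listener runs as, with the System.Net trace listener enabled as in the post. If `HasPrivateKey` prints false for every candidate, the problem is the store entry (certificate imported without its key, or a key the account cannot read) rather than the NMS connection code; if the certificate is offered but the handshake still fails, compare its issuer against the acceptable-issuer list the broker sends.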