qpid-users mailing list archives

From Trevor Vaughan <tvaug...@onyxpoint.com>
Subject Re: QPid Ruby client and SSL
Date Wed, 23 Oct 2013 12:36:39 GMT
Thanks for getting back to me.

The C++ broker is working fine, I can use the Python code to connect to the
broker over SSL with no issues whatsoever.

Unfortunately, the Ruby client code isn't behaving so well.

The client DB only has the list of trusted CAs with the TC flags set since
I'm not trying to use client certificates.

I did use the FQDN, DNS works properly, and I am going to port 5671.

Thanks,

Trevor


On Wed, Oct 23, 2013 at 6:12 AM, Gordon Sim <gsim@redhat.com> wrote:

> On 10/22/2013 05:49 PM, Trevor Vaughan wrote:
>
>> All,
>>
>> I've been trying to get the Ruby (cqpid) libraries to play well with the
>> Qpid server without much success.
>>
>> I've tried setting the QPID_SSL_USE_EXPORT_POLICY and QPID_SSL_CERT_DB
>> environment variables but the SSL negotiation is not completing.
>>
>> Testing with OpenSSL s_server and am getting the following error:
>>
>> SSL routines:SSL3_READ_BYTES:sslv3 alert bad certificate:s3_pkt.c:1193:SSL
>> alert number 42
>>
>> I'm not trying to use a client certificate, simply an SSL encrypted
>> session
>> and I've verified that my NSS database has the appropriate CA entries.
>>
>> The error remains whether or not I try to provide a client certificate per
>> the C++ environment variables.
>>
>> Has anyone gotten this type of setup to work successfully?
>>
>
> Can you give a bit more detail on what your setup is? How did you start
> the broker (and just to be sure, which broker are you using)? What do the
> broker's and client's certificate dbs have in them (certutil -L -d
> <db-name>)? Did you use the fully qualified domain name when connecting?
> Did you specify port 5671?
>
> I can certainly connect from the cqpid based ruby wrapper to the c++
> broker (i.e. qpidd) over SSL using a cert for the server that is signed by
> a test CA whose certificate is imported into the client's cert db, with or
> without the export policy turned on.
>
>


-- 
Trevor Vaughan
Vice President, Onyx Point, Inc
(410) 541-6699
tvaughan@onyxpoint.com

-- This account not approved for unencrypted proprietary information --
