qpid-users mailing list archives

From Gordon Sim <g...@redhat.com>
Subject Re: C++ Client: SSL connection configuration
Date Tue, 29 Jul 2014 12:05:19 GMT
On 07/29/2014 12:32 PM, Andreas Welchlin wrote:
> Hi All,
>
> currently I am trying to connect to a third party AMQP broker using a
> c++ client with qpid 0.28.
>
> The broker is configured to use ssl. The client uses a self signed
> certificate. This certificate is available in the broker.
>
> I created the self signed certificate and added it into my certificate
> db. I also added the third party broker certificate.
>
>  > mkdir clientCertDb
>  > certutil -N -d clientCertDb
>  > certutil -A -d clientCertDb -n "BrokerCert" -t "T,," -a -i clientCertDb/Broker.crt
>  > certutil -A -d clientCertDb -n "ClientCert" -a -i clientCertDb/Client.crt -t ",,"
>
> Then I set the environment for the client:
> export QPID_SSL_CERT_DB=./clientCertDb
> export QPID_SSL_CERT_NAME=ClientCert
> export QPID_SSL_CERT_PASSWORD_FILE=./pwfile
>
> The client fails to connect to the server. The client library log says:
>
> -------------------------------------------------------
> Driver started
> Starting connection to amqp:ssl:<ipaddr>:<port>
> Connecting to ssl:<ipaddr>:<port>
> ssl:<ipaddr>:<port> Connecting ...
> Connecting: <ipaddr>:<port>
> Exception constructed: Failed: NSS error [-8179]

That error means "Peer's certificate issuer is not recognized." which I 
believe means that the CA that signed the broker's certificate is not 
recognised.


> (qpid-0.28/qpid-0.28/cpp/src/qpid/sys/ssl/SslSocket.cpp:156)
> Failed to connect: Failed: NSS error [-8179]
> (qpid-0.28/qpid-0.28/cpp/src/qpid/sys/ssl/SslSocket.cpp:156)
> Driver stopped
> -------------------------------------------------------
>
> I do not get what is going wrong. As far as I understood I do not have
> to give the c++ client any hint where to find the broker certificate.
> Is this right?

The broker's certificate needs to be trusted. You need to import the 
public certificate for the CA that signed it (with trust flags -t "CT,,").

> Unfortunately the error message in the client log is not helpful for me.
> I don't see any details what the problem is.
>
>
> I tried to get more information using openssl s_client:
>
>  > openssl s_client -connect <ipaddr>:<port> -CAfile clientCertDb/Client.crt -debug -key Client.key -CApath clientCertDb/
>
> It says:
> Verify return code: 20 (unable to get local issuer certificate)
>
>
> Does any of you know how to configure this or how I can get more
> information?
>
> Regards,
> Andreas


---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@qpid.apache.org
For additional commands, e-mail: users-help@qpid.apache.org
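The following is an added example, not code from this thread or from the Qpid project. It reproduces Gordon's diagnosis offline: certutil -V asks NSS the same question the C++ client asks during the handshake (is the broker's certificate valid for SSL server usage, -u V), so the trust configuration can be checked before a single connection attempt. The script builds a throwaway CA and broker certificate with openssl (the names "Example Broker CA", "broker.example.test", the nicknames BrokerCA/BrokerCert and the password are all made up here), imports the CA first with "T,," and then with "CT,,", and shows that only the second setting lets the chain validate. It assumes openssl and the NSS tools (certutil) are installed. Note that -V does not check the hostname against the certificate; the client does that at connect time, so a passing -V is necessary but not sufficient.

```shell
#!/bin/sh
# Added example, not code from the thread or from Qpid: reproduce NSS error -8179
# ("Peer's certificate issuer is not recognized") with certutil -V, then fix it by
# giving the broker's CA the "CT,," trust flags Gordon recommends.
# Assumptions: openssl and certutil (NSS tools) are on PATH. Every certificate,
# nickname and password below is constructed throwaway test material.
set -u

# make_test_pki DIR: constructed CA ("Example Broker CA") and a broker cert it signs.
make_test_pki() {
    dir=$1
    mkdir -p "$dir"
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$dir/ca.ext"
    printf 'basicConstraints=CA:FALSE\nkeyUsage=digitalSignature,keyEncipherment\nextendedKeyUsage=serverAuth\nsubjectAltName=DNS:broker.example.test\n' > "$dir/broker.ext"
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=Example Broker CA" \
        -keyout "$dir/ca.key" -out "$dir/ca.csr" >/dev/null 2>&1 &&
    openssl x509 -req -in "$dir/ca.csr" -signkey "$dir/ca.key" -extfile "$dir/ca.ext" \
        -days 1 -out "$dir/ca.crt" >/dev/null 2>&1 &&
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=broker.example.test" \
        -keyout "$dir/broker.key" -out "$dir/broker.csr" >/dev/null 2>&1 &&
    openssl x509 -req -in "$dir/broker.csr" -CA "$dir/ca.crt" -CAkey "$dir/ca.key" \
        -CAcreateserial -extfile "$dir/broker.ext" -days 1 -out "$dir/broker.crt" >/dev/null 2>&1
}

# init_certdb DIR: empty NSS database guarded by the password in DIR/pwfile,
# the file QPID_SSL_CERT_PASSWORD_FILE would point at.
init_certdb() {
    mkdir -p "$1/certdb"
    printf '%s' 'constructed-test-password' > "$1/pwfile"
    certutil -N -d "$1/certdb" -f "$1/pwfile" >/dev/null 2>&1
}

# import_ca DIR FLAGS: import the CA's public certificate with the given trust flags.
import_ca() {
    certutil -A -d "$1/certdb" -n "BrokerCA" -t "$2" -a -i "$1/ca.crt" >/dev/null 2>&1
}

# set_ca_trust DIR FLAGS: change the trust flags of an already imported CA.
set_ca_trust() {
    certutil -M -d "$1/certdb" -n "BrokerCA" -t "$2" >/dev/null 2>&1
}

# import_broker_cert DIR: the broker's leaf certificate with no trust flags, imported
# only so that -V has something to validate (the client receives it over the wire).
import_broker_cert() {
    certutil -A -d "$1/certdb" -n "BrokerCert" -t ",," -a -i "$1/broker.crt" >/dev/null 2>&1
}

# verify_server_cert DIR: is BrokerCert valid for SSL server usage (-u V)?
# Prints NSS's verdict and returns certutil's exit status (0 only when valid).
verify_server_cert() {
    certutil -V -d "$1/certdb" -n "BrokerCert" -u V 2>&1
}

# demo: same broker cert, two trust settings for its CA. "T,," (what the thread used)
# marks the CA trusted only to issue client certificates, so the server chain has no
# anchor and NSS reports the unknown-issuer error; "CT,," adds C (trusted CA for SSL
# server certificates) and the chain validates.
demo() {
    work=$(mktemp -d)
    make_test_pki "$work" && init_certdb "$work" && import_broker_cert "$work" || return 2
    import_ca "$work" "T,,"
    printf 'trust T,,  : %s\n' "$(verify_server_cert "$work")"
    set_ca_trust "$work" "CT,,"
    printf 'trust CT,, : %s\n' "$(verify_server_cert "$work")"
    # Once -V passes, point the client at the same database (variables from the thread):
    #   export QPID_SSL_CERT_DB="$work/certdb" QPID_SSL_CERT_PASSWORD_FILE="$work/pwfile"
    rm -rf "$work"
}

if [ "${1:-}" = "run" ]; then demo; fi
```

Run it as `sh nss-trust-check.sh run`. The first -V call fails with the same message Gordon decoded from -8179, the second prints that the certificate is valid. In a real deployment the import of "$dir/ca.crt" is replaced by the CA certificate of whoever signed the broker's certificate; importing the broker's own certificate with "T,," or ",," is not enough, because neither flag marks it as a trust anchor for SSL server certificates.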

