qpid-users mailing list archives

From Andreas Welchlin <andreas.welch...@comyno.com>
Subject Re: C++ Client: SSL connection configuration
Date Tue, 29 Jul 2014 14:11:00 GMT
Thank you, Gordon!

I added the CA-Certificates and it helped.


On 29.07.2014 at 14:05, Gordon Sim wrote:
> On 07/29/2014 12:32 PM, Andreas Welchlin wrote:
>> Hi All,
>>
>> currently I am trying to connect to a third party AMQP broker using a
>> c++ client with qpid 0.28.
>>
>> The broker is configured to use ssl. The client uses a self signed
>> certificate. This certificate is available in the broker.
>
>>
>> I created the self signed certificate and added it into my certificate
>> db. I also added the third party broker certificate.
>>
>>  > mkdir clientCertDb
>>  > certutil -N -d clientCertDb
>>  > certutil -A -d clientCertDb -n "BrokerCert"  -t "T,," -a -i
>> clientCertDb/Broker.crt
>>  > certutil -A -d clientCertDb -n "ClientCert"  -a -i
>> clientCertDb/Client.crt -t ",,"
>>
>> Then I set the environment for the client:
>> export QPID_SSL_CERT_DB=./clientCertDb
>> export QPID_SSL_CERT_NAME=ClientCert
>> export QPID_SSL_CERT_PASSWORD_FILE=./pwfile
>>
>> The client fails to connect to the server. The client library log says:
>>
>> -------------------------------------------------------
>> Driver started
>> Starting connection to amqp:ssl:<ipaddr>:<port>
>> Connecting to ssl:<ipaddr>:<port>
>> ssl:<ipaddr>:<port> Connecting ...
>> Connecting: <ipaddr>:<port>
>> Exception constructed: Failed: NSS error [-8179]
>
> That error means "Peer's certificate issuer is not recognized." which 
> I believe means that the CA that signed the broker's certificate is 
> not recognised.
>
>
>> (qpid-0.28/qpid-0.28/cpp/src/qpid/sys/ssl/SslSocket.cpp:156)
>> Failed to connect: Failed: NSS error [-8179]
>> (qpid-0.28/qpid-0.28/cpp/src/qpid/sys/ssl/SslSocket.cpp:156)
>> Driver stopped
>> -------------------------------------------------------
>>
>> I do not get what is going wrong. As far as I understood I do not have
>> to give the c++ client any hint where to find the broker certificate.
>> Is this right?
>
> The broker's certificate needs to be trusted. You need to import the 
> public certificate for the CA that signed it (with trust flags -t "CT,,").
>
>> Unfortunately the error message in the client log is not helpful for me.
>> I don't see any details what the problem is.
>>
>>
>> I tried to get more information using openssl s_client:
>>
>>  > openssl s_client -connect <ipaddr>:<port> -CAfile
>> clientCertDb/Client.crt -debug  -key Client.key -CApath clientCertDb/
>>
>> It says:
>> Verify return code: 20 (unable to get local issuer certificate)
>>
>>
>> Does anyone of you know how to configure this or how I can get more
>> information?
>>
>> Regards,
>> Andreas
>>
>>
>>
>>
>>
>

-- 
Comyno Ltd.
Mainzer Landstrasse 46
60325 Frankfurt

www.comyno.com
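The fix Gordon describes, as an added shell example (not code from the thread or from the Qpid project): build the client NSS database, import the CA that signed the broker's certificate with trust flags "CT,,", and confirm the resulting trust with certutil instead of waiting for NSS error -8179 from the client. The file names ca.crt, Broker.crt and Client.crt, the nickname BrokerCA and the password file ./pwfile are assumptions.

```shell
#!/bin/sh
# Added example, not from the original thread. Assumes certutil (NSS tools) is
# on PATH and that ca.crt (issuer's public cert), Broker.crt and Client.crt
# exist in the working directory; the database path follows the thread's
# QPID_SSL_CERT_DB setting.
set -e

DB="${QPID_SSL_CERT_DB:-./clientCertDb}"
PWFILE="${QPID_SSL_CERT_PASSWORD_FILE:-./pwfile}"

# Create the DB and import the certificates. The thread's failing setup imported
# only the broker's leaf cert with "T,,"; what NSS needs to validate the server
# is the *issuing CA* with "C" (trusted CA for SSL server certs), hence "CT,,".
setup_db() {
    mkdir -p "$DB"
    [ -f "$DB/cert8.db" ] || [ -f "$DB/cert9.db" ] || certutil -N -d "$DB" -f "$PWFILE"
    certutil -A -d "$DB" -n "BrokerCA"   -t "CT,," -a -i ca.crt
    certutil -A -d "$DB" -n "BrokerCert" -t ",,"   -a -i Broker.crt
    certutil -A -d "$DB" -n "ClientCert" -t ",,"   -a -i Client.crt
}

# Reproduce the client's check without starting the qpid client: ask NSS to
# validate the broker cert for SSL server usage (-u V) against this DB.
# Exits non-zero with the NSS reason (e.g. issuer not recognized) on failure.
verify_broker_cert() {
    certutil -V -d "$DB" -n "BrokerCert" -u V
}

# Read a 'certutil -L -d <db>' listing on stdin and return 0 only if some
# certificate's SSL trust column (first of "SSL,S/MIME,JAR/XPI") contains "C".
# Header lines never match the three-field trust pattern, so they are skipped.
has_ssl_ca_trust() {
    awk '$NF ~ /^[A-Za-z]*,[A-Za-z]*,[A-Za-z]*$/ {
             split($NF, t, ",")
             if (index(t[1], "C")) found = 1
         }
         END { exit (found ? 0 : 1) }'
}

case "${1:-}" in
    setup)
        setup_db
        certutil -L -d "$DB" | has_ssl_ca_trust || { echo "no CA with C trust in $DB" >&2; exit 1; }
        verify_broker_cert
        ;;
esac
```

Run it as `sh check_qpid_ssl.sh setup` after placing the three PEM files next to it; `certutil -L -d "$DB"` alone shows the trust column the listing check inspects.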


---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@qpid.apache.org
For additional commands, e-mail: users-help@qpid.apache.org

