qpid-users mailing list archives

From "Dr. Frank Heuschen" <frank.heusc...@oraise.com>
Subject AW: proton-j 0.7 problem with SSL Certificate
Date Fri, 12 Sep 2014 12:54:20 GMT
Hi Rob,

thanks for your answer, but it still does not work well for me. As you rightly assumed, I
am working on a client application and received a "trusted" certificate package containing
a *.cer and a *.pem file.

If I remove the two lines messenger.setCertificate and messenger.setPrivateKey as suggested,
and use 

messenger.setTrustedCertificates(certificate); with the *.cer file, I receive the following exception:
org.apache.qpid.proton.engine.TransportException: javax.net.ssl.SSLHandshakeException: General
SSLEngine problem

messenger.setTrustedCertificates(certificate); with the *.pem file yields:  org.apache.qpid.proton.engine.TransportException:
org.apache.qpid.proton.engine.TransportException: File ./src/main/config/CBKER.pem does not
provide a object of the required type. Read an object of class org.bouncycastle.jcajce.provider.asymmetric.rsa.BCRSAPrivateCrtKey
whilst expecting an implementation of one of the following  : [class java.security.cert.Certificate]

If I use messenger.setCertificate (certificate); instead (just without the private key statement),
I have as well Exceptions for both file types:
org.apache.qpid.proton.engine.TransportException: javax.net.ssl.SSLException: Received fatal
alert: bad_certificate

Unfortunately I am not at all an SSL expert and kind of desperate ...

Kind regards
Frank

-----Original Message-----
From: Rob Godfrey [mailto:rob.j.godfrey@gmail.com]
Sent: Wednesday, 10 September 2014 22:15
To: users@qpid.apache.org
Subject: Re: proton-j 0.7 problem with SSL Certificate

On 5 September 2014 14:41, Dr. Frank Heuschen <frank.heuschen@oraise.com>
wrote:

> Hi,
>
>
>
> I am trying to use proton-j 0.7 to communicate with an AMQP server
> that always uses SSL encryption. In order to do so, we received a pem
> file from the organisation operating the broker.
>
> While the proton-c port uses this file directly and worked like a 
> charm, in Java it is not working with SSL at all for me.
>
>
>
> I tried the following:
>
> /// ==== 8< ==== ///
>
>         if (addresses.size() < 1) {
>             this.addresses.add("amqps://some_ip:some_port/queue://some_queue_name");
>             this.addresses.add("amqps://some_ip:some_port/topic://some_topic_name");
>         }
>
> /// ==== 8< ==== ///
>
>             messenger.start();
>
>             messenger.setCertificate("path_2_file.pem");
>             messenger.setPrivateKey("path_2_file.pem");
>
>
So - I'm no expert on the Messenger API, but if you are the client connecting to a server
providing SSL I would expect that you should be providing the certificates that you trust.
 The API calls above would seem to be for the case where you are writing the server and you
are providing the certificate and the private key for the certificate.

Messenger appears to provide a method

    messenger.setTrustedCertificates(String trusted);

Have you tried using this, and removing the two statements above?



>
>             for (String address : addresses) {
>                 messenger.subscribe(address);
>             }
>
>             messenger.recv();
>
> /// ==== 8< ==== ///
>
>
>
> As soon as the function messenger.recv(); is called, the application
> is searching for classes from org.bouncycastle, which I added in the
> version 1.47 in maven, because the desired functions are no longer
> available in later versions.
>
>
>
> Afterwards (as the bouncycastle stuff is available) I always receive 
> the following error:
>
>
>
> org.apache.qpid.proton.engine.TransportException:
> org.apache.qpid.proton.engine.TransportException: File path_2_file.pem 
> does not provide a object of the required type. Read an object of 
> class 
> org.bouncycastle.jcajce.provider.asymmetric.rsa.BCRSAPrivateCrtKey 
> whilst expecting an implementation of one of the following  : [class 
> java.security.cert.Certificate]
>
>
>
As above - I think you are making the wrong API calls, calling
setPrivateKey() you would need to be providing a file containing an RSA Private Key... but
as the client you don't need to do this - you only need to provide the certificate of the
server you trust, or the certificate of a signing authority who has signed the certificate
of your server.

Hope this helps,
Rob


> What needs to be done, to have this working with the same pem files as 
> in C?
> Should I convert the file to another format?
>
>
>
> Thanks and kind regards
>
> Frank
>
>

