From Pavel Moravec <pmora...@redhat.com>
Subject Re: qpid-stat/qpid-config and SSL connections
Date Thu, 06 Nov 2014 09:23:46 GMT
Hello,
you have to use qpid-stat options:

    --ssl-certificate=<cert>
                        Client SSL certificate (PEM Format)
    --ssl-key=<key>     Client SSL private key (PEM Format)

to specify the client SSL certificate and key. A self-signed certificate should not be a problem,
afaik.

Kind regards,
Pavel


----- Original Message -----
> From: "Tim Wojtulewicz" <timwoj@ieee.org>
> To: users@qpid.apache.org
> Sent: Wednesday, November 5, 2014 9:01:53 PM
> Subject: qpid-stat/qpid-config and SSL connections
> 
> I recently configured our qpid C++ brokers to use SSL encryption via a
> self-signed certificate for all connections.  We have it working with both
> C++ and Java clients without any problems, but all of the qpid-tools
> applications fail.  Here's how everything is configured:
> 
> /etc/qpid/qpidd.conf:
> 
> require-encryption=yes
> ssl-cert-db=/etc/pki/TGS
> ssl-cert-password-file=/etc/pki/TGS/password
> ssl-cert-name=infra
> ssl-port=5672
> ssl-require-client-authentication=yes
> 
> /etc/pki/TGS contains cert8.db and key3.db holding the certs and keys, as
> well as the java truststore and keystore.
> 
> certutil -L -d . in /etc/pki/TEST returns:
> 
> Certificate Nickname                                         Trust Attributes
>                                                              SSL,S/MIME,JAR/XPI
> 
> TGS_RootCA                                                   CT,,
> infra                                                        u,u,u
> client                                                       u,u,u
> 
> That is correct for the CA certificate and the server/client certificates
> that I generated.
> 
> For the C++ clients some environment variables are set to point to the
> certificates:
> 
> QPID_SSL_CERT_DB=/etc/pki/TGS/
> QPID_SSL_CERT_NAME=client
> QPID_SSL_CERT_PASSWORD_FILE=/etc/pki/TGS/password
> 
> openssl s_client -connect localhost:5672 finds the certificate correctly
> and complains about it being a self-signed cert, which I'm pretty sure is
> normal because it is one after all.
> 
> CONNECTED(00000003)
> depth=1 CN = TGS_RootCA
> verify error:num=19:self signed certificate in certificate chain
> verify return:0
> 139681568163656:error:14094412:SSL routines:SSL3_READ_BYTES:sslv3 alert bad certificate:s3_pkt.c:1257:SSL alert number 42
> 139681568163656:error:140790E5:SSL routines:SSL23_WRITE:ssl handshake failure:s23_lib.c:177:
> ---
> Certificate chain
>  0 s:/CN=infra
>    i:/CN=TGS_RootCA
>  1 s:/CN=TGS_RootCA
>    i:/CN=TGS_RootCA
> 
> qpid-stat -q -b amqps://localhost:5672 returns this:
> 
> Failed: ConnectError - [Errno 1] _ssl.c:492: error:14094412:SSL routines:SSL3_READ_BYTES:sslv3 alert bad certificate
> 
> which matches the error that openssl threw too.  I also tried extracting
> the cert and the private key and passing those as arguments to qpid-stat,
> but it gave me the same errors.  Is this an issue with python not accepting
> the certificate because it's self-signed? Does everything look like I have
> it set up right?
> 
> Tim
> 
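Putting the answer above into practice, as an added example that is not part of this thread: the NSS database path, password file and the `client` nickname are the ones from Tim's post, while the output directory, the throwaway PKCS#12 password and the `check_pem_pair` sanity check are assumptions of this example. It exports the client certificate and key from cert8.db/key3.db to PEM and passes them to qpid-stat with `--ssl-certificate` and `--ssl-key`.

```shell
#!/bin/sh
# Export the 'client' cert and key from the NSS database (cert8.db/key3.db) as PEM
# and hand them to qpid-stat, which takes PEM files rather than the NSS DB env vars.
set -eu

NSS_DB=${NSS_DB:-/etc/pki/TGS}                      # from the original post
NSS_PW_FILE=${NSS_PW_FILE:-/etc/pki/TGS/password}   # from the original post
CLIENT_NICK=${CLIENT_NICK:-client}                  # from the original post
OUT_DIR=${OUT_DIR:-${HOME:-/tmp}/.qpid-ssl}         # assumption: where the PEM files go

# Check that a PEM cert/key pair is usable by the Python-based qpid tools: both
# files readable, a CERTIFICATE block in the cert, and an unencrypted key (the
# tools have no way to prompt for a key passphrase).
check_pem_pair() {
    cert=$1; key=$2
    [ -r "$cert" ] || { echo "missing cert: $cert" >&2; return 1; }
    [ -r "$key" ]  || { echo "missing key: $key" >&2; return 1; }
    grep -q -- '-----BEGIN CERTIFICATE-----' "$cert" \
        || { echo "not a PEM certificate: $cert" >&2; return 1; }
    grep -q -- 'PRIVATE KEY-----' "$key" \
        || { echo "not a PEM private key: $key" >&2; return 1; }
    if grep -q -- 'ENCRYPTED' "$key"; then
        echo "key is passphrase-protected, qpid-stat cannot use it: $key" >&2; return 1
    fi
    return 0
}

# NSS DB -> PKCS#12 (pk12util, nss-tools) -> PEM (openssl). The PKCS#12 file is
# only a transport container, so it gets a throwaway password and is deleted.
export_client_pem() {
    umask 077                                        # key file must not be world-readable
    mkdir -p "$OUT_DIR"
    p12="$OUT_DIR/$CLIENT_NICK.p12"
    p12pw=$(head -c 16 /dev/urandom | od -An -tx1 | tr -d ' \n')
    pk12util -o "$p12" -n "$CLIENT_NICK" -d "$NSS_DB" -k "$NSS_PW_FILE" -W "$p12pw"
    openssl pkcs12 -in "$p12" -passin "pass:$p12pw" -clcerts -nokeys \
        -out "$OUT_DIR/$CLIENT_NICK-cert.pem"
    openssl pkcs12 -in "$p12" -passin "pass:$p12pw" -nocerts -nodes \
        -out "$OUT_DIR/$CLIENT_NICK-key.pem"
    rm -f "$p12"
}

run_qpid_stat() {
    cert="$OUT_DIR/$CLIENT_NICK-cert.pem"; key="$OUT_DIR/$CLIENT_NICK-key.pem"
    check_pem_pair "$cert" "$key"
    qpid-stat -q -b amqps://localhost:5672 --ssl-certificate="$cert" --ssl-key="$key"
}

# Only run the export when explicitly asked, so the file can also be sourced.
case "${1:-}" in run) export_client_pem; run_qpid_stat ;; esac
```

Run it as `sh export-and-stat.sh run`; the PEM files it writes can then be reused with qpid-config via the same two options.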
