qpid-users mailing list archives

From Gordon Sim <g...@redhat.com>
Subject Re: Broker federation with SSL client auth and SASL EXTERNAL
Date Mon, 19 Oct 2015 14:37:02 GMT
On 10/17/2015 01:36 AM, Chris Richardson wrote:
> Hi,
>
> I'm attempting to set up a broker federation topology using purely SSL
> client authentication and the EXTERNAL SASL mechanism on qpid-cpp 0.34.
> This seems to be within an iota of working but I can't quite get the
> configuration correct for the inter-broker routes.
>
> The point I have arrived at is that I have 2 brokers, both of which are
> configured to accept only connections over SSL with client cert
> authentication. Both python (qpid-stat et al) and c++ (qpid-send/receive)
> clients work perfectly - however the route between the brokers does not
> work because the broker establishing the connection does not use a suitable
> certificate. The connection fails with
> Inter-broker link disconnected from broker-2:5671 Failed: SSL peer cannot
> verify your certificate. [-12271]

Was the broker certificate signed by a trusted CA as for the client 
certificates? I.e. does the broker accepting the incoming inter-broker 
connection trust the other broker?

>
> I've found I can fix this by setting the QPID_SSL_CERT_DB,
> QPID_SSL_CERT_PASSWORD_FILE and QPID_SSL_CERT_NAME variables in the
> environment of the source broker process, but c++ client connections to
> this broker then fail with
> Failed to connect: Failed: NSS error [-8101]
> (/var/tmp/portage/net-misc/qpid-cpp-0.34/work/qpid-cpp-0.34/src/qpid/sys/ssl/SslSocket.cpp:177)
> According to the NSS documentation this error is due to an invalid use of
> an SSL certificate (eg: server auth cert being used for client auth) but
> this is the same certificate which previously worked fine. Python client
> connections are unaffected.
>
> I have a swathe of configuration data and logs which I can share if needed,
> but to begin with can you tell me if this is something which should, at
> least in principle, work?
>
> Thanks in advance
>


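The two failures reported in the thread point at two separate properties of the certificate a federating broker presents: whether the peer broker trusts its issuer (the "SSL peer cannot verify your certificate" case Gordon asks about) and whether the certificate is marked as usable for client authentication as well as server authentication (the NSS "invalid use of an SSL certificate" case). The script below is an added example, not code from this thread or from qpid-cpp, that checks both properties on PEM copies of the CA and broker certificates with openssl before they are imported into the NSS database named by QPID_SSL_CERT_DB; the file names, the throwaway CA and the three demo certificates are constructed, and the functions `check_link_cert`, `issue_cert` and `make_demo_certs` are hypothetical names introduced here.

```shell
#!/bin/sh
# Added diagnostic (not from the mailing list or qpid-cpp). A broker that both
# accepts SSL client-authenticated connections and originates an inter-broker
# link under SASL EXTERNAL presents one certificate in two roles, so it must
# (a) chain to the CA the peer broker trusts and (b) carry extendedKeyUsage
# for both serverAuth and clientAuth. Assumption: PEM exports of the same
# material the broker reads from its NSS database; openssl is on PATH.
set -e

# check_link_cert CA_FILE CERT_FILE
# Prints "ok: ..." and returns 0 when CERT_FILE is trusted under CA_FILE and
# is usable on both sides of a link; otherwise prints the reason, returns 1.
check_link_cert() {
    ca="$1"; cert="$2"
    # Trust check: this is what the accepting broker's peer verification needs.
    if ! openssl verify -CAfile "$ca" "$cert" >/dev/null 2>&1; then
        echo "untrusted: $cert does not chain to $ca"
        return 1
    fi
    text=$(openssl x509 -in "$cert" -noout -text)
    # A certificate with no EKU extension is unrestricted as far as openssl
    # is concerned (NSS may still apply its own usage rules).
    case "$text" in
        *"X509v3 Extended Key Usage"*) ;;
        *) echo "ok: $cert is trusted and carries no EKU restriction"; return 0 ;;
    esac
    server=no; client=no
    case "$text" in *"TLS Web Server Authentication"*) server=yes ;; esac
    case "$text" in *"TLS Web Client Authentication"*) client=yes ;; esac
    if [ "$client" != yes ]; then
        echo "server-only: $cert lacks clientAuth EKU, unusable on the outbound side of a link"
        return 1
    fi
    if [ "$server" != yes ]; then
        echo "client-only: $cert lacks serverAuth EKU, unusable for accepting connections"
        return 1
    fi
    echo "ok: $cert is trusted and valid for both server and client authentication"
    return 0
}

# issue_cert DIR NAME EKU_LIST: constructed helper, signs a leaf cert with the
# demo CA in DIR and restricts it to the given extendedKeyUsage values.
issue_cert() {
    dir="$1"; name="$2"; eku="$3"
    openssl req -newkey rsa:2048 -nodes -keyout "$dir/$name.key" \
        -out "$dir/$name.csr" -subj "/CN=$name" >/dev/null 2>&1
    printf 'extendedKeyUsage=%s\n' "$eku" > "$dir/$name.ext"
    openssl x509 -req -in "$dir/$name.csr" -CA "$dir/ca.pem" -CAkey "$dir/ca.key" \
        -CAcreateserial -days 2 -extfile "$dir/$name.ext" \
        -out "$dir/$name.pem" >/dev/null 2>&1
}

# make_demo_certs DIR: constructed test material, a throwaway CA plus three
# leaves: broker-1 (both EKUs), broker-2 (serverAuth only), rogue (self-signed,
# both EKUs but not issued by the CA).
make_demo_certs() {
    dir="$1"
    openssl req -newkey rsa:2048 -nodes -keyout "$dir/ca.key" \
        -out "$dir/ca.csr" -subj /CN=demo-ca >/dev/null 2>&1
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=keyCertSign,cRLSign\n' > "$dir/ca.ext"
    openssl x509 -req -in "$dir/ca.csr" -signkey "$dir/ca.key" -days 2 \
        -extfile "$dir/ca.ext" -out "$dir/ca.pem" >/dev/null 2>&1
    issue_cert "$dir" broker-1 "serverAuth,clientAuth"
    issue_cert "$dir" broker-2 "serverAuth"
    openssl req -newkey rsa:2048 -nodes -keyout "$dir/rogue.key" \
        -out "$dir/rogue.csr" -subj /CN=rogue >/dev/null 2>&1
    printf 'extendedKeyUsage=serverAuth,clientAuth\n' > "$dir/rogue.ext"
    openssl x509 -req -in "$dir/rogue.csr" -signkey "$dir/rogue.key" -days 2 \
        -extfile "$dir/rogue.ext" -out "$dir/rogue.pem" >/dev/null 2>&1
}

# Stand-alone demonstration on the constructed material; nothing here touches
# a real broker configuration.
demo() {
    d=$(mktemp -d)
    make_demo_certs "$d"
    for n in broker-1 broker-2 rogue; do
        check_link_cert "$d/ca.pem" "$d/$n.pem" || true
    done
    rm -rf "$d"
}
demo
```

To check a real deployment, export the CA and the broker certificate from the NSS database to PEM and run `check_link_cert ca.pem broker.pem` for the certificate named by QPID_SSL_CERT_NAME on each broker; a certificate that passes here but still fails in the broker narrows the problem to the NSS database contents or the nickname rather than the certificate itself.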
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@qpid.apache.org
For additional commands, e-mail: users-help@qpid.apache.org

