qpid-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Cliff Jansen <cliffjan...@gmail.com>
Subject Re: Problem with establishing TLS1.1/TLS1.2 connection between cpp client and java broker with disabled TLS1.0 on broker side
Date Sun, 03 Jan 2016 22:39:47 GMT
Hi Alex,

You may be running into https://issues.apache.org/jira/browse/QPID-6966.

There is a prospective patch: https://reviews.apache.org/r/41800

Also note that the qpid cpp client uses NSS libraries for TLS/SSL, not OpenSSL.

Regards,

Cliff

On Tue, Dec 29, 2015 at 5:21 AM, Oleksandr Rudyy <orudyy@gmail.com> wrote:
> Hi,
>
> I tried cpp client with openssl 1.0.2e-fips
> $ openssl version
> OpenSSL 1.0.2e-fips 3 Dec 2015
>
> The connectivity was established successfully. cpp client sends ***
> ClientHello, TLSv1.2.
>
> It seems that it is an issue with openssl 1.0.1e-fips or my environment.
>
> Is there any way to force cpp client to use TLSv1.2/TLSv1.1 with
> openssl 1.0.1e-fips?
>
> Thanks,
> Alex
>
> On 29 December 2015 at 12:40, Oleksandr Rudyy <orudyy@gmail.com> wrote:
>> Hi,
>>
>> TLSv1 was disabled on Java Broker as part of QPID-6938.
>>
>> After that trunk cpp client fails to establish TLS connection with Java Broker.
>>
>> $ openssl version
>> OpenSSL 1.0.1e-fips 11 Feb 2013
>>
>> On client side I see the following in the logs:
>>
>> ./hello_world localhost:35671 'hello-world ; { create: always }'
>> '{username:guest,password:guest,transport:ssl}'
>> 2015-12-29 10:54:53 [Unspecified] debug Config file not read:
>> /usr/local/etc/qpid/qpidc.conf
>> 2015-12-29 10:54:53 [Unspecified] debug Config file not read:
>> /usr/local/etc/qpid/qpidc.conf
>> 2015-12-29 10:54:53 [Unspecified] debug Config file not read:
>> /usr/local/etc/qpid/qpidc.conf
>> 2015-12-29 10:54:53 [Unspecified] debug Config file not read:
>> /usr/local/etc/qpid/qpidc.conf
>> 2015-12-29 10:54:53 [Messaging] debug Protocol defaults:
>> 2015-12-29 10:54:53 [Messaging] debug Trying versions amqp0-10
>> 2015-12-29 10:54:53 [Unspecified] debug Config file not read:
>> /usr/local/etc/qpid/qpidc.conf
>> 2015-12-29 10:54:53 [Unspecified] debug Config file not read:
>> /usr/local/etc/qpid/qpidc.conf
>> 2015-12-29 10:54:53 [Client] debug Starting connection, urls=[localhost:35671]
>> 2015-12-29 10:54:53 [Client] info Trying to connect to localhost:35671...
>> 2015-12-29 10:54:53 [Client] debug Created IO thread: 0
>> 2015-12-29 10:54:53 [Unspecified] debug Config file not read:
>> /usr/local/etc/qpid/qpidc.conf
>> 2015-12-29 10:54:53 [Unspecified] debug Config file not read:
>> /usr/local/etc/qpid/qpidc.conf
>> 2015-12-29 10:54:53 [Security] debug SslConnector created for 0-10
>> 2015-12-29 10:54:53 [System] info Connecting: ZZZ.ZZZ.ZZZ.ZZZ:35671
>> 2015-12-29 10:54:53 [System] debug Exception constructed: Failed:
>> Cannot communicate securely with peer: no common encryption
>> algorithm(s). [-12286]
>> (/apps/qpid/jenkins/workspace/Apache-Qpid-Cpp/qpid/cpp/src/qpid/sys/ssl/SslSocket.cpp:175)
>> 2015-12-29 10:54:53 [Security] warning Connect failed: Failed: Cannot
>> communicate securely with peer: no common encryption algorithm(s).
>> [-12286] (/apps/qpid/jenkins/workspace/Apache-Qpid-Cpp/qpid/cpp/src/qpid/sys/ssl/SslSocket.cpp:175)
>> 2015-12-29 10:54:53 [Client] debug Connection  closed
>> 2015-12-29 10:54:53 [System] debug Exception constructed: Connection  closed
>> 2015-12-29 10:54:53 [Client] info Failed to connect to
>> localhost:35671: Connection  closed
>> Failed to connect (reconnect disabled)
>>
>>
>> On broker side, JVM ssl logging looks like the one below:
>>
>> trigger seeding of SecureRandom
>> done seeding SecureRandom
>> Using SSLEngineImpl.
>> Allow unsafe renegotiation: false
>> Allow legacy hello messages: true
>> Is initial handshake: true
>> Is secure renegotiation: false
>> [Raw read]: length = 5
>> 0000: 16 03 01 00 73                                     ....s
>> [Raw read]: length = 115
>> 0000: 01 00 00 6F 03 01 8C 7B   92 93 EB 12 B3 E2 4A AC  ...o..........J.
>> 0010: B8 53 DB 2E C0 A0 47 4B   6E FF 87 23 13 F9 4E C2  .S....GKn..#..N.
>> 0020: 1C 95 62 D9 DF 3D 00 00   16 00 33 00 32 00 39 00  ..b..=....3.2.9.
>> 0030: 38 00 16 00 13 00 2F 00   35 00 0A 00 05 00 04 01  8...../.5.......
>> 0040: 00 00 30 00 00 00 27 00   25 00 00 22 66 61 73 74  ..0...'.%.."XXXX
>> 0050: 64 65 76 6C 30 34 30 30   2E 73 76 72 2E 65 6D 65  XXXXXXXX.XXX.XXX
>> 0060: 61 2E 6A 70 6D 63 68 61   73 65 2E 6E 65 74 FF 01  X.XXXX.XXX..
>> 0070: 00 01 00                                           ...
>> IO-/ZZZ.ZZZ.ZZZ.ZZZ:52076, READ: TLSv1 Handshake, length = 115
>> *** ClientHello, TLSv1
>> RandomCookie:  GMT: -1938124397 bytes = { 235, 18, 179, 226, 74, 172,
>> 184, 83, 219, 46, 192, 160, 71, 75, 110, 255, 135, 35, 19, 249, 78,
>> 194, 28, 149, 98, 217, 223, 61 }
>> Session ID:  {}
>> Cipher Suites: [TLS_DHE_RSA_WITH_AES_128_CBC_SHA,
>> TLS_DHE_DSS_WITH_AES_128_CBC_SHA, TLS_DHE_RSA_WITH_AES_256_CBC_SHA,
>> TLS_DHE_DSS_WITH_AES_256_CBC_SHA, SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA,
>> SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA, TLS_RSA_WITH_AES_128_CBC_SHA,
>> TLS_RSA_WITH_AES_256_CBC_SHA, SSL_RSA_WITH_3DES_EDE_CBC_SHA,
>> SSL_RSA_WITH_RC4_128_SHA, SSL_RSA_WITH_RC4_128_MD5]
>> Compression Methods:  { 0 }
>> Extension server_name, server_name: [host_name: XXXXXXX.XXX.XXXXX.XXXXX.XXX]
>> Extension renegotiation_info, renegotiated_connection: <empty>
>> ***
>> [read] MD5 and SHA1 hashes:  len = 115
>> 0000: 01 00 00 6F 03 01 8C 7B   92 93 EB 12 B3 E2 4A AC  ...o..........J.
>> 0010: B8 53 DB 2E C0 A0 47 4B   6E FF 87 23 13 F9 4E C2  .S....GKn..#..N.
>> 0020: 1C 95 62 D9 DF 3D 00 00   16 00 33 00 32 00 39 00  ..b..=....3.2.9.
>> 0030: 38 00 16 00 13 00 2F 00   35 00 0A 00 05 00 04 01  8...../.5.......
>> 0040: 00 00 30 00 00 00 27 00   25 00 00 22 66 61 73 74  ..0...'.%.."XXXX
>> 0050: 64 65 76 6C 30 34 30 30   2E 73 76 72 2E 65 6D 65  XXXXX.XXX.XXX
>> 0060: 61 2E 6A 70 6D 63 68 61   73 65 2E 6E 65 74 FF 01  XXXXXXXX.XXXX..
>> 0070: 00 01 00                                           ...
>> IO-/ZZZ.ZZZ.ZZZ.ZZZ:52076, fatal error: 40: Client requested protocol
>> TLSv1 not enabled or not supported
>> javax.net.ssl.SSLHandshakeException: Client requested protocol TLSv1
>> not enabled or not supported
>> IO-/ZZZ.ZZZ.ZZZ.ZZZ:52076, SEND TLSv1 ALERT:  fatal, description =
>> handshake_failure
>> IO-/ZZZ.ZZZ.ZZZ.ZZZ:52076, WRITE: TLSv1 Alert, length = 2
>> IO-/ZZZ.ZZZ.ZZZ.ZZZ:52076, fatal: engine already closed.  Rethrowing
>> javax.net.ssl.SSLHandshakeException: Client requested protocol TLSv1
>> not enabled or not supported
>> [Raw write]: length = 7
>> 0000: 15 03 01 00 02 02 28                               ......(
>> IO-/ZZZ.ZZZ.ZZZ.ZZZ:52076, called closeOutbound()
>> IO-/ZZZ.ZZZ.ZZZ.ZZZ:52076, closeOutboundInternal()
>> IO-/ZZZ.ZZZ.ZZZ.ZZZ:52076, called closeInbound()
>> IO-/ZZZ.ZZZ.ZZZ.ZZZ:52076, fatal: engine already closed.  Rethrowing
>> javax.net.ssl.SSLException: Inbound closed before receiving peer's
>> close_notify: possible truncation attack?
>>
>> What is interesting SSL handshake looks successful when using openssl
>> s_client with tls1_2 and tls1_1:
>>
>> $ openssl s_client -connect localhost:35671 -tls1_2
>> CONNECTED(00000003)
>> ... snip...
>> ---
>> No client certificate CA names sent
>> Server Temp Key: ECDH, secp521r1, 521 bits
>> ---
>> SSL handshake has read 4487 bytes and written 499 bytes
>> ---
>> New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-SHA384
>> Server public key is 2048 bit
>> Secure Renegotiation IS supported
>> Compression: NONE
>> Expansion: NONE
>> SSL-Session:
>>     Protocol  : TLSv1.2
>>     Cipher    : ECDHE-RSA-AES256-SHA384
>>     Session-ID: 56827A91D1B2DA88C54CF3CF09A3D0C339E7AA9FF089315AFFD9996B33773886
>>     Session-ID-ctx:
>>     Master-Key: YYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYY
>>     Key-Arg   : None
>>     Krb5 Principal: None
>>     PSK identity: None
>>     PSK identity hint: None
>>     Start Time: 1451391633
>>    Timeout   : 7200 (sec)
>>     Verify return code: 0 (ok)
>> ---
>> read:errno=0
>>
>> I am not sure whether it is a cpp client issue or issue with openssl
>> and my environment.
>>
>> Is it possible to establish TLS1.2/TLS1.1 connectivity from cpp client
>> using OpenSSL 1.0.1e-fips?
>>
>> I have not tried other openssl versions yet. I'll do that as next step
>> in my investigation of the issue.
>>
>> Kind Regards,
>> Alex
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: users-unsubscribe@qpid.apache.org
> For additional commands, e-mail: users-help@qpid.apache.org
>

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@qpid.apache.org
For additional commands, e-mail: users-help@qpid.apache.org


Mime
View raw message