qpid-users mailing list archives

From Robbie Gemmell <robbie.gemm...@gmail.com>
Subject Re: connect Qpid broker using the latest amqp 1.0 qpid-jms-client-0.9 ssl
Date Wed, 25 May 2016 12:03:50 GMT
On 25 May 2016 at 11:14, Steven <mgu@tibco-support.com> wrote:
> Hello, Robbie Gemmell
>
> This time I try to use hostname rather than IP address. Below is my
> connection URL:
> connectionfactory.qpidConnectionfactory =
> amqps://QpidServer:5673?transport.trustStoreLocation=F:/AMQP/QpidSSL/clientts.jks&transport.trustStorePassword=123456
>
> It still reported the following error:
>         at sun.security.ssl.SSLEngineImpl.unwrap(Unknown Source)
>         at javax.net.ssl.SSLEngine.unwrap(Unknown Source)
>         at io.netty.handler.ssl.SslHandler.unwrap(SslHandler.java:927)
>         at io.netty.handler.ssl.SslHandler.unwrap(SslHandler.java:871)
>         at io.netty.handler.ssl.SslHandler.decode(SslHandler.java:827)
>         at
> io.netty.handler.codec.ByteToMessageDecoder.callDecode(ByteToMessageDecoder.java:228)
>         at
> io.netty.handler.codec.ByteToMessageDecoder.channelRead(ByteToMessageDecoder.java:141)
>         at
> io.netty.channel.DefaultChannelHandlerContext.invokeChannelRead(DefaultChannelHandlerContext.java:340)
>         at
> io.netty.channel.DefaultChannelHandlerContext.fireChannelRead(DefaultChannelHandlerContext.java:326)
>         at
> io.netty.channel.DefaultChannelPipeline.fireChannelRead(DefaultChannelPipeline.java:785)
>         at
> io.netty.channel.nio.AbstractNioByteChannel$NioByteUnsafe.read(AbstractNioByteChannel.java:116)
>         at
> io.netty.channel.nio.NioEventLoop.processSelectedKey(NioEventLoop.java:494)
>         at
> io.netty.channel.nio.NioEventLoop.processSelectedKeysOptimized(NioEventLoop.java:461)
>         at
> io.netty.channel.nio.NioEventLoop.processSelectedKeys(NioEventLoop.java:378)
>         at io.netty.channel.nio.NioEventLoop.run(NioEventLoop.java:350)
>         at
> io.netty.util.concurrent.SingleThreadEventExecutor$2.run(SingleThreadEventExecutor.java:101)
>         at java.lang.Thread.run(Unknown Source)
> Caused by: javax.net.ssl.SSLHandshakeException: General SSLEngine problem
>         at sun.security.ssl.Alerts.getSSLException(Unknown Source)
>         at sun.security.ssl.SSLEngineImpl.fatal(Unknown Source)
>         at sun.security.ssl.Handshaker.fatalSE(Unknown Source)
>         at sun.security.ssl.Handshaker.fatalSE(Unknown Source)
>         at sun.security.ssl.ClientHandshaker.serverCertificate(Unknown Source)
>         at sun.security.ssl.ClientHandshaker.processMessage(Unknown Source)
>         at sun.security.ssl.Handshaker.processLoop(Unknown Source)
>         at sun.security.ssl.Handshaker$1.run(Unknown Source)
>         at sun.security.ssl.Handshaker$1.run(Unknown Source)
>         at java.security.AccessController.doPrivileged(Native Method)
>         at sun.security.ssl.Handshaker$DelegatedTask.run(Unknown Source)
>         at io.netty.handler.ssl.SslHandler.runDelegatedTasks(SslHandler.java:960)
>         at io.netty.handler.ssl.SslHandler.unwrap(SslHandler.java:891)
>         ... 13 more
> Caused by: java.security.cert.CertificateException: No name matching
> QpidServer found
>         at sun.security.util.HostnameChecker.matchDNS(Unknown Source)
>         at sun.security.util.HostnameChecker.match(Unknown Source)
>         at sun.security.ssl.X509TrustManagerImpl.checkIdentity(Unknown Source)
>         at sun.security.ssl.X509TrustManagerImpl.checkIdentity(Unknown Source)
>         at sun.security.ssl.X509TrustManagerImpl.checkTrusted(Unknown Source)
>         at sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(Unknown Source)
>         ... 22 more
> But I use the tcp to communicate with server, it can send message
> successfully. The connection URL:
> connectionfactory.qpidConnectionfactory =
> amqp://QpidServer:5672?jms.username=admin&jms.password=admin&transport.connectTimeout=30000
>
> I used the same truststore file and trustStorePassword with
> qpid-amqp-1.0-client-0.32, it can connect to broker successfully. By the way, I
> notice the connection factory SSL API changed between
> qpid-amqp-1.0-client-0.32 and qpid-jms-0.9.0.
>
> In qpid-amqp-1.0-client-0.32 client API:
> As you can see the below screenshot:
> <http://qpid.2158936.n2.nabble.com/file/n7644530/ssl.png>
> But the qpid-jms-0.9.0 connection factory didn't have the corresponding
> method.
> org.apache.qpid.jms.JmsConnectionFactory, it didn't have setSSL and
> setSSLContext method.
>
>

That is correct, the new client does not have those methods; SSL is
configured via the URI and, if desired, the standard javax.net.ssl
system properties.

As Gordon mentioned, you need to use a value for the URI hostname that
your server certificate is presenting, otherwise the certificate
hostname verification process will fail. Presumably your server's
certificate is not presenting itself as "QpidServer" like you are
connecting to, hence the exception you see.

The new client performs hostname verification by default and so your
client+server configuration must support that occurring (i.e. matching
connect hostname and server certificate names), or else it would need
to be disabled, which is obviously not recommended.

>
> --
> View this message in context: http://qpid.2158936.n2.nabble.com/connect-Qpid-broker-using-the-latest-amqp-1-0-qpid-jms-client-0-9-ssl-tp7644406p7644530.html
> Sent from the Apache Qpid users mailing list archive at Nabble.com.
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: users-unsubscribe@qpid.apache.org
> For additional commands, e-mail: users-help@qpid.apache.org
>
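
Added example, not part of the original message and not Qpid or JDK code: a simplified model of RFC 2818-style name matching, showing why a connect hostname such as "QpidServer" is rejected when the broker certificate names something else. The class name, helper names and all hostnames are constructed for illustration; the real checker also handles cases (such as IP addresses) that this sketch leaves out.

```java
import java.util.Arrays;
import java.util.Collections;
import java.util.List;
import java.util.Locale;

public class HostnameMatchDemo {

    // Compare one certificate name with the connect host, case-insensitively.
    // "*" is honoured only as the entire left-most label and covers one label.
    static boolean matches(String host, String certName) {
        String h = host.toLowerCase(Locale.ROOT);
        String n = certName.toLowerCase(Locale.ROOT);
        if (!n.startsWith("*.")) {
            return h.equals(n);
        }
        int dot = h.indexOf('.');
        return dot > 0 && h.substring(dot).equals(n.substring(1));
    }

    // dNSName subjectAltName entries take precedence; the subject CN is
    // consulted only when the certificate has no dNSName entry at all.
    static boolean verify(String host, List<String> dnsSans, String cn) {
        if (!dnsSans.isEmpty()) {
            for (String san : dnsSans) {
                if (matches(host, san)) return true;
            }
            return false;
        }
        return cn != null && matches(host, cn);
    }

    static void report(String host, List<String> dnsSans, String cn) {
        System.out.printf("connect host %-22s SANs %-40s CN %-18s -> %s%n",
                host, dnsSans, cn, verify(host, dnsSans, cn) ? "match" : "NO MATCH");
    }

    public static void main(String[] args) {
        // Constructed names, not taken from the poster's certificate.
        List<String> none = Collections.emptyList();
        List<String> sans = Arrays.asList("qpid.example.test", "*.mq.example.test");

        report("QpidServer", none, "qpid.example.test");        // alias the cert never names
        report("qpid.example.test", none, "qpid.example.test"); // URI host equals the CN
        report("node1.mq.example.test", sans, "ignored-cn");    // wildcard SAN, one label
        report("a.b.mq.example.test", sans, "ignored-cn");      // wildcard does not span labels
        report("ignored-cn", sans, "ignored-cn");               // CN skipped when SANs exist
    }
}
```

To make the check pass without disabling it, either put a name the certificate actually presents in the amqps:// URI, or reissue the broker certificate so that it carries the name clients connect with.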
