qpid-users mailing list archives

From Ganesh Murthy <gmur...@redhat.com>
Subject Re: [Dispatch router 0.7.0] [Proton 0.16.0] SSL commands failing on the Dispatch Router on Linux
Date Wed, 01 Feb 2017 14:07:21 GMT
Hi Adel,
    Looking at your log, it looks like the SSL negotiation between the broker and the router
is failing. 

qdmanage --ssl-trustfile=ca-certificate.pem --ssl-certificate=client-certificate.pem --ssl-key=client-private-key.pem
--ssl-password=client-password --ssl-disable-peer-name-verify -b amqps://localhost:10498 create
--type=connector role=route-container addr=localhost port=10305 name=localhost.10305.connector
sslProfile=ssl-test-profile verifyHostName=no

Looking at the above command, you are creating a connector with sslProfile=ssl-test-profile,
which means that you want the router to initiate an SSL exchange with the broker using the
certificates specified in the ssl-test-profile.
This SSL handshake between the router and the broker seems to be failing. If the handshake
was successful, we would see open frames exchanged between the broker and the router.

Is the broker listening port set up correctly in order for a successful SSL handshake?

Thanks.

----- Original Message -----
> From: "Adel Boutros" <Adelboutros@live.com>
> To: users@qpid.apache.org
> Sent: Wednesday, February 1, 2017 8:49:31 AM
> Subject: Re: [Dispatch router 0.7.0] [Proton 0.16.0] SSL commands failing on the Dispatch
> Router on Linux
> 
> Hello Ganesh,
> 
> 
> Actually one of our tests will require the below dispatch router to talk to
> another dispatch router. So the interior mode is intended.
> 
> 
> Regards,
> 
> Adel
> 
> ________________________________
> From: Adel Boutros <adelboutros@live.com>
> Sent: Wednesday, February 1, 2017 1:09:02 PM
> To: users@qpid.apache.org
> Subject: Re: [Dispatch router 0.7.0] [Proton 0.16.0] SSL commands failing on
> the Dispatch Router on Linux
> 
> Hello Ganesh,
> 
> We are not in the stage of deploying multiple dispatch routers yet.
> 
> However may I know why you think this is the cause of the below failure?
> 
> Regards,
> Adel
> 
> 
> From: Ganesh Murthy
> Sent: Wednesday, February 1, 13:06
> Subject: Re: [Dispatch router 0.7.0] [Proton 0.16.0] SSL commands failing on
> the Dispatch Router on Linux
> To: users@qpid.apache.org
> 
> Hi Adel, Why is your router mode set to 'interior'? Do you have more than one
> router involved? If not, the mode should be set to 'standalone'. Thanks.
>
> ----- Original Message -----
> > From: "Adel Boutros"
> > To: users@qpid.apache.org
> > Sent: Wednesday, February 1, 2017 6:55:35 AM
> > Subject: Re: [Dispatch router 0.7.0] [Proton 0.16.0] SSL commands failing on
> > the Dispatch Router on Linux
> >
> > Correction to the original mail:
> > If I remove any of the commands, the last command no longer fails.
> >
> > ________________________________
> > From: Adel Boutros
> > Sent: Wednesday, February 1, 2017 12:35:35 PM
> > To: users@qpid.apache.org
> > Subject: Re: [Dispatch router 0.7.0] [Proton 0.16.0] SSL commands failing on
> > the Dispatch Router on Linux
> >
> > Re-attaching the dispatch router log.
> >
> > ________________________________
> > From: Adel Boutros
> > Sent: Wednesday, February 1, 2017 12:10:45 PM
> > To: users@qpid.apache.org
> > Subject: [Dispatch router 0.7.0] [Proton 0.16.0] SSL commands failing on the
> > Dispatch Router on Linux
> >
> > Hello,
> >
> > We have launched our test suite on the dispatch router 0.7.0 and noticed that
> > connections on a Listener configured with SASL External were not working
> > anymore.
> >
> > With the below configuration and script, we have this exception ('SSL
> > Failure: Unknown error.') which keeps occurring.
> >
> > If I remove any of the commands except the one failing, the last one fails.
> > It seems we need to query the Dispatch router once and create 2 entities on
> > it for the 4th operation to fail. If I replace the "create" commands by
> > "delete" operation it doesn't seem to fail.
> >
> > PS: All certificates used here are taken from the qpid-dispatch repository
> > here https://github.com/apache/qpid-dispatch/tree/0.7.0/tests/ssl_certs
> >
> > Exception client-side
> > ---------------------------
> > ConnectionException: Connection amqps://green-lx-slave1:10498/$management
> > disconnected: Condition('amqp:connection:framing-error', 'SSL Failure:
> > Unknown error.')
> >
> > Router config
> > -------------------------
> > container {
> >     worker-threads: 4
> >     containerName: qpid.dispatch.router.10501
> > }
> >
> > sslProfile {
> >     keyFile: server-private-key.pem
> >     password: server-password
> >     certFile: server-certificate.pem
> >     name: ssl-test-profile
> >     certDb: ca-certificate.pem
> > }
> >
> > listener {
> >     host: 0.0.0.0
> >     port: 10498
> >     saslMechanisms: EXTERNAL
> >     sslProfile: ssl-test-profile
> >     authenticatePeer: yes
> >     requireSsl: yes
> > }
> >
> > router {
> >     mode: interior
> >     routerId: router.10501
> > }
> >
> > log {
> >     module: DEFAULT
> >     enable: trace+
> >     source: false
> >     output: dispatch.10501.log
> > }
> >
> > Commands to launch in the below order
> > --------------------------------------------------------
> > * Restart Dispatch Router
> > * Restart Broker
> > * qdstat -g -b amqp://localhost:10501
> > * qdmanage --ssl-trustfile=ca-certificate.pem
> >   --ssl-certificate=client-certificate.pem --ssl-key=client-private-key.pem
> >   --ssl-password=client-password --ssl-disable-peer-name-verify -b
> >   amqps://localhost:10498 create --type=address prefix=cluster.SSLMutualQueue
> >   waypoint=true name=cluster.SSLMutualQueue.addr
> > * qdmanage --ssl-trustfile=ca-certificate.pem
> >   --ssl-certificate=client-certificate.pem --ssl-key=client-private-key.pem
> >   --ssl-password=client-password --ssl-disable-peer-name-verify -b
> >   amqps://localhost:10498 create --type=connector role=route-container
> >   addr=localhost port=10305 name=localhost.10305.connector
> >   sslProfile=ssl-test-profile verifyHostName=no
> > * (Failing command) qdmanage --ssl-trustfile=ca-certificate.pem
> >   --ssl-certificate=client-certificate.pem --ssl-key=client-private-key.pem
> >   --ssl-password=client-password --ssl-disable-peer-name-verify -b
> >   amqps://localhost:10498 delete --type=autoLink --name
> >   localhost.10305.cluster.SSLMutualQueue.in
> >
> > Dispatch Router log
> > ---------------------------
> > See attached file
> >
> > Regards,
> > Adel
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: users-unsubscribe@qpid.apache.org
> For additional commands, e-mail: users-help@qpid.apache.org
> 
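
One way to check the question raised in the reply at the top of this message, namely whether the broker port the connector targets is a TLS listener at all. This is an added example, not code from the thread or from the Qpid project. The function names are hypothetical and only Python's standard library is used; the protocol ids are those of the AMQP 1.0 protocol header.

```python
import socket
import ssl

AMQP_HEADER = b"AMQP\x00\x01\x00\x00"  # "AMQP", protocol id 0, version 1.0.0
PROTO_IDS = {0: "AMQP", 2: "TLS upgrade", 3: "SASL"}  # ids defined by AMQP 1.0


def classify_reply(data):
    """Classify the first bytes a listener returns after a plain AMQP header."""
    if len(data) >= 8 and data[:4] == b"AMQP":
        return "plaintext-amqp (%s header)" % PROTO_IDS.get(data[4], "unknown")
    if len(data) >= 2 and data[0] in (0x15, 0x16) and data[1] == 0x03:
        return "tls-record"  # 0x15 = alert, 0x16 = handshake
    return "no-amqp-reply"  # closed or silent: not a plain AMQP listener


def probe_plain(host, port, timeout=3.0):
    """Send a plain AMQP header without TLS and classify the answer."""
    data = b""
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            sock.sendall(AMQP_HEADER)
            while len(data) < 8:
                chunk = sock.recv(8 - len(data))
                if not chunk:
                    break
                data += chunk
    except socket.timeout:
        pass  # listener stayed silent; classify whatever arrived
    except OSError as exc:
        return "io-error: %s" % exc
    return classify_reply(data)


def probe_tls(host, port, cafile=None, certfile=None, keyfile=None,
              password=None, timeout=3.0):
    """Attempt the TLS handshake a connector with an sslProfile would start."""
    ctx = ssl.create_default_context(cafile=cafile)
    ctx.check_hostname = False  # counterpart of verifyHostName=no in the thread
    if certfile:
        ctx.load_cert_chain(certfile, keyfile, password)
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw) as tls:
                return "handshake-ok: %s" % tls.version()
    except ssl.SSLError as exc:
        return "handshake-failed: %s" % (exc.reason or exc)
    except OSError as exc:
        return "io-error: %s" % exc
```

If `probe_plain("localhost", 10305)` reports `plaintext-amqp`, the broker port is answering in clear text and a connector carrying an sslProfile cannot complete its handshake there. Otherwise `probe_tls` called with the files named in ssl-test-profile reports whether the handshake itself succeeds and, if not, the reason OpenSSL gives.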
