Posted to users@qpid.apache.org by Calvin Lee <73...@riva-networks.com> on 2010/03/12 21:15:38 UTC

Re: SSL and C++ client - anyone have a complete example ?

Hi,

I am trying to build my c++ windows client with ssl using qpid 0.7.  And I
am getting this NSS 5938 error from the qpidd daemon.  I was able to get the
c++ client on Linux to work.  I just have to specify ssl-cert-db in the
qpidc.conf file.  What is the equivalent on Windows?  Does anyone have any
sample code that does this on Windows?

Thanks,
Calvin
-- 
View this message in context: http://n2.nabble.com/SSL-and-C-client-anyone-have-a-complete-example-tp4030718p4724210.html
Sent from the Apache Qpid users mailing list archive at Nabble.com.

---------------------------------------------------------------------
Apache Qpid - AMQP Messaging Implementation
Project:      http://qpid.apache.org
Use/Interact: mailto:users-subscribe@qpid.apache.org


Re: SSL and C++ client - anyone have a complete example ?

Posted by Rajith Attapattu <ra...@gmail.com>.
If I am not mistaken, SSL support is still being developed on the windows side.
Steve Huston who is working on that could provide you with a more
detailed update.

On Fri, Mar 12, 2010 at 3:15 PM, Calvin Lee <73...@riva-networks.com> wrote:
>
> Hi,
>
> I am trying to build my c++ windows client with ssl using qpid 0.7.  And I
> am getting this NSS 5938 error from the qpidd daemon.  I was able to get the
> c++ client on Linux to work.  I just have to specify ssl-cert-db in the
> qpidc.conf file.  What is the equivalent on Windows?  Does anyone have any
> sample code that does this on Windows?
>
> Thanks,
> Calvin



-- 
Regards,

Rajith Attapattu
Red Hat
http://rajith.2rlabs.com/



RE: SSL and C++ client - anyone have a complete example ?

Posted by calvin <ca...@riva-networks.com>.
Steve,

I upgraded to qpid 0.8 recently and wanted to connect my .net C# client to
the c++ broker using ssl.  The 2 variations in ConnectSSL() function require
a client certificate to be passed in.  However, my broker is configured to
not require ssl client authentication.  

It seems that the broker would let me connect to it with any certificate. 
I'm wondering if there's a way for the c# client to connect to the broker
without passing the client certificate like my windows c++ client.

Thanks,

Calvin



RE: SSL and C++ client - anyone have a complete example ?

Posted by Steve Huston <sh...@riverace.com>.
Great, Elena - I'm glad to hear you got it working.

If you can attach your C# changes to a jira
(http://issues.apache.org/jira/browse/qpid) as a patch, and please make
sure to check the box granting rights to Apache, that would be great.

Thanks,
-Steve

--
Steve Huston, Riverace Corporation
Total Lifecycle Support for Your Networked Applications
http://www.riverace.com


> -----Original Message-----
> From: Elena Nee [mailto:elena.nee@xitee.com] 
> Sent: Thursday, April 08, 2010 1:36 PM
> To: users@qpid.apache.org
> Subject: RE: SSL and C++ client - anyone have a complete example ?
> 
> 
> 
> Hi Steve,
> 
> Thank you for your reply.
> 
> > Did you use https://broker-addr:5671 ?
> > (If you use http:// it would probably act as you observed)
> Indeed I haven't thought of https, and you are exactly right, 
> it works. I only doubted the broker configuration and format 
> of the client certificate because I was having various 
> authentication problems.
> 
> > Which C# client are you using, from which qpid version?
> I am using a C# client from qpid-0.6 and yes, the SSL support 
> wasn't enabled in it. Which is why I couldn't get it to work 
> without changing the client's source code.
> 
> I finally got it to work.
> 
> Just in case somebody else is out there looking for answers 
> to the same questions. I found out that for SSL encrypted 
> connection C# client internally uses .NET SslStream's 
> AuthenticateAsClient() method, which takes X509 certificates 
> in DER (binary) format.
> 
> In my case broker was configured for SASL EXTERNAL 
> authentication mechanism. Client certificate had to have both 
> public and private keys. C# client uses PLAIN mechanism by 
> default so I had to extend Client.Connect*() methods to 
> support different SASL mechanisms.
> 
> Also when using EXTERNAL mechanism username and password 
> shouldn't be sent, I presume those are taken from the 
> certificate, otherwise connection fails.
> 
> Steve, thank you for being so helpful.
> 
> 
> Kind regards,
> 
> Elena


RE: SSL and C++ client - anyone have a complete example ?

Posted by Elena Nee <el...@xitee.com>.
Hi Steve,

Thank you for your reply.

> Did you use https://broker-addr:5671 ?
> (If you use http:// it would probably act as you observed)
Indeed I haven't thought of https, and you are exactly right, it works. I
only doubted the broker configuration and format of the client certificate
because I was having various authentication problems.

> Which C# client are you using, from which qpid version?
I am using a C# client from qpid-0.6 and yes, the SSL support wasn't enabled
in it. Which is why I couldn't get it to work without changing the client's
source code.

I finally got it to work.

Just in case somebody else is out there looking for answers to the same
questions. I found out that for SSL encrypted connection C# client
internally uses .NET SslStream's AuthenticateAsClient() method, which takes
X509 certificates in DER (binary) format.

In my case broker was configured for SASL EXTERNAL authentication mechanism.
Client certificate had to have both public and private keys. C# client uses
PLAIN mechanism by default so I had to extend Client.Connect*() methods to
support different SASL mechanisms.

Also when using EXTERNAL mechanism username and password shouldn't be sent,
I presume those are taken from the certificate, otherwise connection fails.

Steve, thank you for being so helpful.


Kind regards,

Elena
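
Added example (not part of the original posts and not Qpid client code): a stand-alone .NET check of the TLS layer described in the message above, calling SslStream.AuthenticateAsClient() with a client certificate that includes its private key against a broker on port 5671. The host name, the PKCS#12 path and its password are command-line placeholders, and the SASL EXTERNAL exchange that follows the handshake is not shown.

```csharp
// Added example; uses only standard .NET types, no Qpid API.
using System;
using System.Net.Security;
using System.Net.Sockets;
using System.Security.Authentication;
using System.Security.Cryptography.X509Certificates;

static class BrokerTlsCheck
{
    // Accept the broker only if its chain and name validate against the
    // Windows certificate store; print the reason when they do not.
    static bool ValidateBroker(object sender, X509Certificate cert,
                               X509Chain chain, SslPolicyErrors errors)
    {
        if (errors == SslPolicyErrors.None) return true;
        Console.Error.WriteLine("Broker certificate rejected: " + errors);
        if (chain != null)
            foreach (X509ChainStatus s in chain.ChainStatus)
                Console.Error.WriteLine("  " + s.Status + ": " + s.StatusInformation);
        return false;
    }

    static int Main(string[] args)
    {
        if (args.Length != 3)
        {
            Console.Error.WriteLine("usage: BrokerTlsCheck <host> <client.pfx> <password>");
            return 2;
        }
        string host = args[0];
        // PKCS#12 is assumed because it can hold the private key with the certificate.
        var clientCert = new X509Certificate2(args[1], args[2]);
        if (!clientCert.HasPrivateKey)
        {
            Console.Error.WriteLine("Certificate has no private key; client authentication will fail.");
            return 1;
        }
        using (var tcp = new TcpClient(host, 5671))
        using (var ssl = new SslStream(tcp.GetStream(), false, ValidateBroker))
        {
            var certs = new X509CertificateCollection { clientCert };
            // Throws AuthenticationException if ValidateBroker returns false.
            ssl.AuthenticateAsClient(host, certs, SslProtocols.Tls12, true);
            Console.WriteLine("Protocol: " + ssl.SslProtocol);
            Console.WriteLine("Client certificate sent: " + (ssl.LocalCertificate != null));
            Console.WriteLine("Mutually authenticated: " + ssl.IsMutuallyAuthenticated);
        }
        return 0;
    }
}
```

If "Mutually authenticated" prints False, the broker did not request or accept the client certificate, so an EXTERNAL login has no identity to use.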


RE: SSL and C++ client - anyone have a complete example ?

Posted by Steve Huston <sh...@riverace.com>.
Hi Elena,

> I'm getting the same error: 'Unknown NSS error code. [-5938] 
> (qpid/sys/ssl/SslSocket.cpp:151)'
> 
> And unlike Calvin I can't even connect to C++ broker using 
> browser. IE says 'Opening page...' and progress bar stops 
> somewhere in the middle.

Did you use https://broker-addr:5671 ?
(If you use http:// it would probably act as you observed)

> The same broker already serves a Java client without any 
> problem. Is there anything missing in the broker 
> configuration to allow SSL connection using a C# client on Windows?

Which C# client are you using, from which qpid version?

I know the new WCF C# client doesn't have SSL support in it yet (it's
coming, I believe).

> Thank you.

You're welcome.

-Steve

--
Steve Huston, Riverace Corporation
Total Lifecycle Support for Your Networked Applications
http://www.riverace.com




RE: SSL and C++ client - anyone have a complete example ?

Posted by Elena Nee <el...@xitee.com>.
Hi Steve,

I'm getting the same error: 'Unknown NSS error code. [-5938]
(qpid/sys/ssl/SslSocket.cpp:151)'

And unlike Calvin I can't even connect to C++ broker using browser. IE says
'Opening page...' and progress bar stops somewhere in the middle.

The same broker already serves a Java client without any problem. Is there
anything missing in the broker configuration to allow SSL connection using a
C# client on Windows?

Thank you.

Elena


RE: SSL and C++ client - anyone have a complete example ?

Posted by Calvin Lee <73...@riva-networks.com>.
Thanks, Steve!  It works now.  Much appreciated!

Calvin


RE: SSL and C++ client - anyone have a complete example ?

Posted by Steve Huston <sh...@riverace.com>.
Hi Calvin,

The Windows SSL support is via built-in SSL support in Windows, not via
NSS as the Linux version is. So the Windows certificate handling is
used.

Try this...

On your Windows system, start IE (not another browser) and connect to
<your qpid broker>:5671 (assuming your broker is listening for SSL on
port 5671).

You'll probably get a certificate error from IE. Follow the prompts to
import it.

Now try your client.

-Steve

--
Steve Huston, Riverace Corporation
Total Lifecycle Support for Your Networked Applications
http://www.riverace.com


> -----Original Message-----
> From: Calvin Lee [mailto:73books@riva-networks.com] 
> Sent: Friday, March 12, 2010 3:16 PM
> To: users@qpid.apache.org
> Subject: Re: SSL and C++ client - anyone have a complete example ?
> 
> 
> 
> Hi,
> 
> I am trying to build my c++ windows client with ssl using 
> qpid 0.7.  And I am getting this NSS 5938 error from the 
> qpidd daemon.  I was able to get the
> c++ client on Linux to work.  I just have to specify 
> ssl-cert-db in the
> qpidc.conf file.  What is the equivalent on Windows?  Does 
> anyone have any sample code that does this on Windows?
> 
> Thanks,
> Calvin