Posted to users@qpid.apache.org by Paul Colby <pa...@colby.id.au> on 2012/02/09 04:51:50 UTC

Something change for client SSL support in 0.14?

Hi guys,

Did something change with the way we enable SSL for clients in 0.14?

I'm trying 0.14 cpp clients to talk to 0.14 cpp brokers.

My current setup works correctly (i.e. uses SSL) with 0.12 client / servers,
but not 0.14.

I'm setting the client-side transport option to SSL.  Then, if I
intentionally don't set the NSS environment vars, I (correctly) get
the Qpid error "SSL connector not enabled, you must set QPID_SSL_CERT_DB to
enable it.".  If I set the env vars, then the error goes away, but the
connection just hangs for about 5 minutes trying to connect to the broker.
After the 5 minutes or so, the client stops with "Traffic timeout", and
the broker reports a read failed error.

If I stop the broker, and run netcat to listen on port 5671, I can see the
client begins with "AMQP" - in the clear, i.e. NOT an SSL handshake, whereas
the exact same code compiled against the 0.12 client libs begins with
non-printable SSL handshake data.  So it looks to me like the client is not
performing an SSL handshake (and presumably the broker is waiting for one,
since this is the broker's SSL-only port).

Could this be a change as a result of
https://issues.apache.org/jira/browse/QPID-3514 ?  Or do we need to do
something different / extra to enable client-side SSL in 0.14?

PS Non-SSL connections (via 5672) are working fine.

Thanks!

pc
----
http://colby.id.au

Re: Something change for client SSL support in 0.14?

Posted by Paul Colby <pa...@colby.id.au>.
Found the bug.

Creating JIRA...

pc
----
http://colby.id.au


Re: Something change for client SSL support in 0.14?

Posted by Paul Colby <pa...@colby.id.au>.
Hi Gordon,

I've turned on tracing (see logs below), and for the 0.14 client libs it's
creating a TCPConnector, whereas the 0.12 version creates an SslConnector
instead.

0.14:
Created connection redacted:5671 with {heartbeat:60, password:guest,
reconnect-urls:[redacted :5671], transport:ssl, username:guest}
Trying to connect to redacted:5671...
Created IO thread: 0
TCPConnector created for 0-10
Connecting: 192.168.9.92:5671

0.12:
Created connection redacted:5671 with {heartbeat:60, password:guest,
reconnect-urls:[redacted:5671], transport:ssl, username:guest}
Trying to connect to  redacted :5671...
Created IO thread: 0
SslConnector created for \x00-

Any advice would be much appreciated :)

pc
----
http://colby.id.au


On Sat, Feb 11, 2012 at 1:08 AM, Gordon Sim <gs...@redhat.com> wrote:

> On 02/09/2012 03:51 AM, Paul Colby wrote:
>
>> Hi guys,
>>
>> Did something change with the way we enable SSL for clients in 0.14?
>>
>
> Not that I know of...
>
>
>> I'm trying 0.14 cpp clients to talk to 0.14 cpp brokers.
>>
>> My current setup works correctly (i.e. uses SSL) with 0.12 client / servers,
>> but not 0.14.
>>
>> I'm setting the client-side transport option to SSL.  Then, if I
>> intentionally don't set the NSS environment vars, I (correctly) get
>> the Qpid error "SSL connector not enabled, you must set QPID_SSL_CERT_DB to
>> enable it.".  If I set the env vars, then the error goes away, but the
>> connection just hangs for about 5 minutes trying to connect to the broker.
>> After the 5 minutes or so, the client stops with "Traffic timeout", and
>> the broker reports a read failed error.
>>
>> If I stop the broker, and run netcat to listen on port 5671, I can see the
>> client begins with "AMQP" - in the clear, i.e. NOT an SSL handshake, whereas
>> the exact same code compiled against the 0.12 client libs begins with
>> non-printable SSL handshake data.  So it looks to me like the client is not
>> performing an SSL handshake (and presumably the broker is waiting for one,
>> since this is the broker's SSL-only port).
>>
>> Could this be a change as a result of
>> https://issues.apache.org/jira/browse/QPID-3514 ?  Or do we need to do
>> something different / extra to enable client-side SSL in 0.14?
>>
>
> I don't *think* so, but it is always possible...
>
> Can you turn on debug level logging for the client (e.g. export
> QPID_LOG_ENABLE=debug+)? We should then see something like 'SslConnector
> created for ...' if the client is correctly set up. The
> existence/non-existence of such a log statement would help direct
> investigation a bit.
>
>
>> PS Non-SSL connections (via 5672) are working fine.
>>
>> Thanks!
>>
>> pc
>> ----
>> http://colby.id.au
>>
>>
>
> ---------------------------------------------------------------------
> Apache Qpid - AMQP Messaging Implementation
> Project:      http://qpid.apache.org
> Use/Interact: mailto:users-subscribe@qpid.apache.org
>
>

Re: Something change for client SSL support in 0.14?

Posted by Gordon Sim <gs...@redhat.com>.
On 02/09/2012 03:51 AM, Paul Colby wrote:
> Hi guys,
>
> Did something change with the way we enable SSL for clients in 0.14?

Not that I know of...

> I'm trying 0.14 cpp clients to talk to 0.14 cpp brokers.
>
> My current setup works correctly (i.e. uses SSL) with 0.12 client / servers,
> but not 0.14.
>
> I'm setting the client-side transport option to SSL.  Then, if I
> intentionally don't set the NSS environment vars, I (correctly) get
> the Qpid error "SSL connector not enabled, you must set QPID_SSL_CERT_DB to
> enable it.".  If I set the env vars, then the error goes away, but the
> connection just hangs for about 5 minutes trying to connect to the broker.
> After the 5 minutes or so, the client stops with "Traffic timeout", and
> the broker reports a read failed error.
>
> If I stop the broker, and run netcat to listen on port 5671, I can see the
> client begins with "AMQP" - in the clear, i.e. NOT an SSL handshake, whereas
> the exact same code compiled against the 0.12 client libs begins with
> non-printable SSL handshake data.  So it looks to me like the client is not
> performing an SSL handshake (and presumably the broker is waiting for one,
> since this is the broker's SSL-only port).
>
> Could this be a change as a result of
> https://issues.apache.org/jira/browse/QPID-3514 ?  Or do we need to do
> something different / extra to enable client-side SSL in 0.14?

I don't *think* so, but it is always possible...

Can you turn on debug level logging for the client (e.g. export
QPID_LOG_ENABLE=debug+)? We should then see something like 'SslConnector
created for ...' if the client is correctly set up. The
existence/non-existence of such a log statement would help direct
investigation a bit.

> PS Non-SSL connections (via 5672) are working fine.
>
> Thanks!
>
> pc
> ----
> http://colby.id.au
>


---------------------------------------------------------------------
Apache Qpid - AMQP Messaging Implementation
Project:      http://qpid.apache.org
Use/Interact: mailto:users-subscribe@qpid.apache.org
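The two checks this thread relies on, the netcat listen on the SSL-only port and the 'SslConnector created' debug-log line, automated as an added example; this is not code from the thread or from the Qpid project, and the sample log text and AMQP header bytes it uses are constructed.

```python
# Added example (not from the thread or the Qpid project). classify_first_bytes()
# tells a plaintext AMQP protocol header from a TLS ClientHello, so a listener
# standing in for the broker's SSL-only port can flag a client that has quietly
# fallen back to cleartext; connector_from_log() scans QPID_LOG_ENABLE=debug+
# output for the 'TCPConnector created' / 'SslConnector created' line.
import socket


def classify_first_bytes(data: bytes) -> str:
    """Classify the first bytes a client sends to the SSL port."""
    if data.startswith(b"AMQP"):
        # AMQP protocol header ("AMQP" + protocol id + version bytes), sent in the clear
        return "plaintext-amqp"
    if len(data) >= 6 and data[0] == 0x16 and data[1] == 0x03 and data[5] == 0x01:
        # TLS record type 22 (handshake), major version 3, handshake type 1 (ClientHello)
        return "tls-client-hello"
    return "unknown"


def connector_from_log(log_text: str) -> str:
    """Return 'ssl', 'tcp' or 'none' depending on which connector the client log reports."""
    for line in log_text.splitlines():
        if "SslConnector created" in line:
            return "ssl"
        if "TCPConnector created" in line:
            return "tcp"
    return "none"


def listen_once(port: int = 5671, timeout: float = 30.0) -> str:
    """Stand in for the stopped broker: accept one connection on the SSL port and
    classify its first bytes (the netcat check from the thread, automated)."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as srv:
        srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        srv.bind(("127.0.0.1", port))
        srv.listen(1)
        srv.settimeout(timeout)
        conn, _ = srv.accept()
        with conn:
            conn.settimeout(timeout)
            return classify_first_bytes(conn.recv(16))


if __name__ == "__main__":
    # Constructed sample: the 0.14 client trace from the thread, abridged
    SAMPLE_LOG = "Created IO thread: 0\nTCPConnector created for 0-10\nConnecting: 192.168.9.92:5671\n"
    print(connector_from_log(SAMPLE_LOG))                   # tcp
    print(classify_first_bytes(b"AMQP\x01\x01\x00\x0a"))    # plaintext-amqp
```

Run `listen_once()` with the broker stopped and point the client at it: "plaintext-amqp" means the client opened the SSL port without a TLS handshake, which is the failure the thread describes.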