Posted to users@qpid.apache.org by jjw tectec <jj...@gmail.com> on 2016/01/27 23:02:24 UTC

ssl not working

I'm trying to add encryption, but couldn't get things to work.

I've done the following (for a single broker scenario):

1) Ran the following script to create a certificate database:
mkdir ${CERT_DIR}
certutil -N -d ${CERT_DIR} -f ${CERT_PW_FILE}
certutil -S -d ${CERT_DIR} -n ${NICKNAME} -s "CN=${NICKNAME}" -t "CT,," -x \
    -f ${CERT_PW_FILE} -z /usr/bin/certutil

2) in qpidd.conf:
require-encryption=yes
ssl-cert-db=${CERT_DIR}
ssl-cert-password-file=${CERT_PW_FILE}
ssl-cert-name=${NICKNAME}
ssl-port=5671

However, when running the following:
qpid-send -b localhost:5671 -a 'TestQueue; {node:{type:queue}}'
--content-string "hello" --connection-options
"{transport:ssl,protocol:amqp1.0}"
I got "qpid-send: Connect failed to amqp:ssl:localhost:5671: Reconnect
disabled"

What am I missing?

Thanks,

jjw

Re: ssl not working

Posted by Gordon Sim <gs...@redhat.com>.
On 01/27/2016 10:02 PM, jjw tectec wrote:
> I'm trying to add encryption, but couldn't get things to work.
>
> I've done the following (for a single broker scenario):
>
> 1) Ran the following script to create a certificate database:
> mkdir ${CERT_DIR}
> certutil -N -d ${CERT_DIR} -f ${CERT_PW_FILE}
> certutil -S -d ${CERT_DIR} -n ${NICKNAME} -s "CN=${NICKNAME}" -t "CT,," -x
> -f ${CERT_PW_FILE} -z /usr/bin/certutil
>
> 2) in qpidd.conf:
> require-encryption=yes
> ssl-cert-db=${CERT_DIR}
> ssl-cert-password-file=${CERT_PW_FILE}
> ssl-cert-name=${NICKNAME}
> ssl-port=5671
>
> However, when running the following:
> qpid-send -b localhost:5671 -a 'TestQueue; {node:{type:queue}}'
> --content-string "hello" --connection-options
> "{transport:ssl,protocol:amqp1.0}"
> I got "*qpid-send: Connect failed to amqp:ssl:localhost:5671: Reconnect
> disabled*"
>
> What am I missing?

The hostname you use to connect has to match the CN of the broker's 
certificate. (From 0.30 onwards there is a connection option, 
ssl_ignore_hostname_verification_failure, which, if set to 'true', will 
disable the verification.)

(Also note that the proper error messages have been restored on trunk, 
but not yet released: https://issues.apache.org/jira/browse/QPID-6435)


---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@qpid.apache.org
For additional commands, e-mail: users-help@qpid.apache.org
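A worked illustration of the check Gordon describes, added here as an example; it is not code from the thread, from Qpid, or from NSS. It models the name-matching rule a TLS client applies (RFC 6125 style: subjectAltName first, CN only as a fallback for a certificate with no SAN, a wildcard only as the whole left-most label) against certificates shaped like the dict Python's ssl.SSLSocket.getpeercert() returns. The two certificates are constructed to mirror the setup in the first post (a bare "CN=${NICKNAME}" subject, with NICKNAME assumed to be broker01) and a SAN-bearing alternative; the ignore_hostname_failure flag is a stand-in for the ssl_ignore_hostname_verification_failure option and shows what setting it gives up.

```python
"""Hostname verification against a broker certificate, RFC 6125 style.

Added example, not part of the mailing-list thread and not Qpid code. It
models why 'qpid-send -b localhost:5671' fails against a certificate whose
only name is CN=${NICKNAME}, and what a certificate that satisfies the
check has to carry. Certificates are dicts in the shape returned by
ssl.SSLSocket.getpeercert(); the ones below are constructed for illustration.
"""
import ipaddress


def _dns_name_match(pattern: str, hostname: str) -> bool:
    """Match one presented DNS identifier against the hostname the client typed.

    Comparison is case-insensitive and ignores a trailing dot. A '*' is
    accepted only as the entire left-most label and never spans a dot, so
    '*.example.com' matches 'broker.example.com' but neither 'example.com'
    nor 'a.b.example.com'. A wildcard needs at least two labels after it.
    """
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    if p_labels[0] != "*" or "*" in pattern[1:] or len(p_labels) < 3:
        return False
    return len(p_labels) == len(h_labels) and p_labels[1:] == h_labels[1:]


def presented_names(cert: dict) -> tuple[list[str], list[str]]:
    """Return (dns_names, ip_addrs) the certificate presents.

    When a subjectAltName extension exists it is authoritative and the CN is
    not consulted; only a certificate without SAN (what a bare
    'certutil -S -s "CN=..."' produces) falls back to the subject CN.
    """
    san = cert.get("subjectAltName", ())
    dns = [v for k, v in san if k == "DNS"]
    ips = [v for k, v in san if k == "IP Address"]
    if san:
        return dns, ips
    for rdn in cert.get("subject", ()):
        for key, value in rdn:
            if key == "commonName":
                dns.append(value)
    return dns, ips


def hostname_matches(cert: dict, host: str) -> bool:
    """True if `host`, exactly as written in the broker URL, is covered."""
    dns_names, ip_addrs = presented_names(cert)
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        ip = None
    if ip is not None:
        # An IP literal is only satisfied by an iPAddress SAN, never by a CN.
        return any(ipaddress.ip_address(a) == ip for a in ip_addrs)
    return any(_dns_name_match(name, host) for name in dns_names)


def connect_decision(cert: dict, host: str, ignore_hostname_failure: bool = False) -> str:
    """Mirror the client's choice: verify the name, or explicitly skip it.

    `ignore_hostname_failure` stands in for the qpid connection option
    ssl_ignore_hostname_verification_failure. With it set, any certificate
    the client's trust store accepts is allowed for any hostname, so whoever
    holds such a certificate can pose as the broker. Debugging aid, not a fix.
    """
    if hostname_matches(cert, host):
        return "ok"
    if ignore_hostname_failure:
        return "ok-unverified-name"
    return "hostname-mismatch"


# Constructed certificates, shaped like ssl.SSLSocket.getpeercert() output.
# What 'certutil -S -s "CN=${NICKNAME}"' yields with NICKNAME=broker01 (assumed).
CN_ONLY_CERT = {"subject": ((("commonName", "broker01"),),)}

# A certificate that also covers the names clients actually type (assumed
# contents; a DNS SAN list is what certutil's -8 option adds).
SAN_CERT = {
    "subject": ((("commonName", "broker01"),),),
    "subjectAltName": (
        ("DNS", "broker01"),
        ("DNS", "localhost"),
        ("IP Address", "127.0.0.1"),
    ),
}


if __name__ == "__main__":
    for label, cert in (("CN-only", CN_ONLY_CERT), ("with SAN", SAN_CERT)):
        for host in ("localhost", "broker01", "127.0.0.1"):
            print(f"{label:9} {host:10} -> {connect_decision(cert, host)}")
```

Run it directly to print the decision table: the CN-only certificate passes only when the URL says broker01, and fails for both localhost and 127.0.0.1. The practical fixes are to connect with the name the certificate carries, or to issue the broker certificate with SANs covering every name clients use (certutil's -8 option takes a comma-separated list of DNS names); turning on ssl_ignore_hostname_verification_failure keeps the channel encrypted but removes the binding between the name you dialled and the key on the other end.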


Re: ssl not working

Posted by jjw tectec <jj...@gmail.com>.
Thanks for your message, Chuck. The following was the trace I obtained from
the broker:

2016-01-27 17:17:40 [Network] trace Accepting connection with optional SSL
wrapper.
2016-01-27 17:17:40 [Network] trace Accepted SSL connection.
2016-01-27 17:17:40 [Network] info Set TCP_NODELAY on connection to
127.0.0.1:49963
2016-01-27 17:17:40 [System] error Error reading socket: Success(0)
2016-01-27 17:17:40 [System] debug DISCONNECTED
[qpid.127.0.0.1:5671-127.0.0.1:49963]

By the way, in my original email I forgot to mention that I had
SSL-related environment variables set up at the client side also (in case
somebody thinks that might be the missing piece in the puzzle):
QPID_SSL_CERT_DB
QPID_SSL_CERT_PASSWORD
QPID_SSL_CERT_NAME

Still seeing the same issue: "qpid-send: Connect failed to
amqp:ssl:localhost:5671: Reconnect disabled"

jjw

On Wed, Jan 27, 2016 at 4:51 PM, Chuck Rolke <cr...@redhat.com> wrote:

> On both the broker and client end you can get some information from
> logging.
>
> export QPID_LOG_ENABLE=trace+
> then qpidd and qpid-send
>
> ----- Original Message -----
> > From: "jjw tectec" <jj...@gmail.com>
> > To: users@qpid.apache.org
> > Sent: Wednesday, January 27, 2016 5:02:24 PM
> > Subject: ssl not working
> >
> > I'm trying to add encryption, but couldn't get things to work.
> >
> > I've done the following (for a single broker scenario):
> >
> > 1) Ran the following script to create a certificate database:
> > mkdir ${CERT_DIR}
> > certutil -N -d ${CERT_DIR} -f ${CERT_PW_FILE}
> > certutil -S -d ${CERT_DIR} -n ${NICKNAME} -s "CN=${NICKNAME}" -t "CT,,"
> -x
> > -f ${CERT_PW_FILE} -z /usr/bin/certutil
> >
> > 2) in qpidd.conf:
> > require-encryption=yes
> > ssl-cert-db=${CERT_DIR}
> > ssl-cert-password-file=${CERT_PW_FILE}
> > ssl-cert-name=${NICKNAME}
> > ssl-port=5671
> >
> > However, when running the following:
> > qpid-send -b localhost:5671 -a 'TestQueue; {node:{type:queue}}'
> > --content-string "hello" --connection-options
> > "{transport:ssl,protocol:amqp1.0}"
> > I got "*qpid-send: Connect failed to amqp:ssl:localhost:5671: Reconnect
> > disabled*"
> >
> > What am I missing?
> >
> > Thanks,
> >
> > jjw
> >
>

Re: ssl not working

Posted by Chuck Rolke <cr...@redhat.com>.
On both the broker and client end you can get some information from logging.

export QPID_LOG_ENABLE=trace+
then qpidd and qpid-send

----- Original Message -----
> From: "jjw tectec" <jj...@gmail.com>
> To: users@qpid.apache.org
> Sent: Wednesday, January 27, 2016 5:02:24 PM
> Subject: ssl not working
> 
> I'm trying to add encryption, but couldn't get things to work.
> 
> I've done the following (for a single broker scenario):
> 
> 1) Ran the following script to create a certificate database:
> mkdir ${CERT_DIR}
> certutil -N -d ${CERT_DIR} -f ${CERT_PW_FILE}
> certutil -S -d ${CERT_DIR} -n ${NICKNAME} -s "CN=${NICKNAME}" -t "CT,," -x
> -f ${CERT_PW_FILE} -z /usr/bin/certutil
> 
> 2) in qpidd.conf:
> require-encryption=yes
> ssl-cert-db=${CERT_DIR}
> ssl-cert-password-file=${CERT_PW_FILE}
> ssl-cert-name=${NICKNAME}
> ssl-port=5671
> 
> However, when running the following:
> qpid-send -b localhost:5671 -a 'TestQueue; {node:{type:queue}}'
> --content-string "hello" --connection-options
> "{transport:ssl,protocol:amqp1.0}"
> I got "*qpid-send: Connect failed to amqp:ssl:localhost:5671: Reconnect
> disabled*"
> 
> What am I missing?
> 
> Thanks,
> 
> jjw
> 
