Posted to users@activemq.apache.org by itsebriy <ih...@gmail.com> on 2017/06/28 11:02:30 UTC

Cannot setup secure web sockets with activemq mqtt

Hi All, 

   I am trying to make secure web sockets work with ActiveMQ and have not
been able to do that yet.

   My mqttContext.xml looks as follows:

  <broker id="broker" useShutdownHook="false" useJmx="false" persistent="true">
       <transportConnectors>
           <transportConnector name="vm" uri="vm://localhost"/>
           <transportConnector name="mqtt+nio" uri="mqtt+nio://0.0.0.0:1883"/>
           <transportConnector name="ws" uri="ws://0.0.0.0:1884?websocket.maxBinaryMessageSize=2147483647&amp;allowLinkStealing=true"/>
           <transportConnector name="wss" uri="wss://0.0.0.0:1885?websocket.maxBinaryMessageSize=2147483647&amp;allowLinkStealing=true"/>
       </transportConnectors>

       <sslContext>
            <sslContext keyStore="C:/Users/itsebriy/broker.ks"
                        keyStorePassword="password"
                        trustStore="C:/Users/itsebriy/client.ks"
                        trustStorePassword="password"/>
       </sslContext>


    I am using self-signed certificates and in the browser I get the following
error.

mqttws31:977 WebSocket connection to 'wss://192.168.84.184:1885/' failed:
Error in connection establishment: net::ERR_INSECURE_RESPONSE

   Is there anything I could be doing wrong? 

Thanks,
Ihor



--
View this message in context: http://activemq.2283324.n4.nabble.com/Cannot-setup-secure-web-sockets-with-activemq-mqtt-tp4727995.html
Sent from the ActiveMQ - User mailing list archive at Nabble.com.

Re: Cannot setup secure web sockets with activemq mqtt

Posted by itsebriy <ih...@gmail.com>.
I also took the configuration from ActiveMQ

http://activemq.apache.org/websockets.html

<sslContext>
    <sslContext keyStore="file:${activemq.conf}/broker.ks"
                keyStorePassword="password"
                trustStore="file:${activemq.conf}/broker.ts"
                trustStorePassword="password"
    />
</sslContext>

 and it didn't seem to work for me. I had to specify broker.ks for both
keystore and truststore and only then it started working. 

Also, a self-signed certificate is not an option since, as I have observed, the
certificate for web sockets and the certificate for https have to be the same!
Otherwise there will be a "Connection refused" error.


Re: Cannot setup secure web sockets with activemq mqtt

Posted by Tim Bain <tb...@alumni.duke.edu>.
Sorry, I just noticed your second response. I'm glad you got it working.

On Jun 29, 2017 10:53 AM, "Tim Bain" <tb...@alumni.duke.edu> wrote:

>
>
> On Jun 29, 2017 2:32 AM, "itsebriy" <ih...@gmail.com> wrote:
>
> I am using a self-signed certificate which I created with keytool.
>
>
> That doesn't answer the question of whether your browser trusts it. If you
> haven't done anything to make the browser trust the cert, then it doesn't,
> which is why you're getting this error.
>
> Also when going to production, will self-signed certificate be sufficient?
> We could use a certificate from certificate authority but the domain for
> every customer will be different.
>
>
> Only you can answer whether it's sufficient. If you can get each of your
> users to import your self-signed cert into your browser without objections,
> it might be sufficient. If they refuse, it's probably not.
>
> And I hope you don't plan to deploy a single cert (self-signed or
> otherwise) to multiple customer deployments. Your comment about domains
> sounds like you might be planning on doing that, and 1) it won't work, and
> 2) it's an awful thing to do even if it would work.
>
> Tim
>
>
>
> --
> View this message in context: http://activemq.2283324.n4.nab
> ble.com/Cannot-setup-secure-web-sockets-with-activemq-
> mqtt-tp4727995p4728050.html
> Sent from the ActiveMQ - User mailing list archive at Nabble.com.
>
>
>

Re: Cannot setup secure web sockets with activemq mqtt

Posted by Tim Bain <tb...@alumni.duke.edu>.
On Jun 29, 2017 2:32 AM, "itsebriy" <ih...@gmail.com> wrote:

> I am using a self-signed certificate which I created with keytool.

That doesn't answer the question of whether your browser trusts it. If you
haven't done anything to make the browser trust the cert, then it doesn't,
which is why you're getting this error.

> Also when going to production, will self-signed certificate be sufficient?
> We could use a certificate from certificate authority but the domain for
> every customer will be different.

Only you can answer whether it's sufficient. If you can get each of your
users to import your self-signed cert into your browser without objections,
it might be sufficient. If they refuse, it's probably not.

And I hope you don't plan to deploy a single cert (self-signed or
otherwise) to multiple customer deployments. Your comment about domains
sounds like you might be planning on doing that, and 1) it won't work, and
2) it's an awful thing to do even if it would work.

Tim




Re: Cannot setup secure web sockets with activemq mqtt

Posted by itsebriy <ih...@gmail.com>.
Problem solved. I enabled SSL debug for my server and saw that my Tomcat was
using an SSL certificate generated with the SHA1 algorithm, which is obsolete now.
For ActiveMQ, a self-signed certificate was used with the correct signing
algorithm. I ended up re-creating the certificate for Tomcat with the right
algorithm and that's it.




Re: Cannot setup secure web sockets with activemq mqtt

Posted by itsebriy <ih...@gmail.com>.
I am using a self-signed certificate which I created with keytool.

Also, when going to production, will a self-signed certificate be sufficient?
We could use a certificate from a certificate authority but the domain for
every customer will be different.




Re: Cannot setup secure web sockets with activemq mqtt

Posted by Tim Bain <tb...@alumni.duke.edu>.
Does the browser trust your broker's self-signed cert? It looks like it
doesn't...

Tim

On Jun 28, 2017 12:08 PM, "itsebriy" <ih...@gmail.com> wrote:

> Hi All,
>
>    I am trying to make secure web sockets to work with activeMQ and have
> not
> been able to do that yet.
>
>    My mqttContext.xml looks as following :
>
>   <broker id="broker"  useShutdownHook="false" useJmx="false"
> persistent="true" >
>        <transportConnectors>
>            <transportConnector name="vm" uri="vm://localhost"/>
>            <transportConnector name="mqtt+nio"
> uri="mqtt+nio://0.0.0.0:1883"/>
>            <transportConnector name="ws"
> uri="ws://0.0.0.0:1884?websocket.maxBinaryMessageSize=2147483647&amp;
> allowLinkStealing=true"/>
>                    <transportConnector name="wss"
> uri="wss://0.0.0.0:1885?websocket.maxBinaryMessageSize=2147483647&amp;
> allowLinkStealing=true"/>
>        </transportConnectors>
>
>        <sslContext>
>             <sslContext keyStore="C:/Users/itsebriy/broker.ks"
>                         keyStorePassword="password"
>                         trustStore="C:/Users/itsebriy/client.ks"
>                         trustStorePassword="password"/>
>        </sslContext>
>
>
>     I am using self signed certificates and in the browser I get following
> error.
>
> mqttws31:977 WebSocket connection to 'wss://192.168.84.184:1885/' failed:
> Error in connection establishment: net::ERR_INSECURE_RESPONSE
>
>    Is there anything I could be doing wrong?
>
> Thanks,
> Ihor
>
>
>
> --
> View this message in context: http://activemq.2283324.n4.
> nabble.com/Cannot-setup-secure-web-sockets-with-
> activemq-mqtt-tp4727995.html
> Sent from the ActiveMQ - User mailing list archive at Nabble.com.
>