You are viewing a plain text version of this content. The canonical link for it is here.
Posted to users@qpid.apache.org by Bruno França <br...@digirati.com.br> on 2011/10/05 00:36:14 UTC
Qpid-tools and SSL certificates
Hi,
when I set ssl-require-client-authentication and require-encryption on
my Qpid C++ broker and try to connect to it using qpid-stat, I get the
following error:
$ export QPID_SSL_CERT_DB=/path/to/mycert_db
$ export QPID_SSL_CERT_NAME=mycert
$ ./bin/qpid-stat -q amqps://bruno.mz.digirati.com.br
Failed: SSLError - [Errno 1] _ssl.c:499: error:14094412:SSL
routines:SSL3_READ_BYTES:sslv3 alert bad certificate
Seems like the client certificate is being ignored. Is there a way to
inform qpid-stat which certificate to use? The above command works if I
disable ssl-require-client-authentication. I'm using SVN rev 1177431 on
Ubuntu 11.04 x86_64.
Regards,
Bruno França.
---------------------------------------------------------------------
Apache Qpid - AMQP Messaging Implementation
Project: http://qpid.apache.org
Use/Interact: mailto:users-subscribe@qpid.apache.org
Re: Qpid-tools and SSL certificates
Posted by Gordon Sim <gs...@redhat.com>.
On 10/04/2011 11:36 PM, Bruno França wrote:
> Hi,
>
> when I set ssl-require-client-authentication and require-encryption on
> my Qpid C++ broker and try to connect to it using qpid-stat, I get the
> following error:
>
> $ export QPID_SSL_CERT_DB=/path/to/mycert_db
> $ export QPID_SSL_CERT_NAME=mycert
> $ ./bin/qpid-stat -q amqps://bruno.mz.digirati.com.br
> Failed: SSLError - [Errno 1] _ssl.c:499: error:14094412:SSL
> routines:SSL3_READ_BYTES:sslv3 alert bad certificate
>
> Seems like the client certificate is being ignored. Is there a way to
> inform qpid-stat which certificate to use? The above command works if I
> disable ssl-require-client-authentication. I'm using SVN rev 1177431 on
> Ubuntu 11.04 x86_64.
Unfortunately the python client (which qpid-stat uses) does not support
client authentication with SSL (the env vars above are only valid for
the C++ client and those APIs that wrap it).
There is a JIRA open for this and a (modified) patch attached:
https://issues.apache.org/jira/browse/QPID-3175. Rafi, are you happy
with that now? Could we push to get that in for 0.14, it's been around a
while now and would be an important gap to close.
---------------------------------------------------------------------
Apache Qpid - AMQP Messaging Implementation
Project: http://qpid.apache.org
Use/Interact: mailto:users-subscribe@qpid.apache.org