You are viewing a plain text version of this content. The canonical link for it is here.

Posted to users@qpid.apache.org by Bruno França <br...@digirati.com.br> on 2011/10/05 00:36:14 UTC

Qpid-tools and SSL certificates

Hi,

when I set ssl-require-client-authentication and require-encryption on 
my Qpid C++ broker and try to connect to it using qpid-stat, I get the 
following error:

$ export QPID_SSL_CERT_DB=/path/to/mycert_db
$ export QPID_SSL_CERT_NAME=mycert
$ ./bin/qpid-stat -q amqps://bruno.mz.digirati.com.br
Failed: SSLError - [Errno 1] _ssl.c:499: error:14094412:SSL 
routines:SSL3_READ_BYTES:sslv3 alert bad certificate

Seems like the client certificate is being ignored. Is there a way to 
inform qpid-stat which certificate to use? The above command works if I 
disable ssl-require-client-authentication. I'm using SVN rev 1177431 on 
Ubuntu 11.04 x86_64.

Regards,
Bruno França.

---------------------------------------------------------------------
Apache Qpid - AMQP Messaging Implementation
Project:      http://qpid.apache.org
Use/Interact: mailto:users-subscribe@qpid.apache.org

Re: Qpid-tools and SSL certificates

Posted by Gordon Sim <gs...@redhat.com>.

On 10/04/2011 11:36 PM, Bruno França wrote:
> Hi,
>
> when I set ssl-require-client-authentication and require-encryption on
> my Qpid C++ broker and try to connect to it using qpid-stat, I get the
> following error:
>
> $ export QPID_SSL_CERT_DB=/path/to/mycert_db
> $ export QPID_SSL_CERT_NAME=mycert
> $ ./bin/qpid-stat -q amqps://bruno.mz.digirati.com.br
> Failed: SSLError - [Errno 1] _ssl.c:499: error:14094412:SSL
> routines:SSL3_READ_BYTES:sslv3 alert bad certificate
>
> Seems like the client certificate is being ignored. Is there a way to
> inform qpid-stat which certificate to use? The above command works if I
> disable ssl-require-client-authentication. I'm using SVN rev 1177431 on
> Ubuntu 11.04 x86_64.

Unfortunately the python client (which qpid-stat uses) does not  support 
client authentication with SSL (the env vars above are only valid for 
the C++ client and those APIs that wrap it).

There is a JIRA open for this and a (modified) patch attached: 
https://issues.apache.org/jira/browse/QPID-3175. Rafi, are you happy 
with that now? Could we push to get that in for 0.14, it's been around a 
while now and would be an important gap to close.

---------------------------------------------------------------------
Apache Qpid - AMQP Messaging Implementation
Project:      http://qpid.apache.org
Use/Interact: mailto:users-subscribe@qpid.apache.org