Posted to dev@qpid.apache.org by "Justin Ross (JIRA)" <ji...@apache.org> on 2016/07/15 15:44:20 UTC

[jira] [Closed] (PROTON-1168) 2-way Authentication via Certificates Fails in Proton-J

     [ https://issues.apache.org/jira/browse/PROTON-1168?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Justin Ross closed PROTON-1168.
-------------------------------
    Resolution: Cannot Reproduce

Jack, let us know if you get new information on this.

> 2-way Authentication via Certificates Fails in Proton-J
> -------------------------------------------------------
>
>                 Key: PROTON-1168
>                 URL: https://issues.apache.org/jira/browse/PROTON-1168
>             Project: Qpid Proton
>          Issue Type: Bug
>          Components: proton-j
>    Affects Versions: 0.12.0
>         Environment: Ubuntu 15.10 & RHEL 7
> Qpid Dispatch 0.5 & 0.6
> Proton-C 0.12 and Proton-J 0.12
>            Reporter: Jack Gibson
>            Priority: Critical
>         Attachments: PROTON-1168_reactor_ssl.patch, my_qdrouterd_B_standalone.conf, recv_with_ssl.c, send_with_ssl.c, ssl_logs1.tar.gz
>
>
> Using qpid dispatch, we are unable to enable 2 way SSL with proton-j but able to with proton-c.
> To reproduce, use the attached config to enable 2 WAY SSL with the “authenticate Peer” flag set to TRUE.
> Restart the qdrouterd instance to pick up the config changes.
> Make the client send a message based on the AMQP-CLIENT library (which uses Proton J).
> Client Error Message: from the log file
> AMQP framing error
> EventImpl{type=TRANSPORT_ERROR, context=TransportImpl [_connectionEndpoint=org.apache.qpid.proton.engine.impl.ConnectionImpl@6ef351a0, org.apache.qpid.proton.engine.impl.TransportImpl@44c213d9]}
> Server Error Message: from the log file
> =64, totalFreeToHeap=0, transferBatchSize=64, type=org.apache.qpid.dispatch.allocator, typeName=qd_timer_t, typeSize=56)
> Wed Mar 30 12:00:47 2016 AGENT (info) Activating management agent on $management
> Wed Mar 30 12:00:47 2016 ROUTER (info) In-Process Address Registered: $management
> Wed Mar 30 12:00:47 2016 ROUTER (info) In-Process Address Registered: $management
> Wed Mar 30 12:00:47 2016 AGENT (debug) Add entity: FixedAddressEntity(bias=closest, fanout=single, identity=fixedAddress/0, name=fixedAddress/0, prefix=/, type=org.apache.qpid.dispatch.fixedAddress)
> Wed Mar 30 12:00:47 2016 ROUTER (info) Configured Address: prefix=/ phase=0 fanout=QD_SCHEMA_FIXEDADDRESS_FANOUT_SINGLE bias=QD_SCHEMA_FIXEDADDRESS_BIAS_CLOSEST
> Wed Mar 30 12:00:47 2016 AGENT (debug) Add entity: ListenerEntity(addr=0.0.0.0, authenticatePeer=True, certDb=/home/vsharda/protected/pprootca_cert.pem, certFile=/home/vsharda/protected/generic_cert.pem, identity=listener/0.0.0.0:20009, idleTimeoutSeconds=16, keyFile=/home/vsharda/protected/generic_key.pem, maxFrameSize=65536, name=listener/0.0.0.0:20009, password=pn2.GmdXmkKv.X7fPq.oYDFj8Cs, port=20009, requireEncryption=True, requireSsl=True, role=normal, saslMechanisms=EXTERNAL, stripAnnotations=both, type=org.apache.qpid.dispatch.listener)
> Wed Mar 30 12:00:47 2016 CONN_MGR (info) Configured Listener: 0.0.0.0:20009 proto=any role=normal
> Wed Mar 30 12:00:47 2016 SERVER (trace) Listening on 0.0.0.0:20009
> Wed Mar 30 12:00:47 2016 AGENT (debug) Add entity: ConsoleEntity(identity=console/0, name=console/0, type=org.apache.qpid.dispatch.console, wsport=5673)
> Wed Mar 30 12:00:47 2016 SERVER (info) Operational, 4 Threads Running
> Wed Mar 30 12:01:06 2016 SERVER (debug) Accepting incoming connection from 10.225.90.106:51196 to 0.0.0.0:20009
> Wed Mar 30 12:01:06 2016 SERVER (trace) Configuring SSL on incoming connection from 10.225.90.106:51196 to 0.0.0.0:20009
> Wed Mar 30 12:01:06 2016 SERVER (trace) [1]:Server SSL socket created.
> Wed Mar 30 12:01:06 2016 SERVER (trace) [1]:SSL/TLS connection detected
> Wed Mar 30 12:01:06 2016 SERVER (trace) [1]:process_input_ssl( data size=162 )
> Wed Mar 30 12:01:06 2016 SERVER (trace) [1]:Wrote 162 bytes to BIO Layer, 0 left over
> Wed Mar 30 12:01:06 2016 SERVER (trace) [1]:Detected read-blocked
> Wed Mar 30 12:01:06 2016 SERVER (trace) [1]:process_input_ssl() returning 162
> Wed Mar 30 12:01:06 2016 SERVER (trace) [1]:Read 3651 bytes from BIO Layer
> Wed Mar 30 12:01:06 2016 SERVER (trace) [1]:process_output_ssl() returning 3651
> Wed Mar 30 12:01:06 2016 SERVER (trace) [1]:process_output_ssl() returning 0
> Wed Mar 30 12:01:06 2016 SERVER (trace) [1]:process_output_ssl() returning 0
> Wed Mar 30 12:01:06 2016 SERVER (trace) [1]:process_output_ssl() returning 0
> Wed Mar 30 12:01:06 2016 SERVER (trace) [1]:process_output_ssl() returning 0
> Wed Mar 30 12:01:06 2016 SERVER (trace) [1]:process_input_ssl( data size=205 )
> Wed Mar 30 12:01:06 2016 SERVER (trace) [1]:Wrote 205 bytes to BIO Layer, 0 left over
> Wed Mar 30 12:01:06 2016 SERVER (trace) [1]:ERROR amqp:connection:framing-error SSL Failure: error:140890C7:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:peer did not return a certificate
> Wed Mar 30 12:01:06 2016 SERVER (trace) [1]:  <- EOS
> Wed Mar 30 12:01:06 2016 SERVER (trace) [1]:  -> EOS
> Wed Mar 30 12:01:06 2016 SERVER (trace) [1]:SSL socket freed.
> For your reference, please find the attached client/server code, which is written using Proton-C, where the 2 way SSL worked fine. (send_with_ssl.c & recv_with_ssl.c)



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
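
Added example (not part of the JIRA notification or of the Qpid code base): a small triage script for the qdrouterd trace quoted above. It ties the SSL failure to the peer address and to the listener's `authenticatePeer` setting, and unpacks the OpenSSL error code. The sample lines are trimmed from the quoted log, and the 8/12/12-bit library/function/reason split assumes the OpenSSL 1.0.x error-code layout.

```python
import re

# Constructed sample: lines trimmed from the trace quoted above (listener line abbreviated).
SAMPLE = """\
Wed Mar 30 12:00:47 2016 AGENT (debug) Add entity: ListenerEntity(addr=0.0.0.0, authenticatePeer=True, port=20009, requireSsl=True, saslMechanisms=EXTERNAL)
Wed Mar 30 12:01:06 2016 SERVER (debug) Accepting incoming connection from 10.225.90.106:51196 to 0.0.0.0:20009
Wed Mar 30 12:01:06 2016 SERVER (trace) [1]:SSL/TLS connection detected
Wed Mar 30 12:01:06 2016 SERVER (trace) [1]:ERROR amqp:connection:framing-error SSL Failure: error:140890C7:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:peer did not return a certificate
Wed Mar 30 12:01:06 2016 SERVER (trace) [1]:SSL socket freed.
"""

LISTENER = re.compile(r"ListenerEntity\((.*)\)")
ACCEPT = re.compile(r"Accepting incoming connection from (\S+) to (\S+)")
SSL_ERR = re.compile(r"\[(\d+)\]:ERROR (\S+) SSL Failure: error:([0-9A-Fa-f]{8}):([^:]*):([^:]*):(.*)")

def unpack_openssl_error(hex_code):
    """Split a packed OpenSSL 1.0.x error code into (lib, func, reason)."""
    code = int(hex_code, 16)
    return (code >> 24) & 0xFF, (code >> 12) & 0xFFF, code & 0xFFF

def triage(log_text):
    """Return one finding per SSL failure, tied to the peer and the listener policy."""
    # Assumption: the accept line carries no connection id, so the most recent
    # accept is used; adequate for a single-connection reproduction like this one.
    listeners, last_peer, findings = {}, None, []
    for line in log_text.splitlines():
        if m := LISTENER.search(line):
            attrs = dict(kv.split("=", 1) for kv in m.group(1).split(", "))
            listeners[f"{attrs['addr']}:{attrs['port']}"] = attrs
        elif m := ACCEPT.search(line):
            last_peer = m.groups()
        elif m := SSL_ERR.search(line):
            conn, condition, code, _lib, func, reason = m.groups()
            peer, local = last_peer or (None, None)
            policy = listeners.get(local, {})
            findings.append({
                "conn": int(conn), "peer": peer, "listener": local,
                "amqp_condition": condition, "openssl": unpack_openssl_error(code),
                "function": func, "reason": reason.strip(),
                "client_cert_required": policy.get("authenticatePeer") == "True",
            })
    return findings

if __name__ == "__main__":
    for finding in triage(SAMPLE):
        print(finding)
```

A finding with `client_cert_required` set and the reason `peer did not return a certificate` means the listener requested a client certificate during the handshake and the client sent none, which the router then reports as an AMQP framing error.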
