Posted to users@qpid.apache.org by Chris Richardson <cr...@fourc.eu> on 2015/10/17 02:36:53 UTC

Broker federation with SSL client auth and SASL EXTERNAL

Hi,

I'm attempting to set up a broker federation topology using purely SSL
client authentication and the EXTERNAL SASL mechanism on qpid-cpp 0.34.
This seems to be within an iota of working but I can't quite get the
configuration correct for the inter-broker routes.

The point I have arrived at is that I have 2 brokers, both of which are
configured to accept only connections over SSL with client cert
authentication. Both python (qpid-stat et al) and c++ (qpid-send/receive)
clients work perfectly - however the route between the brokers does not
work because the broker establishing the connection does not use a suitable
certificate. The connection fails with
Inter-broker link disconnected from broker-2:5671 Failed: SSL peer cannot
verify your certificate. [-12271]

I've found I can fix this by setting the QPID_SSL_CERT_DB,
QPID_SSL_CERT_PASSWORD_FILE and QPID_SSL_CERT_NAME variables in the
environment of the source broker process, but c++ client connections to
this broker then fail with
Failed to connect: Failed: NSS error [-8101]
(/var/tmp/portage/net-misc/qpid-cpp-0.34/work/qpid-cpp-0.34/src/qpid/sys/ssl/SslSocket.cpp:177)
According to the NSS documentation this error is due to an invalid use of
an SSL certificate (eg: server auth cert being used for client auth) but
this is the same certificate which previously worked fine. Python client
connections are unaffected.

I have a swathe of configuration data and logs which I can share if needed,
but to begin with can you tell me if this is something which should, at
least in principle, work?

Thanks in advance

-- 

*Chris Richardson*, System Architect
cr@fourc.eu


*FourC AS, Vestre Rosten 81, Trekanten, NO-7075 Tiller, Norway
www.fourc.eu <http://www.fourc.eu/>*

*Follow us on LinkedIn <http://bit.ly/fourcli>, Facebook
<http://bit.ly/fourcfb>, Google+ <http://bit.ly/fourcgp> and Twitter
<http://bit.ly/fourctw>!*

Re: Broker federation with SSL client auth and SASL EXTERNAL

Posted by Chris Richardson <cr...@fourc.eu>.
On 19 October 2015 at 15:37, Gordon Sim <gs...@redhat.com> wrote:

> On 10/17/2015 01:36 AM, Chris Richardson wrote:
>
>> Hi,
>>
>> I'm attempting to set up a broker federation topology using purely SSL
>> client authentication and the EXTERNAL SASL mechanism on qpid-cpp 0.34.
>> This seems to be within an iota of working but I can't quite get the
>> configuration correct for the inter-broker routes.
>>
>> The point I have arrived at is that I have 2 brokers, both of which are
>> configured to accept only connections over SSL with client cert
>> authentication. Both python (qpid-stat et al) and c++ (qpid-send/receive)
>> clients work perfectly - however the route between the brokers does not
>> work because the broker establishing the connection does not use a
>> suitable
>> certificate. The connection fails with
>> Inter-broker link disconnected from broker-2:5671 Failed: SSL peer cannot
>> verify your certificate. [-12271]
>>
>
> Was the broker certificate signed by a trusted CA as for the client
> certificates? I.e. does the broker accepting the incoming inter-broker
> connection trust the other broker?


The short answer to that question is _mostly_ "yes" and it got me thinking
along the right lines. I didn't realise that the broker's certificate is
the one used as a client certificate in the context of the route (kind of
obvious in retrospect). I was using certificates with only the "serverAuth"
usage extension on both brokers, which was therefore being rejected by the
broker receiving the route connection. Adding clientAuth to the usage list
(and extending my ACL to match) fixed the problem.

Thanks for the hint!


>
>> I've found I can fix this by setting the QPID_SSL_CERT_DB,
>> QPID_SSL_CERT_PASSWORD_FILE and QPID_SSL_CERT_NAME variables in the
>> environment of the source broker process, but c++ client connections to
>> this broker then fail with
>> Failed to connect: Failed: NSS error [-8101]
>>
>> (/var/tmp/portage/net-misc/qpid-cpp-0.34/work/qpid-cpp-0.34/src/qpid/sys/ssl/SslSocket.cpp:177)
>> According to the NSS documentation this error is due to an invalid use of
>> an SSL certificate (eg: server auth cert being used for client auth) but
>> this is the same certificate which previously worked fine. Python client
>> connections are unaffected.
>>
>> I have a swathe of configuration data and logs which I can share if
>> needed,
>> but to begin with can you tell me if this is something which should, at
>> least in principle, work?
>>
>> Thanks in advance


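The resolution in the reply above comes down to a certificate property: a broker that opens a federation route is the TLS client on that connection, so its certificate must carry the clientAuth extended key usage as well as serverAuth, or the receiving broker's NSS stack rejects it. The following shell script is an added example, not code from this thread or from the Qpid project; it assumes only the `openssl` command-line tool (1.1.1 or newer for `-addext`), and the certificate file names and the throwaway self-signed certificates it builds are constructed for the demonstration. It checks a PEM certificate for both usages and reports which one is missing.

```shell
#!/bin/sh
# Added example, not code from the thread or from Qpid. It checks whether a
# PEM certificate carries the extendedKeyUsage (EKU) values a qpid-cpp broker
# needs when it both accepts SSL client-authenticated connections (serverAuth)
# and opens federation routes to other brokers, where it acts as the TLS
# client (clientAuth). Requires the openssl CLI (1.1.1+ for -addext).

# Print the EKU value line of a PEM certificate; prints nothing if the
# extension is absent.
cert_eku() {
    openssl x509 -in "$1" -noout -text 2>/dev/null |
        sed -n '/X509v3 Extended Key Usage/{n;p;}'
}

# Exit 0 if the certificate may be used for the named purpose. Per RFC 5280 a
# certificate with no EKU extension is unrestricted, so that case passes.
cert_allows() {   # $1 = cert path, $2 = purpose text as printed by openssl
    eku=$(cert_eku "$1")
    [ -z "$eku" ] && return 0
    printf '%s\n' "$eku" | grep -q "$2"
}

cert_allows_server_auth() { cert_allows "$1" 'TLS Web Server Authentication'; }
cert_allows_client_auth() { cert_allows "$1" 'TLS Web Client Authentication'; }

# Report whether a broker certificate is usable on both sides of a federation
# route. Prints what is missing; exit status 0 only when nothing is missing.
broker_route_check() {
    missing=""
    cert_allows_server_auth "$1" || missing="$missing serverAuth"
    cert_allows_client_auth "$1" || missing="$missing clientAuth"
    if [ -n "$missing" ]; then
        echo "$1: missing EKU:$missing (route initiation fails without clientAuth)"
        return 1
    fi
    echo "$1: serverAuth and clientAuth present"
}

# Constructed demo material (self-signed, throwaway): a server-only
# certificate that reproduces the "SSL peer cannot verify your certificate"
# situation from the thread, and one carrying both usages.
make_demo_cert() {   # $1 = output path prefix, $2 = EKU list for -addext
    openssl req -x509 -nodes -days 1 -subj "/CN=$(basename "$1")" \
        -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 \
        -keyout "$1.key" -out "$1.pem" \
        -addext "extendedKeyUsage=$2" >/dev/null 2>&1
}

demo() {
    dir=$(mktemp -d)
    make_demo_cert "$dir/server-only" "serverAuth"
    make_demo_cert "$dir/broker" "serverAuth,clientAuth"
    broker_route_check "$dir/server-only.pem" || true
    broker_route_check "$dir/broker.pem"
    rm -rf "$dir"
}

demo
```

To check the certificate a running broker actually presents, export it from the NSS database named by QPID_SSL_CERT_DB (`certutil -L -d <certdb> -n <nickname> -a` writes the PEM) and run `broker_route_check` on that file; the same EKU line is visible directly in `certutil -L -d <certdb> -n <nickname>` output. The ACL entry for the route's identity must also match the subject the clientAuth certificate carries, as the reply notes.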

Re: Broker federation with SSL client auth and SASL EXTERNAL

Posted by Gordon Sim <gs...@redhat.com>.
On 10/17/2015 01:36 AM, Chris Richardson wrote:
> Hi,
>
> I'm attempting to set up a broker federation topology using purely SSL
> client authentication and the EXTERNAL SASL mechanism on qpid-cpp 0.34.
> This seems to be within an iota of working but I can't quite get the
> configuration correct for the inter-broker routes.
>
> The point I have arrived at is that I have 2 brokers, both of which are
> configured to accept only connections over SSL with client cert
> authentication. Both python (qpid-stat et al) and c++ (qpid-send/receive)
> clients work perfectly - however the route between the brokers does not
> work because the broker establishing the connection does not use a suitable
> certificate. The connection fails with
> Inter-broker link disconnected from broker-2:5671 Failed: SSL peer cannot
> verify your certificate. [-12271]

Was the broker certificate signed by a trusted CA as for the client 
certificates? I.e. does the broker accepting the incoming inter-broker 
connection trust the other broker?

>
> I've found I can fix this by setting the QPID_SSL_CERT_DB,
> QPID_SSL_CERT_PASSWORD_FILE and QPID_SSL_CERT_NAME variables in the
> environment of the source broker process, but c++ client connections to
> this broker then fail with
> Failed to connect: Failed: NSS error [-8101]
> (/var/tmp/portage/net-misc/qpid-cpp-0.34/work/qpid-cpp-0.34/src/qpid/sys/ssl/SslSocket.cpp:177)
> According to the NSS documentation this error is due to an invalid use of
> an SSL certificate (eg: server auth cert being used for client auth) but
> this is the same certificate which previously worked fine. Python client
> connections are unaffected.
>
> I have a swathe of configuration data and logs which I can share if needed,
> but to begin with can you tell me if this is something which should, at
> least in principle, work?
>
> Thanks in advance
>


---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@qpid.apache.org
For additional commands, e-mail: users-help@qpid.apache.org