Posted to users@qpid.apache.org by Dedeepya Tunga <de...@yahoo.in.INVALID> on 2021/03/10 10:57:58 UTC

Qpid proton ssl connectivity issue on windows

Hi folks,
I am trying to connect to an AMQP SSL port from Qpid Proton. Below is the piece of code I am using to pass the certificate path for the SSL domain.
from proton import SSLDomain

def on_start(self, event):
    ssl_domain = SSLDomain(SSLDomain.MODE_CLIENT)
    # path to CA certificate
    ca = "/I/certs/selfsigned.pem"
    ssl_domain.set_trusted_ca_db(str(ca))
    ssl_domain.set_peer_authentication(SSLDomain.VERIFY_PEER_NAME, str(ca))

    # connect to the broker; the SSL domain has to be handed to connect(),
    # otherwise it is never applied to the connection
    conn = event.container.connect(url=self.server, user=self.username,
                                   password=self.password,
                                   virtual_host=self.virtualhost,
                                   ssl_domain=ssl_domain)

This works on a Linux environment; however, it gives the below error on a Windows machine. Can someone please guide me here?
Error:
File "\proton\_handlers.py", line 792, in on_reactor_init
    self.on_start(event)
File "\helloworld.py", line 27, in on_start
    ssl_domain.set_trusted_ca_db(str(ca))
File "\proton\_transport.py", line 771, in _check
    raise exc("SSL failure.")
proton._exceptions.SSLException: SSL failure
Another thing I tried is adding certificates to the windows trusted CAs with no luck!
Regards,
Dedeepya.T

Re: Qpid proton ssl connectivity issue on windows

Posted by Gordon Sim <gs...@redhat.com>.
On 25/03/2021 12:29, Dedeepya Tunga wrote:
> Hi Gordon,
> 
> I have tried setting the SANs of type DNS set to IP address and FQDN 
> something like the below.
> 
> [ req_ext]
> subjectAltName = @alt_names
> 
> [alt_names]
> DNS.1 = <FQDN>
> DNS.2 = <IP>
> 
>   It has failed host name verification with the above configuration.

That certainly works for me (on linux). Does the attached example work 
for you? Run the tls_server.py in one terminal and the tls_client.py in 
the other with -a amqp://localhost:5671 and amqps://127.0.0.1:5671. Both 
should connect successfully.

Re: Qpid proton ssl connectivity issue on windows

Posted by Dedeepya Tunga <de...@yahoo.in.INVALID>.
Hi Gordon,
I have tried setting SANs of type DNS to the IP address and the FQDN, something like the below.

[ req_ext ]
subjectAltName = @alt_names

[alt_names]
DNS.1 = <FQDN>
DNS.2 = <IP>

It has failed host name verification with the above configuration.
Regards,
Dedeepya.T

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@qpid.apache.org
For additional commands, e-mail: users-help@qpid.apache.org

  

Re: Qpid proton ssl connectivity issue on windows

Posted by Gordon Sim <gs...@redhat.com>.
On 19/03/2021 16:34, Dedeepya Tunga wrote:
>   Hi Gordon,
> Thanks a lot for the hint to use openssl for hostname verification. It helped me to understand why hostname verification didn't work for me.
> In my tests, i have generated various certificates, some of them contained broker IP set in alternate names and others had broker FQDN set as alternate names.It seems that hostname verification only works when connection hostname or  connection SNI is explicitly set to the certificate subject CN.
> The alternate names are not taken into consideration on hostname verification.
> For example, when I created a certificate with CN=FQDN and broker IP set as alternate name, the connection to broker using IP would fail unless SNI is set to FQDN.My expectation was that if connection host is either certificate alternate name or certificate CN, the hostname check should pass, but it doesn't pass when alternate names are used.

It looks like proton at present does not accept SANs of type 'IP 
Address' rather than 'DNS' hostnames. If you specify SANs of type DNS 
that hold IP addresses then they seem to work. You can specify the IP 
address as both type IP Address and DNS.
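The distinction Gordon describes is an encoding one: inside a SubjectAltName, DNS:192.0.2.10 is an IA5String that a host-name matcher compares as text, while "IP Address:192.0.2.10" is a differently tagged entry holding four raw octets, and a verifier that only walks the dNSName entries never sees it. The following is an added example, written for this page and not taken from the thread or from Qpid Proton: it encodes and decodes the SubjectAltName value itself (pure DER, no external library) and then shows how a host matches under the two rules. The names broker.example.com and 192.0.2.10 are constructed sample data; accept_ip_type=False is a model of the behaviour reported in the thread (only DNS-typed entries consulted), not a reading of proton's source.

```python
import ipaddress

# GeneralName tags inside a SubjectAltName (RFC 5280): context-specific, primitive.
TAG_DNS_NAME = 0x82    # [2] dNSName, carried as an IA5String
TAG_IP_ADDRESS = 0x87  # [7] iPAddress, carried as 4 or 16 raw octets
TAG_SEQUENCE = 0x30


def _der_len(n):
    """DER length: one byte below 128, else 0x80|count followed by big-endian bytes."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _tlv(tag, body):
    return bytes([tag]) + _der_len(len(body)) + body


def build_san(dns_names=(), ip_addrs=()):
    """Encode a SubjectAltName value (GeneralNames SEQUENCE) from name lists."""
    parts = [_tlv(TAG_DNS_NAME, n.encode("ascii")) for n in dns_names]
    parts += [_tlv(TAG_IP_ADDRESS, ipaddress.ip_address(a).packed) for a in ip_addrs]
    return _tlv(TAG_SEQUENCE, b"".join(parts))


def _read_tlv(buf, pos):
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first < 0x80:
        length = first
    else:
        count = first & 0x7F
        length = int.from_bytes(buf[pos:pos + count], "big")
        pos += count
    if pos + length > len(buf):
        raise ValueError("DER length runs past end of buffer")
    return tag, buf[pos:pos + length], pos + length


def parse_san(der):
    """Decode a SubjectAltName value into (kind, text) pairs, kind in DNS/IP/OTHER."""
    tag, body, end = _read_tlv(der, 0)
    if tag != TAG_SEQUENCE or end != len(der):
        raise ValueError("expected a single DER SEQUENCE of GeneralName")
    entries, pos = [], 0
    while pos < len(body):
        tag, value, pos = _read_tlv(body, pos)
        if tag == TAG_DNS_NAME:
            entries.append(("DNS", value.decode("ascii")))
        elif tag == TAG_IP_ADDRESS:
            entries.append(("IP", str(ipaddress.ip_address(value))))
        else:
            entries.append(("OTHER", value.hex()))  # rfc822Name, URI, ... not needed here
    return entries


def host_matches(entries, host, accept_ip_type):
    """Decide whether `host` (DNS name or IP literal) is covered by the SAN entries.

    accept_ip_type=False models a verifier that only consults dNSName entries
    (what the thread reports for proton at the time): an IP literal is then
    accepted only if the same text was also written into a DNS-typed entry.
    accept_ip_type=True additionally matches an IP literal against iPAddress
    entries. Wildcards (*.example.com) are deliberately not handled.
    """
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        ip = None
    for kind, value in entries:
        if kind == "DNS" and value.lower() == host.lower():
            return True
        if kind == "IP" and accept_ip_type and ip is not None \
                and ipaddress.ip_address(value) == ip:
            return True
    return False


if __name__ == "__main__":
    # Constructed sample: the certificate from the thread's workaround, with the
    # broker IP present both as a DNS-typed and as an IP-typed entry.
    san = build_san(["broker.example.com", "192.0.2.10"], ["192.0.2.10"])
    for kind, value in parse_san(san):
        print(kind, value)
    print("dns-only verifier accepts 192.0.2.10:", host_matches(parse_san(san), "192.0.2.10", False))
```

To inspect a real certificate instead of the constructed bytes, print its extension with `openssl x509 -in cert.pem -noout -ext subjectAltName` and compare the listed kinds with what `parse_san` reports; if the broker IP appears only as "IP Address:" and the client is one that walks dNSName entries only, the workaround in the reply above is to add the same IP as a DNS entry as well.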




Re: Qpid proton ssl connectivity issue on windows

Posted by Dedeepya Tunga <de...@yahoo.in.INVALID>.
 Hi Gordon,
Thanks a lot for the hint to use openssl for hostname verification. It helped me to understand why hostname verification didn't work for me.
In my tests, I have generated various certificates; some of them contained the broker IP set in alternate names and others had the broker FQDN set as alternate names. It seems that hostname verification only works when the connection hostname or connection SNI is explicitly set to the certificate subject CN.
The alternate names are not taken into consideration on hostname verification.
For example, when I created a certificate with CN=FQDN and the broker IP set as alternate name, the connection to the broker using the IP would fail unless SNI is set to the FQDN. My expectation was that if the connection host is either a certificate alternate name or the certificate CN, the hostname check should pass, but it doesn't pass when alternate names are used.
When the connection hostname is a valid certificate alternate name (but not the CN name), I am getting 'amqp:connection:framing-error', 'SSL failure: TLS certificate verification error'.
It seems that the workaround for this is to set SNI to the certificate CN when the connection host name is an alternate name, but that does not look like an entirely right approach to me. What do you think?
Regards,
Dedeepya.T

  

Re: Qpid proton ssl connectivity issue on windows

Posted by Gordon Sim <gs...@redhat.com>.
I suggest verifying using the openssl command line tool. E.g.

openssl s_client -connect <host:port> -verify_hostname <hostname> -CAfile <path-to-ca-pem-file>

That helps determine whether the issue is with the CA pem file or with 
your proton setup.
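The openssl check above separates two failures that proton reports with the same "certificate verify failed" text: the CA file not covering the broker's chain, and the broker's certificate not covering the name the client connected to. The script below is an added example, not from the thread or from Qpid Proton, that does the same split with Python's standard ssl module: stage one handshakes with chain verification only, stage two adds host-name verification, and the OpenSSL verify code on the exception says which half failed. Host, port, CA path and SNI are command-line arguments, and fake_verify_error exists only so the classifier can be exercised offline with constructed exceptions. One caveat: Python and openssl apply the RFC 6125 rule, so an IP literal given as the name matches only an "IP Address" SAN, which is stricter than what the thread reports for proton; use it to confirm the certificate and CA file are right, not to predict proton's result.

```python
import socket
import ssl

# OpenSSL X.509 verify result codes (x509_vfy.h) that the ssl module exposes as
# SSLCertVerificationError.verify_code, grouped by which half of the check failed.
CHAIN_CODES = {
    18: "leaf is self-signed and not in the CA file",
    19: "chain ends in a self-signed root that is not in the CA file",
    20: "no issuer for the leaf found in the CA file",
    21: "unable to verify the leaf signature",
}
NAME_CODES = {
    62: "host name matches neither CN nor any dNSName SAN",
    64: "IP literal matches no iPAddress SAN",
}


def classify_verify_error(exc):
    """Map a verification failure to ('chain' | 'name' | 'other', reason)."""
    code = getattr(exc, "verify_code", None)
    if code in CHAIN_CODES:
        return "chain", CHAIN_CODES[code]
    if code in NAME_CODES:
        return "name", NAME_CODES[code]
    return "other", getattr(exc, "verify_message", None) or str(exc)


def fake_verify_error(code, message):
    """Build the exception shape a failed handshake raises (constructed, for offline tests)."""
    exc = ssl.SSLCertVerificationError(message)
    exc.verify_code = code
    exc.verify_message = message
    return exc


def _handshake(host, port, cafile, sni, check_hostname, timeout=5.0):
    ctx = ssl.create_default_context(cafile=cafile)  # trust only the given CA file
    ctx.check_hostname = check_hostname
    ctx.verify_mode = ssl.CERT_REQUIRED
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=sni) as tls:
            return tls.getpeercert()


def diagnose(host, port, cafile, sni=None):
    """Stage 1: chain trust only. Stage 2: chain plus host name. Report which failed."""
    sni = sni or host
    try:
        cert = _handshake(host, port, cafile, sni, check_hostname=False)
    except ssl.SSLCertVerificationError as exc:
        return {"stage": "chain", "ok": False, "detail": classify_verify_error(exc)}
    san = cert.get("subjectAltName", ())
    try:
        _handshake(host, port, cafile, sni, check_hostname=True)
    except ssl.SSLCertVerificationError as exc:
        return {"stage": "name", "ok": False, "detail": classify_verify_error(exc), "san": san}
    return {"stage": "name", "ok": True, "san": san}


if __name__ == "__main__":
    import sys
    host, port, cafile = sys.argv[1], int(sys.argv[2]), sys.argv[3]
    sni = sys.argv[4] if len(sys.argv) > 4 else None
    print(diagnose(host, port, cafile, sni))
```

A "chain" result means the CA file is wrong for this broker (on Windows, also check that the file is in the format proton's Schannel backend expects); a "name" result means trust is fine and the report's san list shows exactly which entries the certificate carries, which is the input for fixing the SAN or the connection host.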




Re: Qpid proton ssl connectivity issue on windows

Posted by Dedeepya Tunga <de...@yahoo.in.INVALID>.
 Hi Gordon,
I performed a number of tests for host name verification with the proton client using different self-signed certificates created using openssl. I used Qpid Broker-J in the tests.
My tests include the following:
- Broker host FQDN set as CN in certificate subject (the host name verification worked with the JMS client but did not work with proton)
- Broker host FQDN set as alternate name (the host name verification worked with the JMS client but did not work with proton)
- Broker host IP set as CN in certificate subject (the host name verification did not work with either the JMS client or proton)
- Broker host IP set as alternate name (the host name verification did not work with either the JMS client or proton)
For all the above my sample proton app was reporting the below error on the Linux environment:
AMQP:ERROR:amqp:connection:framing-error SSL Failure:error:14090086:SSL routines:ssl3_get_server_certificate:certificate verify failed.
Here is the sample program I used to check host name verification:

from proton import SSLDomain
from proton.utils import BlockingConnection

ssl_domain = SSLDomain(SSLDomain.MODE_CLIENT)
ca = "path/to/cert.pem"
ssl_domain.set_trusted_ca_db(str(ca))
ssl_domain.set_peer_authentication(SSLDomain.VERIFY_PEER_NAME, str(ca))
conn = BlockingConnection(url="amqps://<FQDN|IP>:5671", ssl_domain=ssl_domain,
                          user="guest", password="guest", virtual_host="default",
                          sni="<FQDN>")
conn.close()

Please let me know if I need to amend anything here.
It seems that the host verification functionality is not working as expected.
Also I tried to test host name verification on Windows using pkcs12 without a password. I got a similar error as given here:
AMQP:ERROR:amqp:connection:framing-error SSL Failure: TLS certificate verification error.
Is there any way to specify pkcs12 password in proton API?


Regards,
Dedeepya.T

  

Re: Qpid proton ssl connectivity issue on windows

Posted by Gordon Sim <gs...@redhat.com>.
On 17/03/2021 09:54, Dedeepya Tunga wrote:
> Yes Gordon using OpenSolaris the self signed certificate is verified and ssl handshake established. On Linux am using it address to connect.

I'm sorry, I don't understand your response.

Does it work when connecting using the ip address not localhost?

Have you tried using the openssl command line tool to verify the 
certificate on linux? What was the output from that?

>    On Wed, 17 Mar 2021 at 15:21, Gordon Sim<gs...@redhat.com> wrote:   On 16/03/2021 13:11, Dedeepya Tunga wrote:
>>    Thanks Gordon for the quick solution. It works on windows when i use pkcs certificate.I am generating a self signed certificate with my ip address as CN and hostname and localhost as alternate DNS. However when i try to verify host am getting the below error on both linux and windows. Kindly suggest.




Re: Qpid proton ssl connectivity issue on windows

Posted by Dedeepya Tunga <de...@yahoo.in.INVALID>.
Yes Gordon using OpenSolaris the self signed certificate is verified and ssl handshake established. On Linux am using it address to connect.


  

Re: Qpid proton ssl connectivity issue on windows

Posted by Gordon Sim <gs...@redhat.com>.
On 16/03/2021 13:11, Dedeepya Tunga wrote:
>   Thanks Gordon for the quick solution. It works on windows when i use pkcs certificate.I am generating a self signed certificate with my ip address as CN and hostname and localhost as alternate DNS. However when i try to verify host am getting the below error on both linux and windows. Kindly suggest.

Does it work when connecting via the ip address? Have you tried 
verifying the certificate using openssl?




Re: Qpid proton ssl connectivity issue on windows

Posted by Dedeepya Tunga <de...@yahoo.in.INVALID>.
Thanks Gordon for the quick solution. It works on Windows when I use a pkcs certificate. I am generating a self-signed certificate with my IP address as CN and hostname and localhost as alternate DNS. However when I try to verify the host I am getting the below error on both Linux and Windows. Kindly suggest.
Code to verify host on SSL domain:

from proton import SSLDomain

ssl_domain = SSLDomain(SSLDomain.MODE_CLIENT)
ca = "/certs/selfsigned.pem"
ssl_domain.set_trusted_ca_db(str(ca))
# verify hostname
ssl_domain.set_peer_authentication(SSLDomain.VERIFY_PEER_NAME, str(ca))

Error message:
Linux machine:
proton._exceptions.ConnectionException: connection amqps://localhost:5671 disconnected: condition('amqp:connection:framing-error', 'SSL Failure: error:14090086:SSL routines:ssl3_get_server_certificate:certificate verify failed')
Windows machine:
proton._exceptions.ConnectionException: connection amqps://localhost:5671 disconnected: condition('amqp:connection:framing-error', 'SSL Failure: TLS certificate verification error')

Note: When I comment out the peer authentication, the program runs fine.
Regards,
Dedeepya.

  

Re: Qpid proton ssl connectivity issue on windows

Posted by Gordon Sim <gs...@redhat.com>.
On 10/03/2021 10:57, Dedeepya Tunga wrote:
> Hi folks,
> I am trying to connect to a amqp ssl port from qpid proton. below is the piece of code am using to pass the certificate path for SSL domain.
> def on_start(self, event):    ssl_domain = SSLDomain(SSLDomain.MODE_CLIENT)
>      #path to CA certificate
>      ca = "/I/certs/selfsigned.pem"
>      ssl_domain.set_trusted_ca_db(str(ca))
>      ssl_domain.set_peer_authentication(SSLDomain.VERIFY_PEER_NAME, str(ca))
>      
>      #conect to the broker
>      conn = event.container.connect(url=self.server, user=self.username, password=self.password, virtual_host=self.virtualhost)
> 
> This works on linux environment, however it gives the below error on windows machine. Can someone please guide me here.
> Error:
> File "\proton\_handlers.py", line 792, in on_reactor_init        self.on_start(event)File "\helloworld.py", line 27, in on_start        ssl.domain.set_trusted_ca_db(str(ca))
> File "\proton\_transport.py", line 771, in _check        raise exc("SSL failure.")
> proton._exceptions.SSLException: SSL failure
> Another thing I tried is adding certificates to the windows trusted CAs with no luck!

You need to convert the pem format certs to pkcs12. See 
https://github.com/apache/qpid-proton/blob/master/c/src/ssl/PLATFORM_NOTES.md#schannel

