Posted to users@qpid.apache.org by Trevor Vaughan <tv...@onyxpoint.com> on 2013/10/22 18:49:38 UTC

QPid Ruby client and SSL

All,

I've been trying to get the Ruby (cqpid) libraries to play well with the
Qpid server without much success.

I've tried setting the QPID_SSL_USE_EXPORT_POLICY and QPID_SSL_CERT_DB
environment variables but the SSL negotiation is not completing.

Testing with OpenSSL s_server, I am getting the following error:

SSL routines:SSL3_READ_BYTES:sslv3 alert bad certificate:s3_pkt.c:1193:SSL
alert number 42

I'm not trying to use a client certificate, simply an SSL encrypted session
and I've verified that my NSS database has the appropriate CA entries.

The error remains whether or not I try to provide a client certificate per
the C++ environment variables.

Has anyone gotten this type of setup to work successfully?

Thanks,

Trevor

-- 
Trevor Vaughan
Vice President, Onyx Point, Inc
(410) 541-6699
tvaughan@onyxpoint.com

-- This account not approved for unencrypted proprietary information --
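The alert in the error above, decoded. This is an added example, not code from the thread or from the Qpid project. OpenSSL raises the SSL3_READ_BYTES "sslv3 alert ..." error for an alert record it has received, so the "SSL alert number 42" that s_server printed is a fatal bad_certificate alert (TLS alert description 42, RFC 5246) sent by the connecting client: the peer rejected the certificate it was shown. The record below is constructed to match that alert; the record framing and the alert names follow RFC 5246, and only the codes listed in ALERT_NAMES are named.

```ruby
# Decode TLS alert records such as the one OpenSSL s_server reported.
# Added example, not code from the thread or from Qpid.
#
# TLS record framing (RFC 5246 section 6.2.1):
#   content type (1 byte) | version (2 bytes) | length (2 bytes) | fragment
# An alert fragment is two bytes: level (1 = warning, 2 = fatal) and description.

ALERT_CONTENT_TYPE = 21

ALERT_NAMES = {
  0 => "close_notify", 10 => "unexpected_message", 20 => "bad_record_mac",
  40 => "handshake_failure", 42 => "bad_certificate", 43 => "unsupported_certificate",
  44 => "certificate_revoked", 45 => "certificate_expired", 46 => "certificate_unknown",
  47 => "illegal_parameter", 48 => "unknown_ca", 49 => "access_denied",
  50 => "decode_error", 51 => "decrypt_error", 70 => "protocol_version",
  71 => "insufficient_security", 80 => "internal_error", 112 => "unrecognized_name",
}.freeze

ALERT_LEVELS = { 1 => "warning", 2 => "fatal" }.freeze

# Split a raw byte string into TLS records: [[type, [major, minor], fragment], ...].
# A truncated record raises instead of being silently guessed at.
def split_tls_records(bytes)
  records = []
  offset = 0
  while offset < bytes.bytesize
    raise ArgumentError, "truncated record header at #{offset}" if bytes.bytesize - offset < 5
    type, major, minor, length = bytes.byteslice(offset, 5).unpack("CCCn")
    raise ArgumentError, "truncated record body at #{offset}" if bytes.bytesize - offset - 5 < length
    records << [type, [major, minor], bytes.byteslice(offset + 5, length)]
    offset += 5 + length
  end
  records
end

# Return the decoded alerts found in the byte string, in wire order; records of
# other content types (handshake, application data, ...) are skipped.
def decode_tls_alerts(bytes)
  split_tls_records(bytes).select { |type, _, _| type == ALERT_CONTENT_TYPE }.map do |_, version, frag|
    raise ArgumentError, "alert fragment must be 2 bytes, got #{frag.bytesize}" unless frag.bytesize == 2
    level, desc = frag.unpack("CC")
    {
      version: version,
      level: ALERT_LEVELS.fetch(level, "unknown(#{level})"),
      code: desc,
      name: ALERT_NAMES.fetch(desc, "unknown(#{desc})"),
    }
  end
end

# Constructed sample: a fatal bad_certificate alert carried in a record with
# protocol version 3.1 (TLS 1.0). This is the shape of what s_server received
# when it printed "sslv3 alert bad certificate ... SSL alert number 42".
SAMPLE_ALERT_RECORD = "\x15\x03\x01\x00\x02\x02\x2a".b

if __FILE__ == $PROGRAM_NAME
  decode_tls_alerts(SAMPLE_ALERT_RECORD).each do |a|
    puts "TLS record version #{a[:version].join('.')} alert: #{a[:level]} #{a[:name]} (#{a[:code]})"
  end
end
```

Run it on a capture (for example the client-to-server bytes of the failing handshake) and the decoded level and description tell you which side gave up and why, which is the information the s_server one-liner compresses into "alert number 42".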

Re: QPid Ruby client and SSL

Posted by Jakub Scholz <ja...@scholz.cz>.
In the Java client, SSL issues are very easy to analyse using the SSL
debugging mode, which can be switched on with the system property
"javax.net.debug=ssl". It would be great to have something similar in the
C++ client (and in the scripting-language clients built on top of the C++
client). But to my understanding the C++ client uses the NSS library for the
SSL negotiation, and I never found such a nice debugging option for NSS.

Regards
Jakub


On Wed, Oct 23, 2013 at 6:15 PM, Trevor Vaughan <tv...@onyxpoint.com> wrote:

> No errors on the client side and adding trace to the QPID log didn't show
> anything except for dropped connections.
>
> That's when I started using openssl s_server to debug the SSL portion.
>
> We're using 0.14-22 currently.
>
>
> On Wed, Oct 23, 2013 at 11:46 AM, Gordon Sim <gs...@redhat.com> wrote:
>
> > On 10/23/2013 04:02 PM, Trevor Vaughan wrote:
> >
> >> amqp:ssl:myhost.mydomain:5671
> >> options << transport => 'ssl'
> >>
> >> But, no dice :-/
> >>
> >> Thanks for the help though!
> >>
> >
> > Do you get any errors on the client side? What if you export
> > QPID_LOG_ENABLE=trace+ before trying to run the ruby client, does that show
> > up anything unusual looking? (I'm wondering if the sslconnector.so module
> > is loaded, however if not then attempting to use ssl in the url should
> > result in an error not a hang).
> >
> > What version of the client are you using? (I ran a simple test from ruby
> > on trunk without a problem, so it's either a different version or different
> > config in some way I think).
> >
> >
> > ---------------------------------------------------------------------
> > To unsubscribe, e-mail: users-unsubscribe@qpid.apache.org
> > For additional commands, e-mail: users-help@qpid.apache.org
> >
> >
>
>
> --
> Trevor Vaughan
> Vice President, Onyx Point, Inc
> (410) 541-6699
> tvaughan@onyxpoint.com
>
> -- This account not approved for unencrypted proprietary information --
>

Re: QPid Ruby client and SSL

Posted by Trevor Vaughan <tv...@onyxpoint.com>.
No errors on the client side and adding trace to the QPID log didn't show
anything except for dropped connections.

That's when I started using openssl s_server to debug the SSL portion.

We're using 0.14-22 currently.


On Wed, Oct 23, 2013 at 11:46 AM, Gordon Sim <gs...@redhat.com> wrote:

> On 10/23/2013 04:02 PM, Trevor Vaughan wrote:
>
>> amqp:ssl:myhost.mydomain:5671
>> options << transport => 'ssl'
>>
>> But, no dice :-/
>>
>> Thanks for the help though!
>>
>
> Do you get any errors on the client side? What if you export
> QPID_LOG_ENABLE=trace+ before trying to run the ruby client, does that show
> up anything unusual looking? (I'm wondering if the sslconnector.so module
> is loaded, however if not then attempting to use ssl in the url should
> result in an error not a hang).
>
> What version of the client are you using? (I ran a simple test from ruby
> on trunk without a problem, so it's either a different version or different
> config in some way I think).
>
>
>
>


-- 
Trevor Vaughan
Vice President, Onyx Point, Inc
(410) 541-6699
tvaughan@onyxpoint.com

-- This account not approved for unencrypted proprietary information --

Re: QPid Ruby client and SSL

Posted by Gordon Sim <gs...@redhat.com>.
On 10/23/2013 04:02 PM, Trevor Vaughan wrote:
> amqp:ssl:myhost.mydomain:5671
> options << transport => 'ssl'
>
> But, no dice :-/
>
> Thanks for the help though!

Do you get any errors on the client side? What if you export 
QPID_LOG_ENABLE=trace+ before trying to run the ruby client, does that 
show up anything unusual looking? (I'm wondering if the sslconnector.so 
module is loaded, however if not then attempting to use ssl in the url 
should result in an error not a hang).

What version of the client are you using? (I ran a simple test from ruby
on trunk without a problem, so it's either a different version or
different config in some way I think).




Re: QPid Ruby client and SSL

Posted by Trevor Vaughan <tv...@onyxpoint.com>.
amqp:ssl:myhost.mydomain:5671
options << transport => 'ssl'

But, no dice :-/

Thanks for the help though!

Trevor


On Wed, Oct 23, 2013 at 10:01 AM, Gordon Sim <gs...@redhat.com> wrote:

> On 10/23/2013 01:36 PM, Trevor Vaughan wrote:
>
>> Thanks for getting back to me.
>>
>> The C++ broker is working fine, I can use the Python code to connect to
>> the broker over SSL with no issues whatsoever.
>>
>> Unfortunately, the Ruby client code isn't behaving so well.
>>
>> The client DB only has the list of trusted CAs with the TC flags set since
>> I'm not trying to use client certificates.
>>
>> I did use the FQDN, DNS works properly, and I am going to port 5671.
>>
>
> Sorry for all the stupid questions then ;-) Just one more...
>
> What url are you giving to the ruby client to tell it to use ssl? It
> doesn't recognise the 'amqps' scheme the python client uses. However you
> can use ssl:myhost.mydomain:5671 to indicate that ssl should be used, or
> indeed set a connection level option for 'transport' to 'ssl' (not exactly
> sure how you do that in ruby).
>
>
>
>


-- 
Trevor Vaughan
Vice President, Onyx Point, Inc
(410) 541-6699
tvaughan@onyxpoint.com

-- This account not approved for unencrypted proprietary information --

Re: QPid Ruby client and SSL

Posted by Gordon Sim <gs...@redhat.com>.
On 10/23/2013 01:36 PM, Trevor Vaughan wrote:
> Thanks for getting back to me.
>
> The C++ broker is working fine, I can use the Python code to connect to the
> broker over SSL with no issues whatsoever.
>
> Unfortunately, the Ruby client code isn't behaving so well.
>
> The client DB only has the list of trusted CAs with the TC flags set since
> I'm not trying to use client certificates.
>
> I did use the FQDN, DNS works properly, and I am going to port 5671.

Sorry for all the stupid questions then ;-) Just one more...

What url are you giving to the ruby client to tell it to use ssl? It 
doesn't recognise the 'amqps' scheme the python client uses. However you 
can use ssl:myhost.mydomain:5671 to indicate that ssl should be used, or 
indeed set a connection level option for 'transport' to 'ssl' (not 
exactly sure how you do that in ruby).



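The URL forms Gordon describes, as a parser: an added example of mine, not the Qpid project's own Url code. The grammar (optional "amqp:" prefix, optional user/password, a comma-separated list of addresses each with an optional protocol prefix such as "ssl:") is my reading of the C++ client's Url class; the default ports, the way the `transport` connection option is folded in, and the fail-closed rule in ssl_selected? are this example's own choices. The point it makes is the one behind the question in the thread: before trusting a connection string, confirm that every address it names will actually negotiate SSL, and refuse a scheme the client would not recognise (such as "amqps://") rather than falling back to plain tcp.

```ruby
# Parse Qpid C++ client connection URLs of the forms discussed above:
#   ["amqp:"][user["/"password]"@"] addr ("," addr)*    addr = [proto ":"] host [":" port]
# Added example, not Qpid's own Url parser. Grammar: my reading of the C++
# client's Url class. Default ports, transport-option handling and the
# fail-closed rule in ssl_selected? are assumptions made here.

PROTOCOLS = %w[tcp ssl rdma].freeze
DEFAULT_PORT = { "tcp" => 5672, "rdma" => 5672, "ssl" => 5671 }.freeze # assumed, not Qpid's

HOSTNAME_RE = /\A([A-Za-z0-9](?:[A-Za-z0-9.-]*[A-Za-z0-9])?)(?::(\d+))?\z/
IPV6_RE = /\A\[([0-9A-Fa-f:.]+)\](?::(\d+))?\z/
# A "word:" prefix is either a protocol or the host part of "host:port";
# a leading "[" is a bracketed IPv6 literal and never a protocol.
PROTO_PREFIX_RE = /\A([A-Za-z][A-Za-z0-9+.-]*):/

def parse_addr(addr, default_proto)
  raise ArgumentError, "empty address" if addr.empty?
  proto = nil
  if (m = addr.match(PROTO_PREFIX_RE))
    if PROTOCOLS.include?(m[1].downcase)
      proto = m[1].downcase
      addr = m.post_match
    elsif m.post_match !~ /\A\d+\z/
      # Neither a known protocol nor "host:port": refuse instead of silently
      # treating it as a plain tcp host (this is where "amqps://..." lands).
      raise ArgumentError, "unrecognised protocol #{m[1].inspect} in #{addr.inspect}"
    end
  end
  explicit = !proto.nil?
  proto ||= default_proto
  raise ArgumentError, "unknown transport #{proto.inspect}" unless PROTOCOLS.include?(proto)
  m = addr.match(addr.start_with?("[") ? IPV6_RE : HOSTNAME_RE)
  raise ArgumentError, "bad host in #{addr.inspect}" unless m
  port = m[2] ? Integer(m[2], 10) : DEFAULT_PORT.fetch(proto)
  raise ArgumentError, "port out of range: #{port}" unless (1..65535).cover?(port)
  { protocol: proto, explicit_protocol: explicit, host: m[1], port: port }
end

# `transport` is the protocol applied to addresses that carry none, standing in
# for the connection option of that name mentioned in the thread (assumption).
def parse_qpid_url(url, transport: "tcp")
  raise ArgumentError, "empty url" if url.nil? || url.empty?
  rest = url.start_with?("amqp:") ? url[5..-1] : url
  creds = nil
  if (m = rest.match(/\A([^\/@:,\[\]]+)(?:\/([^@,]*))?@/))
    creds = { user: m[1], password: m[2] }
    rest = m.post_match
  end
  addrs = rest.split(",", -1).map { |a| parse_addr(a, transport) }
  raise ArgumentError, "no address in #{url.inspect}" if addrs.empty?
  { credentials: creds, addresses: addrs }
end

# Fail closed: true only if every address the client could fail over to uses
# ssl, from an explicit "ssl:" or, for addresses without a protocol, from
# transport=ssl. One plain-tcp fallback address makes the whole url unsafe.
def ssl_selected?(url, options = {})
  transport = (options["transport"] || options[:transport] || "tcp").to_s
  parse_qpid_url(url, transport: transport)[:addresses].all? { |a| a[:protocol] == "ssl" }
end

if __FILE__ == $PROGRAM_NAME
  ["amqp:ssl:myhost.mydomain:5671", "myhost.mydomain:5671", "ssl:a.example,b.example:5672"].each do |u|
    puts "#{u.ljust(32)} ssl=#{ssl_selected?(u)} ssl(transport=ssl)=#{ssl_selected?(u, 'transport' => 'ssl')}"
  end
end
```

The rule in ssl_selected? is deliberately strict about failover lists: "ssl:a.example,b.example" negotiates SSL with the first broker and plaintext with the second unless transport=ssl is also set, so a check that looked only at the first address would pass a url that can leak the session to the fallback.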

Re: QPid Ruby client and SSL

Posted by Trevor Vaughan <tv...@onyxpoint.com>.
Thanks for getting back to me.

The C++ broker is working fine, I can use the Python code to connect to the
broker over SSL with no issues whatsoever.

Unfortunately, the Ruby client code isn't behaving so well.

The client DB only has the list of trusted CAs with the TC flags set since
I'm not trying to use client certificates.

I did use the FQDN, DNS works properly, and I am going to port 5671.

Thanks,

Trevor


On Wed, Oct 23, 2013 at 6:12 AM, Gordon Sim <gs...@redhat.com> wrote:

> On 10/22/2013 05:49 PM, Trevor Vaughan wrote:
>
>> All,
>>
>> I've been trying to get the Ruby (cqpid) libraries to play well with the
>> Qpid server without much success.
>>
>> I've tried setting the QPID_SSL_USE_EXPORT_POLICY and QPID_SSL_CERT_DB
>> environment variables but the SSL negotiation is not completing.
>>
>> Testing with OpenSSL s_server, I am getting the following error:
>>
>> SSL routines:SSL3_READ_BYTES:sslv3 alert bad certificate:s3_pkt.c:1193:SSL
>> alert number 42
>>
>> I'm not trying to use a client certificate, simply an SSL encrypted session
>> and I've verified that my NSS database has the appropriate CA entries.
>>
>> The error remains whether or not I try to provide a client certificate per
>> the C++ environment variables.
>>
>> Has anyone gotten this type of setup to work successfully?
>>
>
> Can you give a bit more detail on what your setup is? How did you start
> the broker (and just to be sure, which broker are you using)? What do the
> broker's and client's certificate DBs have in them (certutil -L -d
> <db-name>)? Did you use the fully qualified domain name when connecting?
> Did you specify port 5671?
>
> I can certainly connect from the cqpid based ruby wrapper to the c++
> broker (i.e. qpidd) over SSL using a cert for the server that is signed by
> a test CA whose certificate is imported into the client's cert db, with or
> without the export policy turned on.
>
>
>
>


-- 
Trevor Vaughan
Vice President, Onyx Point, Inc
(410) 541-6699
tvaughan@onyxpoint.com

-- This account not approved for unencrypted proprietary information --

Re: QPid Ruby client and SSL

Posted by Gordon Sim <gs...@redhat.com>.
On 10/22/2013 05:49 PM, Trevor Vaughan wrote:
> All,
>
> I've been trying to get the Ruby (cqpid) libraries to play well with the
> Qpid server without much success.
>
> I've tried setting the QPID_SSL_USE_EXPORT_POLICY and QPID_SSL_CERT_DB
> environment variables but the SSL negotiation is not completing.
>
> Testing with OpenSSL s_server, I am getting the following error:
>
> SSL routines:SSL3_READ_BYTES:sslv3 alert bad certificate:s3_pkt.c:1193:SSL
> alert number 42
>
> I'm not trying to use a client certificate, simply an SSL encrypted session
> and I've verified that my NSS database has the appropriate CA entries.
>
> The error remains whether or not I try to provide a client certificate per
> the C++ environment variables.
>
> Has anyone gotten this type of setup to work successfully?

Can you give a bit more detail on what your setup is? How did you start
the broker (and just to be sure, which broker are you using)? What do
the broker's and client's certificate DBs have in them (certutil -L -d
<db-name>)? Did you use the fully qualified domain name when connecting?
Did you specify port 5671?

I can certainly connect from the cqpid based ruby wrapper to the c++
broker (i.e. qpidd) over SSL using a cert for the server that is signed
by a test CA whose certificate is imported into the client's cert db,
with or without the export policy turned on.


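Gordon's two questions (what the client's cert DB contains, and whether the fully qualified name was used) correspond to the two checks a TLS client makes on the certificate a broker presents: that it chains to a CA the client trusts, and that its name matches the host the client dialed. The following is an added example in Ruby's OpenSSL binding, not Qpid code and not the NSS library the C++ client uses; it generates a throwaway CA and a broker certificate for myhost.mydomain (all test material is constructed here) and shows both checks passing, then each one failing: a CA missing from the trust store, and the short name "myhost" dialed against a certificate that names only the FQDN.

```ruby
require "openssl"

# Two checks a TLS client makes on the certificate a broker presents:
#   1. it chains to a CA in the client's trust store (what the NSS cert DB holds)
#   2. its name matches the host the client dialed (why the FQDN matters)
# Added example in Ruby's OpenSSL binding; not Qpid code and not NSS. All CA
# and certificate material is generated here, so nothing real is trusted.

# Build an X.509 v3 certificate; self-signed when no issuer is given.
def make_cert(subject, key, serial:, ca:, issuer: nil, issuer_key: nil, san: nil)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2 # v3
  cert.serial = serial
  cert.subject = OpenSSL::X509::Name.parse(subject)
  cert.issuer = issuer ? issuer.subject : cert.subject
  cert.public_key = key.public_key
  cert.not_before = Time.now - 60
  cert.not_after = Time.now + 3600
  ef = OpenSSL::X509::ExtensionFactory.new
  ef.subject_certificate = cert
  ef.issuer_certificate = issuer || cert
  if ca
    cert.add_extension(ef.create_extension("basicConstraints", "CA:TRUE", true))
    cert.add_extension(ef.create_extension("keyUsage", "keyCertSign,cRLSign", true))
  else
    cert.add_extension(ef.create_extension("basicConstraints", "CA:FALSE", true))
    cert.add_extension(ef.create_extension("keyUsage", "digitalSignature,keyEncipherment", true))
    cert.add_extension(ef.create_extension("extendedKeyUsage", "serverAuth", false))
  end
  cert.add_extension(ef.create_extension("subjectAltName", san, false)) if san
  cert.sign(issuer_key || key, OpenSSL::Digest.new("SHA256"))
  cert
end

# Constructed test PKI: a CA, a broker cert it issues for `host` (name carried
# in the subjectAltName), and an unrelated CA that plays the role of "a CA the
# client does not have in its DB".
def build_test_pki(host)
  ca_key = OpenSSL::PKey::RSA.new(2048)
  ca = make_cert("/CN=Test Broker CA", ca_key, serial: 1, ca: true)
  broker_key = OpenSSL::PKey::RSA.new(2048)
  broker = make_cert("/CN=#{host}", broker_key, serial: 2, ca: false,
                     issuer: ca, issuer_key: ca_key, san: "DNS:#{host}")
  other_key = OpenSSL::PKey::RSA.new(2048)
  other_ca = make_cert("/CN=Unrelated CA", other_key, serial: 3, ca: true)
  { ca: ca, broker: broker, other_ca: other_ca }
end

# Evaluate a presented certificate against a trust store and the dialed host.
# Either check failing is what makes a client abort the handshake with an alert.
def check_broker_cert(cert, trusted_cas, host)
  store = OpenSSL::X509::Store.new
  trusted_cas.each { |c| store.add_cert(c) }
  chain_ok = store.verify(cert)
  {
    chain_ok: chain_ok,
    chain_error: chain_ok ? nil : store.error_string,
    name_ok: OpenSSL::SSL.verify_certificate_identity(cert, host),
  }
end

if __FILE__ == $PROGRAM_NAME
  pki = build_test_pki("myhost.mydomain")
  [["trusted CA, FQDN", [pki[:ca]], "myhost.mydomain"],
   ["CA not in DB, FQDN", [pki[:other_ca]], "myhost.mydomain"],
   ["trusted CA, short name", [pki[:ca]], "myhost"]].each do |label, cas, host|
    r = check_broker_cert(pki[:broker], cas, host)
    puts "#{label.ljust(24)} chain_ok=#{r[:chain_ok]} name_ok=#{r[:name_ok]} #{r[:chain_error]}"
  end
end
```

The name check uses the exact string the client dials, which is why a working DNS setup is not enough on its own: a certificate issued for myhost.mydomain is rejected when the connection string says myhost, even though both resolve to the same broker.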