Posted to users@qpid.apache.org by "Hamid.Shahid" <ha...@hotmail.com> on 2012/01/27 16:36:34 UTC

warning Connect failed

Hi, 


I am getting the following error when I try to connect via my client code.
After placing all the certificates in the "Third-Party Root Certification
Authorities"
 
2012-01-25 18:08:09 notice SSL negotiation failed to <server-ip>:10170: The
target principal name is incorrect.
 2012-01-25 18:08:09 warning Connect failed: The target principal name is
incorrect. 
(..\..\..\..\..\..\..\..\qpidc-0.12\src\qpid\client\windows\SslConnector.cpp:111)

Please let me know, what does it mean and how can it be rectified.
 
Thank you.

regards,
Hamid.

--
View this message in context: http://qpid.2158936.n2.nabble.com/warning-Connect-failed-tp7229984p7229984.html
Sent from the Apache Qpid users mailing list archive at Nabble.com.

---------------------------------------------------------------------
Apache Qpid - AMQP Messaging Implementation
Project:      http://qpid.apache.org
Use/Interact: mailto:users-subscribe@qpid.apache.org


Re: warning Connect failed

Posted by "Hamid.Shahid" <ha...@hotmail.com>.
Hi Gordon,

Yes, I have supplied the fully qualified name of the certificate. I also
tried to hard code the name in the
function "ClientSslAsynchIO::negotiateStep(BufferBase* buff)", but I am
getting the same error.

Which is generated from the following line of code in SslAsynchIO.cpp for
the client.

SECURITY_STATUS status = ::InitializeSecurityContext(&credHandle,
                                                     &ctxtHandle,
                                                     host,
                                                     ctxtRequested,
                                                     0,
                                                     0,
                                                     &tokenBuffDesc,
                                                     0,
                                                     NULL,
                                                     &sendBuffDesc,
                                                     &ctxtAttrs,
                                                     NULL);

regards,
Hamid.

--
View this message in context: http://qpid.2158936.n2.nabble.com/warning-Connect-failed-tp7229984p7237109.html
Sent from the Apache Qpid users mailing list archive at Nabble.com.



Re: warning Connect failed

Posted by Gordon Sim <gs...@redhat.com>.
On 01/27/2012 03:36 PM, Hamid.Shahid wrote:
> Hi,
>
>
> I am getting the following error when I try to connect via my client code.
> After placing all the certificates in the "Third-Party Root Certification
> Authorities"
>
> 2012-01-25 18:08:09 notice SSL negotiation failed to <server-ip>:10170: The
> target principal name is incorrect.
>   2012-01-25 18:08:09 warning Connect failed: The target principal name is
> incorrect.
> (..\..\..\..\..\..\..\..\qpidc-0.12\src\qpid\client\windows\SslConnector.cpp:111)
>
> Please let me know, what does it mean and how can it be rectified.

Are you using the correct hostname (likely fully qualified), as defined 
in the server's certificate?

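An added illustration, not part of the original thread and not Qpid or Schannel code: a portable C example of the kind of comparison a TLS client makes between the target name it was given (the `host` argument passed to InitializeSecurityContext earlier in this thread) and the DNS names in the server certificate. The matching rules are an assumption modelled on common RFC 6125-style practice, IP address entries in a certificate are not handled, and every name and address below is constructed.

```c
#include <ctype.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Case-insensitive comparison of two ASCII DNS names. */
static int eq_nocase(const char *a, const char *b) {
    for (; *a && *b; a++, b++)
        if (tolower((unsigned char)*a) != tolower((unsigned char)*b)) return 0;
    return *a == '\0' && *b == '\0';
}

/* True for an IPv4 dotted literal or anything containing ':' (IPv6). */
static int is_ip_literal(const char *s) {
    if (*s == '\0') return 0;
    if (strchr(s, ':')) return 1;
    for (; *s; s++)
        if (!isdigit((unsigned char)*s) && *s != '.') return 0;
    return 1;
}

/* Match one certificate DNS name against the target name.
   A leading "*." stands for exactly one non-empty left-most label. */
static int dns_name_matches(const char *cert_name, const char *target) {
    if (strncmp(cert_name, "*.", 2) == 0) {
        const char *dot = strchr(target, '.');
        return dot != NULL && dot != target && eq_nocase(cert_name + 1, dot);
    }
    return eq_nocase(cert_name, target);
}

/* Returns 1 if the target name is covered by one of the certificate's
   DNS names, 0 otherwise. An IP literal never equals a DNS name. */
int target_matches_cert(const char *target, const char *const *names, size_t n) {
    size_t i;
    if (is_ip_literal(target)) return 0;
    for (i = 0; i < n; i++)
        if (dns_name_matches(names[i], target)) return 1;
    return 0;
}

/* Constructed certificate names, not taken from the thread. */
static const char *const SAMPLE_NAMES[] = { "broker.example.com", "*.mq.example.com" };

int check_sample(const char *target) {
    return target_matches_cert(target, SAMPLE_NAMES,
                               sizeof SAMPLE_NAMES / sizeof SAMPLE_NAMES[0]);
}

int main(void) {
    const char *targets[] = { "192.0.2.10", "broker", "Broker.Example.com",
                              "node1.mq.example.com", "a.b.mq.example.com" };
    size_t i;
    for (i = 0; i < sizeof targets / sizeof targets[0]; i++)
        printf("%-22s -> %s\n", targets[i], check_sample(targets[i]) ? "match" : "mismatch");
    return 0;
}
```

Connecting by IP address or by an unqualified short name yields a mismatch even when the certificate chain itself is trusted, which is why the replies ask for the fully qualified name from the certificate.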


Re: warning Connect failed

Posted by "Hamid.Shahid" <ha...@hotmail.com>.
Hi Cliff,

Yes, actually I am also trying to create a separate C++ program to test this
connection problem using SChannel but that is also not working.

I am also thinking to contact Steve about this, but I think he is very busy
to reply.

Thank you for the suggestions.

- Hamid

--
View this message in context: http://qpid.2158936.n2.nabble.com/warning-Connect-failed-tp7229984p7247024.html
Sent from the Apache Qpid users mailing list archive at Nabble.com.



Re: warning Connect failed

Posted by Cliff Jansen <cl...@gmail.com>.
Hi Hamid,

If I were in your position, I would not try to debug two pieces of
complex code at the same time.

I would recommend first trying to get the Windows ssl/tls calls
working in a simple C program, completely separated from Qpid code.
When that is working with your server and client certificates, you can
concentrate on the integration with Qpid code.

If you are pressed for time, I note that Steve Huston offered to help
you on a consulting basis in a previous thread you started.  He has
done excellent work for the Qpid community and just happens to be the
author of the code you are wading through.

Cliff

On Wed, Feb 1, 2012 at 10:03 AM, Hamid.Shahid <ha...@hotmail.com> wrote:
> P.S. I have also tried it with the host name and get the following error;
>
> 2012-01-25 18:08:09 notice SSL negotiation failed to <host.name.com>:10170:
> The target principal name is incorrect.
>
> Best Regards,
> - Hamid


Re: warning Connect failed

Posted by "Hamid.Shahid" <ha...@hotmail.com>.
P.S. I have also tried it with the host name and get the following error;

2012-01-25 18:08:09 notice SSL negotiation failed to <host.name.com>:10170:
The target principal name is incorrect.

Best Regards,
- Hamid

--
View this message in context: http://qpid.2158936.n2.nabble.com/warning-Connect-failed-tp7229984p7243260.html
Sent from the Apache Qpid users mailing list archive at Nabble.com.



Re: warning Connect failed

Posted by "Hamid.Shahid" <ha...@hotmail.com>.
*Hi Jakub,*

Thank you for explaining the chrome related issue. Basically, my application
will run as a console application rather like a service but I will discuss
with the server/broker side regarding the CA and Trusted Peer thing you
mentioned. 

*Hi Cliff, *

Unfortunately, the server (broker) side is not developed by us and I guess
it is not even developed in windows. I also know that the client certificate
support is not implemented in Windows implementation of the Qpid client.
Therefore, I am trying to modify the API code to add this client certificate
support. I am doing this by looking at the server/broker implementation. 

Until now, I have modified the ctor of the "SslConnector" class to open
certificate store "CertOpenStore" and to find the certificate
"CertFindCertificateInStore" before it tries to
"AcquireCredentialsHandle" in "SSLConnector.cpp". It can open the store
successfully and finds the certificate as well and even goes to
"ClientSslAsynchIO::startNegotiate()" but when it comes to
"ClientSslAsynchIO::negotiateStep(BufferBase* buff)" it fails while trying
to "InitializeSecurityContext" and goes to "negotiationFailed" and gives
the following error;

2012-01-25 18:08:09 notice SSL negotiation failed to <server-ip>:10170: The
target principal name is incorrect.

Please let me know, if I have missed anything to modify or if this is not
the right way to add the certificate support for the client side.

Many thanks.

-Hamid.
 

--
View this message in context: http://qpid.2158936.n2.nabble.com/warning-Connect-failed-tp7229984p7242637.html
Sent from the Apache Qpid users mailing list archive at Nabble.com.



Re: warning Connect failed

Posted by Cliff Jansen <cl...@gmail.com>.
Hi Hamid,

I am confused.  It was explained to you in November that client side
certificates were not yet implemented in the Windows implementation.
Yet here it looks like your server will not negotiate the ssl
connection without a client certificate.  Am I misunderstanding what
you are trying to do?

Cliff

>> I have a public key of the certificate (signed by verisign) provided by the
>> server side and I also have a self-signed certificate (including
>> public/private key). I have imported all these things in the windows
>> "Third-Party Root Certification Authority" and I have provided the public
>> key of self-signed certificate to the server side.



Re: warning Connect failed

Posted by Jakub Scholz <ja...@scholz.cz>.
Hi Hamid,

The error you get in Chrome is caused by your certificate being loaded
only as a trusted peer on the broker. This is an issue we had with
Java applications - when you use signed certificates, the broker gives
you a list of supported certification authorities and the application
selects a suitable private key to be used. But since your self-signed
key is loaded in the broker only as trusted peer, chrome doesn't find
out which certificate to use and that causes the error you got. If the
certificate on the broker would be loaded as trusted CA instead of
trusted peer, Chrome would ask you whether it should use the private
key from the certificate database and eventually download a file with
the AMQP "handshake". Unfortunately for you, the use of the trusted
peer certificates is necessary for the use of self-signed
certificates, so your broker provider cannot change this just like
that.

In Qpid Java API, you can instruct the application to use a specific
certificate (ssl_cert_alias). You specify the certificate also in the
C++ API on Linux using an environment variable. I'm not sure how you
can do something like that in Chrome or Windows in general.

PS: I have no idea whether this problem is in any way related to the
original problem you had ... I just explained the Chrome error ...

Regards
Jakub

> *@ Cliff :*
> """"""""""
> I tried using Internet Explorer on my windows machine with the address
> format you mentioned, both with the hostname and ip address. But in both
> cases I am getting "Internet Explorer cannot display the webpage". However,
> when I tried in google-chrome I got the following error;
>
> SSL connection error
> Unable to make a secure connection to the server. This may be a problem with
> the server, or it may be requiring a client authentication certificate that
> you don't have.
> Error 107 (net::ERR_SSL_PROTOCOL_ERROR): SSL protocol error.



Re: warning Connect failed

Posted by "Hamid.Shahid" <ha...@hotmail.com>.
Hi,

Thank you for the valuable suggestions;

*@ Jakub :*
"""""""""""""
I have a public key of the certificate (signed by verisign) provided by the
server side and I also have a self-signed certificate (including
public/private key). I have imported all these things in the windows
"Third-Party Root Certification Authority" and I have provided the public
key of self-signed certificate to the server side. 

Also, I have modified the host file to map the hostname with the IP address
of the server, and when I do "telnet", it works with both hostname and ip of
the server.

*@ Cliff :*
""""""""""
I tried using Internet Explorer on my windows machine with the address
format you mentioned, both with the hostname and ip address. But in both
cases I am getting "Internet Explorer cannot display the webpage". However,
when I tried in google-chrome I got the following error;

SSL connection error
Unable to make a secure connection to the server. This may be a problem with
the server, or it may be requiring a client authentication certificate that
you don't have.
Error 107 (net::ERR_SSL_PROTOCOL_ERROR): SSL protocol error.

@Everyone :
""""""""""""""

I have also tried to create a test program using OpenSSL which simply loads
the self-signed certificate with its key (both in .pem format) and connects
to the same server and I was able to establish the connection with the
server which shows the certificates are fine with SSL. But when it comes to
the QPID and SChannel then I am getting these errors.

-Hamid.

--
View this message in context: http://qpid.2158936.n2.nabble.com/warning-Connect-failed-tp7229984p7240335.html
Sent from the Apache Qpid users mailing list archive at Nabble.com.



Re: warning Connect failed

Posted by Cliff Jansen <cl...@gmail.com>.
Hi Hamid,

What happens if you try to connect using Internet Explorer on your
Windows machine?  Using the following in the address bar:

  https://amqserver.rest.com:10170

where "amqpserver.rest.com" is the name of the server as it appears in
the certificate.

Usually if I have a certificate related problem, I try to make IE
happy first.  Even though you don't get an interesting web page
(obviously), if you get anything at all, without an intervening error
message about the certificate, you are past initial hurdles.  You need
this to work first.


However, I note several things.  If I have a certificate problem my
error message resembles:

  2012-01-30 18:47:36 notice SSL negotiation failed to
test1.foo.bar:6789: The certificate chain was issued by an authority
that is not trusted.

In particular "test1.foo.bar" is not an ip address as in your case.
The fact that you see an ip address is suspicious (hence Gordon's
initial query).

Also a web search of your particular error message "The target
principal name is incorrect" seems associated with kerberos
authentication or other complex domain setups that are probably beyond
anything Qpid developers have tried yet.  Are you able to bypass DNS
altogether and put the server's name in your host file?

If none of the above helps you out, are you able to post the server's
certificate?

Cliff


On Mon, Jan 30, 2012 at 10:28 AM, Jakub Scholz <ja...@scholz.cz> wrote:
> Hi Hamid,
>
> Are you actually using a "Third-Party Root Certification Authority"
> certificate - e.g. Verisign? Or do you have only a public key of a
> signed or self-signed certificate? Couldn't that be the problem?
>
> I also agree with Gordon that you should not use the IP address to
> connect to, but the hostname as mentioned in the certificate used by
> the broker. You may need to change your hosts file to get the hostname
> routed to the IP address ...
>
> Regards
> Jakub
>
> On Fri, Jan 27, 2012 at 16:36, Hamid.Shahid <ha...@hotmail.com> wrote:
>> Hi,
>>
>>
>> I am getting the following error when I try to connect via my client code.
>> After placing all the certificates in the "Third-Party Root Certification
>> Authorities"
>>
>> 2012-01-25 18:08:09 notice SSL negotiation failed to <server-ip>:10170: The
>> target principal name is incorrect.
>>  2012-01-25 18:08:09 warning Connect failed: The target principal name is
>> incorrect.
>> (..\..\..\..\..\..\..\..\qpidc-0.12\src\qpid\client\windows\SslConnector.cpp:111)
>>
>> Please let me know, what does it mean and how can it be rectified.
>>
>> Thank you.
>>
>> regards,
>> Hamid.


Re: warning Connect failed

Posted by Jakub Scholz <ja...@scholz.cz>.
Hi Hamid,

Are you actually using a "Third-Party Root Certification Authority"
certificate - e.g. Verisign? Or do you have only a public key of a
signed or self-signed certificate? Couldn't that be the problem?

I also agree with Gordon that you should not use the IP address to
connect to, but the hostname as mentioned in the certificate used by
the broker. You may need to change your hosts file to get the hostname
routed to the IP address ...

Regards
Jakub

On Fri, Jan 27, 2012 at 16:36, Hamid.Shahid <ha...@hotmail.com> wrote:
> Hi,
>
>
> I am getting the following error when I try to connect via my client code.
> After placing all the certificates in the "Third-Party Root Certification
> Authorities"
>
> 2012-01-25 18:08:09 notice SSL negotiation failed to <server-ip>:10170: The
> target principal name is incorrect.
>  2012-01-25 18:08:09 warning Connect failed: The target principal name is
> incorrect.
> (..\..\..\..\..\..\..\..\qpidc-0.12\src\qpid\client\windows\SslConnector.cpp:111)
>
> Please let me know, what does it mean and how can it be rectified.
>
> Thank you.
>
> regards,
> Hamid.