Posted to users@qpid.apache.org by Chris Richardson <cr...@fourc.eu> on 2014/08/27 11:29:20 UTC

C++ client connection fails with SSL and AMQP1.0

Hi,

It seems that the combination of SSL and AMQP 1.0 does not work in 0.30
beta (connection fails). The issue looks exactly the same as
https://issues.apache.org/jira/browse/QPID-5648, which was reported fixed
in trunk and 0.28.

I'm running a 0.30 beta broker with ssl enabled. Without any QPID_SSL
settings present in my environment, I can successfully send a message like
this:

QPID_SSL_CERT_DB=/var/lib/qpidd/ssl/client-db spout -b localhost:5671 \
  --content "hello" --connection-options "{transport:ssl}" amq.topic

Notes - /var/lib/qpidd/ssl/client-db holds an NSS database with the CA cert
for the broker. This example uses the default AMQP 0.10.

When I add the extra protocol option to use AMQP 1.0:

QPID_SSL_CERT_DB=/var/lib/qpidd/ssl/client-db spout -b localhost:5671 \
  --content "hello" --connection-options "{protocol:amqp1.0, transport:ssl}" \
  amq.topic

I get the error "Connect failed to amqp:ssl:localhost:5671: Reconnect
disabled". If I run this in a debugger I can get some more info on the
error (reported in the callback at
qpid::messaging::amqp::SslTransport::failed()) which is "NSS error
[-12268]". According to the NSS documentation this is
"SSL_ERROR_SSL_DISABLED".

I've done some experimentation and if I call NSS_InitContext() referencing
my NSS db before opening the AMQP connection, the SSL handshake (with
AMQP1.0) is successful.

My first guess would be that there is some difference in the way
qpid::messaging::amqp::ConnectionHandle (used for AMQP1.0 connections)
and qpid::client::amqp0_10::ConnectionImpl (used for AMQP0.10 connections)
initialise the NSS subsystem. Hopefully that and not an error on my part...


Could you please look into this further?

Many thanks

-- 

*Chris Richardson*, System Architect
cr@fourc.eu


*FourC AS, Vestre Rosten 81, Trekanten, NO-7075 Tiller, Norway
www.fourc.eu <http://www.fourc.eu/>*

Re: C++ client connection fails with SSL and AMQP1.0

Posted by Gordon Sim <gs...@redhat.com>.
On 08/27/2014 02:49 PM, Gordon Sim wrote:
> On 08/27/2014 10:29 AM, Chris Richardson wrote:
>> It seems that the combination of SSL and AMQP 1.0 does not work in 0.30
>> beta (connection fails).
>
> Sorry, that is my fault. The fix for
> https://issues.apache.org/jira/browse/QPID-5788 broke the ssl support
> for 1.0. As you surmised the NSS initialisation is not being run for 1.0
> connections.
>
> I've raised https://issues.apache.org/jira/browse/QPID-6049 to track it
> and will get a fix in asap.
>
> Thanks very much for testing the beta and reporting this!

FYI: this is now fixed on trunk and on the 0.30 branch so should be 
included in the next beta/rc for 0.30. I've also added a test case to 
ensure that combination is tested as part of the normal automated 
checks. Thanks again!


---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@qpid.apache.org
For additional commands, e-mail: users-help@qpid.apache.org


Re: C++ client connection fails with SSL and AMQP1.0

Posted by Gordon Sim <gs...@redhat.com>.
On 08/27/2014 10:29 AM, Chris Richardson wrote:
> It seems that the combination of SSL and AMQP 1.0 does not work in 0.30
> beta (connection fails).

Sorry, that is my fault. The fix for 
https://issues.apache.org/jira/browse/QPID-5788 broke the ssl support 
for 1.0. As you surmised the NSS initialisation is not being run for 1.0 
connections.

I've raised https://issues.apache.org/jira/browse/QPID-6049 to track it 
and will get a fix in asap.

Thanks very much for testing the beta and reporting this!