Posted to users@activemq.apache.org by adongare <ad...@plsemail.com> on 2019/11/04 20:44:18 UTC

Getting error "the client and server cannot communicate, because they do not possess a common algorithm" on .Net Framework 4.0 with TLS 1.2 settings and using Apache.NMS 1.7.1 and Apache.NMS.ActiveMQ 1.7.2 Nuget packages

Hi team,

Getting error "the client and server cannot communicate, because they do not
possess a common algorithm" on .Net Framework 4.0 with TLS 1.2 settings and
using Apache.NMS 1.7.1 and Apache.NMS.ActiveMQ 1.7.2 Nuget packages.

I am trying to connect ActiveMQ server after migrating my code to TLS 1.2
and getting below error while creating the session. Below line is erroring
out.

this.Session = this.Connection.CreateSession(acknowledgementMode);

Below is my c# code:

protected virtual void CreateSession(AcknowledgementMode acknowledgementMode)
{
    // 3072 is the numeric value of SecurityProtocolType.Tls12, which the .NET 4.0 enum does not name.
    ServicePointManager.SecurityProtocol = (SecurityProtocolType)3072 | SecurityProtocolType.Tls;

    var connectionFactory = new NMSConnectionFactory(this.BrokerUri);

    this.Connection = connectionFactory.CreateConnection();
    this.Session = this.Connection.CreateSession(acknowledgementMode);
    this.Destination = this.Session.GetDestination(this.DestinationName, this.DestinationType);
}

Below is Error stack trace:

System.Security.Authentication.AuthenticationException: A call to SSPI failed, see inner exception. ---> System.ComponentModel.Win32Exception: The client and server cannot communicate, because they do not possess a common algorithm
   --- End of inner exception stack trace ---
   at System.Net.Security.SslState.StartSendAuthResetSignal(ProtocolToken message, AsyncProtocolRequest asyncRequest, Exception exception)
   at System.Net.Security.SslState.CheckCompletionBeforeNextReceive(ProtocolToken message, AsyncProtocolRequest asyncRequest)
   at System.Net.Security.SslState.StartSendBlob(Byte[] incoming, Int32 count, AsyncProtocolRequest asyncRequest)
   at System.Net.Security.SslState.ForceAuthentication(Boolean receiveFirst, Byte[] buffer, AsyncProtocolRequest asyncRequest)
   at System.Net.Security.SslState.ProcessAuthentication(LazyAsyncResult lazyResult)
   at System.Net.Security.SslStream.AuthenticateAsClient(String targetHost, X509CertificateCollection clientCertificates, SslProtocols enabledSslProtocols, Boolean checkCertificateRevocation)
   at Apache.NMS.ActiveMQ.Transport.Tcp.SslTransport.CreateSocketStream()

The attached image shows the TLS 1.2 settings on my development machine:

<http://activemq.2283324.n4.nabble.com/file/t379703/TLS-settings.png>
I tried many solutions by searching online but nothing worked. Could you
please help me?



--
Sent from: http://activemq.2283324.n4.nabble.com/ActiveMQ-User-f2341805.html

Re: Getting error "the client and server cannot communicate, because they do not possess a common algorithm" on .Net Framework 4.0 with TLS 1.2 settings and using Apache.NMS 1.7.1 and Apache.NMS.ActiveMQ 1.7.2 Nuget packages

Posted by Tim Bain <tb...@alumni.duke.edu>.
I'm glad you found the right set of settings, and thank you for sharing
them back here. When time permits, I will update the documentation at the
links I provided to capture this information.

For future readers, only the transport.SslProtocol portion is necessary to
enable TLS 1.2. The transport.acceptInvalidBrokerCert=true option is to
disable certificate validation in the case where the cert is self-signed,
is expired, doesn't have subjectAlternateNames configured correctly, etc.
This option is not recommended for production environments since it
introduces a security vulnerability, and per Tim Bish's answer at
https://stackoverflow.com/questions/10504676/activemq-over-ssl-acceptinvalidbrokercert-true-not-working
it is only applicable to NMS clients.

Tim

On Wed, Nov 20, 2019, 4:02 PM adongare <ad...@plsemail.com> wrote:

> The documentation you shared did not solve my issue, however, I have
> resolved
> this issue. Below is the resolution for me for the people who will be
> facing
> this problem in the future.
>
> We need to add some query string parameters in broker URL to enable TLS 1.2
> and SHA cipher support for .Net Framework 4 applications:
>
> Change Broker URI to
>
>
> activemq:ssl://servername:port?transport.acceptInvalidBrokerCert=true&transport.SslProtocol=Tls12
>
> and it should work
>
>
>
> --
> Sent from:
> http://activemq.2283324.n4.nabble.com/ActiveMQ-User-f2341805.html
>
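
The point in the reply above, as an added example that is not code from the thread or from Apache.NMS: a small pre-flight audit that a client can run over its broker URI before handing it to NMSConnectionFactory, so that transport.acceptInvalidBrokerCert=true does not slip into a production configuration while transport.SslProtocol=Tls12 does. The option names are the ones quoted in the thread; the class and method names, the findings text, and the host "servername" with placeholder port 61617 are assumptions of this example.

```csharp
using System;
using System.Collections.Generic;
// Added example (not from the thread or Apache.NMS): pre-flight audit of the broker URI before
// it reaches NMSConnectionFactory. Option names are from the thread; everything else is ours.
static class BrokerUriPolicy
{
    // Split the query part of an activemq:ssl:// URI into transport options such as
    // "transport.SslProtocol=Tls12"; this audit compares names case-insensitively.
    public static Dictionary<string, string> ParseOptions(string brokerUri)
    {
        var options = new Dictionary<string, string>(StringComparer.OrdinalIgnoreCase);
        int q = brokerUri.IndexOf('?');
        if (q < 0) return options;
        foreach (var pair in brokerUri.Substring(q + 1).Split(new[] { '&' }, StringSplitOptions.RemoveEmptyEntries))
        {
            int eq = pair.IndexOf('=');
            string key = eq < 0 ? pair : pair.Substring(0, eq);
            string value = eq < 0 ? "" : pair.Substring(eq + 1);
            options[Uri.UnescapeDataString(key)] = Uri.UnescapeDataString(value);
        }
        return options;
    }
    // The thread's working URI minus acceptInvalidBrokerCert: only SslProtocol is needed
    // to force TLS 1.2, so it is the only option a production URI should carry.
    public static string BuildProductionUri(string host, int port) =>
        "activemq:ssl://" + host + ":" + port + "?transport.SslProtocol=Tls12";
    // Returns the policy violations found; an empty list means the URI is acceptable.
    public static List<string> Audit(string brokerUri)
    {
        var findings = new List<string>();
        var options = ParseOptions(brokerUri);
        string v;
        if (options.TryGetValue("transport.acceptInvalidBrokerCert", out v) && v.Equals("true", StringComparison.OrdinalIgnoreCase))
            findings.Add("transport.acceptInvalidBrokerCert=true disables broker certificate validation");
        if (!options.TryGetValue("transport.SslProtocol", out v) || !v.Equals("Tls12", StringComparison.OrdinalIgnoreCase))
            findings.Add("transport.SslProtocol is not pinned to Tls12; the runtime default decides the protocol");
        return findings;
    }
    static void Main()
    {
        // Constructed sample: the thread's URI with "servername" and placeholder port 61617.
        string fromThread = "activemq:ssl://servername:61617?transport.acceptInvalidBrokerCert=true&transport.SslProtocol=Tls12";
        foreach (var uri in new[] { fromThread, BuildProductionUri("servername", 61617) })
        {
            var findings = Audit(uri);
            Console.WriteLine(uri + "\n  " + (findings.Count == 0 ? "OK" : string.Join("\n  ", findings)));
        }
    }
}
```

The ServicePointManager.SecurityProtocol assignment in the original post governs HttpWebRequest-style connections, not the SslStream that the NMS SslTransport opens itself (visible in the stack trace as AuthenticateAsClient with an explicit SslProtocols argument), which is why the transport option on the URI was what finally took effect.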

Re: Getting error "the client and server cannot communicate, because they do not possess a common algorithm" on .Net Framework 4.0 with TLS 1.2 settings and using Apache.NMS 1.7.1 and Apache.NMS.ActiveMQ 1.7.2 Nuget packages

Posted by adongare <ad...@plsemail.com>.
The documentation you shared did not solve my issue, however, I have resolved
this issue. Below is the resolution for me for the people who will be facing
this problem in the future.

We need to add some query string parameters in broker URL to enable TLS 1.2
and SHA cipher support for .Net Framework 4 applications:

Change Broker URI to

activemq:ssl://servername:port?transport.acceptInvalidBrokerCert=true&transport.SslProtocol=Tls12

and it should work




Re: Getting error "the client and server cannot communicate, because they do not possess a common algorithm" on .Net Framework 4.0 with TLS 1.2 settings and using Apache.NMS 1.7.1 and Apache.NMS.ActiveMQ 1.7.2 Nuget packages

Posted by Tim Bain <tb...@alumni.duke.edu>.
Near the bottom of the second link there's information about how to turn on
SSL debug on the broker, which the page says will let you "see what goes
wrong and why you get connections closed." If you didn't already try that,
I'd start there.

But ultimately the question is which SSL ciphers your version of the JVM
supports, which ciphers the .NET 4.0 runtime supports, and making sure that
there's overlap between the two. If you're running an old version of either
one and that old version only supports ciphers that are disabled in the
other runtime, an upgrade may be in order.

Tim

On Tue, Nov 5, 2019, 12:57 PM adongare <ad...@plsemail.com> wrote:

> I have gone through these links but it doesn't tell me anything related to
> TLS 1.2 settings in my C# code or Active MQ server.
> This issue is happening while creating the session.
>
> If I am keeping SHA cipher in the request then it's working fine but
> without
> SHA it is showing the same error.
>
> Would you like to share a piece of code or any property for example which I
> can try for troubleshooting?
> Do I need to use a different connection factory?
>
> Thank you in advance!
>
>
>
>
> --
> Sent from:
> http://activemq.2283324.n4.nabble.com/ActiveMQ-User-f2341805.html
>

Re: Getting error "the client and server cannot communicate, because they do not possess a common algorithm" on .Net Framework 4.0 with TLS 1.2 settings and using Apache.NMS 1.7.1 and Apache.NMS.ActiveMQ 1.7.2 Nuget packages

Posted by adongare <ad...@plsemail.com>.
I have gone through these links but it doesn't tell me anything related to
TLS 1.2 settings in my C# code or the ActiveMQ server.
This issue is happening while creating the session.

If I am keeping the SHA cipher in the request then it's working fine, but without
SHA it is showing the same error.

Would you like to share a piece of code or any property for example which I
can try for troubleshooting?
Do I need to use a different connection factory?

Thank you in advance!





Re: Getting error "the client and server cannot communicate, because they do not possess a common algorithm" on .Net Framework 4.0 with TLS 1.2 settings and using Apache.NMS 1.7.1 and Apache.NMS.ActiveMQ 1.7.2 Nuget packages

Posted by Tim Bain <tb...@alumni.duke.edu>.
What matters is the TLS configuration of the ActiveMQ broker. IIS is
irrelevant.

https://activemq.apache.org/how-do-i-use-ssl has some details on how to
configure both the broker and the client.
https://activemq.apache.org/ssl-transport-reference also has information
about some troubleshooting techniques you can use, though they're focused
on Java clients so the client-side tips may not be as relevant to you
(though you can look for a .NET equivalent for each setting).

Tim

On Mon, Nov 4, 2019, 2:35 PM adongare <ad...@plsemail.com> wrote:

> Hi team,
>
> Getting error "the client and server cannot communicate, because they do
> not
> possess a common algorithm" on .Net Framework 4.0 with TLS 1.2 settings and
> using Apache.NMS 1.7.1 and Apache.NMS.ActiveMQ 1.7.2 Nuget packages.
>
> I am trying to connect ActiveMQ server after migrating my code to TLS 1.2
> and getting below error while creating the session. Below line is erroring
> out.
>
> this.Session = this.Connection.CreateSession(acknowledgementMode);
>
> Below is my c# code:
>
> protected virtual void CreateSession(AcknowledgementMode
> acknowledgementMode)
>                 {
>             ServicePointManager.SecurityProtocol =
> (SecurityProtocolType)3072 | SecurityProtocolType.Tls;
>
>                         var connectionFactory = new
> NMSConnectionFactory(this.BrokerUri);
>
>                         this.Connection =
> connectionFactory.CreateConnection();
>                         this.Session =
> this.Connection.CreateSession(acknowledgementMode);
>                         this.Destination =
> this.Session.GetDestination(this.DestinationName,
> this.DestinationType);
>                 }
>
> Below is Error stack trace:
>
> System.Security.Authentication.AuthenticationException: A call to SSPI
> failed, see inner exception. ---> System.ComponentModel.Win32Exception: The
> client and server cannot communicate, because they do not possess a common
> algorithm
>    --- End of inner exception stack trace ---
>    at System.Net.Security.SslState.StartSendAuthResetSignal(ProtocolToken
> message, AsyncProtocolRequest asyncRequest, Exception exception)
>    at
> System.Net.Security.SslState.CheckCompletionBeforeNextReceive(ProtocolToken
> message, AsyncProtocolRequest asyncRequest)
>    at System.Net.Security.SslState.StartSendBlob(Byte[] incoming, Int32
> count, AsyncProtocolRequest asyncRequest)
>    at System.Net.Security.SslState.ForceAuthentication(Boolean
> receiveFirst,
> Byte[] buffer, AsyncProtocolRequest asyncRequest)
>    at System.Net.Security.SslState.ProcessAuthentication(LazyAsyncResult
> lazyResult)
>    at System.Net.Security.SslStream.AuthenticateAsClient(String targetHost,
> X509CertificateCollection clientCertificates, SslProtocols
> enabledSslProtocols, Boolean checkCertificateRevocation)
>    at Apache.NMS.ActiveMQ.Transport.Tcp.SslTransport.CreateSocketStream()
>
> The attached image shows the TLS 1.2 settings on my development machine:
>
> <http://activemq.2283324.n4.nabble.com/file/t379703/TLS-settings.png>
> I tried many solutions by searching online but nothing worked. Could you
> please help me?
>
>
>
> --
> Sent from:
> http://activemq.2283324.n4.nabble.com/ActiveMQ-User-f2341805.html
>