I recently configured our qpid C++ brokers to use SSL encryption via a
self-signed certificate for all connections. We have it working with both
C++ and Java clients without any problems, but all of the qpid-tools
applications fail. Here's how everything is configured:
/etc/qpid/qpidd.conf:
require-encryption=yes
ssl-cert-db=/etc/pki/TGS
ssl-cert-password-file=/etc/pki/TGS/password
ssl-cert-name=infra
ssl-port=5672
ssl-require-client-authentication=yes
/etc/pki/TGS contains cert8.db and key3.db holding the certs and keys, as
well as the Java truststore and keystore.
certutil -L -d . in /etc/pki/TEST returns:
Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

TGS_RootCA                                                   CT,,
infra                                                        u,u,u
client                                                       u,u,u
That is correct for the CA certificate and the server/client certificates
that I generated.
For the C++ clients some environment variables are set to point to the
certificates:
QPID_SSL_CERT_DB=/etc/pki/TGS/
QPID_SSL_CERT_NAME=client
QPID_SSL_CERT_PASSWORD_FILE=/etc/pki/TGS/password
openssl s_client -connect localhost:5672 finds the certificate correctly
and complains about it being a self-signed cert, which I'm pretty sure is
normal because it is one after all.
CONNECTED(00000003)
depth=1 CN = TGS_RootCA
verify error:num=19:self signed certificate in certificate chain
verify return:0
139681568163656:error:14094412:SSL routines:SSL3_READ_BYTES:sslv3 alert bad certificate:s3_pkt.c:1257:SSL alert number 42
ssl handshake failure:s23_lib.c:177:
---
Certificate chain
 0 s:/CN=infra
   i:/CN=TGS_RootCA
 1 s:/CN=TGS_RootCA
   i:/CN=TGS_RootCA
qpid-stat -q -b amqps://localhost:5672 returns this:
Failed: ConnectError - [Errno 1] _ssl.c:492: error:14094412:SSL routines:SSL3_READ_BYTES:sslv3 alert bad certificate
which matches the error that openssl threw too. I also tried extracting
the cert and the private key and passing those as arguments to qpid-stat,
but it gave me the same errors. Is this an issue with python not accepting
the certificate because it's self-signed? Does everything look like I have
it set up right?
Tim
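The post mixes two different failures that are worth pulling apart: the "verify error:num=19" line is the client side (openssl s_client) declining to trust a private, self-signed CA, while "alert bad certificate" (alert 42) is the server side rejecting or not receiving a client certificate, which is exactly what ssl-require-client-authentication=yes asks the broker to do. The script below is an added example, not code from the post or from the Qpid project. It builds a throwaway CA and an infra/client pair with the openssl command-line tool, runs openssl s_server as a stand-in for the broker with client authentication required, and shows the three outcomes side by side. The CA and certificate names mirror the post but are constructed here, the port is arbitrary, and the exact alert text the server sends for a missing client certificate varies with the TLS version in use (the NSS-based broker in the post sends alert 42; OpenSSL sends "handshake failure" or "certificate required"), so the check only looks for an alert, not a specific number.

```shell
#!/bin/sh
# Added example (not from the original post or the Qpid project): reproduce the
# two distinct TLS failures quoted above with a throwaway CA.
#   1. "verify error:num=19" = the *client* not trusting the self-signed CA;
#      the handshake still completes and application data flows.
#   2. an "alert ..." from the server with no response = the *server* rejecting
#      a client that presented no (acceptable) certificate, which is what
#      ssl-require-client-authentication=yes makes the broker do.
# Assumes the openssl CLI. TGS_RootCA/infra/client are constructed names that
# mirror the post; the port is arbitrary (override with DEMO_PORT).
set -eu

WORK="$(mktemp -d)"
PORT="${DEMO_PORT:-14433}"
SERVER_PID=""
trap 'kill "$SERVER_PID" 2>/dev/null || true; rm -rf "$WORK"' EXIT

# Private CA plus a server cert (infra) and a client cert (client) it signs.
make_pki() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 2 -subj "/CN=TGS_RootCA" \
        -keyout "$WORK/ca.key" -out "$WORK/ca.crt" >/dev/null 2>&1
    for name in infra client; do
        openssl req -newkey rsa:2048 -nodes -subj "/CN=$name" \
            -keyout "$WORK/$name.key" -out "$WORK/$name.csr" >/dev/null 2>&1
        openssl x509 -req -days 2 -in "$WORK/$name.csr" -CA "$WORK/ca.crt" \
            -CAkey "$WORK/ca.key" -CAcreateserial -out "$WORK/$name.crt" \
            >/dev/null 2>&1
    done
}

# Broker stand-in: sends infra plus the CA in its chain (as in the post's
# "Certificate chain" output) and *requires* a client certificate (-Verify).
start_server() {
    openssl s_server -accept "127.0.0.1:$PORT" \
        -cert "$WORK/infra.crt" -key "$WORK/infra.key" \
        -cert_chain "$WORK/ca.crt" -CAfile "$WORK/ca.crt" -Verify 1 -www \
        >/dev/null 2>&1 &
    SERVER_PID=$!
    # Wait until a fully trusted, authenticated handshake succeeds (exit 0).
    i=0
    while [ "$i" -lt 50 ]; do
        if printf '' | openssl s_client -connect "127.0.0.1:$PORT" \
               -CAfile "$WORK/ca.crt" -cert "$WORK/client.crt" \
               -key "$WORK/client.key" >/dev/null 2>&1; then
            return 0
        fi
        i=$((i + 1)); sleep 0.2
    done
    echo "server did not come up on port $PORT" >&2; return 1
}

# One s_client attempt with extra options; returns its combined output so the
# caller can look for the markers it cares about. A GET is sent so the -www
# server answers "HTTP/1.0 200" only when the handshake fully succeeded.
probe() {
    printf 'GET / HTTP/1.0\r\n\r\n' | \
        openssl s_client -connect "127.0.0.1:$PORT" -ign_eof "$@" 2>&1 || true
}

# yes/no substring check used to reduce each transcript to a verdict.
has() { case "$1" in *"$2"*) echo yes ;; *) echo no ;; esac; }

make_pki
start_server

# Case A: client cert presented, but the CA is not trusted by the client.
OUT_NO_CA="$(probe -cert "$WORK/client.crt" -key "$WORK/client.key")"
# Case B: CA trusted and client cert presented: the healthy configuration.
OUT_OK="$(probe -CAfile "$WORK/ca.crt" -cert "$WORK/client.crt" -key "$WORK/client.key")"
# Case C: CA trusted but no client cert, like the bare s_client call in the post.
OUT_NO_CERT="$(probe -CAfile "$WORK/ca.crt")"

NO_CA_VERIFY19="$(has "$OUT_NO_CA" 'verify error:num=19')"
NO_CA_GOT_RESPONSE="$(has "$OUT_NO_CA" 'HTTP/1.0 200')"
OK_VERIFY19="$(has "$OUT_OK" 'verify error:num=19')"
OK_GOT_RESPONSE="$(has "$OUT_OK" 'HTTP/1.0 200')"
NO_CERT_GOT_RESPONSE="$(has "$OUT_NO_CERT" 'HTTP/1.0 200')"
NO_CERT_ALERT="$(has "$OUT_NO_CERT" 'alert')"

printf 'A untrusted CA, client cert: verify19=%s response=%s\n' "$NO_CA_VERIFY19" "$NO_CA_GOT_RESPONSE"
printf 'B trusted CA,   client cert: verify19=%s response=%s\n' "$OK_VERIFY19" "$OK_GOT_RESPONSE"
printf 'C trusted CA,   no cert:     alert=%s    response=%s\n' "$NO_CERT_ALERT" "$NO_CERT_GOT_RESPONSE"
```

Case A reproduces the post's verify error 19 yet still gets a response, so that line alone does not explain a failed connection; case C is the shape of the failure in the post, where the server ends the handshake with an alert because no client certificate arrived. For the Python tools that means the question to answer is whether qpid-stat is presenting a client certificate and key that chain to the CA the broker trusts, not whether Python accepts the broker's self-signed CA.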