Re: Does Messenger API supports SSL?

2013-06-11 Thread atarutin
No. I've got an error: SASL header mismatch. Maybe I have to configure
messenger for SSL?



--
View this message in context: 
http://qpid.2158936.n2.nabble.com/Does-Messenger-API-supports-SSL-tp7593987p7593989.html
Sent from the Apache Qpid Proton mailing list archive at Nabble.com.


Re: Does Messenger API supports SSL?

2013-06-11 Thread Darryl L. Pierce
On Tue, Jun 11, 2013 at 01:16:17AM -0700, atarutin wrote:
> No. I've got an error: SASL header mismatch. Maybe I have to configure
> messenger for SSL?

Are both ends Proton, and are both ends using SSL?

-- 
Darryl L. Pierce, Sr. Software Engineer @ Red Hat, Inc.


Re: Does Messenger API supports SSL?

2013-06-11 Thread atarutin
I've just found the problem. Earlier, I compiled Proton without SSL support.
It was my mistake, sorry.

But now I've recompiled the Proton DLL and I've got another error:

http://qpid.2158936.n2.nabble.com/file/n7594003/ssl_error.png 

As for the server, I use ActiveMQ. While trying to connect to it I see the
warning in the server log:
WARN | Transport Connection to: tcp://127.0.0.1:1632 failed:
javax.net.ssl.SSLHandshakeException: no cipher suites in common.

Any ideas?





Re: Does Messenger API supports SSL?

2013-06-11 Thread Ken Giusti
Hi,


Although I've never seen this error before, I suspect that the server requires 
some stronger level of encryption than the client is providing.  This may 
depend on several factors, including what ciphers your server and your OpenSSL 
library support (client).


You may want to try the openssl test client and see if you can connect to your 
server using that:

  openssl s_client -connect host:port

that should dump some info regarding what the server is requesting.




-- 
-K


Re: Does Messenger API supports SSL?

2013-06-11 Thread Ken Giusti
It doesn't appear that an SSL handshake is being done.  Can you add a '-debug' 
to get a raw trace of the protocol?  Is the server responding at all?

For example, when I run openssl s_client against my server, I see the 
certificate exchange.  I would expect the same for your server - you should see 
something like this:

$ openssl s_client -connect 127.0.0.1:5671 
CONNECTED(0003)
depth=0 CN = A1.Good.Server.domain.com, O = Server
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 CN = A1.Good.Server.domain.com, O = Server
verify error:num=27:certificate not trusted
verify return:1
depth=0 CN = A1.Good.Server.domain.com, O = Server
verify error:num=21:unable to verify the first certificate
verify return:1
---
Certificate chain
 0 s:/CN=A1.Good.Server.domain.com/O=Server
   i:/CN=Trusted.CA.com/O=Trust Me Inc.
---
Server certificate
subject=/CN=A1.Good.Server.domain.com/O=Server
issuer=/CN=Trusted.CA.com/O=Trust Me Inc.
---
No client certificate CA names sent
---
SSL handshake has read 1637 bytes and written 438 bytes
---
New, TLSv1/SSLv3, Cipher is DHE-DSS-AES256-SHA
Server public key is 1024 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
Protocol  : TLSv1
Cipher: DHE-DSS-AES256-SHA
Session-ID: 9C60527D31390057F3EA7C275BBEAA379D2AAAB6EED495E2540F245DC6AF7618
Session-ID-ctx: 
Master-Key: 32FD8391E0F19C12CF34A258442BD6BFFC7DF3A78DE8DACE6F64910D6651B2FAB98ADB6ED4AA99F15BFC3F6D511DF24B
Key-Arg   : None
Krb5 Principal: None
PSK identity: None
PSK identity hint: None
Start Time: 1370961460
Timeout   : 300 (sec)
Verify return code: 21 (unable to verify the first certificate)





----- Original Message -----
> From: atarutin tarutin_and...@mail.ru
> To: proton@qpid.apache.org
> Sent: Tuesday, June 11, 2013 10:23:29 AM
> Subject: Re: Does Messenger API supports SSL?
>
> That is dump:
>
> CONNECTED(04E4)
> ---
> no peer certificate available
> ---
> No client certificate CA names sent
> ---
> SSL handshake has read 7 bytes and written 321 bytes
> ---
> New, (NONE), Cipher is (NONE)
> Secure Renegotiation IS NOT supported
> Compression: NONE
> Expansion: NONE
> ---
>
>
> Could you please help me to understand this information?
 
 
 
 

-- 
-K


Re: Does Messenger API supports SSL?

2013-06-11 Thread atarutin
Here it is:

CONNECTED(04E4)
write to 0x1ec28a0 [0x1ef26a0] (321 bytes = 321 (0x141))
 - 16 03 01 01 3c 01 00 01-38 03 03 51 b7 37 bc 04   ...8..Q.7..
0010 - 28 3c bd 2c 32 55 20 98-ad ef d8 de a2 33 57 30   (.,2U ..3W0
0020 - 81 b0 91 d2 91 a4 ba 10-b7 97 34 00 00 a0 c0 30   ..40
0030 - c0 2c c0 28 c0 24 c0 14-c0 0a c0 22 c0 21 00 a3   .,.(.$..!..
0040 - 00 9f 00 6b 00 6a 00 39-00 38 00 88 00 87 c0 32   ...k.j.9.8.2
0050 - c0 2e c0 2a c0 26 c0 0f-c0 05 00 9d 00 3d 00 35   ...*=.5
0060 - 00 84 c0 12 c0 08 c0 1c-c0 1b 00 16 00 13 c0 0d   
0070 - c0 03 00 0a c0 2f c0 2b-c0 27 c0 23 c0 13 c0 09   ./.+.'.#
0080 - c0 1f c0 1e 00 a2 00 9e-00 67 00 40 00 33 00 32   .g.@.3.2
0090 - 00 9a 00 99 00 45 00 44-c0 31 c0 2d c0 29 c0 25   .E.D.1.-.).%
00a0 - c0 0e c0 04 00 9c 00 3c-00 2f 00 96 00 41 00 07   /...A..
00b0 - c0 11 c0 07 c0 0c c0 02-00 05 00 04 00 15 00 12   
00c0 - 00 09 00 14 00 11 00 08-00 06 00 03 00 ff 01 00   
00d0 - 00 6f 00 0b 00 04 03 00-01 02 00 0a 00 34 00 32   .o...4.2
00e0 - 00 0e 00 0d 00 19 00 0b-00 0c 00 18 00 09 00 0a   
00f0 - 00 16 00 17 00 08 00 06-00 07 00 14 00 15 00 04   
0100 - 00 05 00 12 00 13 00 01-00 02 00 03 00 0f 00 10   
0110 - 00 11 00 23 00 00 00 0d-00 22 00 20 06 01 06 02   ...#.. 
0120 - 06 03 05 01 05 02 05 03-04 01 04 02 04 03 03 01   
0130 - 03 02 03 03 02 01 02 02-02 03 01 01 00 0f 00 01   
0140 - 01.
read from 0x1ec28a0 [0x1ef7c00] (7 bytes = 7 (0x7))
 - 15 03 03 00 02 02 28  ..(
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 7 bytes and written 321 bytes
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
---


Thanks for help.





Re: Does Messenger API supports SSL?

2013-06-11 Thread Ken Giusti

The server isn't following through with the rest of the handshake, but I can't 
tell why from the dump, sorry.

When you do this (run openssl s_client), does the broker log anything? 

BTW, what version of OpenSSL are you running on the client side?  "openssl
version" will give you that.

thanks,

-K


-- 
-K
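
Added example (not part of the thread, and not Proton or OpenSSL code): the 7 bytes the client read back in the -debug trace, 15 03 03 00 02 02 28, form a single TLS alert record. The Python below decodes that record and the header of the 321-byte ClientHello; the result is a fatal handshake_failure alert, which is consistent with the broker's "no cipher suites in common" warning. Function and constant names are illustrative.

```python
import struct

# Bytes copied from the -debug trace in the thread (not new data):
CLIENT_HELLO_START = bytes.fromhex("16 03 01 01 3c 01 00 01 38 03 03")
SERVER_REPLY = bytes.fromhex("15 03 03 00 02 02 28")

CONTENT_TYPES = {20: "change_cipher_spec", 21: "alert",
                 22: "handshake", 23: "application_data"}
VERSIONS = {0x0300: "SSLv3", 0x0301: "TLSv1.0",
            0x0302: "TLSv1.1", 0x0303: "TLSv1.2"}
ALERT_LEVELS = {1: "warning", 2: "fatal"}
# Subset of the alert descriptions defined in RFC 5246, section 7.2.
ALERT_DESCRIPTIONS = {0: "close_notify", 10: "unexpected_message",
                      20: "bad_record_mac", 40: "handshake_failure",
                      47: "illegal_parameter", 48: "unknown_ca",
                      70: "protocol_version", 71: "insufficient_security",
                      80: "internal_error"}


def parse_record_header(data):
    """Decode the 5-byte TLS record header: type, version, payload length."""
    if len(data) < 5:
        raise ValueError("need at least 5 bytes for a TLS record header")
    ctype, version, length = struct.unpack("!BHH", data[:5])
    return {"type": CONTENT_TYPES.get(ctype, "unknown(%d)" % ctype),
            "version": VERSIONS.get(version, "unknown(0x%04x)" % version),
            "length": length}


def parse_alert(data):
    """Decode a plaintext alert record (sent before encryption is set up)."""
    header = parse_record_header(data)
    body = data[5:5 + header["length"]]
    if header["type"] != "alert":
        raise ValueError("not an alert record: %s" % header["type"])
    if header["length"] != 2 or len(body) != 2:
        raise ValueError("plaintext alert body must be exactly 2 bytes")
    level, description = body
    header["level"] = ALERT_LEVELS.get(level, "unknown(%d)" % level)
    header["description"] = ALERT_DESCRIPTIONS.get(
        description, "unknown(%d)" % description)
    return header


if __name__ == "__main__":
    hello = parse_record_header(CLIENT_HELLO_START)
    # 5 header bytes + payload should equal the 321 bytes openssl reported.
    print("client sent:", hello, "total bytes:", 5 + hello["length"])
    print("server sent:", parse_alert(SERVER_REPLY))
```

The alert says only that the server rejected the ClientHello; the broker-side log is where the specific reason appears.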