Hi Alex, You may be running into https://issues.apache.org/jira/browse/QPID-6966.
There is a prospective patch: https://reviews.apache.org/r/41800 Also note that the qpid cpp client uses NSS libraries for TLS/SSL, not OpenSSL. Regards, Cliff On Tue, Dec 29, 2015 at 5:21 AM, Oleksandr Rudyy <oru...@gmail.com> wrote: > Hi, > > I tried cpp client with openssl 1.0.2e-fips > $ openssl version > OpenSSL 1.0.2e-fips 3 Dec 2015 > > The connectivity was established successfully. cpp client sends *** > ClientHello, TLSv1.2. > > It seems that it is an issue with openssl 1.0.1e-fips or my environment. > > Is there any way to force cpp client to use TLSv1.2/TLSv1.1 with > openssl 1.0.1e-fips? > > Thanks, > Alex > > On 29 December 2015 at 12:40, Oleksandr Rudyy <oru...@gmail.com> wrote: >> Hi, >> >> TLSv1 was disabled on Java Broker as part of QPID-6938. >> >> After that trunk cpp client fails to establish TLS connection with Java >> Broker. >> >> $ openssl version >> OpenSSL 1.0.1e-fips 11 Feb 2013 >> >> On client side I see the following in the logs: >> >> ./hello_world localhost:35671 'hello-world ; { create: always }' >> '{username:guest,password:guest,transport:ssl}' >> 2015-12-29 10:54:53 [Unspecified] debug Config file not read: >> /usr/local/etc/qpid/qpidc.conf >> 2015-12-29 10:54:53 [Unspecified] debug Config file not read: >> /usr/local/etc/qpid/qpidc.conf >> 2015-12-29 10:54:53 [Unspecified] debug Config file not read: >> /usr/local/etc/qpid/qpidc.conf >> 2015-12-29 10:54:53 [Unspecified] debug Config file not read: >> /usr/local/etc/qpid/qpidc.conf >> 2015-12-29 10:54:53 [Messaging] debug Protocol defaults: >> 2015-12-29 10:54:53 [Messaging] debug Trying versions amqp0-10 >> 2015-12-29 10:54:53 [Unspecified] debug Config file not read: >> /usr/local/etc/qpid/qpidc.conf >> 2015-12-29 10:54:53 [Unspecified] debug Config file not read: >> /usr/local/etc/qpid/qpidc.conf >> 2015-12-29 10:54:53 [Client] debug Starting connection, >> urls=[localhost:35671] >> 2015-12-29 10:54:53 [Client] info Trying to connect to localhost:35671... >> 2015-12-29 10:54:53 [Client] debug Created IO thread: 0 >> 2015-12-29 10:54:53 [Unspecified] debug Config file not read: >> /usr/local/etc/qpid/qpidc.conf >> 2015-12-29 10:54:53 [Unspecified] debug Config file not read: >> /usr/local/etc/qpid/qpidc.conf >> 2015-12-29 10:54:53 [Security] debug SslConnector created for 0-10 >> 2015-12-29 10:54:53 [System] info Connecting: ZZZ.ZZZ.ZZZ.ZZZ:35671 >> 2015-12-29 10:54:53 [System] debug Exception constructed: Failed: >> Cannot communicate securely with peer: no common encryption >> algorithm(s). [-12286] >> (/apps/qpid/jenkins/workspace/Apache-Qpid-Cpp/qpid/cpp/src/qpid/sys/ssl/SslSocket.cpp:175) >> 2015-12-29 10:54:53 [Security] warning Connect failed: Failed: Cannot >> communicate securely with peer: no common encryption algorithm(s). >> [-12286] >> (/apps/qpid/jenkins/workspace/Apache-Qpid-Cpp/qpid/cpp/src/qpid/sys/ssl/SslSocket.cpp:175) >> 2015-12-29 10:54:53 [Client] debug Connection closed >> 2015-12-29 10:54:53 [System] debug Exception constructed: Connection closed >> 2015-12-29 10:54:53 [Client] info Failed to connect to >> localhost:35671: Connection closed >> Failed to connect (reconnect disabled) >> >> >> On broker side, JVM ssl logging looks like the one below: >> >> trigger seeding of SecureRandom >> done seeding SecureRandom >> Using SSLEngineImpl. >> Allow unsafe renegotiation: false >> Allow legacy hello messages: true >> Is initial handshake: true >> Is secure renegotiation: false >> [Raw read]: length = 5 >> 0000: 16 03 01 00 73 ....s >> [Raw read]: length = 115 >> 0000: 01 00 00 6F 03 01 8C 7B 92 93 EB 12 B3 E2 4A AC ...o..........J. >> 0010: B8 53 DB 2E C0 A0 47 4B 6E FF 87 23 13 F9 4E C2 .S....GKn..#..N. >> 0020: 1C 95 62 D9 DF 3D 00 00 16 00 33 00 32 00 39 00 ..b..=....3.2.9. >> 0030: 38 00 16 00 13 00 2F 00 35 00 0A 00 05 00 04 01 8...../.5....... >> 0040: 00 00 30 00 00 00 27 00 25 00 00 22 66 61 73 74 ..0...'.%.."XXXX >> 0050: 64 65 76 6C 30 34 30 30 2E 73 76 72 2E 65 6D 65 XXXXXXXX.XXX.XXX >> 0060: 61 2E 6A 70 6D 63 68 61 73 65 2E 6E 65 74 FF 01 X.XXXX.XXX.. >> 0070: 00 01 00 ... >> IO-/ZZZ.ZZZ.ZZZ.ZZZ:52076, READ: TLSv1 Handshake, length = 115 >> *** ClientHello, TLSv1 >> RandomCookie: GMT: -1938124397 bytes = { 235, 18, 179, 226, 74, 172, >> 184, 83, 219, 46, 192, 160, 71, 75, 110, 255, 135, 35, 19, 249, 78, >> 194, 28, 149, 98, 217, 223, 61 } >> Session ID: {} >> Cipher Suites: [TLS_DHE_RSA_WITH_AES_128_CBC_SHA, >> TLS_DHE_DSS_WITH_AES_128_CBC_SHA, TLS_DHE_RSA_WITH_AES_256_CBC_SHA, >> TLS_DHE_DSS_WITH_AES_256_CBC_SHA, SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA, >> SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA, TLS_RSA_WITH_AES_128_CBC_SHA, >> TLS_RSA_WITH_AES_256_CBC_SHA, SSL_RSA_WITH_3DES_EDE_CBC_SHA, >> SSL_RSA_WITH_RC4_128_SHA, SSL_RSA_WITH_RC4_128_MD5] >> Compression Methods: { 0 } >> Extension server_name, server_name: [host_name: XXXXXXX.XXX.XXXXX.XXXXX.XXX] >> Extension renegotiation_info, renegotiated_connection: <empty> >> *** >> [read] MD5 and SHA1 hashes: len = 115 >> 0000: 01 00 00 6F 03 01 8C 7B 92 93 EB 12 B3 E2 4A AC ...o..........J. >> 0010: B8 53 DB 2E C0 A0 47 4B 6E FF 87 23 13 F9 4E C2 .S....GKn..#..N. >> 0020: 1C 95 62 D9 DF 3D 00 00 16 00 33 00 32 00 39 00 ..b..=....3.2.9. >> 0030: 38 00 16 00 13 00 2F 00 35 00 0A 00 05 00 04 01 8...../.5....... >> 0040: 00 00 30 00 00 00 27 00 25 00 00 22 66 61 73 74 ..0...'.%.."XXXX >> 0050: 64 65 76 6C 30 34 30 30 2E 73 76 72 2E 65 6D 65 XXXXX.XXX.XXX >> 0060: 61 2E 6A 70 6D 63 68 61 73 65 2E 6E 65 74 FF 01 XXXXXXXX.XXXX.. >> 0070: 00 01 00 ... >> IO-/ZZZ.ZZZ.ZZZ.ZZZ:52076, fatal error: 40: Client requested protocol >> TLSv1 not enabled or not supported >> javax.net.ssl.SSLHandshakeException: Client requested protocol TLSv1 >> not enabled or not supported >> IO-/ZZZ.ZZZ.ZZZ.ZZZ:52076, SEND TLSv1 ALERT: fatal, description = >> handshake_failure >> IO-/ZZZ.ZZZ.ZZZ.ZZZ:52076, WRITE: TLSv1 Alert, length = 2 >> IO-/ZZZ.ZZZ.ZZZ.ZZZ:52076, fatal: engine already closed. Rethrowing >> javax.net.ssl.SSLHandshakeException: Client requested protocol TLSv1 >> not enabled or not supported >> [Raw write]: length = 7 >> 0000: 15 03 01 00 02 02 28 ......( >> IO-/ZZZ.ZZZ.ZZZ.ZZZ:52076, called closeOutbound() >> IO-/ZZZ.ZZZ.ZZZ.ZZZ:52076, closeOutboundInternal() >> IO-/ZZZ.ZZZ.ZZZ.ZZZ:52076, called closeInbound() >> IO-/ZZZ.ZZZ.ZZZ.ZZZ:52076, fatal: engine already closed. Rethrowing >> javax.net.ssl.SSLException: Inbound closed before receiving peer's >> close_notify: possible truncation attack? >> >> What is interesting SSL handshake looks successful when using openssl >> s_client with tls1_2 and tls1_1: >> >> $ openssl s_client -connect localhost:35671 -tls1_2 >> CONNECTED(00000003) >> ... snip... >> --- >> No client certificate CA names sent >> Server Temp Key: ECDH, secp521r1, 521 bits >> --- >> SSL handshake has read 4487 bytes and written 499 bytes >> --- >> New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-SHA384 >> Server public key is 2048 bit >> Secure Renegotiation IS supported >> Compression: NONE >> Expansion: NONE >> SSL-Session: >> Protocol : TLSv1.2 >> Cipher : ECDHE-RSA-AES256-SHA384 >> Session-ID: >> 56827A91D1B2DA88C54CF3CF09A3D0C339E7AA9FF089315AFFD9996B33773886 >> Session-ID-ctx: >> Master-Key: YYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYY >> Key-Arg : None >> Krb5 Principal: None >> PSK identity: None >> PSK identity hint: None >> Start Time: 1451391633 >> Timeout : 7200 (sec) >> Verify return code: 0 (ok) >> --- >> read:errno=0 >> >> I am not sure whether it is a cpp client issue or issue with openssl >> and my environment. >> >> Is it possible to establish TLS1.2/TLS1.1 connectivity from cpp client >> using OpenSSL 1.0.1e-fips? >> >> I have not tried other openssl versions yet. I'll do that as next step >> in my investigation of the issue. >> >> Kind Regards, >> Alex > > --------------------------------------------------------------------- > To unsubscribe, e-mail: users-unsubscr...@qpid.apache.org > For additional commands, e-mail: users-h...@qpid.apache.org > --------------------------------------------------------------------- To unsubscribe, e-mail: users-unsubscr...@qpid.apache.org For additional commands, e-mail: users-h...@qpid.apache.org
