Hello

I have a client application running on Solaris that connects to a server (also on Solaris) via a Red Hat MRG broker running on RHEL. The application is a slightly modified version of the request-response example programs, changed to use the 'ssl' connection option if the relevant command line option is set. The program works fine, except when the ssl option is used.

1.) Does anyone know exactly what environment variables need to be set for the C++ client using SSL?
2.) How do I specify which certificate to use?
3.) What sort of certificate do I need?
4.) How can I specify which port the client should use for the SSL authentication?

Details below.

Thanks for any help you can offer, regards
Warwick

warwick.richard<at>ubs.com


# client
Compiled on Solaris 5.10 from the qpidc-5.0 distribution.
Client sets the SSL option as follows:
   ...
   ConnectionSettings cs;        // qpid::client::ConnectionSettings
   po::variables_map vm;         // from boost::program_options
   ...
   cs.host = vm["host"].as<string>();
   cs.port = vm["port"].as<int>();
   cs.mechanism = "PLAIN";
   cs.username = vm["user"].as<string>();
   cs.password = vm["passwd"].as<string>();
   if (vm["ssl"].as<bool>())
       cs.protocol = "ssl";      // select the SSL connector instead of plain TCP
   connection.open(cs);
   ...

Client program started with these environment variables set:
QPID_LOAD_MODULE=/app/qpid/lib/libsslconnector.so
QPID_SSL_CERT_DB=/var/spool/qpid/auth

/somewhere/myclient --host mybroker.x.y --port 5672 --ssl
Failed: Unknown NSS error code. [-5938] (../../src/qpid/sys/ssl/SslSocket.cpp:155)

I have also tried setting the following, but still get exactly the same error:
QPID_SSL_PORT=5763
QPID_SSL_CERT_NAME=AMQP-Client-Certificate
QPID_CERT_PASSWORD_FILE=/var/spool/qpid/auth/.passwd

The NSS error code as documented in prerr.c:

{"PR_END_OF_FILE_ERROR",    "Encountered end of file"},

It appears to me that the Solaris function sendfilev() is failing in the NSPR - "pt_SolarisSendFile(7)" function (ptio.c). So I can see that it's trying to send "something" over the socket - but what exactly is a mystery. I get the feeling that this error is a bit of a red herring and that something else needs to be set up for it to work properly.

# broker

The broker was started with the following SSL settings:
# with / without authentication
auth=true

# SSL settings
load-module=/lib64/libssl.so.6
ssl-use-export-policy=true
ssl-cert-password-file=/app/MRG/auth/.passwd
ssl-cert-db=/app/MRG/auth
ssl-cert-name=AMQP-Broker-Certificate
ssl-port=5673
ssl-require-client-authentication=true

# directory for the checkfile with the process id
pid-dir=/app/MRG/data

# spool directory
data-dir=/app/MRG/data

# listener port
# default is 5672, clients must also be told if this changes
port=5672

# ACL options
acl-file=/app/MRG/etc/qpidd.acl

# certificate

# certutil -L -n AMQP-Client-Certificate
Certificate:
   Data:
       Version: 3 (0x2)
       Serial Number: 1002 (0x3ea)
       Signature Algorithm: PKCS #1 SHA-1 With RSA Encryption
       Issuer: "CN=AMQP-Certificate-Authority,O=UBS,OU=AMQP-Broker,L=Gon,ST=
           Zurich,C=CH"
       Validity:
           Not Before: Fri Nov 06 14:57:41 2009
           Not After : Sat Feb 06 14:57:41 2010
       Subject: "CN=svblackwater.flur.zuerich.ubs.ch,O=UBS,OU=AMQP-Client,L=
           Flur,ST=Zurich,C=CH"
       Subject Public Key Info:
           Public Key Algorithm: PKCS #1 RSA Encryption
...
   Certificate Trust Flags:
       SSL Flags:
           Valid CA
           Trusted CA
           User
           Trusted Client CA
...
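As an added example (editor's code, not from the original post or the Qpid project), here is a small Python checker that compares the broker settings quoted above against the client's port and environment, so that the two sides can be lined up before chasing the NSS error. It assumes that the client-side SSL variables are the broker's ssl-* options with a QPID_ prefix (QPID_SSL_CERT_DB, QPID_SSL_CERT_NAME, QPID_SSL_CERT_PASSWORD_FILE, QPID_SSL_USE_EXPORT_POLICY) and that qpidd's ssl-port defaults to 5671; both are assumptions the post does not confirm. Python is used instead of C++ so the check runs without the Qpid headers. Fed the values from the post, it reports that the client is dialling port 5672 while the broker's ssl-port is 5673, that QPID_SSL_CERT_NAME is unset in the first run although the broker requires a client certificate, and that QPID_SSL_PORT and QPID_CERT_PASSWORD_FILE are not in the assumed client option list.

```python
"""Check a qpidd.conf SSL block against a client's port and environment.

Added example; not code from the original post or from Apache Qpid.
"""

# Broker configuration as quoted in the post (SSL-related lines only;
# constructed from the post for this example).
BROKER_CONF = """\
# with / without authentication
auth=true
load-module=/lib64/libssl.so.6
ssl-use-export-policy=true
ssl-cert-password-file=/app/MRG/auth/.passwd
ssl-cert-db=/app/MRG/auth
ssl-cert-name=AMQP-Broker-Certificate
ssl-port=5673
ssl-require-client-authentication=true
port=5672
"""

# Client environment from the first run in the post (constructed from it).
CLIENT_ENV_FIRST_RUN = {
    "QPID_LOAD_MODULE": "/app/qpid/lib/libsslconnector.so",
    "QPID_SSL_CERT_DB": "/var/spool/qpid/auth",
}

# Assumption: the client honours the broker's ssl-* option names with a
# QPID_ prefix.  Any other QPID_* variable (except QPID_LOAD_MODULE, which
# the post shows loading the connector plug-in) is reported as unrecognised.
CLIENT_SSL_VARS = {
    "QPID_SSL_CERT_DB",
    "QPID_SSL_CERT_NAME",
    "QPID_SSL_CERT_PASSWORD_FILE",
    "QPID_SSL_USE_EXPORT_POLICY",
}
ASSUMED_DEFAULT_SSL_PORT = 5671   # assumed qpidd default, not from the post


def parse_qpidd_conf(text):
    """Parse key=value lines, skipping blanks and '#' comments."""
    opts = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition("=")
        if sep:
            opts[key.strip()] = value.strip()
    return opts


def check_client(broker, port, use_ssl, env):
    """Return a list of mismatches between the client and the broker config."""
    findings = []
    if not use_ssl:
        plain = int(broker.get("port", 5672))
        if port != plain:
            findings.append(f"client port {port} does not match broker port={plain}")
        return findings

    # An 'ssl' client must dial the broker's ssl-port, not the plain port.
    ssl_port = int(broker.get("ssl-port", ASSUMED_DEFAULT_SSL_PORT))
    if port != ssl_port:
        findings.append(f"client port {port} is not the broker ssl-port={ssl_port}")

    # Client certificate authentication needs a cert database and a cert name.
    if broker.get("ssl-require-client-authentication", "false") == "true":
        for var in ("QPID_SSL_CERT_DB", "QPID_SSL_CERT_NAME"):
            if not env.get(var):
                findings.append(
                    f"{var} is unset but the broker requires a client certificate")

    # Flag variables the client is not assumed to read (likely misspellings).
    for var in sorted(env):
        if var.startswith("QPID_") and var != "QPID_LOAD_MODULE" \
                and var not in CLIENT_SSL_VARS:
            findings.append(f"{var} is not in the assumed client SSL option list")
    return findings


if __name__ == "__main__":
    broker = parse_qpidd_conf(BROKER_CONF)
    for finding in check_client(broker, 5672, True, CLIENT_ENV_FIRST_RUN):
        print("mismatch:", finding)
```

Running the module prints one line per mismatch; an empty result means the port and the certificate-related variables are consistent with the broker block, which is the point at which the NSS error is worth investigating on its own.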

