On 11/19/2009 09:01 AM, Warwick Richard (00101635) wrote:
> Hello
>
> I have a client application running on Solaris that connects to a server
> (also on Solaris) via an MRG (Red Hat) broker running on RHEL. The
> application is a slightly modified version of the request-response
> example programs, changed to use the 'ssl' connection option if the
> relevant command line option is set. The program works fine, except when
> the ssl option is used.

The ssl_test script in qpid/cpp/src/tests does a simple test run as part
of make check which may be useful as a guide.

> 1.) Does anyone know exactly what environment variables need to be set
> for the C++ client using SSL?

You need QPID_LOAD_MODULE and QPID_SSL_CERT_DB for a basic SSL
connection. For client certificate authentication you will also need
QPID_CERT_PASSWORD_FILE and QPID_SSL_CERT_NAME.

> 2.) How do I specify which certificate to use?

QPID_SSL_CERT_NAME (or ssl-cert-name in the conf file).

> 3.) What sort of certificate do I need?
>
> 4.) How can I specify which port the client should use for the SSL
> authentication?

The client will connect to the port specified in the ConnectionSettings
(or passed in through a url).

[...]

> Client program started with these environment variables set:
>
> QPID_LOAD_MODULE=/app/qpid/lib/libsslconnector.so
> QPID_SSL_CERT_DB=/var/spool/qpid/auth
>
> /somewhere/myclient --host mybroker.x.y --port 5672 --ssl
>
> *Failed: Unknown NSS error code. [-5938] (../../src/qpid/sys/ssl/SslSocket.cpp:155)*

The above may just be a typo, but you would need to specify the port on
which SSL connections were being listened for (5673 in your case, based
on the qpidd settings). E.g.

/somewhere/myclient --host mybroker.x.y --port 5673 --ssl

> I have also tried setting the following, but still get exactly the same
> error:
>
> QPID_SSL_PORT=5763
> QPID_SSL_CERT_NAME=AMQP-Client-Certificate
> QPID_CERT_PASSWORD_FILE=/var/spool/qpid/auth/.passwd
>
> The NSS error code as documented in prerr.c:
>
> {"PR_END_OF_FILE_ERROR", "Encountered end of file"},
>
> It appears to me that the Solaris function sendfilev() is failing in the
> NSPR "pt_SolarisSendFile(7)" function (ptio.c). So I can see that it's
> trying to send "something" over the socket - but what exactly is a
> mystery. I get the feeling that this error is a bit of a red herring and
> that something else needs to be set up for it to work properly.
>
> # broker
> The broker was started with the following SSL settings:
>
> # with / without authentication
> auth=true
> # SSL settings
> load-module=/lib64/libssl.so.6
> ssl-use-export-policy=true
> ssl-cert-password-file=/app/MRG/auth/.passwd
> ssl-cert-db=/app/MRG/auth
> ssl-cert-name=AMQP-Broker-Certificate
> ssl-port=5673
> ssl-require-client-authentication=true
> # directory for the checkfile with the process id
> pid-dir=/app/MRG/data
> # spool directory
> data-dir=/app/MRG/data
> # listener port
> # default is 5672, clients must also be told if this changes
> port=5672
> # ACL options
> acl-file=/app/MRG/etc/qpidd.acl
>
> # certificate
> # certutil -L -n AMQP-Client-Certificate
> Certificate:
>     Data:
>         Version: 3 (0x2)
>         Serial Number: 1002 (0x3ea)
>         Signature Algorithm: PKCS #1 SHA-1 With RSA Encryption
>         Issuer: "CN=AMQP-Certificate-Authority,O=UBS,OU=AMQP-Broker,L=Gon,ST=Zurich,C=CH"
>         Validity:
>             Not Before: Fri Nov 06 14:57:41 2009
>             Not After : Sat Feb 06 14:57:41 2010
>         Subject: "CN=svblackwater.flur.zuerich.ubs.ch,O=UBS,OU=AMQP-Client,L=Flur,ST=Zurich,C=CH"
>         Subject Public Key Info:
>             Public Key Algorithm: PKCS #1 RSA Encryption
>             ...
>     Certificate Trust Flags:
>         SSL Flags:
>             Valid CA
>             Trusted CA
>             User
>             Trusted Client CA
>         ...
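A preflight check that captures the two points made in the answers above (the client must be pointed at the broker's ssl-port rather than the plain 5672, and the client-certificate variables are only needed when the broker requires client authentication). This is an added example, not code from the thread or from Qpid; it assumes the broker's qpidd.conf (or a copy of it) is readable on the client side and that it uses the keys quoted in the message.

```shell
#!/bin/sh
# Added preflight check, not code from the thread or from Qpid itself.
# Assumes the broker's qpidd.conf (or a copy) is readable by the client
# and that the client takes its port as "--port N", as in the thread.

# Print the last value given for <key> in a key=value qpidd.conf file.
conf_value() {  # conf_value <conf-file> <key>
    sed -n "s/^[[:space:]]*$2=\(.*\)$/\1/p" "$1" | tail -n 1
}

# Succeed only when the client's port is the broker's ssl-port, not the
# plain AMQP port: an SSL handshake against the plain listener is what
# produces the PR_END_OF_FILE_ERROR seen above.
check_ssl_port() {  # check_ssl_port <conf-file> <client-port>
    want=$(conf_value "$1" ssl-port)
    [ -n "$want" ] && [ "$want" = "$2" ]
}

# Succeed only when every environment variable the SSL connector needs is
# set; the client-certificate variables are required only if the broker
# has ssl-require-client-authentication=true.
check_client_env() {  # check_client_env <conf-file>
    missing=""
    for v in QPID_LOAD_MODULE QPID_SSL_CERT_DB; do
        eval "val=\${$v:-}"
        [ -n "$val" ] || missing="$missing $v"
    done
    if [ "$(conf_value "$1" ssl-require-client-authentication)" = "true" ]; then
        for v in QPID_CERT_PASSWORD_FILE QPID_SSL_CERT_NAME; do
            eval "val=\${$v:-}"
            [ -n "$val" ] || missing="$missing $v"
        done
    fi
    [ -z "$missing" ] || { echo "missing:$missing" >&2; return 1; }
}

# Constructed sample broker config, mirroring the qpidd settings quoted above.
SAMPLE_CONF=$(mktemp)
trap 'rm -f "$SAMPLE_CONF"' EXIT
cat >"$SAMPLE_CONF" <<'EOF'
auth=true
ssl-port=5673
ssl-require-client-authentication=true
port=5672
EOF

# The failing invocation in the thread used 5672; report the port to use instead.
check_ssl_port "$SAMPLE_CONF" 5672 ||
    echo "port 5672 is the plain listener; use --port $(conf_value "$SAMPLE_CONF" ssl-port) with --ssl"
```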
---------------------------------------------------------------------
Apache Qpid - AMQP Messaging Implementation
Project: http://qpid.apache.org
Use/Interact: mailto:users-subscr...@qpid.apache.org