On Windows machines, the broker looks for a certificate with the FQDN of
the server machine, by default in the "my" store under the LocalSystem
account.  If the machine is on a domain, this will include the full domain
name.  The clients MUST use this same FQDN to connect to the broker (as the
underlying Microsoft SSL validates that the hostname connected to matches
the CN of the server certificate).

Interestingly, we are seeing one machine (out of ~ 60) where SSL has
stopped working.

On the broker we see:
  C:\Dev\qpid-0.12\cpp\build\src\Release>qpidd --auth=no --no-data-dir
  2012-09-13 15:00:16 notice SASL disabled: No Authentication Performed
  2012-09-13 15:00:16 notice Listening for SSL connections on TCP port 5671
  2012-09-13 15:00:16 notice Listening on TCP port 5672
  5672
  2012-09-13 15:00:16 notice Broker running
  2012-09-13 15:00:16 notice SSL negotiation failed to 10.2.100.42:53251: The specified data could not be decrypted.
  2012-09-13 15:00:22 notice Shut down

In the Windows Event Log (on the broker), I see this:
=====
Cryptographic operation.

Subject:
    Security ID:        PHOBOS\Administrator
    Account Name:        Administrator
    Account Domain:        PHOBOS
    Logon ID:        0x856e9

Cryptographic Parameters:
    Provider Name:    Microsoft Software Key Storage Provider
    Algorithm Name:    RSA
    Key Name:    key_container:PHOBOS.longhorn.atx
    Key Type:    User key.

Cryptographic Operation:
    Operation:    Decrypt.
    Return Code:    0xc000000d
=====

This seems to suggest that Windows can no longer decrypt the (unencrypted)
RSA private key stored with the server cert.  Reinstalling the certificates
doesn't help.  I'm still looking under the covers at the lsass process
activity to try and figure out this strange failure.

And we're still tracking down a small memory leak on SSL connections, as
well as a rarer 'my messages are taking longer to deliver' issue.

Kerry


On Tue, Sep 18, 2012 at 2:28 PM, walshp <peter.wa...@jackpinetech.com> wrote:

> The name is the same for the cert (-n), the hostname and the params.
>
>
>
> --
> View this message in context:
> http://qpid.2158936.n2.nabble.com/Broker-SSL-Config-tp7582284p7582291.html
> Sent from the Apache Qpid users mailing list archive at Nabble.com.
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: users-unsubscr...@qpid.apache.org
> For additional commands, e-mail: users-h...@qpid.apache.org
>
>
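As an added diagnostic example (not from Kerry's message or the Qpid project), the following PowerShell script walks the same lookup the message describes: it takes the machine's FQDN, looks in the LocalMachine "my" store for a certificate whose Subject CN or DNS Subject Alternative Name matches that FQDN, and then checks that the private key is present and actually usable, which is the symptom behind the "could not be decrypted" failure above. It assumes it is run on the broker host with PowerShell 5 or later (the GetRSAPrivateKey extension needs .NET 4.6+).

```powershell
# Added example: verify the certificate qpidd would select on Windows.
# Assumes this runs on the broker machine itself (hypothetical run, not a
# command from the original thread).

$fqdn = [System.Net.Dns]::GetHostEntry($env:COMPUTERNAME).HostName
Write-Host "Machine FQDN: $fqdn"

# Collect every DNS name a certificate carries: the Subject CN plus any
# "DNS Name=" entries in the Subject Alternative Name extension (OID 2.5.29.17).
function Get-CertDnsNames {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    $names = @()
    $cn = $Cert.GetNameInfo(
        [System.Security.Cryptography.X509Certificates.X509NameType]::SimpleName, $false)
    if ($cn) { $names += $cn }
    $san = $Cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
    if ($san) {
        # Format($true) prints one entry per line, e.g. "DNS Name=host.example.com"
        $san.Format($true) -split "`r?`n" | ForEach-Object {
            if ($_ -match '^DNS Name=(.+)$') { $names += $Matches[1].Trim() }
        }
    }
    return $names
}

# Only the LocalMachine "my" store is checked, since that is where the
# broker looks when running under LocalSystem.
$candidates = Get-ChildItem Cert:\LocalMachine\My | Where-Object {
    (Get-CertDnsNames $_) -contains $fqdn
}

if (-not $candidates) {
    Write-Warning "No certificate in LocalMachine\My names $fqdn; clients connecting by this FQDN will fail hostname validation."
    return
}

foreach ($cert in $candidates) {
    Write-Host "Found: $($cert.Subject) thumbprint $($cert.Thumbprint) expires $($cert.NotAfter)"
    if (-not $cert.HasPrivateKey) {
        Write-Warning "Certificate has no associated private key."
        continue
    }
    # Exercise the private key the way the TLS handshake would: produce a
    # signature. A key that is listed but cannot be opened or used by the
    # key storage provider fails here with the provider's error text.
    try {
        $rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($cert)
        $data = [System.Text.Encoding]::ASCII.GetBytes('probe')
        $sig = $rsa.SignData($data,
            [System.Security.Cryptography.HashAlgorithmName]::SHA256,
            [System.Security.Cryptography.RSASignaturePadding]::Pkcs1)
        Write-Host "Private key usable ($($sig.Length * 8)-bit RSA signature produced)."
    } catch {
        Write-Warning "Private key present but unusable: $($_.Exception.Message)"
    }
}
```

Run it from an elevated prompt so the machine store's private keys are readable; a certificate that is found but fails the signing step points at the key container rather than at the certificate itself, which is the distinction the event log entry above (Decrypt operation, return code 0xc000000d) draws.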
