On 10/17/2015 01:36 AM, Chris Richardson wrote:
Hi,

I'm attempting to set up a broker federation topology using purely SSL
client authentication and the EXTERNAL SASL mechanism on qpid-cpp 0.34.
This seems to be within an iota of working but I can't quite get the
configuration correct for the inter-broker routes.

The point I have arrived at is that I have 2 brokers, both of which are
configured to accept only connections over SSL with client cert
authentication. Both Python (qpid-stat et al.) and C++ (qpid-send/receive)
clients work perfectly; however, the route between the brokers does not
work because the broker establishing the connection does not use a suitable
certificate. The connection fails with
Inter-broker link disconnected from broker-2:5671 Failed: SSL peer cannot
verify your certificate. [-12271]

Was the broker certificate signed by a trusted CA as for the client certificates? I.e. does the broker accepting the incoming inter-broker connection trust the other broker?


I've found I can fix this by setting the QPID_SSL_CERT_DB,
QPID_SSL_CERT_PASSWORD_FILE and QPID_SSL_CERT_NAME variables in the
environment of the source broker process, but c++ client connections to
this broker then fail with
Failed to connect: Failed: NSS error [-8101]
(/var/tmp/portage/net-misc/qpid-cpp-0.34/work/qpid-cpp-0.34/src/qpid/sys/ssl/SslSocket.cpp:177)
According to the NSS documentation this error is due to an invalid use of
an SSL certificate (eg: server auth cert being used for client auth) but
this is the same certificate which previously worked fine. Python client
connections are unaffected.

I have a swathe of configuration data and logs which I can share if needed,
but to begin with can you tell me if this is something which should, at
least in principle, work?

Thanks in advance
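The two failures above point at certificate usage: the connecting broker needs a certificate NSS accepts for SSL *client* use on the federation link, while the same certificate database must still serve SSL *server* use for incoming clients (NSS error -8101 is SEC_ERROR_INADEQUATE_CERT_TYPE, raised when a certificate is presented for a usage its type or trust does not permit). The following diagnostic is an added example, not code from the thread or from the qpid project: it reads the same QPID_SSL_CERT_DB, QPID_SSL_CERT_PASSWORD_FILE and QPID_SSL_CERT_NAME variables the broker uses, parses the trust column of `certutil -L` for the broker's nickname, and asks `certutil -V` whether that certificate is valid for both usages. The default DB path, password file and nickname are placeholders.

```shell
#!/bin/sh
# Added diagnostic (not from the thread): confirm that the certificate a qpid-cpp
# broker presents on an inter-broker link is approved by NSS for both SSL server
# use (accepting clients) and SSL client use (initiating the federation link).
# The DB path, password file and nickname below are placeholders, not values
# from the thread; the QPID_SSL_* variables override them, as they do for the broker.

CERT_DB="${QPID_SSL_CERT_DB:-/etc/qpid/nssdb}"                    # hypothetical path
CERT_NAME="${QPID_SSL_CERT_NAME:-broker-1}"                       # hypothetical nickname
PW_FILE="${QPID_SSL_CERT_PASSWORD_FILE:-/etc/qpid/nssdb/passwd}"  # hypothetical path

# Extract the SSL trust field (first of the three comma-separated groups in the
# "Trust Attributes" column of `certutil -L -d <db>` output) for one nickname.
# Nicknames may contain spaces, so the trust column is recognised by its shape
# and everything before it is taken as the nickname. Prints the field, or
# returns 1 if the nickname is not listed.
ssl_trust_from_listing() {
    listing="$1"; nick="$2"
    printf '%s\n' "$listing" | awk -v n="$nick" '
        $NF ~ /^[CTcPpuw]*,[CTcPpuw]*,[CTcPpuw]*$/ {
            flags = $NF
            line = $0
            sub(/[ \t]+[^ \t]+[ \t]*$/, "", line)   # drop the trust column
            if (line == n) { split(flags, f, ","); print f[1]; found = 1; exit }
        }
        END { exit found ? 0 : 1 }'
}

# Classify the SSL trust field. NSS marks a certificate that has its private key
# in the DB with "u"; that is what a broker needs for its own identity on both
# the listening and the connecting side. "C"/"T" mark a trusted CA, which is
# what the accepting broker needs for the CA that signed its peer's certificate.
classify_ssl_trust() {
    case "$1" in
        *u*)        echo identity ;;
        *C*|*T*)    echo trusted-ca ;;
        *)          echo untrusted ;;
    esac
}

# Ask NSS directly whether the certificate is valid for each usage the broker
# needs: V = SSL server, C = SSL client (usage letters of `certutil -V -u`).
# Prints one line per usage; returns 1 if any check fails.
verify_usages() {
    db="$1"; nick="$2"; pw="$3"; rc=0
    for usage in V C; do
        case "$usage" in V) label="SSL server" ;; C) label="SSL client" ;; esac
        if certutil -V -d "$db" -n "$nick" -u "$usage" -f "$pw" >/dev/null 2>&1; then
            echo "$label ($usage): ok"
        else
            echo "$label ($usage): FAILED - certutil -V -u $usage rejects '$nick'"
            rc=1
        fi
    done
    return $rc
}

main() {
    if ! command -v certutil >/dev/null 2>&1; then
        echo "certutil not found; install the NSS tools to run the live checks" >&2
        return 0
    fi
    listing=$(certutil -L -d "$CERT_DB") || return 1
    flags=$(ssl_trust_from_listing "$listing" "$CERT_NAME") || {
        echo "nickname '$CERT_NAME' not present in $CERT_DB"; return 1; }
    echo "SSL trust flags for '$CERT_NAME': '$flags' ($(classify_ssl_trust "$flags"))"
    verify_usages "$CERT_DB" "$CERT_NAME" "$PW_FILE"
}

# Run the live checks only when invoked with --check, so the functions can be
# sourced and exercised without touching a real certificate database.
if [ "${1:-}" = "--check" ]; then
    main
fi
```

Run it as `sh check-broker-cert.sh --check` in the environment of each broker. A certificate that passes `-u V` but fails `-u C` matches the symptom described in the thread. Running the same listing step on the accepting broker also answers the question raised above: the CA that signed the connecting broker's certificate should appear there with SSL trust flags containing `C` or `T`.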



---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@qpid.apache.org
For additional commands, e-mail: users-h...@qpid.apache.org