On 19 October 2015 at 15:37, Gordon Sim <g...@redhat.com> wrote:

> On 10/17/2015 01:36 AM, Chris Richardson wrote:
>
>> Hi,
>>
>> I'm attempting to set up a broker federation topology using purely SSL
>> client authentication and the EXTERNAL SASL mechanism on qpid-cpp 0.34.
>> This seems to be within an iota of working but I can't quite get the
>> configuration correct for the inter-broker routes.
>>
>> The point I have arrived at is that I have 2 brokers, both of which are
>> configured to accept only connections over SSL with client cert
>> authentication. Both python (qpid-stat et al) and c++ (qpid-send/receive)
>> clients work perfectly - however the route between the brokers does not
>> work because the broker establishing the connection does not use a
>> suitable certificate. The connection fails with
>> Inter-broker link disconnected from broker-2:5671 Failed: SSL peer cannot
>> verify your certificate. [-12271]
>>
>
> Was the broker certificate signed by a trusted CA as for the client
> certificates? I.e. does the broker accepting the incoming inter-broker
> connection trust the other broker?


The short answer to that question is _mostly_ "yes" and it got me thinking
along the right lines. I didn't realise that the broker's certificate is
the one used as a client certificate in the context of the route (kind of
obvious in retrospect). I was using certificates with only the "serverAuth"
usage extension on both brokers, which was therefore being rejected by the
broker receiving the route connection. Adding clientAuth to the usage list
(and extending my ACL to match) fixed the problem.

Thanks for the hint!


>
>
>
>> I've found I can fix this by setting the QPID_SSL_CERT_DB,
>> QPID_SSL_CERT_PASSWORD_FILE and QPID_SSL_CERT_NAME variables in the
>> environment of the source broker process, but c++ client connections to
>> this broker then fail with
>> Failed to connect: Failed: NSS error [-8101]
>> (/var/tmp/portage/net-misc/qpid-cpp-0.34/work/qpid-cpp-0.34/src/qpid/sys/ssl/SslSocket.cpp:177)
>>
>> According to the NSS documentation this error is due to an invalid use of
>> an SSL certificate (eg: server auth cert being used for client auth) but
>> this is the same certificate which previously worked fine. Python client
>> connections are unaffected.
>>
>> I have a swathe of configuration data and logs which I can share if
>> needed, but to begin with can you tell me if this is something which
>> should, at least in principle, work?
>>
>> Thanks in advance
>>
>>
>


-- 

*Chris Richardson*, System Architect
c...@fourc.eu


*FourC AS, Vestre Rosten 81, Trekanten, NO-7075 Tiller, Norway*
www.fourc.eu <http://www.fourc.eu/>

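The certificate-purpose mismatch described in the reply above, reproduced with OpenSSL as an added example (this is not code from the thread or from the Qpid project). It mints a throw-away CA and two broker certificates, one with only the serverAuth extended key usage and one with serverAuth plus clientAuth, then runs the chain check for each role a certificate plays on a federation route: `sslserver` for the side accepting a connection and `sslclient` for the broker that initiates the route. The CA, hostnames and paths are constructed; `openssl verify -purpose` stands in for the peer's own check, since qpid-cpp itself uses NSS rather than OpenSSL.

```shell
#!/bin/sh
# Added example (not from the thread or the Qpid project): reproduce the
# certificate-purpose problem with OpenSSL and show the check that tells a
# serverAuth-only certificate from one that can also act as a TLS client.
# The CA, host names and paths below are constructed for this example.
set -e

WORK=$(mktemp -d)
CA_SUBJ="/CN=Constructed Test CA"

# Throw-away CA that signs every certificate below (hypothetical CA).
openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
    -keyout "$WORK/ca.key" -out "$WORK/ca.crt" -subj "$CA_SUBJ" 2>/dev/null

# issue_cert NAME EKU: mint a CA-signed certificate for host NAME whose
# extendedKeyUsage extension is exactly EKU, e.g. "serverAuth" or
# "serverAuth,clientAuth".
issue_cert() {
    name=$1
    eku=$2
    openssl req -newkey rsa:2048 -nodes -subj "/CN=$name" \
        -keyout "$WORK/$name.key" -out "$WORK/$name.csr" 2>/dev/null
    printf 'extendedKeyUsage=%s\nsubjectAltName=DNS:%s\n' "$eku" "$name" \
        > "$WORK/$name.ext"
    openssl x509 -req -days 1 -in "$WORK/$name.csr" \
        -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" -CAcreateserial \
        -extfile "$WORK/$name.ext" -out "$WORK/$name.crt" 2>/dev/null
}

# verify_for_purpose CERT PURPOSE: run the CA-chain check as a peer would for
# that role. PURPOSE is "sslserver" (what a client checks when it connects to
# a broker) or "sslclient" (what the receiving broker checks on the
# certificate the connecting broker presents for a route). Returns non-zero
# when the chain or the certificate's purpose is rejected.
verify_for_purpose() {
    openssl verify -purpose "$2" -CAfile "$WORK/ca.crt" "$1" >/dev/null 2>&1
}

# has_client_auth_eku CERT: true when the extendedKeyUsage extension lists
# TLS client authentication, i.e. the certificate may be presented by the
# connecting side of a link.
has_client_auth_eku() {
    openssl x509 -in "$1" -noout -text \
        | grep -A1 'X509v3 Extended Key Usage' \
        | grep -q 'TLS Web Client Authentication'
}

# Two broker certificates: one that reproduces the failure (serverAuth only)
# and the corrected one (serverAuth plus clientAuth).
issue_cert broker-server-only serverAuth
issue_cert broker-both serverAuth,clientAuth

# report: print, for each certificate, whether it is accepted in the server
# role and in the client (route-initiator) role.
report() {
    for cert in broker-server-only broker-both; do
        path="$WORK/$cert.crt"
        if verify_for_purpose "$path" sslserver; then s=ok; else s=REJECTED; fi
        if verify_for_purpose "$path" sslclient; then c=ok; else c=REJECTED; fi
        printf '%-20s as server: %-9s as client (route): %s\n' "$cert" "$s" "$c"
    done
}

report
```

The serverAuth-only certificate passes the `sslserver` check, which is why ordinary clients connect without trouble, and fails the `sslclient` check, which is the role the connecting broker's certificate takes on an inter-broker route. Reissuing the broker certificate with both key usages, as the reply describes, makes both checks pass.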