On Fri, 21 Aug 2020 at 10:18, Gordon Sim <[email protected]> wrote:
>
> On 20/08/2020 11:32 pm, cgh467 wrote:
> > Hi,
> >
> > I ran into the same issue now. When I run the qpid C++ client to connect
> > to a remote Java server, I get the error below:
> > 2020-08-20 18:25:33 [System] debug Exception constructed: Failed: Cannot
> > communicate securely with peer: no common encryption algorithm(s). [-12286]
> > (/development/fxgtla/qpid/qpid-cpp-1.39.0/src/qpid/sys/ssl/SslSocket.cpp:205)
> > 2020-08-20 18:25:33 [Security] warning Connect failed: Failed: Cannot
> > communicate securely with peer: no common encryption algorithm(s). [-12286]
> > (/development/fxgtla/qpid/qpid-cpp-1.39.0/src/qpid/sys/ssl/SslSocket.cpp:205)
> > 2020-08-20 18:25:33 [Client] debug Connection closed
> >
> > However, I was able to connect to the remote server with openssl as below:
> > openssl s_client -connect lab4.engineering:5673 -tls1_2
> >
> > Is there any way to force the cpp client to use TLSv1.2/TLSv1.1?
>
> The qpid::messaging client does not use openssl, it uses nss. There is no
> support explicitly in the client to enable more detailed configuration
> of versions and algorithms. There may be some generic way to do it
> through options/configuration in the nss db, but I can't find anything
> on that.
>
> (However, assuming you have a relatively recent nss library, I would be
> surprised if TLSv1.2 is not supported. The error sounds like it is the
> particular ciphers used that there is no match for.)
>
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: [email protected]
> For additional commands, e-mail: [email protected]
>
I ran the qpid-cpp 1.39.0 client against Broker-J 8.0.0, and it connected using TLS 1.2. (I passed -Djavax.net.debug=all via the QPID_OPTS env variable to have Java log the activity.)

I configured the broker using a broker keystore file from the qpid-jms test suite, and then created a certdb containing the CA cert used to sign that key. The steps I used for the latter were:

mkdir certdir
certutil -N -d certdir
certutil -A -n cacert -t "CT,," -i ca.crt -d certdir

Creating the certdb asks for a password. The client requires that to be provided in a file later, so I created one:

echo "yourpassword" > certdir_password_file

I used a URL for the client of "amqp:ssl:localhost:5671" to enable SSL. I then passed the certdb config and ran the application with:

QPID_CERT_PASSWORD_FILE=/path.to/certdir_password_file QPID_SSL_CERT_DB=/path.to/certdir ./your_application
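As an added example (not code from this thread or from the Qpid project), the script below wraps the certdb steps from the message above so they can be repeated without the interactive prompt and with two checks a practitioner would want: the password file is written with owner-only permissions, because the client reads it in clear text via QPID_CERT_PASSWORD_FILE, and the CA import is verified with certutil -L before the client is run. Two further points of context: the "CT,," trust flags mark the CA as trusted to issue TLS server and client certificates only, and NSS error -12286 is SSL_ERROR_NO_CYPHER_OVERLAP, a cipher-suite mismatch rather than a protocol-version failure, which matches Gordon's reading of the original error. The script assumes certutil from the NSS tools is on PATH when "setup" is run, that ca.crt is the PEM CA certificate that signed the broker's key, and that the path and variable names are illustrative; the CERTDB_PASSWORD environment variable and the "setup"/"run" subcommands are inventions of this example.

```shell
#!/bin/sh
# Added example, not from the thread or the Qpid project: scripts the certdb
# procedure described in the message above. Assumes certutil (NSS tools) is on
# PATH for "setup" and that ca.crt is the PEM CA cert that signed the broker key.
set -eu

# Write the certdb password with owner-only permissions (umask 077). The qpid
# client reads QPID_CERT_PASSWORD_FILE as clear text, so nobody else should.
write_password_file() {
    pwfile=$1
    password=$2
    saved_umask=$(umask)
    umask 077
    printf '%s\n' "$password" > "$pwfile"
    umask "$saved_umask"
}

# Print the permission string of a file, e.g. "-rw-------" (portable via ls).
file_mode() {
    ls -ld "$1" | cut -c1-10
}

# Report which NSS database format a directory holds: "sql" (cert9.db/key4.db),
# "dbm" (legacy cert8.db/key3.db) or "none" if no database has been created.
certdb_format() {
    dir=$1
    if [ -f "$dir/cert9.db" ] && [ -f "$dir/key4.db" ]; then
        echo sql
    elif [ -f "$dir/cert8.db" ] && [ -f "$dir/key3.db" ]; then
        echo dbm
    else
        echo none
    fi
}

# Create the certdb non-interactively (-f supplies the password), import the CA
# with "CT,," trust (trusted to issue TLS server and client certs, nothing
# more), then confirm the nickname is really present. With set -e, a failed
# certutil -L aborts the script instead of leaving a half-configured certdb.
setup_certdb() {
    dir=$1
    pwfile=$2
    ca=$3
    mkdir -p "$dir"
    certutil -N -d "$dir" -f "$pwfile"
    certutil -A -n cacert -t "CT,," -i "$ca" -d "$dir"
    certutil -L -d "$dir" -n cacert > /dev/null
}

# Run the client exactly as the message above does: the certdb directory and
# password file are passed through the environment, and the amqp:ssl: URL used
# inside the application is what turns TLS on.
run_client() {
    dir=$1
    pwfile=$2
    shift 2
    QPID_SSL_CERT_DB=$dir QPID_CERT_PASSWORD_FILE=$pwfile "$@"
}

# Usage (subcommands are part of this example, not of Qpid):
#   sh certdb.sh setup ./certdir ./certdir_password_file ca.crt
#   sh certdb.sh run   ./certdir ./certdir_password_file ./your_application
case "${1:-}" in
    setup)
        write_password_file "$3" "${CERTDB_PASSWORD:-yourpassword}"
        setup_certdb "$2" "$3" "$4"
        echo "certdb at $2 ($(certdb_format "$2")), password file mode $(file_mode "$3")"
        ;;
    run)
        dir=$2
        pwfile=$3
        shift 3
        run_client "$dir" "$pwfile" "$@"
        ;;
esac
```

If the verified import succeeds but the client still fails with -12286, the remaining variable is the cipher suites the Java broker offers, which is where the debugging effort belongs rather than in the certdb.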
