Hi Gordon,

Thanks a lot for the hint to use openssl for hostname verification. It helped me to understand why hostname verification didn't work for me.

In my tests, I have generated various certificates; some of them contained the broker IP set in alternate names and others had the broker FQDN set as alternate names. It seems that hostname verification only works when the connection hostname or connection SNI is explicitly set to the certificate subject CN. The alternate names are not taken into consideration on hostname verification. For example, when I created a certificate with CN=FQDN and the broker IP set as alternate name, the connection to the broker using the IP would fail unless SNI is set to the FQDN.

My expectation was that if the connection host is either a certificate alternate name or the certificate CN, the hostname check should pass, but it doesn't pass when alternate names are used. When the connection hostname is a valid certificate alternate name (but not the CN name), I am getting 'amqp:connection:framing-error', 'SSL failure: TLS certificate verification error'.

It seems that the workaround for this is to set SNI to the certificate CN when the connection host name is an alternate name, but that looks like a not partially right approach to me. What do you think?

Regards,
Dedeepya.T

On Thursday, 18 March, 2021, 08:05:20 pm IST, Gordon Sim <[email protected]> wrote:

I suggest verifying using the openssl command line tool. E.g.
    openssl s_client -connect <host:port> -verify_hostname <hostname> -CAfile <path-to-ca-pem-file>

That helps determine whether the issue is with the CA pem file or with your proton setup.
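For comparison with the behaviour reported above, the following is an added example (not code from this thread or from Qpid Proton) of the reference-identity rule from RFC 6125 and RFC 2818 that a standards-conformant TLS client applies: when a subjectAltName extension is present it is authoritative and the CN is ignored, and the CN is only a fallback when no SAN exists. The certificate dicts are constructed samples shaped like Python's ssl.getpeercert() output; the CN=FQDN plus IP-SAN layout mirrors the case described in the message.

```python
import ipaddress

# Constructed sample certificates, shaped like the dict ssl.SSLSocket.getpeercert() returns.
# SAN_CERT mirrors the thread's case: CN=FQDN plus the broker FQDN and IP as alternate names.
SAN_CERT = {
    "subject": ((("commonName", "broker.example.com"),),),
    "subjectAltName": (("DNS", "broker.example.com"), ("IP Address", "10.0.0.5")),
}
# IP_ONLY_SAN_CERT: CN=FQDN but the SAN extension lists only the IP (constructed).
IP_ONLY_SAN_CERT = {
    "subject": ((("commonName", "broker.example.com"),),),
    "subjectAltName": (("IP Address", "10.0.0.5"),),
}
# LEGACY_CERT: no SAN extension at all, CN only (constructed).
LEGACY_CERT = {"subject": ((("commonName", "broker.example.com"),),)}


def dns_name_matches(pattern, hostname):
    """RFC 6125 DNS-ID matching: case-insensitive; a wildcard is allowed only as the
    whole leftmost label and matches exactly one label (rejects '*.com' and 'a.b' for '*.b')."""
    pattern, hostname = pattern.lower().rstrip("."), hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels, h_labels = pattern.split("."), hostname.split(".")
    if p_labels[0] != "*" or len(p_labels) < 3 or len(p_labels) != len(h_labels):
        return False
    return p_labels[1:] == h_labels[1:]


def cert_matches_host(cert, host):
    """Return True if `host` (an FQDN or an IP literal) is a valid reference identity for `cert`.
    With a subjectAltName present, only SAN entries count and the CN is ignored; without one,
    the CN is consulted as a DNS name only (the RFC 2818 legacy fallback)."""
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        ip = None  # host is a DNS name, not an IP literal
    sans = cert.get("subjectAltName", ())
    if sans:
        for kind, value in sans:
            if kind == "DNS" and ip is None and dns_name_matches(value, host):
                return True
            if kind == "IP Address" and ip is not None and ipaddress.ip_address(value) == ip:
                return True
        return False
    if ip is not None:
        return False  # an IP literal is never matched against a CN here
    return any(key == "commonName" and dns_name_matches(value, host)
               for rdn in cert.get("subject", ()) for key, value in rdn)
```

The same question can be put to a certificate file without a live broker using `openssl x509 -in cert.pem -noout -checkhost <fqdn> -checkip <ip>`, which reports whether each name matches; comparing that result with the client's verdict separates a certificate problem from a client-side verification problem.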
