[rabbitmq-discuss] facing issues with the SSL implementations with RabbitMQ + Windows + .Net

Alexandru Scvorţov alexandru at rabbitmq.com
Wed Aug 10 12:50:56 BST 2011


:(  That seems perfectly fine.

Other ways to get an "unknown ca" error:
  - forget to add the CA certificate to the Trust store;
  - have the client use a certificate signed by a different authority
    than the one given to the server.

I'm out of ideas.  I'm attaching:
  - cacert.pem and cacert.cer;
  - keycert.p12 (password is "test");
  - server's cert.pem, key.pem.

You'll also need to set RemoteCertificateNameMismatch before starting the connection:
  cf.Ssl.AcceptablePolicyErrors =
    SslPolicyErrors.RemoteCertificateNameMismatch;

Could you please try with these and see if it works (or if you get a
different error)?

Cheers,
Alex

On Wed, Aug 10, 2011 at 04:16:18PM +0530, Abhijit wrote:
> Ok sir thanks,
> 
> this is the post for the former command s_client:
> > C:\>openssl s_client -connect localhost:5671 -CAfile testca/cacert.pem -cert client/cert.pem -key client/key.pem -showcerts
> > Loading 'screen' into random state - done
> > CONNECTED(00000160)
> > depth=1 CN = Kiprosh7
> > verify return:1
> > depth=0 CN = Kiprosh7, O = server
> > verify return:1
> > ---
> > Certificate chain
> >  0 s:/CN=Kiprosh7/O=server
> >    i:/CN=Kiprosh7
> > -----BEGIN CERTIFICATE-----
> > MIIC4TCCAcmgAwIBAgIBATANBgkqhkiG9w0BAQUFADATMREwDwYDVQQDEwhLaXBy
> > b3NoNzAeFw0xMTA4MTAwODA1NTBaFw0xMjA4MDkwODA1NTBaMCQxETAPBgNVBAMM
> > CEtpcHJvc2g3MQ8wDQYDVQQKDAZzZXJ2ZXIwggEiMA0GCSqGSIb3DQEBAQUAA4IB
> > DwAwggEKAoIBAQDTDgQ3/vSBPvy0PAZYwk4H2qlFckaA75YfCYZ+HhIb+JUSrZ4r
> > NcBEhvrH+7p1yft9IC4pgrgEbjmfQVTi8LGwtMRZmwpbmjqEfOALpra5x7Plb+7y
> > CTT/iDc8uUwHLn2brXxNRn58IrEeD1X+rBxLNyek0pQu/hH31+REI5Sn1JZfi7gc
> > 3PJEuaRzVJY4sE0neNWT+K+aD0n382qnziLEGOusXWNpggpoHVFKZR3Yojxj6Bfk
> > 9lUvfUtIqz2zQ2dF0q6A0QVVlIenKzUK+rjHxQAUSb8P9CmCuRXUih3f61ahquQP
> > CgSrkNnUV44D/wHfnxNm9QjxlQEGyr0DsTcFAgMBAAGjLzAtMAkGA1UdEwQCMAAw
> > CwYDVR0PBAQDAgUgMBMGA1UdJQQMMAoGCCsGAQUFBwMBMA0GCSqGSIb3DQEBBQUA
> > A4IBAQDE+cXjx6uNL/Kf/HmE7FeQ238iN7Gfb+I1QHmbRaR0qbTqcFzp7NCJ62uq
> > nJ6Anj0+h1IFNMlQrCISSS0fnSj+mXMKDodZzV+cXFjdtoEXyqdDO0zphDMTRd8H
> > oI79XSm5IK6vcPR+g2UTkhgrX1xfgeqZ8hmw0L0mMMGHXclwwaAF9HRNomFt32gr
> > 1sVhFkhH/5epmgcl+8yI1E7UaQc91bYkUEuQFNu7irgc+/tvcXa4O4+dIfhnzrog
> > 8piYUk4dxGME8LknQ213Gow9cgEKzcYadJ4DIr6gChkvAnYpHHHafWj/Ksvxyii6
> > 8FxuTfgsrOYwkqEcSXeCGUS25nU9
> > -----END CERTIFICATE-----
> >  1 s:/CN=Kiprosh7
> >    i:/CN=Kiprosh7
> > -----BEGIN CERTIFICATE-----
> > MIICxjCCAa6gAwIBAgIJANsNRAs/ueOoMA0GCSqGSIb3DQEBBQUAMBMxETAPBgNV
> > BAMTCEtpcHJvc2g3MB4XDTExMDgxMDA4MDEzMloXDTEyMDgwOTA4MDEzMlowEzER
> > MA8GA1UEAxMIS2lwcm9zaDcwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIB
> > AQDorxS4o/H/w7f+VYWkQk3gS7g7gWFd3S4eCVV35a3GEcyP2OS4pUhhZXyB0lN7
> > xmUHqeixx7aNRnrc130SQ4kke1fuxtdLjKxu+oeASMLCSkF356m8X5FhuTnPkf2W
> > x64i6nk9SOO+jdQo/kMChy0H7psKS5I2M0nb5WLxN/JOACNnxJOhFy8cGw7l32q6
> > rEfqLkdnZJR09fiuf0hEbb/UodOt2tXXGN0Pp3X2x4cXnD6E2Va9QSBYIvPAnWEn
> > FN2Te+Qwg+AxwHIkCjH9bfQ7fOeuGHAoanSnlqS5rW/T5sKKlkBl95WeJoTFjrCt
> > CVDLilsnLrfmZkg3ICQtPbgNAgMBAAGjHTAbMAwGA1UdEwQFMAMBAf8wCwYDVR0P
> > BAQDAgEGMA0GCSqGSIb3DQEBBQUAA4IBAQBGtbJQyQ1pWVo+7snqxCOn/KVN++Jo
> > 8YEB4/MGKgHyoTWRAa3IXOSPtpunW/6yDziwcLZeO09MATeKCCAJf64LXZr7aM6J
> > ZX6hFFNUyqa5w9AaZ4sAe70QwDYPS6dPqcyTab/DVVRGhJAKhUc2lX+UfcBhHYaz
> > egKDKyIybHMmcQQm//SO0jo3Ak0565ZAMCdaaO/9RNJpJSxJf+HSVUg4sPLe/sAK
> > QlXcdt8XlKsEKBzUHzfRvpbU/8gn1HO5G+CTvEW2kO6nssuKX41g5hMfRqu248TT
> > jbGWMkYFMPDY1m2QWPqzLvaETGOWHwqpVWXuMhu7/T5sduDf2n084ok7
> > -----END CERTIFICATE-----
> > ---
> > Server certificate
> > subject=/CN=Kiprosh7/O=server
> > issuer=/CN=Kiprosh7
> > ---
> > Acceptable client certificate CA names
> > /CN=Kiprosh7
> > ---
> > SSL handshake has read 1663 bytes and written 2276 bytes
> > ---
> > New, TLSv1/SSLv3, Cipher is AES256-SHA
> > Server public key is 2048 bit
> > Secure Renegotiation IS supported
> > Compression: NONE
> > Expansion: NONE
> > SSL-Session:
> >     Protocol  : TLSv1
> >     Cipher    : AES256-SHA
> >     Session-ID: 8703D018C270CC932648333F61FE3C986CB336B7C8074ACF3560E415934E26F2
> >     Session-ID-ctx:
> >     Master-Key: F5B8C5666355EE6C78910EBB649A65740104537ACEBB28E4A23DF51EA5DE9E6AFE3AC2C95B1929985DAFC09CDC6BDEAE
> >     Key-Arg   : None
> >     PSK identity: None
> >     PSK identity hint: None
> >     Start Time: 1312972974
> >     Timeout   : 300 (sec)
> >     Verify return code: 0 (ok)
> > ---
> 
> Thanks and Regards,
> Abhijit
> 
> 
> On 8/10/2011 4:10 PM, Alexandru Scvorţov wrote:
> >>> AMQP server protocol negotiation failure: server version
> >>> unknown-unknown, client version 0-9
> > That means the client connected successfully but closed the connection
> > later because it wasn't talking to an AMQP server.
> >
> > That means that the client and certificates are fine, so the problem is
> > configuring the server.
> >
> > When you try the other command (the openssl s_client) on the server,
> > what output do you get?  Could you please post it?
> >
> > Alex
> >
> > On Wed, Aug 10, 2011 at 04:00:26PM +0530, Abhijit wrote:
> >> Yes sir,
> >> no problem. I thought so; after looking at the client cmd lines I did put a
> >> slash instead of a dot, and now I am getting these errors:
> >>
> >>> AMQP server protocol negotiation failure: server version
> >>> unknown-unknown, client version 0-9
> >> Can you tell me what are next steps?
> >>
> >> Thanks and Regards,
> >> Abhijit
> >>
> >>
> >> On 8/10/2011 3:57 PM, Alexandru Scvorţov wrote:
> >>>> Am still getting the same error; am using the same config file.
> >>>>
> >>> Ok, but are you sure it's actually the file used by the server? (we had
> >>> some problems earlier about which file the server was using when started
> >>> from the command prompt or as a service)
> >>>
> >>>
> >>>>> openssl s_server -accept 5671 -CAfile testca/cacert.pem -cert
> >>>>> server/cert.pem -key server.key.pem -state
> >>>>>
> >>> My mistake.  That should be:
> >>>     openssl s_server -accept 5671 -CAfile testca/cacert.pem -cert
> >>>     server/cert.pem -key server/key.pem -state
> >>>
> >>> (dot instead of slash in server.key.pem)
> >>>
> >>> BTW, if they're disposable, could you send the certificates and keys?
> >>> We've had problems before with the certificates generated by OpenSSL,
> >>> which were usually solved by using a different version.  Maybe this is
> >>> happening here.
> >>>
> >>> Cheers,
> >>> Alex
> >>>
> >>> On Wed, Aug 10, 2011 at 03:46:39PM +0530, Abhijit wrote:
> >>>
> >>>> Hi sir,
> >>>>
> >>>> Am still getting the same error; am using the same config file.
> >>>>
> >>>> But I was not able to run this command you sent me:
> >>>>
> >>>>
> >>>>> openssl s_server -accept 5671 -CAfile testca/cacert.pem -cert
> >>>>> server/cert.pem -key server.key.pem -state
> >>>>>
> >>>> I was getting an error: unable to load server certificate private key file.
> >>>>
> >>>> Thanks and Regards,
> >>>> Abhijit
> >>>>
> >>>>
> >>>>
> 
-------------- next part --------------
A non-text attachment was scrubbed...
Name: keycert.p12
Type: application/x-pkcs12
Size: 2357 bytes
Desc: not available
URL: <http://lists.rabbitmq.com/pipermail/rabbitmq-discuss/attachments/20110810/2eb7b0d4/attachment.p12>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: cacert.cer
Type: application/pkix-cert
Size: 746 bytes
Desc: not available
URL: <http://lists.rabbitmq.com/pipermail/rabbitmq-discuss/attachments/20110810/2eb7b0d4/attachment.bin>
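The two causes of an "unknown ca" alert listed at the top of this mail can both be read off the `openssl s_client -showcerts` transcript Abhijit posted: the "Verify return code" says whether the client could build the server's chain from its CA file, and the "Acceptable client certificate CA names" block says which CA the server will accept a client certificate from. The script below, an added example that is not part of the thread or of RabbitMQ's own code, parses a saved transcript and performs both checks. It uses only the Python standard library; the sample transcript is constructed from the output quoted above with the PEM bodies replaced by placeholders, the two failure variants are constructed from it, and the function names are my own.

```python
"""Checks for an "unknown ca" alert, run against a captured transcript of
``openssl s_client -connect host:5671 -showcerts``: did the client verify the
server's chain, and does the CA the server advertises for client certificates
match the issuer of the client certificate you intend to present?
Standard library only, so it works offline on a saved transcript."""
import re

# Constructed sample transcript, modelled on the s_client output quoted in the
# thread; the PEM bodies are replaced by placeholders since they are not parsed.
SAMPLE_OUTPUT = """\
CONNECTED(00000160)
depth=1 CN = Kiprosh7
verify return:1
depth=0 CN = Kiprosh7, O = server
verify return:1
---
Certificate chain
 0 s:/CN=Kiprosh7/O=server
   i:/CN=Kiprosh7
-----BEGIN CERTIFICATE-----
<server certificate body omitted>
-----END CERTIFICATE-----
 1 s:/CN=Kiprosh7
   i:/CN=Kiprosh7
-----BEGIN CERTIFICATE-----
<CA certificate body omitted>
-----END CERTIFICATE-----
---
Server certificate
subject=/CN=Kiprosh7/O=server
issuer=/CN=Kiprosh7
---
Acceptable client certificate CA names
/CN=Kiprosh7
---
SSL handshake has read 1663 bytes and written 2276 bytes
---
SSL-Session:
    Protocol  : TLSv1
    Cipher    : AES256-SHA
    Verify return code: 0 (ok)
---
"""

# Two constructed variants of the same transcript covering the failure modes
# the thread lists: the client cannot build the server's chain, and the server
# is not configured to accept client certificates from any CA.
UNVERIFIED_OUTPUT = SAMPLE_OUTPUT.replace(
    "Verify return code: 0 (ok)",
    "Verify return code: 21 (unable to verify the first certificate)")
NO_CLIENT_CA_OUTPUT = SAMPLE_OUTPUT.replace(
    "Acceptable client certificate CA names\n/CN=Kiprosh7\n",
    "No client certificate CA names sent\n")

SUBJECT_RE = re.compile(r"^\s*\d+ s:(.*)$")
ISSUER_RE = re.compile(r"^\s*i:(.*)$")
VERIFY_RE = re.compile(r"Verify return code: (\d+) \((.*)\)")


def parse_s_client(text):
    """Extract the server chain as (subject, issuer) pairs in depth order, the
    DNs the server accepts for client certificates, and the verify result."""
    lines = text.splitlines()
    chain, acceptable = [], []
    verify_code, verify_msg = None, None
    in_acceptable = False
    for idx, line in enumerate(lines):
        m = SUBJECT_RE.match(line)
        if m and idx + 1 < len(lines):
            m2 = ISSUER_RE.match(lines[idx + 1])
            if m2:
                chain.append((m.group(1).strip(), m2.group(1).strip()))
            continue
        if line.startswith("Acceptable client certificate CA names"):
            in_acceptable = True
            continue
        if in_acceptable:
            if line.startswith("---"):
                in_acceptable = False
            else:
                acceptable.append(line.strip())
            continue
        m = VERIFY_RE.search(line)
        if m:
            verify_code, verify_msg = int(m.group(1)), m.group(2)
    return {"chain": chain, "acceptable_cas": acceptable,
            "verify_code": verify_code, "verify_msg": verify_msg}


def diagnose(text, client_cert_issuer):
    """Return (ok, findings) for a transcript and the issuer DN of the client
    certificate that will be presented (the CA's subject, e.g. "/CN=Kiprosh7")."""
    info = parse_s_client(text)
    findings, ok = [], True
    if info["verify_code"] != 0:
        ok = False
        findings.append("server chain not verified: %r; the CA that issued the "
                        "server certificate is missing from -CAfile / the trust store"
                        % info["verify_msg"])
    else:
        findings.append("server chain verified (return code 0)")
    if not info["acceptable_cas"]:
        ok = False
        findings.append("server advertises no client CA names; it is not set up "
                        "to accept client certificates from any CA")
    elif client_cert_issuer not in info["acceptable_cas"]:
        ok = False
        findings.append("client certificate issuer %s is not among the CAs the "
                        "server accepts %s; expect an 'unknown ca' alert"
                        % (client_cert_issuer, info["acceptable_cas"]))
    else:
        findings.append("client certificate issuer %s is accepted by the server"
                        % client_cert_issuer)
    return ok, findings


if __name__ == "__main__":
    for label, text in (("sample", SAMPLE_OUTPUT),
                        ("unverified", UNVERIFIED_OUTPUT),
                        ("no client CA", NO_CLIENT_CA_OUTPUT)):
        ok, findings = diagnose(text, "/CN=Kiprosh7")
        print(label, "OK" if ok else "PROBLEM")
        for f in findings:
            print("  -", f)
```

Feed it the transcript captured from the same machine the .NET client runs on, and pass the issuer DN of the client certificate inside keycert.p12 (the CA subject). The check covers only the chain and the CA list; the `RemoteCertificateNameMismatch` setting mentioned in the mail separately switches off host name matching on the client, and once the CA problem is sorted out that is normally restored by pointing `cf.Ssl.ServerName` at the CN in the server certificate instead.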