[rabbitmq-discuss] facing issues with the SSL implementations with RabbitMQ + Windows + .Net

Abhijit abhijit.sinha at kiprosh.com
Wed Aug 10 13:00:42 BST 2011


Hi sir,

The code worked now. The certificate you provided did work; I am wondering why
my certificates are not working?

Thanks and Regards,
Abhijit



On 8/10/2011 5:20 PM, Alexandru Scvorţov wrote:
> :(  That seems perfectly fine.
>
> Other ways to get an "unknown ca" error:
>    - forget to add the CA certificate to the Trust store;
>    - have the client use a certificate signed by a different authority
>      than the one given to the server.
>
> I'm out of ideas.  I'm attaching:
>    - cacert.pem and cacert.cer;
>    - keycert.p12 (password is "test");
>    - server's cert.pem, key.pem.
>
> You'll also need to set RemoteCertificateNameMismatch before starting the connection:
>    cf.Ssl.AcceptablePolicyErrors =
>      SslPolicyErrors.RemoteCertificateNameMismatch;
>
> Could you please try with these and see if it works (or if you get a
> different error)?
>
> Cheers,
> Alex
>
> On Wed, Aug 10, 2011 at 04:16:18PM +0530, Abhijit wrote:
>
>> Ok sir thanks,
>>
>> this is the post for the former command s_client:
>>
>>> C:\>openssl s_client -connect localhost:5671 -CAfile testca/cacert.pem
>>> -cert client/cert.pem -key client/key.pem -showcerts
>>> Loading 'screen' into random state - done
>>> CONNECTED(00000160)
>>> depth=1 CN = Kiprosh7
>>> verify return:1
>>> depth=0 CN = Kiprosh7, O = server
>>> verify return:1
>>> ---
>>> Certificate chain
>>>   0 s:/CN=Kiprosh7/O=server
>>>     i:/CN=Kiprosh7
>>>   1 s:/CN=Kiprosh7
>>>     i:/CN=Kiprosh7
>>> ---
>>> Server certificate
>>> subject=/CN=Kiprosh7/O=server
>>> issuer=/CN=Kiprosh7
>>> ---
>>> Acceptable client certificate CA names
>>> /CN=Kiprosh7
>>> ---
>>> SSL handshake has read 1663 bytes and written 2276 bytes
>>> ---
>>> New, TLSv1/SSLv3, Cipher is AES256-SHA
>>> Server public key is 2048 bit
>>> Secure Renegotiation IS supported
>>> Compression: NONE
>>> Expansion: NONE
>>> SSL-Session:
>>>      Protocol  : TLSv1
>>>      Cipher    : AES256-SHA
>>>      Session-ID:
>>> 8703D018C270CC932648333F61FE3C986CB336B7C8074ACF3560E415934E26F2
>>>
>>>      Session-ID-ctx:
>>>      Master-Key:
>>> F5B8C5666355EE6C78910EBB649A65740104537ACEBB28E4A23DF51EA5DE9E6A
>>> FE3AC2C95B1929985DAFC09CDC6BDEAE
>>>      Key-Arg   : None
>>>      PSK identity: None
>>>      PSK identity hint: None
>>>      Start Time: 1312972974
>>>      Timeout   : 300 (sec)
>>>      Verify return code: 0 (ok)
>>> ---
>>
>> Thanks and Regards,
>> Abhijit
>>
>>
>> On 8/10/2011 4:10 PM, Alexandru Scvorţov wrote:
>>
>>>>> AMQP server protocol negotiation failure: server version
>>>>> unknown-unknown, client version 0-9
>>>>>
>>> That means the client connected successfully but closed the connection
>>> later because it wasn't talking to an AMQP server.
>>>
>>> That means that the client and certificates are fine, so the problem is
>>> configuring the server.
>>>
>>> When you try the other command (the openssl s_client) on the server,
>>> what output do you get?  Could you please post it?
>>>
>>> Alex
>>>
>>> On Wed, Aug 10, 2011 at 04:00:26PM +0530, Abhijit wrote:
>>>
>>>> Yes sir,
>>>> no problem. I thought so after looking at the client cmd lines; I did put a
>>>> slash instead of a dot, and now I am getting these errors:
>>>>
>>>>> AMQP server protocol negotiation failure: server version
>>>>> unknown-unknown, client version 0-9
>>>>>
>>>> Can you tell me what are next steps?
>>>>
>>>> Thanks and Regards,
>>>> Abhijit
>>>>
>>>>
>>>> On 8/10/2011 3:57 PM, Alexandru Scvorţov wrote:
>>>>
>>>>>> I am still getting the same error; I am using the same config file.
>>>>>>
>>>>> Ok, but are you sure it's actually the file used by the server? (we had
>>>>> some problems earlier about which file the server was using when started
>>>>> from the command prompt or as a service)
>>>>>
>>>>>>> openssl s_server -accept 5671 -CAfile testca/cacert.pem -cert
>>>>>>> server/cert.pem -key server.key.pem -state
>>>>>>>
>>>>> My mistake.  That should be:
>>>>>      openssl s_server -accept 5671 -CAfile testca/cacert.pem -cert
>>>>>      server/cert.pem -key server/key.pem -state
>>>>>
>>>>> (dot instead of slash in server.key.pem)
>>>>>
>>>>> BTW, if they're disposable, could you send the certificates and keys?
>>>>> We've had problems before with the certificates generated by OpenSSL,
>>>>> which were usually solved by using a different version.  Maybe this is
>>>>> happening here.
>>>>>
>>>>> Cheers,
>>>>> Alex
>>>>>
>>>>> On Wed, Aug 10, 2011 at 03:46:39PM +0530, Abhijit wrote:
>>>>>
>>>>>> Hi sir,
>>>>>>
>>>>>> I am still getting the same error; I am using the same config file.
>>>>>>
>>>>>> But I was not able to run this command you sent me:
>>>>>>
>>>>>>> openssl s_server -accept 5671 -CAfile testca/cacert.pem -cert
>>>>>>> server/cert.pem -key server.key.pem -state
>>>>>>>
>>>>>> I was getting an error: unable to load server certificate private key file.
>>>>>>
>>>>>> Thanks and Regards,
>>>>>> Abhijit
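Added example (C#, written for this page; it is not code from the thread or from the RabbitMQ .NET client project) that takes Alex's diagnosis one step further: it checks locally whether the client certificate chains to the CA file the broker was given, which is exactly the check the broker fails with "unknown ca", and only then opens the TLS connection with ServerName set to the server certificate's CN so that RemoteCertificateNameMismatch never has to be accepted. The file names cacert.cer and keycert.p12 (passphrase "test") and the CN Kiprosh7 come from the thread; the files sitting in the working directory and the broker listening on localhost:5671 are assumptions.

```csharp
using System;
using System.Net.Security;
using System.Security.Cryptography.X509Certificates;
using RabbitMQ.Client;

class SslChainCheck
{
    // Local equivalent of the broker's "unknown ca" decision: does the client
    // certificate chain to exactly the CA file the broker was configured with?
    static bool ChainsToCa(X509Certificate2 leaf, X509Certificate2 ca)
    {
        var chain = new X509Chain();
        chain.ChainPolicy.ExtraStore.Add(ca);   // candidate issuer, even if not in the trust store
        chain.ChainPolicy.RevocationMode = X509RevocationMode.NoCheck;
        chain.ChainPolicy.VerificationFlags =
            X509VerificationFlags.AllowUnknownCertificateAuthority;
        if (!chain.Build(leaf))
            return false;                        // no issuer found at all
        // Build() tolerated an untrusted root; now insist that the root IS our CA.
        var root = chain.ChainElements[chain.ChainElements.Count - 1].Certificate;
        return root.Thumbprint == ca.Thumbprint;
    }

    static void Main()
    {
        // cacert.cer and keycert.p12 (passphrase "test") are the files from the
        // thread; their location in the working directory is an assumption.
        var ca = new X509Certificate2("cacert.cer");
        var client = new X509Certificate2("keycert.p12", "test");
        Console.WriteLine("client cert issuer: " + client.Issuer);
        Console.WriteLine("broker CA subject : " + ca.Subject);
        if (!ChainsToCa(client, ca))
        {
            // Same condition the broker reports as "unknown ca": fix the certificates.
            Console.WriteLine("client certificate was NOT issued by the broker's CA");
            return;
        }
        var cf = new ConnectionFactory { HostName = "localhost", Port = 5671 };
        cf.Ssl.Enabled = true;
        cf.Ssl.CertPath = "keycert.p12";
        cf.Ssl.CertPassphrase = "test";
        // ServerName must match the CN of the server certificate (Kiprosh7 in the
        // thread); then no RemoteCertificateNameMismatch has to be accepted.
        cf.Ssl.ServerName = "Kiprosh7";
        cf.Ssl.AcceptablePolicyErrors = SslPolicyErrors.None;
        using (var conn = cf.CreateConnection())
            Console.WriteLine("TLS connection with client certificate established");
    }
}
```

If the issuer and subject lines printed before the check differ, the client certificate was issued by a different authority than the one the broker trusts, which is the second cause of "unknown ca" that Alex lists.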


