[rabbitmq-discuss] facing issues with the SSL implementations with RabbitMQ + Windows + .Net

Alexandru Scvorţov alexandru at rabbitmq.com
Wed Aug 10 15:45:46 BST 2011


> can you tell me did you create your certificates on windows?
> or on linux machine?

I generated the certificates on Windows Server 2008.

> openssl req -x509 -config openssl.cnf -newkey rsa:2048 -days 365 \
>      -out cacert.pem -outform PEM -subj /CN=MyTestCA/ -nodes
> 
> I executed the above as
> openssl req -x509 -config openssl.cnf -newkey rsa:2048 -days 365 -out cacert.pem -outform PEM -subj /CN=MyTestCA/ -nodes

I did the same thing.

Could you send the certificates you're using? (same files I sent
earlier)  I'll see if I can find anything wrong with them.

Alex

On Wed, Aug 10, 2011 at 07:56:51PM +0530, Abhijit wrote:
> OK Sir
> 
> can you tell me did you create your certificates on windows?
> or on linux machine?
> 
> openssl req -x509 -config openssl.cnf -newkey rsa:2048 -days 365 \
>      -out cacert.pem -outform PEM -subj /CN=MyTestCA/ -nodes
> 
> I executed the above as
> openssl req -x509 -config openssl.cnf -newkey rsa:2048 -days 365 -out cacert.pem -outform PEM -subj /CN=MyTestCA/ -nodes
> 
> Because, as you told me, I need to do it the same way as on the website, I skipped the '\' since it wasn't a valid element in openssl.
> 
> Did that cause the error?
> 
> Thanks and Regards,
> Abhijit
> 
> 
> 
> On 8/10/2011 7:38 PM, Alexandru Scvorţov wrote:
> >> but with no luck. Do I need something more?
> > Not that I can think of, no.
> >
> > If you're using OpenSSL 1.0.0, could you try with OpenSSL 0.9.8?
> >
> > Cheers,
> > Alex
> >
> > On Wed, Aug 10, 2011 at 07:24:54PM +0530, Abhijit wrote:
> >    
> >> Hi sir,
> >>
> >> I went through all the steps again to make certificates in this link:
> >>> http://www.rabbitmq.com/ssl.html#keys-and-certs
> >> but with no luck. Do I need something more?
> >>
> >> Thanking you,
> >>
> >> Regards,
> >> Abhijit
> >>
> >>
> >> On 8/10/2011 5:48 PM, Alexandru Scvorţov wrote:
> >>>> The code worked now. The certificate you provided did work.
> >>>>
> >>> Great to hear that.
> >>>
> >>>
> >>>> I'm wondering why
> >>>> my certificates are not working?
> >>>>
> >>> I suspect you got some step in the certificate generation wrong (I
> >>> generated the certificates following the instructions on the website).
> >>> It's ridiculously easy to get something wrong.
> >>>
> >>> I'd delete all the certificates and the CA you generated and try again.
> >>> The website instructions are right.  You might want to try without
> >>> changing anything (the CA's name, for instance) just to see that it
> >>> works.
> >>>
> >>> You could also try a different version of OpenSSL, but I'd be quite
> >>> surprised if that were the problem.
> >>>
> >>> Let us know how it goes.
> >>>
> >>> Cheers,
> >>> Alex
> >>>
> >>>
> >>> On Wed, Aug 10, 2011 at 05:30:42PM +0530, Abhijit wrote:
> >>>
> >>>> Hi sir,
> >>>>
> >>>> The code worked now. The certificate you provided did work; I'm wondering why
> >>>> my certificates are not working?
> >>>>
> >>>> Thanks and Regards,
> >>>> Abhijit
> >>>>
> >>>>
> >>>>
> >>>> On 8/10/2011 5:20 PM, Alexandru Scvorţov wrote:
> >>>>
> >>>>> :(  That seems perfectly fine.
> >>>>>
> >>>>> Other ways to get an "unknown ca" error:
> >>>>>      - forget to add the CA certificate to the Trust store;
> >>>>>      - have the client use a certificate signed by a different authority
> >>>>>        than the one given to the server.
> >>>>>
> >>>>> I'm out of ideas.  I'm attaching:
> >>>>>      - cacert.pem and cacert.cer;
> >>>>>      - keycert.p12 (password is "test");
> >>>>>      - server's cert.pem, key.pem.
> >>>>>
> >>>>> You'll also need to set RemoteCertificateNameMismatch before starting the connection:
> >>>>>      cf.Ssl.AcceptablePolicyErrors =
> >>>>>        SslPolicyErrors.RemoteCertificateNameMismatch;
> >>>>>
> >>>>> Could you please try with these and see if it works (or if you get a
> >>>>> different error)?
> >>>>>
> >>>>> Cheers,
> >>>>> Alex
> >>>>>
> >>>>> On Wed, Aug 10, 2011 at 04:16:18PM +0530, Abhijit wrote:
> >>>>>
> >>>>>> Ok sir thanks,
> >>>>>>
> >>>>>> this is the post for the former command s_client:
> >>>>>>
> >>>>>>> C:\>openssl s_client -connect localhost:5671 -CAfile testca/cacert.pem -cert client/cert.pem -key client/key.pem -showcerts
> >>>>>>> Loading 'screen' into random state - done
> >>>>>>> CONNECTED(00000160)
> >>>>>>> depth=1 CN = Kiprosh7
> >>>>>>> verify return:1
> >>>>>>> depth=0 CN = Kiprosh7, O = server
> >>>>>>> verify return:1
> >>>>>>> ---
> >>>>>>> Certificate chain
> >>>>>>>     0 s:/CN=Kiprosh7/O=server
> >>>>>>>       i:/CN=Kiprosh7
> >>>>>>>     1 s:/CN=Kiprosh7
> >>>>>>>       i:/CN=Kiprosh7
> >>>>>>> ---
> >>>>>>> Server certificate
> >>>>>>> subject=/CN=Kiprosh7/O=server
> >>>>>>> issuer=/CN=Kiprosh7
> >>>>>>> ---
> >>>>>>> Acceptable client certificate CA names
> >>>>>>> /CN=Kiprosh7
> >>>>>>> ---
> >>>>>>> SSL handshake has read 1663 bytes and written 2276 bytes
> >>>>>>> ---
> >>>>>>> New, TLSv1/SSLv3, Cipher is AES256-SHA
> >>>>>>> Server public key is 2048 bit
> >>>>>>> Secure Renegotiation IS supported
> >>>>>>> Compression: NONE
> >>>>>>> Expansion: NONE
> >>>>>>> SSL-Session:
> >>>>>>>        Protocol  : TLSv1
> >>>>>>>        Cipher    : AES256-SHA
> >>>>>>>        Session-ID:
> >>>>>>> 8703D018C270CC932648333F61FE3C986CB336B7C8074ACF3560E415934E26F2
> >>>>>>>
> >>>>>>>        Session-ID-ctx:
> >>>>>>>        Master-Key:
> >>>>>>> F5B8C5666355EE6C78910EBB649A65740104537ACEBB28E4A23DF51EA5DE9E6A
> >>>>>>> FE3AC2C95B1929985DAFC09CDC6BDEAE
> >>>>>>>        Key-Arg   : None
> >>>>>>>        PSK identity: None
> >>>>>>>        PSK identity hint: None
> >>>>>>>        Start Time: 1312972974
> >>>>>>>        Timeout   : 300 (sec)
> >>>>>>>        Verify return code: 0 (ok)
> >>>>>>> ---
> >>>>>>>
> >>>>>> Thanks and Regards,
> >>>>>> Abhijit
> >>>>>>
> >>>>>>
> >>>>>> On 8/10/2011 4:10 PM, Alexandru Scvorţov wrote:
> >>>>>>
> >>>>>>>>> AMQP server protocol negotiation failure: server version
> >>>>>>>>> unknown-unknown, client version 0-9
> >>>>>>>>>
> >>>>>>> That means the client connected successfully but closed the connection
> >>>>>>> later because it wasn't talking to an AMQP server.
> >>>>>>>
> >>>>>>> That means that the client and certificates are fine, so the problem is
> >>>>>>> configuring the server.
> >>>>>>>
> >>>>>>> When you try the other command (the openssl s_client) on the server,
> >>>>>>> what output do you get?  Could you please post it?
> >>>>>>>
> >>>>>>> Alex
> >>>>>>>
> >>>>>>> On Wed, Aug 10, 2011 at 04:00:26PM +0530, Abhijit wrote:
> >>>>>>>
> >>>>>>>> Yes sir, no problem. I thought so after looking at the client cmd lines; I did put a
> >>>>>>>> slash instead of a dot, and now I am getting these errors:
> >>>>>>>>
> >>>>>>>>> AMQP server protocol negotiation failure: server version
> >>>>>>>>> unknown-unknown, client version 0-9
> >>>>>>>>>
> >>>>>>>> Can you tell me what are next steps?
> >>>>>>>>
> >>>>>>>> Thanks and Regards,
> >>>>>>>> Abhijit
> >>>>>>>>
> >>>>>>>>
> >>>>>>>> On 8/10/2011 3:57 PM, Alexandru Scvorţov wrote:
> >>>>>>>>
> >>>>>>>>>> I am still getting the same error; I am using the same config file.
> >>>>>>>>>>
> >>>>>>>>> Ok, but are you sure it's actually the file used by the server? (we had
> >>>>>>>>> some problems earlier about which file the server was using when started
> >>>>>>>>> from the command prompt or as a service)
> >>>>>>>>>
> >>>>>>>>>>> openssl s_server -accept 5671 -CAfile testca/cacert.pem -cert
> >>>>>>>>>>> server/cert.pem -key server.key.pem -state
> >>>>>>>>>>>
> >>>>>>>>> My mistake.  That should be:
> >>>>>>>>>        openssl s_server -accept 5671 -CAfile testca/cacert.pem -cert
> >>>>>>>>>        server/cert.pem -key server/key.pem -state
> >>>>>>>>>
> >>>>>>>>> (dot instead of slash in server.key.pem)
> >>>>>>>>>
> >>>>>>>>> BTW, if they're disposable, could you send the certificates and keys?
> >>>>>>>>> We've had problems before with the certificates generated by OpenSSL,
> >>>>>>>>> which were usually solved by using a different version.  Maybe this is
> >>>>>>>>> happening here.
> >>>>>>>>>
> >>>>>>>>> Cheers,
> >>>>>>>>> Alex
> >>>>>>>>>
> >>>>>>>>> On Wed, Aug 10, 2011 at 03:46:39PM +0530, Abhijit wrote:
> >>>>>>>>>
> >>>>>>>>>> Hi sir,
> >>>>>>>>>>
> >>>>>>>>>> I am still getting the same error; I am using the same config file.
> >>>>>>>>>>
> >>>>>>>>>> But I was not able to run this command you sent me:
> >>>>>>>>>>
> >>>>>>>>>>> openssl s_server -accept 5671 -CAfile testca/cacert.pem -cert
> >>>>>>>>>>> server/cert.pem -key server.key.pem -state
> >>>>>>>>>>>
> >>>>>>>>>> I was getting an error: unable to load server certificate private key file.
> >>>>>>>>>>
> >>>>>>>>>> Thanks and Regards,
> >>>>>>>>>> Abhijit
> >>>>>>>>>>
> 
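The two causes of an "unknown ca" error listed in the thread, and the host-name mismatch that AcceptablePolicyErrors was set to tolerate, reproduced as an added example that is not code from this thread or from the RabbitMQ client: it builds a throwaway CA and server certificate in memory and runs the chain and host-name checks a TLS client performs. The CA name MyTestCA comes from the thread; the host name rabbit.test and the use of P-256 keys are assumptions of the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// issue builds a certificate for cn in memory (constructed test data, not the files from the
// thread): parent == nil gives a self-signed CA like testca/cacert.pem, otherwise a server cert signed by parent.
func issue(cn string, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) // P-256 for speed; the guide uses RSA 2048
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()),
		Subject:      pkix.Name{CommonName: cn},
		DNSNames:     []string{cn}, // the name a client dials must appear here, not only in the CN
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(365 * 24 * time.Hour),
	}
	if parent == nil { // a CA must carry CA:TRUE and keyCertSign, or nothing will chain to it
		tmpl.IsCA, tmpl.BasicConstraintsValid, tmpl.KeyUsage = true, true, x509.KeyUsageCertSign
		parent, parentKey = tmpl, key
	}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}

// classify runs the checks a TLS client applies to the server certificate: chain it to the CA the
// client trusts, then match the dialled host name. Outcomes: success, the "unknown ca" alert, or
// the mismatch reported as SslPolicyErrors.RemoteCertificateNameMismatch in the .NET client.
func classify(server, trustedCA *x509.Certificate, host string) string {
	pool := x509.NewCertPool()
	pool.AddCert(trustedCA)
	_, err := server.Verify(x509.VerifyOptions{Roots: pool, DNSName: host})
	switch err.(type) {
	case nil:
		return "ok"
	case x509.UnknownAuthorityError:
		return "unknown ca"
	case x509.HostnameError:
		return "name mismatch"
	}
	return err.Error()
}
```

Verifying against a CA other than the issuer is exactly what a client sees when the CA certificate is missing from its trust store or the client and server certificates were issued by different CAs.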

