[rabbitmq-discuss] facing issues with the SSL implementations with RabbitMQ + Windows + .Net
Abhijit
abhijit.sinha at kiprosh.com
Thu Aug 11 08:24:00 BST 2011
Hi Sir,
Am sending you the new set of certificates i made today morning which
were still giving same errors. Can you please inspect them and let me
know what are the errors.
Thanks and Regards,
Abhijit
On 8/10/2011 8:15 PM, Alexandru Scvorţov wrote:
>> can you tell me did you create your certificates on windows?
>> or on linux machine?
>>
> I generated the certificates on Windows Server 2008.
>
>
>> openssl req -x509 -config openssl.cnf -newkey rsa:2048 -days 365 \
>> -out cacert.pem -outform PEM -subj /CN=MyTestCA/ -nodes
>>
>> i executed above as
>> openssl req -x509 -config openssl.cnf -newkey rsa:2048 -days 365 -out cacert.pem -outform PEM -subj /CN=MyTestCA/ -nodes
>>
> I did the same thing.
>
> Could you send the certificates you're using? (same files I sent
> earlier) I'll see if I can find anything wrong with them.
>
> Alex
>
> On Wed, Aug 10, 2011 at 07:56:51PM +0530, Abhijit wrote:
>
>> OK Sir
>>
>> can you tell me did you create your certificates on windows?
>> or on linux machine?
>>
>> openssl req -x509 -config openssl.cnf -newkey rsa:2048 -days 365 \
>> -out cacert.pem -outform PEM -subj /CN=MyTestCA/ -nodes
>>
>> i executed above as
>> openssl req -x509 -config openssl.cnf -newkey rsa:2048 -days 365 -out cacert.pem -outform PEM -subj /CN=MyTestCA/ -nodes
>>
>> because as you told me that i need to do it similarly as in the website i skipped the '\' since it wasn't a valid element in openssl.
>>
>> does that caused the error?
>>
>> Thanks and Regards,
>> Abhijit
>>
>>
>>
>> On 8/10/2011 7:38 PM, Alexandru Scvorţov wrote:
>>
>>>> but with no luck, do i need something more.
>>>>
>>>>
>>> Not that I can think of, no.
>>>
>>> If you're using OpenSSL 1.0.0, could you try with OpenSSL 0.9.8?
>>>
>>> Cheers,
>>> Alex
>>>
>>> On Wed, Aug 10, 2011 at 07:24:54PM +0530, Abhijit wrote:
>>>
>>>
>>>> Hi sir,
>>>>
>>>> i went through all the steps again to make certificates in this link:
>>>>
>>>>
>>>>> http://www.rabbitmq.com/ssl.html#keys-and-certs
>>>>>
>>>>>
>>>> but with no luck, do i need something more.
>>>>
>>>> Thanking you,
>>>>
>>>> Regards,
>>>> Abhijit
>>>>
>>>>
>>>> On 8/10/2011 5:48 PM, Alexandru Scvorţov wrote:
>>>>
>>>>
>>>>>> The code worked now. the certificate you provided did work
>>>>>>
>>>>>>
>>>>>>
>>>>> Great to hear that.
>>>>>
>>>>>
>>>>>
>>>>>
>>>>>> wondering why
>>>>>> my certificates are not working??
>>>>>>
>>>>>>
>>>>>>
>>>>> I suspect you got some step in the certificate generation wrong (I
>>>>> generated the certificates following the instructions on the website).
>>>>> It's ridiculously easy to get something wrong.
>>>>>
>>>>> I'd delete all the certificates, and CA you generated and try again.
>>>>> The website instructions are right. You might want to try without
>>>>> changing anything (the CA's name, for instance) just to see that it
>>>>> works.
>>>>>
>>>>> You could also try a different version of OpenSSL, but I'd be quite
>>>>> surprised if that were the problem.
>>>>>
>>>>> Let us how it goes.
>>>>>
>>>>> Cheers,
>>>>> Alex
>>>>>
>>>>>
>>>>> On Wed, Aug 10, 2011 at 05:30:42PM +0530, Abhijit wrote:
>>>>>
>>>>>
>>>>>
>>>>>> Hi sir,
>>>>>>
>>>>>> The code worked now. the certificate you provided did work wondering why
>>>>>> my certificates are not working??
>>>>>>
>>>>>> Thanks and Regards,
>>>>>> Abhijit
>>>>>>
>>>>>>
>>>>>>
>>>>>> On 8/10/2011 5:20 PM, Alexandru Scvorţov wrote:
>>>>>>
>>>>>>
>>>>>>
>>>>>>> :( That seems perfectly fine.
>>>>>>>
>>>>>>> Other ways to get an "unknown ca" error:
>>>>>>> - forget to add the CA certificate to the Trust store;
>>>>>>> - have the client use a certificate signed by a different authority
>>>>>>> than the one given to the server.
>>>>>>>
>>>>>>> I'm out of ideas. I'm attaching:
>>>>>>> - cacert.pem and cacert.cer;
>>>>>>> - keycert.p12 (password is "test");
>>>>>>> - server's cert.pem, key.pem.
>>>>>>>
>>>>>>> You'll also need to set RemoteCertificateNameMismatch before starting the connection:
>>>>>>> cf.Ssl.AcceptablePolicyErrors =
>>>>>>> SslPolicyErrors.RemoteCertificateNameMismatch;
>>>>>>>
>>>>>>> Could you please try with these and see if it works (or if you get a
>>>>>>> different error)?
>>>>>>>
>>>>>>> Cheers,
>>>>>>> Alex
>>>>>>>
>>>>>>> On Wed, Aug 10, 2011 at 04:16:18PM +0530, Abhijit wrote:
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>>> Ok sir thanks,
>>>>>>>>
>>>>>>>> this is the post for the former command s_client:
>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>>> C:\>openssl s_client -connect localhost:5671 -CAfile testca/cacert.pem
>>>>>>>>> -cert cli
>>>>>>>>> ent/cert.pem -key client/key.pem -showcerts
>>>>>>>>> Loading 'screen' into random state - done
>>>>>>>>> CONNECTED(00000160)
>>>>>>>>> depth=1 CN = Kiprosh7
>>>>>>>>> verify return:1
>>>>>>>>> depth=0 CN = Kiprosh7, O = server
>>>>>>>>> verify return:1
>>>>>>>>> ---
>>>>>>>>> Certificate chain
>>>>>>>>> 0 s:/CN=Kiprosh7/O=server
>>>>>>>>> i:/CN=Kiprosh7
>>>>>>>>> -----BEGIN CERTIFICATE-----
>>>>>>>>> MIIC4TCCAcmgAwIBAgIBATANBgkqhkiG9w0BAQUFADATMREwDwYDVQQDEwhLaXBy
>>>>>>>>> b3NoNzAeFw0xMTA4MTAwODA1NTBaFw0xMjA4MDkwODA1NTBaMCQxETAPBgNVBAMM
>>>>>>>>> CEtpcHJvc2g3MQ8wDQYDVQQKDAZzZXJ2ZXIwggEiMA0GCSqGSIb3DQEBAQUAA4IB
>>>>>>>>> DwAwggEKAoIBAQDTDgQ3/vSBPvy0PAZYwk4H2qlFckaA75YfCYZ+HhIb+JUSrZ4r
>>>>>>>>> NcBEhvrH+7p1yft9IC4pgrgEbjmfQVTi8LGwtMRZmwpbmjqEfOALpra5x7Plb+7y
>>>>>>>>> CTT/iDc8uUwHLn2brXxNRn58IrEeD1X+rBxLNyek0pQu/hH31+REI5Sn1JZfi7gc
>>>>>>>>> 3PJEuaRzVJY4sE0neNWT+K+aD0n382qnziLEGOusXWNpggpoHVFKZR3Yojxj6Bfk
>>>>>>>>> 9lUvfUtIqz2zQ2dF0q6A0QVVlIenKzUK+rjHxQAUSb8P9CmCuRXUih3f61ahquQP
>>>>>>>>> CgSrkNnUV44D/wHfnxNm9QjxlQEGyr0DsTcFAgMBAAGjLzAtMAkGA1UdEwQCMAAw
>>>>>>>>> CwYDVR0PBAQDAgUgMBMGA1UdJQQMMAoGCCsGAQUFBwMBMA0GCSqGSIb3DQEBBQUA
>>>>>>>>> A4IBAQDE+cXjx6uNL/Kf/HmE7FeQ238iN7Gfb+I1QHmbRaR0qbTqcFzp7NCJ62uq
>>>>>>>>> nJ6Anj0+h1IFNMlQrCISSS0fnSj+mXMKDodZzV+cXFjdtoEXyqdDO0zphDMTRd8H
>>>>>>>>> oI79XSm5IK6vcPR+g2UTkhgrX1xfgeqZ8hmw0L0mMMGHXclwwaAF9HRNomFt32gr
>>>>>>>>> 1sVhFkhH/5epmgcl+8yI1E7UaQc91bYkUEuQFNu7irgc+/tvcXa4O4+dIfhnzrog
>>>>>>>>> 8piYUk4dxGME8LknQ213Gow9cgEKzcYadJ4DIr6gChkvAnYpHHHafWj/Ksvxyii6
>>>>>>>>> 8FxuTfgsrOYwkqEcSXeCGUS25nU9
>>>>>>>>> -----END CERTIFICATE-----
>>>>>>>>> 1 s:/CN=Kiprosh7
>>>>>>>>> i:/CN=Kiprosh7
>>>>>>>>> -----BEGIN CERTIFICATE-----
>>>>>>>>> MIICxjCCAa6gAwIBAgIJANsNRAs/ueOoMA0GCSqGSIb3DQEBBQUAMBMxETAPBgNV
>>>>>>>>> BAMTCEtpcHJvc2g3MB4XDTExMDgxMDA4MDEzMloXDTEyMDgwOTA4MDEzMlowEzER
>>>>>>>>> MA8GA1UEAxMIS2lwcm9zaDcwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIB
>>>>>>>>> AQDorxS4o/H/w7f+VYWkQk3gS7g7gWFd3S4eCVV35a3GEcyP2OS4pUhhZXyB0lN7
>>>>>>>>> xmUHqeixx7aNRnrc130SQ4kke1fuxtdLjKxu+oeASMLCSkF356m8X5FhuTnPkf2W
>>>>>>>>> x64i6nk9SOO+jdQo/kMChy0H7psKS5I2M0nb5WLxN/JOACNnxJOhFy8cGw7l32q6
>>>>>>>>> rEfqLkdnZJR09fiuf0hEbb/UodOt2tXXGN0Pp3X2x4cXnD6E2Va9QSBYIvPAnWEn
>>>>>>>>> FN2Te+Qwg+AxwHIkCjH9bfQ7fOeuGHAoanSnlqS5rW/T5sKKlkBl95WeJoTFjrCt
>>>>>>>>> CVDLilsnLrfmZkg3ICQtPbgNAgMBAAGjHTAbMAwGA1UdEwQFMAMBAf8wCwYDVR0P
>>>>>>>>> BAQDAgEGMA0GCSqGSIb3DQEBBQUAA4IBAQBGtbJQyQ1pWVo+7snqxCOn/KVN++Jo
>>>>>>>>> 8YEB4/MGKgHyoTWRAa3IXOSPtpunW/6yDziwcLZeO09MATeKCCAJf64LXZr7aM6J
>>>>>>>>> ZX6hFFNUyqa5w9AaZ4sAe70QwDYPS6dPqcyTab/DVVRGhJAKhUc2lX+UfcBhHYaz
>>>>>>>>> egKDKyIybHMmcQQm//SO0jo3Ak0565ZAMCdaaO/9RNJpJSxJf+HSVUg4sPLe/sAK
>>>>>>>>> QlXcdt8XlKsEKBzUHzfRvpbU/8gn1HO5G+CTvEW2kO6nssuKX41g5hMfRqu248TT
>>>>>>>>> jbGWMkYFMPDY1m2QWPqzLvaETGOWHwqpVWXuMhu7/T5sduDf2n084ok7
>>>>>>>>> -----END CERTIFICATE-----
>>>>>>>>> ---
>>>>>>>>> Server certificate
>>>>>>>>> subject=/CN=Kiprosh7/O=server
>>>>>>>>> issuer=/CN=Kiprosh7
>>>>>>>>> ---
>>>>>>>>> Acceptable client certificate CA names
>>>>>>>>> /CN=Kiprosh7
>>>>>>>>> ---
>>>>>>>>> SSL handshake has read 1663 bytes and written 2276 bytes
>>>>>>>>> ---
>>>>>>>>> New, TLSv1/SSLv3, Cipher is AES256-SHA
>>>>>>>>> Server public key is 2048 bit
>>>>>>>>> Secure Renegotiation IS supported
>>>>>>>>> Compression: NONE
>>>>>>>>> Expansion: NONE
>>>>>>>>> SSL-Session:
>>>>>>>>> Protocol : TLSv1
>>>>>>>>> Cipher : AES256-SHA
>>>>>>>>> Session-ID:
>>>>>>>>> 8703D018C270CC932648333F61FE3C986CB336B7C8074ACF3560E415934E26F2
>>>>>>>>>
>>>>>>>>> Session-ID-ctx:
>>>>>>>>> Master-Key:
>>>>>>>>> F5B8C5666355EE6C78910EBB649A65740104537ACEBB28E4A23DF51EA5DE9E6A
>>>>>>>>> FE3AC2C95B1929985DAFC09CDC6BDEAE
>>>>>>>>> Key-Arg : None
>>>>>>>>> PSK identity: None
>>>>>>>>> PSK identity hint: None
>>>>>>>>> Start Time: 1312972974
>>>>>>>>> Timeout : 300 (sec)
>>>>>>>>> Verify return code: 0 (ok)
>>>>>>>>> ---
>>>>>>>>>
>>>>>>>>>
>>>>>>>>>
>>>>>>>>>
>>>>>>>> Thanks and Regards,
>>>>>>>> Abhijit
>>>>>>>>
>>>>>>>>
>>>>>>>> On 8/10/2011 4:10 PM, Alexandru Scvorţov wrote:
>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>>>>> AMQP server protocol negotiation failure: server version
>>>>>>>>>>> unknown-unknown, client version 0-9
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>> That means the client connected successfully but closed the connection
>>>>>>>>> later because it wasn't talking to an AMQP server.
>>>>>>>>>
>>>>>>>>> That means that the client and certificates are fine, so the problem is
>>>>>>>>> configuring the server.
>>>>>>>>>
>>>>>>>>> When you try the other command (the openssl s_client) on the server,
>>>>>>>>> what output do you get? Could you please post it?
>>>>>>>>>
>>>>>>>>> Alex
>>>>>>>>>
>>>>>>>>> On Wed, Aug 10, 2011 at 04:00:26PM +0530, Abhijit wrote:
>>>>>>>>>
>>>>>>>>>
>>>>>>>>>
>>>>>>>>>
>>>>>>>>>
>>>>>>>>>> yes sir
>>>>>>>>>> no problem i thought so after looking at client cmd lines i did put
>>>>>>>>>> slash instead of dot, and now am getting this errors:
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>>> AMQP server protocol negotiation failure: server version
>>>>>>>>>>> unknown-unknown, client version 0-9
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>> Can you tell me what are next steps?
>>>>>>>>>>
>>>>>>>>>> Thanks and Regards,
>>>>>>>>>> Abhijit
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>> On 8/10/2011 3:57 PM, Alexandru Scvorţov wrote:
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>>>> Am still getting the same error am using the same config file.
>>>>>>>>>>>>
>>>>>>>>>>>>
>>>>>>>>>>>>
>>>>>>>>>>>>
>>>>>>>>>>>>
>>>>>>>>>>>>
>>>>>>>>>>> Ok, but are you sure it's actually the file used by the server? (we had
>>>>>>>>>>> some problems earlier about which file the server was using when started
>>>>>>>>>>> from the command prompt or as a service)
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>>>> openssl s_server -accept 5671 -CAfile testca/cacert.pem -cert
>>>>>>>>>>>>> server/cert.pem -key server.key.pem -state
>>>>>>>>>>>>>
>>>>>>>>>>>>>
>>>>>>>>>>>>>
>>>>>>>>>>>>>
>>>>>>>>>>>>>
>>>>>>>>>>>>>
>>>>>>>>>>> My mistake. That should be:
>>>>>>>>>>> openssl s_server -accept 5671 -CAfile testca/cacert.pem -cert
>>>>>>>>>>> server/cert.pem -key server/key.pem -state
>>>>>>>>>>>
>>>>>>>>>>> (dot instead of slash in server.key.pem)
>>>>>>>>>>>
>>>>>>>>>>> BTW, if they're disposable, could you send the certificates and keys?
>>>>>>>>>>> We've had problems before with the certificates generated by OpenSSL,
>>>>>>>>>>> which were usually solved by using a different version. Maybe this is
>>>>>>>>>>> happening here.
>>>>>>>>>>>
>>>>>>>>>>> Cheers,
>>>>>>>>>>> Alex
>>>>>>>>>>>
>>>>>>>>>>> On Wed, Aug 10, 2011 at 03:46:39PM +0530, Abhijit wrote:
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>>> hi sir,
>>>>>>>>>>>>
>>>>>>>>>>>> Am still getting the same error am using the same config file.
>>>>>>>>>>>>
>>>>>>>>>>>> But i was not able to run this command you sent me:
>>>>>>>>>>>>
>>>>>>>>>>>>
>>>>>>>>>>>>
>>>>>>>>>>>>
>>>>>>>>>>>>
>>>>>>>>>>>>
>>>>>>>>>>>>
>>>>>>>>>>>>> openssl s_server -accept 5671 -CAfile testca/cacert.pem -cert
>>>>>>>>>>>>> server/cert.pem -key server.key.pem -state
>>>>>>>>>>>>>
>>>>>>>>>>>>>
>>>>>>>>>>>>>
>>>>>>>>>>>>>
>>>>>>>>>>>>>
>>>>>>>>>>>>>
>>>>>>>>>>>> was getting an error: unable to load server certificate private key file.
>>>>>>>>>>>>
>>>>>>>>>>>> Thanks and Regards,
>>>>>>>>>>>> Abhijit
>>>>>>>>>>>>
>>>>>>>>>>>>
>>>>>>>>>>>>
>>>>>>>>>>>>
>>>>>>>>>>>>
>>>>>>>>>>>>
>>>>>>>>>>>>
>>>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>
>>>>>>
>>>>
>>>>
>>
-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
Name: key.pem
URL: <http://lists.rabbitmq.com/pipermail/rabbitmq-discuss/attachments/20110811/39130f2e/attachment.txt>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: keycert.p12
Type: application/octet-stream
Size: 2341 bytes
Desc: not available
URL: <http://lists.rabbitmq.com/pipermail/rabbitmq-discuss/attachments/20110811/39130f2e/attachment.obj>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: cacert.cer
Type: application/octet-stream
Size: 714 bytes
Desc: not available
URL: <http://lists.rabbitmq.com/pipermail/rabbitmq-discuss/attachments/20110811/39130f2e/attachment-0001.obj>
-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
Name: cacert.pem
URL: <http://lists.rabbitmq.com/pipermail/rabbitmq-discuss/attachments/20110811/39130f2e/attachment.asc>
-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
Name: cert.pem
URL: <http://lists.rabbitmq.com/pipermail/rabbitmq-discuss/attachments/20110811/39130f2e/attachment-0001.txt>
More information about the rabbitmq-discuss
mailing list