[rabbitmq-discuss] ssl handshake failure
Smithnosky, Jesse
Jesse.Smithnosky at emc.com
Tue Apr 29 01:37:35 BST 2014
Hi All,
I am trying to connect from one broker to another using SSL. I am using these instructions <https://www.rabbitmq.com/ssl.html> as my primary guide. I have three certificates/keys involved:
(1) client_ec_cert.pem (the client's public key)
(2) client_ec_pri_key.pem (the client's private key)
(3) root_ec_cert.pm (the authoritative certificate)
First of all, note that we are using Elliptic curve <http://en.wikipedia.org/wiki/Elliptic_curve_cryptography> certs and keys. I wouldn't have thought that would be a problem, but at this point I am not ruling anything out.
I converted the .pem files from (1) and (3) to .der format using a command from this guide<https://www.sslshopper.com/ssl-converter.html> of the following form:
Convert PEM to DER
openssl x509 -outform der -in certificate.pem -out certificate.der
I then successfully imported these two .der files into my keystore using a command that looks like this (except with the correct file names and paths, etc.).
    # keytool -import -alias server1 -file /path/to/server/cert.der -keystore /path/to/rabbitstore
This completed with no errors.
For some reason, however, I was unable to convert the private key in (2) in such fashion, and had to do something like this:
    openssl pkcs12 -export -in client_ec_cert.pem -inkey client_ec_pri_key.pem > client.p12
I tried several versions of this conversion, and successfully imported a few of the results into my keystore. Each time, however, my java code results in a javax.net.ssl.SSLHandshakeException.
    import java.io.FileInputStream;
    import java.io.IOException;
    import java.security.GeneralSecurityException;
    import java.security.KeyStore;
    import java.security.SecureRandom;
    import java.util.logging.Level;
    import javax.net.ssl.KeyManagerFactory;
    import javax.net.ssl.SSLContext;
    import javax.net.ssl.TrustManagerFactory;
    import com.rabbitmq.client.Channel;
    import com.rabbitmq.client.Connection;
    import com.rabbitmq.client.ConnectionFactory;

    public final boolean declareBrmExchangesAndQueuesSSL(String brmHostname)
    {
        try
        {
            // Client key store: the PKCS12 file exported from the client cert + private key.
            char[] keyPassphrase = "password".toCharArray();
            KeyStore ks = KeyStore.getInstance("PKCS12");
            try (FileInputStream in = new FileInputStream("/etc/rabbitmq/client.p12"))
            {
                ks.load(in, keyPassphrase);
            }
            KeyManagerFactory kmf = KeyManagerFactory.getInstance("SunX509");
            kmf.init(ks, keyPassphrase);

            // Trust store: the JKS file the .der certificates were imported into with keytool.
            char[] trustPassphrase = keyPassphrase;
            KeyStore tks = KeyStore.getInstance("JKS");
            try (FileInputStream in = new FileInputStream("/usr/local/avamar/lib/avamar_keystore"))
            {
                tks.load(in, trustPassphrase);
            }
            TrustManagerFactory tmf = TrustManagerFactory.getInstance("SunX509");
            tmf.init(tks);

            // Protocol as requested in the original code. Note that SSLv3 is disabled by
            // current JVMs and by RabbitMQ's default configuration; TLS is expected.
            SSLContext context = SSLContext.getInstance("SSLv3");
            context.init(kmf.getKeyManagers(), tmf.getTrustManagers(), new SecureRandom());

            ConnectionFactory factory = new ConnectionFactory();
            factory.setHost(brmHostname);
            factory.setPort(5671);
            factory.useSslProtocol(context);
            Connection conn = factory.newConnection();
            Channel channel = conn.createChannel();
            //rest of code omitted...failure happens right here.
        }
        // KeyManagementException, NoSuchAlgorithmException, CertificateException,
        // KeyStoreException and UnrecoverableKeyException all extend GeneralSecurityException.
        catch (IOException | GeneralSecurityException e)
        {
            e.printStackTrace();
            log.log(Level.WARNING, e.getMessage());
            return false;
        }
        return true;
    }
Am I doing anything obviously incorrectly? I also attempted adding the server's public key to my client's keystore, but the result was the same. Any help would be greatly appreciated.
Thanks,
Jesse Smithnosky
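Added example (not from the post above or from the RabbitMQ project): a mutual-TLS client that inspects its key store and trust store before connecting, so a handshake failure can be separated from a key store that simply holds no private key. The most common outcome of the conversion steps described in the post is a PKCS12 or JKS file that contains only trusted certificates; the key manager then has nothing to present and a broker configured with verify_peer and fail_if_no_peer_cert rejects the handshake. The check prints the key algorithm, so an EC key that loaded correctly shows up as "EC". All paths, passwords, aliases and the host name are placeholders; the code assumes RabbitMQ Java client 5.x (Connection and Channel are AutoCloseable, enableHostnameVerification() exists from 5.4) and a JVM with TLSv1.2 enabled.

```java
import java.io.FileInputStream;
import java.io.IOException;
import java.security.GeneralSecurityException;
import java.security.KeyStore;
import java.security.SecureRandom;
import java.security.cert.X509Certificate;
import java.util.Collections;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManagerFactory;
import com.rabbitmq.client.Channel;
import com.rabbitmq.client.Connection;
import com.rabbitmq.client.ConnectionFactory;

public final class MutualTlsClient {

    /** Load a key store of the given type ("PKCS12" or "JKS") from disk. */
    static KeyStore loadStore(String type, String path, char[] password)
            throws IOException, GeneralSecurityException {
        KeyStore store = KeyStore.getInstance(type);
        try (FileInputStream in = new FileInputStream(path)) {
            store.load(in, password);
        }
        return store;
    }

    /**
     * Fail early if the client key store holds no private-key entry or the trust store
     * holds no certificate. A PKCS12 exported without -inkey, or a DER certificate imported
     * with "keytool -import", produces a store of trusted certificates only: usable as a
     * trust store, useless as a client key store.
     */
    static void checkStores(KeyStore keyStore, KeyStore trustStore, char[] keyPassword)
            throws GeneralSecurityException {
        boolean hasKey = false;
        for (String alias : Collections.list(keyStore.aliases())) {
            if (keyStore.isKeyEntry(alias) && keyStore.getKey(alias, keyPassword) != null) {
                X509Certificate cert = (X509Certificate) keyStore.getCertificate(alias);
                System.out.println("client key entry '" + alias + "' for "
                        + cert.getSubjectX500Principal() + " (" + cert.getPublicKey().getAlgorithm() + ")");
                hasKey = true;
            }
        }
        if (!hasKey) {
            throw new GeneralSecurityException("client key store contains no private key entry");
        }
        boolean hasTrustedCert = false;
        for (String alias : Collections.list(trustStore.aliases())) {
            hasTrustedCert |= trustStore.isCertificateEntry(alias);
        }
        if (!hasTrustedCert) {
            throw new GeneralSecurityException("trust store contains no CA certificate");
        }
    }

    /** Build an SSLContext that presents the client key and trusts only the given CA store. */
    static SSLContext buildContext(KeyStore keyStore, char[] keyPassword, KeyStore trustStore)
            throws GeneralSecurityException {
        KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        kmf.init(keyStore, keyPassword);
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(trustStore);
        // TLSv1.2 rather than SSLv3: SSLv3 is disabled in current JVMs and broker defaults.
        SSLContext context = SSLContext.getInstance("TLSv1.2");
        context.init(kmf.getKeyManagers(), tmf.getTrustManagers(), new SecureRandom());
        return context;
    }

    public static void main(String[] args) throws Exception {
        char[] password = "changeit".toCharArray();                                   // placeholder
        KeyStore keyStore = loadStore("PKCS12", "/path/to/client.p12", password);     // placeholder path
        KeyStore trustStore = loadStore("JKS", "/path/to/truststore.jks", password);  // placeholder path
        checkStores(keyStore, trustStore, password);

        ConnectionFactory factory = new ConnectionFactory();
        factory.setHost("broker.example.internal");   // placeholder host
        factory.setPort(5671);
        factory.useSslProtocol(buildContext(keyStore, password, trustStore));
        // RabbitMQ Java client 5.4+: without this the broker's certificate is not matched
        // against the host name, so a valid cert for any host in the trust chain is accepted.
        factory.enableHostnameVerification();

        try (Connection conn = factory.newConnection();
             Channel channel = conn.createChannel()) {
            System.out.println("TLS connection established to " + conn.getAddress());
        }
    }
}
```

Run it once against the real key store before touching the broker side: if checkStores() throws, the PKCS12 export or keytool import is the problem, not the handshake; if it passes and the broker still rejects the connection, compare the printed subject and the broker's ssl_options (cacertfile, verify, fail_if_no_peer_cert) in the broker log.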