[rabbitmq-discuss] ssl handshake failure

Smithnosky, Jesse Jesse.Smithnosky at emc.com
Tue Apr 29 01:37:35 BST 2014


Hi All,

I am trying to connect from one broker to another using SSL.  I am using these instructions <https://www.rabbitmq.com/ssl.html> as my primary guide.  I have three certificates/keys involved:

(1) client_ec_cert.pem (the client's public key)
(2) client_ec_pri_key.pem (the client's private key)
(3) root_ec_cert.pem (the authoritative certificate)

First of all, note that we are using Elliptic curve <http://en.wikipedia.org/wiki/Elliptic_curve_cryptography> certs and keys.  I wouldn't have thought that would be a problem, but at this point I am not ruling anything out.

I converted the .pem files from (1) and (3) to .der format using a command from this guide <https://www.sslshopper.com/ssl-converter.html> of the following form:

Convert PEM to DER:

    openssl x509 -outform der -in certificate.pem -out certificate.der

I then successfully imported these two .der files into my keystore using a command that looks like this (except with the correct file names and paths, etc).

    # keytool -import -alias server1 -file /path/to/server/cert.der -keystore /path/to/rabbitstore

This completed with no errors.

For some reason, however, I was unable to convert the private key in (2) in such fashion, and had to do something like this:

    openssl pkcs12 -export -in client_ec_cert.pem -inkey client_ec_pri_key.pem > client.p12

I tried several versions of this conversion, and successfully imported a few of the results into my keystore.  Each time, however, my Java code results in a javax.net.ssl.SSLHandshakeException.

// Imports and the enclosing class are added so the posted method compiles as a unit;
// the method body is the poster's code.
import java.io.FileInputStream;
import java.io.IOException;
import java.security.KeyManagementException;
import java.security.KeyStore;
import java.security.KeyStoreException;
import java.security.NoSuchAlgorithmException;
import java.security.SecureRandom;
import java.security.UnrecoverableKeyException;
import java.security.cert.CertificateException;
import java.util.logging.Level;
import java.util.logging.Logger;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManagerFactory;
import com.rabbitmq.client.Channel;
import com.rabbitmq.client.Connection;
import com.rabbitmq.client.ConnectionFactory;

public class BrmSslClient
{
  private static final Logger log = Logger.getLogger(BrmSslClient.class.getName());

  public final boolean declareBrmExchangesAndQueuesSSL(String brmHostname)
  {
    try
    {
      // Client identity: the PKCS#12 file produced by "openssl pkcs12 -export" above.
      char [] keyPassphrase = "password".toCharArray();
      KeyStore ks = KeyStore.getInstance("PKCS12");
      ks.load(new FileInputStream("/etc/rabbitmq/client.p12"), keyPassphrase);
      KeyManagerFactory kmf = KeyManagerFactory.getInstance("SunX509");
      kmf.init(ks, keyPassphrase);

      // Trust store: the JKS keystore the DER certificates were imported into with keytool.
      char[] trustPassphrase = keyPassphrase;
      KeyStore tks = KeyStore.getInstance("JKS");
      tks.load(new FileInputStream("/usr/local/avamar/lib/avamar_keystore"), trustPassphrase);
      TrustManagerFactory tmf = TrustManagerFactory.getInstance("SunX509");
      tmf.init(tks);

      // SSLv3 as posted; note that current JDKs disable SSLv3 by default.
      SSLContext context = SSLContext.getInstance("SSLv3");
      context.init(kmf.getKeyManagers(), tmf.getTrustManagers(), new SecureRandom());

      ConnectionFactory factory = new ConnectionFactory();
      factory.setHost(brmHostname);
      factory.setPort(5671);
      factory.useSslProtocol(context);

      Connection conn = factory.newConnection();
      Channel channel = conn.createChannel();

      //rest of code omitted...failure happens right here.

    }
    catch (IOException e)
    {
      e.printStackTrace();
      log.log(Level.WARNING, e.getMessage());
      return false;
    }
    catch (KeyManagementException e)
    {
      e.printStackTrace();
      log.log(Level.WARNING, e.getMessage());
      return false;
    }
    catch (NoSuchAlgorithmException e)
    {
      e.printStackTrace();
      log.log(Level.WARNING, e.getMessage());
      return false;
    }
    catch (CertificateException e)
    {
      e.printStackTrace();
      log.log(Level.WARNING, e.getMessage());
      return false;
    }
    catch (KeyStoreException e)
    {
      e.printStackTrace();
      log.log(Level.WARNING, e.getMessage());
      return false;
    }
    catch (UnrecoverableKeyException e)
    {
      e.printStackTrace();
      log.log(Level.WARNING, e.getMessage());
      return false;
    }
    return true;
  }
}

Am I doing anything obviously incorrectly?  I also attempted adding the server's public key to my client's keystore, but the result was the same.  Any help would be greatly appreciated.

Thanks,
Jesse Smithnosky
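As an added diagnostic (not code from the original post or from the RabbitMQ client), the following Java program performs the same TLS handshake against port 5671 with a plain SSLSocket: it first checks that client.p12 actually holds a private-key entry (an export that kept only the certificate means no client certificate is ever sent), then negotiates TLS 1.2 with hostname verification and reports what the broker accepted. The broker name and passphrase are placeholders, and it assumes the broker's certificate matches the host name given.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.util.Collections;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLParameters;
import javax.net.ssl.SSLSocket;
import javax.net.ssl.TrustManagerFactory;

public class BrokerTlsCheck {
    static KeyStore load(String type, String path, char[] pass) throws Exception {
        KeyStore ks = KeyStore.getInstance(type);
        try (InputStream in = new FileInputStream(path)) { ks.load(in, pass); }
        return ks;
    }
    public static void main(String[] args) throws Exception {
        String host = args.length > 0 ? args[0] : "broker.example.invalid";   // placeholder broker name
        char[] pass = "password".toCharArray();                               // placeholder passphrase
        // 1. The PKCS#12 file must hold a private-key entry; an export that kept only the
        //    certificate means no client certificate is ever sent during the handshake.
        KeyStore ks = load("PKCS12", "/etc/rabbitmq/client.p12", pass);
        boolean hasKey = false;
        for (String alias : Collections.list(ks.aliases())) {
            hasKey |= ks.isKeyEntry(alias);
            System.out.println("client store: " + alias + (ks.isKeyEntry(alias) ? " [private key]" : " [certificate only]"));
        }
        if (!hasKey) throw new IllegalStateException("client.p12 contains no private key");
        KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        kmf.init(ks, pass);
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(load("JKS", "/path/to/rabbitstore", pass));   // trust store holding the root certificate
        // 2. Negotiate TLS 1.2 (not SSLv3) and check the broker's name against its certificate.
        SSLContext ctx = SSLContext.getInstance("TLSv1.2");
        ctx.init(kmf.getKeyManagers(), tmf.getTrustManagers(), null);
        try (SSLSocket s = (SSLSocket) ctx.getSocketFactory().createSocket(host, 5671)) {
            SSLParameters p = s.getSSLParameters();
            p.setEndpointIdentificationAlgorithm("HTTPS");
            s.setSSLParameters(p);
            s.startHandshake();   // an SSLHandshakeException here carries the actual rejection reason
            System.out.println("negotiated " + s.getSession().getProtocol() + " / " + s.getSession().getCipherSuite());
            for (Certificate c : s.getSession().getPeerCertificates())
                System.out.println("broker presented: " + ((X509Certificate) c).getSubjectX500Principal());
        }
    }
}
```

Running it with -Djavax.net.debug=ssl,handshake shows which side sends the fatal alert and at which handshake message, which is usually more informative than the bare SSLHandshakeException.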
