[rabbitmq-discuss] rabbitmq-c - "SSL peer cert verification failed"

Dan Berger dberger at fiveringscapital.com
Fri May 30 16:23:12 BST 2014


When I run amqps_listenq it fails at the amqp_socket_open step, which returns AMQP_STATUS_SSL_PEER_VERIFY_FAILED = -0x0202.

Further digging shows that the call to SSL_get_verify_result is returning X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN (https://www.openssl.org/docs/apps/verify.html#item_19).


From: rabbitmq-discuss [mailto:rabbitmq-discuss-bounces at lists.rabbitmq.com] On Behalf Of Alan Antonuk
Sent: Friday, May 30, 2014 1:00 AM
To: Discussions about RabbitMQ
Subject: Re: [rabbitmq-discuss] rabbitmq-c - "SSL peer cert verification failed"

Hmm.  Do you get any other information when you try running one of the amqps_* example programs that can be built with rabbitmq-c?

-Alan

On Thu May 29 2014 at 1:41:06 PM, Dan Berger <dberger at fiveringscapital.com<mailto:dberger at fiveringscapital.com>> wrote:
The .p12 file I started with does require a password (which I provide to the java and c# clients). For rabbitmq-c I’ve converted the p12 to pem while removing the password and then broken the file down into the 3 components.

From: rabbitmq-discuss [mailto:rabbitmq-discuss-bounces at lists.rabbitmq.com<mailto:rabbitmq-discuss-bounces at lists.rabbitmq.com>] On Behalf Of alan.antonuk at gmail.com<mailto:alan.antonuk at gmail.com>
Sent: Thursday, May 29, 2014 2:44 PM
To: Discussions about RabbitMQ
Subject: Re: [rabbitmq-discuss] rabbitmq-c - "SSL peer cert verification failed"

Does your private key require a password to decrypt it? (rabbitmq-c doesn't provide any hooks to unlock private keys).

-Alan
On Thu May 29 2014 at 8:42:12 AM, Dan Berger <dberger at fiveringscapital.com<mailto:dberger at fiveringscapital.com>> wrote:
I used openssl to extract the CA cert, the certificate chain and the private key into 3 separate file and now I’m running:

   openssl s_client -connect myhost.com:50010<http://myhost.com:50010> -key test.key -cert test.crt -CAfile test.cac -verify 10

and I get “Verify return code: 0 (ok)” which I think means success. I still get the same error when running my app with those 3 files.

Any other thoughts?


On Thursday, May 29, 2014 12:10 AM, Dan alan.antonuk at gmail.com<mailto:alan.antonuk at gmail.com> wrote:

You need to provide both the certificate chain file and the private key file (they're not the same file).

To debug this with the openssl s_client command, you'll need to pass in the -verify, -key and -cert flags with appropriate values.

HTH
-Alan

On Wed May 28 2014 at 7:45:52 AM, Dan Berger <dberger at fiveringscapital.com<mailto:dberger at fiveringscapital.com>> wrote:
I’m just starting development on a c++ client app to connect to a vendor’s server.

I’m trying the SimpleAmqpClient library which is built on top of rabbitmq-c.

The provided a self-signed client certificate in .p12 format that I’ve converted to .pem. This contains a public and private key and also a CA public key.

I’m now trying to connect while providing the .pem file as the CA cert, client cert and client private key.

While connecting, I get:
'AmqpClient::AmqpLibraryException'
  what():  Error setting client certificate for socket: SSL peer cert verification failed

Digging into rabbitmq-c, I see this is due to the call to amqp_ssl_socket_set_key failing.

Running openssl s_client seems to work fine, so I’m not sure what I’m doing wrong. Any ideas?

-Dan
_______________________________________________
rabbitmq-discuss mailing list
rabbitmq-discuss at lists.rabbitmq.com<mailto:rabbitmq-discuss at lists.rabbitmq.com>
https://lists.rabbitmq.com/cgi-bin/mailman/listinfo/rabbitmq-discuss
_______________________________________________
rabbitmq-discuss mailing list
rabbitmq-discuss at lists.rabbitmq.com<mailto:rabbitmq-discuss at lists.rabbitmq.com>
https://lists.rabbitmq.com/cgi-bin/mailman/listinfo/rabbitmq-discuss
_______________________________________________
rabbitmq-discuss mailing list
rabbitmq-discuss at lists.rabbitmq.com<mailto:rabbitmq-discuss at lists.rabbitmq.com>
https://lists.rabbitmq.com/cgi-bin/mailman/listinfo/rabbitmq-discuss
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.rabbitmq.com/pipermail/rabbitmq-discuss/attachments/20140530/64449afd/attachment.html>


More information about the rabbitmq-discuss mailing list