[rabbitmq-discuss] facing issues with the SSL implementations with RabbitMQ + Windows + .Net

Alexandru Scvorţov alexandru at rabbitmq.com
Wed Aug 10 13:18:24 BST 2011


> The code worked now. the certificate you provided did work
Great to hear that.  

>  wondering why 
> my certificates are not working??

I suspect you got some step in the certificate generation wrong (I
generated the certificates following the instructions on the website).
It's ridiculously easy to get something wrong.

I'd delete all the certificates, and CA you generated and try again.
The website instructions are right.  You might want to try without
changing anything (the CA's name, for instance) just to see that it
works.

You could also try a different version of OpenSSL, but I'd be quite
surprised if that were the problem.

Let us know how it goes.

Cheers,
Alex


On Wed, Aug 10, 2011 at 05:30:42PM +0530, Abhijit wrote:
> Hi sir,
> 
> The code worked now. the certificate you provided did work wondering why 
> my certificates are not working??
> 
> Thanks and Regards,
> Abhijit
> 
> 
> 
> On 8/10/2011 5:20 PM, Alexandru Scvorţov wrote:
> > :(  That seems perfectly fine.
> >
> > Other ways to get an "unknown ca" error:
> >    - forget to add the CA certificate to the Trust store;
> >    - have the client use a certificate signed by a different authority
> >      than the one given to the server.
> >
> > I'm out of ideas.  I'm attaching:
> >    - cacert.pem and cacert.cer;
> >    - keycert.p12 (password is "test");
> >    - server's cert.pem, key.pem.
> >
> > You'll also need to set RemoteCertificateNameMismatch before starting the connection:
> >    cf.Ssl.AcceptablePolicyErrors =
> >      SslPolicyErrors.RemoteCertificateNameMismatch;
> >
> > Could you please try with these and see if it works (or if you get a
> > different error)?
> >
> > Cheers,
> > Alex
> >
> > On Wed, Aug 10, 2011 at 04:16:18PM +0530, Abhijit wrote:
> >    
> >> Ok sir thanks,
> >>
> >> this is the post for the former command s_client:
> >>      
> >>> C:\>openssl s_client -connect localhost:5671 -CAfile testca/cacert.pem -cert client/cert.pem -key client/key.pem -showcerts
> >>> Loading 'screen' into random state - done
> >>> CONNECTED(00000160)
> >>> depth=1 CN = Kiprosh7
> >>> verify return:1
> >>> depth=0 CN = Kiprosh7, O = server
> >>> verify return:1
> >>> ---
> >>> Certificate chain
> >>>   0 s:/CN=Kiprosh7/O=server
> >>>     i:/CN=Kiprosh7
> >>> -----BEGIN CERTIFICATE-----
> >>> MIIC4TCCAcmgAwIBAgIBATANBgkqhkiG9w0BAQUFADATMREwDwYDVQQDEwhLaXBy
> >>> b3NoNzAeFw0xMTA4MTAwODA1NTBaFw0xMjA4MDkwODA1NTBaMCQxETAPBgNVBAMM
> >>> CEtpcHJvc2g3MQ8wDQYDVQQKDAZzZXJ2ZXIwggEiMA0GCSqGSIb3DQEBAQUAA4IB
> >>> DwAwggEKAoIBAQDTDgQ3/vSBPvy0PAZYwk4H2qlFckaA75YfCYZ+HhIb+JUSrZ4r
> >>> NcBEhvrH+7p1yft9IC4pgrgEbjmfQVTi8LGwtMRZmwpbmjqEfOALpra5x7Plb+7y
> >>> CTT/iDc8uUwHLn2brXxNRn58IrEeD1X+rBxLNyek0pQu/hH31+REI5Sn1JZfi7gc
> >>> 3PJEuaRzVJY4sE0neNWT+K+aD0n382qnziLEGOusXWNpggpoHVFKZR3Yojxj6Bfk
> >>> 9lUvfUtIqz2zQ2dF0q6A0QVVlIenKzUK+rjHxQAUSb8P9CmCuRXUih3f61ahquQP
> >>> CgSrkNnUV44D/wHfnxNm9QjxlQEGyr0DsTcFAgMBAAGjLzAtMAkGA1UdEwQCMAAw
> >>> CwYDVR0PBAQDAgUgMBMGA1UdJQQMMAoGCCsGAQUFBwMBMA0GCSqGSIb3DQEBBQUA
> >>> A4IBAQDE+cXjx6uNL/Kf/HmE7FeQ238iN7Gfb+I1QHmbRaR0qbTqcFzp7NCJ62uq
> >>> nJ6Anj0+h1IFNMlQrCISSS0fnSj+mXMKDodZzV+cXFjdtoEXyqdDO0zphDMTRd8H
> >>> oI79XSm5IK6vcPR+g2UTkhgrX1xfgeqZ8hmw0L0mMMGHXclwwaAF9HRNomFt32gr
> >>> 1sVhFkhH/5epmgcl+8yI1E7UaQc91bYkUEuQFNu7irgc+/tvcXa4O4+dIfhnzrog
> >>> 8piYUk4dxGME8LknQ213Gow9cgEKzcYadJ4DIr6gChkvAnYpHHHafWj/Ksvxyii6
> >>> 8FxuTfgsrOYwkqEcSXeCGUS25nU9
> >>> -----END CERTIFICATE-----
> >>>   1 s:/CN=Kiprosh7
> >>>     i:/CN=Kiprosh7
> >>> -----BEGIN CERTIFICATE-----
> >>> MIICxjCCAa6gAwIBAgIJANsNRAs/ueOoMA0GCSqGSIb3DQEBBQUAMBMxETAPBgNV
> >>> BAMTCEtpcHJvc2g3MB4XDTExMDgxMDA4MDEzMloXDTEyMDgwOTA4MDEzMlowEzER
> >>> MA8GA1UEAxMIS2lwcm9zaDcwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIB
> >>> AQDorxS4o/H/w7f+VYWkQk3gS7g7gWFd3S4eCVV35a3GEcyP2OS4pUhhZXyB0lN7
> >>> xmUHqeixx7aNRnrc130SQ4kke1fuxtdLjKxu+oeASMLCSkF356m8X5FhuTnPkf2W
> >>> x64i6nk9SOO+jdQo/kMChy0H7psKS5I2M0nb5WLxN/JOACNnxJOhFy8cGw7l32q6
> >>> rEfqLkdnZJR09fiuf0hEbb/UodOt2tXXGN0Pp3X2x4cXnD6E2Va9QSBYIvPAnWEn
> >>> FN2Te+Qwg+AxwHIkCjH9bfQ7fOeuGHAoanSnlqS5rW/T5sKKlkBl95WeJoTFjrCt
> >>> CVDLilsnLrfmZkg3ICQtPbgNAgMBAAGjHTAbMAwGA1UdEwQFMAMBAf8wCwYDVR0P
> >>> BAQDAgEGMA0GCSqGSIb3DQEBBQUAA4IBAQBGtbJQyQ1pWVo+7snqxCOn/KVN++Jo
> >>> 8YEB4/MGKgHyoTWRAa3IXOSPtpunW/6yDziwcLZeO09MATeKCCAJf64LXZr7aM6J
> >>> ZX6hFFNUyqa5w9AaZ4sAe70QwDYPS6dPqcyTab/DVVRGhJAKhUc2lX+UfcBhHYaz
> >>> egKDKyIybHMmcQQm//SO0jo3Ak0565ZAMCdaaO/9RNJpJSxJf+HSVUg4sPLe/sAK
> >>> QlXcdt8XlKsEKBzUHzfRvpbU/8gn1HO5G+CTvEW2kO6nssuKX41g5hMfRqu248TT
> >>> jbGWMkYFMPDY1m2QWPqzLvaETGOWHwqpVWXuMhu7/T5sduDf2n084ok7
> >>> -----END CERTIFICATE-----
> >>> ---
> >>> Server certificate
> >>> subject=/CN=Kiprosh7/O=server
> >>> issuer=/CN=Kiprosh7
> >>> ---
> >>> Acceptable client certificate CA names
> >>> /CN=Kiprosh7
> >>> ---
> >>> SSL handshake has read 1663 bytes and written 2276 bytes
> >>> ---
> >>> New, TLSv1/SSLv3, Cipher is AES256-SHA
> >>> Server public key is 2048 bit
> >>> Secure Renegotiation IS supported
> >>> Compression: NONE
> >>> Expansion: NONE
> >>> SSL-Session:
> >>>      Protocol  : TLSv1
> >>>      Cipher    : AES256-SHA
> >>>      Session-ID:
> >>> 8703D018C270CC932648333F61FE3C986CB336B7C8074ACF3560E415934E26F2
> >>>
> >>>      Session-ID-ctx:
> >>>      Master-Key:
> >>> F5B8C5666355EE6C78910EBB649A65740104537ACEBB28E4A23DF51EA5DE9E6A
> >>> FE3AC2C95B1929985DAFC09CDC6BDEAE
> >>>      Key-Arg   : None
> >>>      PSK identity: None
> >>>      PSK identity hint: None
> >>>      Start Time: 1312972974
> >>>      Timeout   : 300 (sec)
> >>>      Verify return code: 0 (ok)
> >>> ---
> >> Thanks and Regards,
> >> Abhijit
> >>
> >>
> >> On 8/10/2011 4:10 PM, Alexandru Scvorţov wrote:
> >>>>> AMQP server protocol negotiation failure: server version
> >>>>> unknown-unknown, client version 0-9
> >>>>>
> >>> That means the client connected successfully but closed the connection
> >>> later because it wasn't talking to an AMQP server.
> >>>
> >>> That means that the client and certificates are fine, so the problem is
> >>> configuring the server.
> >>>
> >>> When you try the other command (the openssl s_client) on the server,
> >>> what output do you get?  Could you please post it?
> >>>
> >>> Alex
> >>>
> >>> On Wed, Aug 10, 2011 at 04:00:26PM +0530, Abhijit wrote:
> >>>
> >>>> yes sir
> >>>> no problem i thought so after looking at client cmd lines i did put
> >>>> slash instead of dot, and now am getting this errors:
> >>>>
> >>>>
> >>>>> AMQP server protocol negotiation failure: server version
> >>>>> unknown-unknown, client version 0-9
> >>>>>
> >>>> Can you tell me what are next steps?
> >>>>
> >>>> Thanks and Regards,
> >>>> Abhijit
> >>>>
> >>>>
> >>>> On 8/10/2011 3:57 PM, Alexandru Scvorţov wrote:
> >>>>
> >>>>>> Am still getting the same error am using the same config file.
> >>>>>>
> >>>>>>
> >>>>> Ok, but are you sure it's actually the file used by the server? (we had
> >>>>> some problems earlier about which file the server was using when started
> >>>>> from the command prompt or as a service)
> >>>>>
> >>>>>
> >>>>>
> >>>>>>> openssl s_server -accept 5671 -CAfile testca/cacert.pem -cert
> >>>>>>> server/cert.pem -key server.key.pem -state
> >>>>>>>
> >>>>>>>
> >>>>> My mistake.  That should be:
> >>>>>      openssl s_server -accept 5671 -CAfile testca/cacert.pem -cert
> >>>>>      server/cert.pem -key server/key.pem -state
> >>>>>
> >>>>> (dot instead of slash in server.key.pem)
> >>>>>
> >>>>> BTW, if they're disposable, could you send the certificates and keys?
> >>>>> We've had problems before with the certificates generated by OpenSSL,
> >>>>> which were usually solved by using a different version.  Maybe this is
> >>>>> happening here.
> >>>>>
> >>>>> Cheers,
> >>>>> Alex
> >>>>>
> >>>>> On Wed, Aug 10, 2011 at 03:46:39PM +0530, Abhijit wrote:
> >>>>>
> >>>>>
> >>>>>> hi sir,
> >>>>>>
> >>>>>> Am still getting the same error am using the same config file.
> >>>>>>
> >>>>>> But i was not able to run this command you sent me:
> >>>>>>
> >>>>>>
> >>>>>>
> >>>>>>> openssl s_server -accept 5671 -CAfile testca/cacert.pem -cert
> >>>>>>> server/cert.pem -key server.key.pem -state
> >>>>>>>
> >>>>>>>
> >>>>>> was getting an error: unable to load server certificate private key file.
> >>>>>>
> >>>>>> Thanks and Regards,
> >>>>>> Abhijit
> >>>>>>
> >>>>>>
> >>>>>>
> >>>>>>
> 
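Alex's two likely causes of an "unknown ca" error (the CA certificate missing from the trust store, or the client presenting a certificate signed by a different authority than the one the server was given) can be checked with `openssl verify` before touching any client configuration. The script below is an added example, not code from the thread or from RabbitMQ: it builds a throwaway CA in a temporary directory and shows a client certificate chaining to it, then the same check failing for a certificate issued by a second, unrelated CA. All names (`testca`, `otherca`, `client`, `stray_client`) are constructed stand-ins for the page's `testca/cacert.pem` and `client/cert.pem`.

```shell
#!/bin/sh
# Added example: reproduce the "unknown ca" condition with a throwaway CA.
# Everything here is constructed in a temp dir; nothing touches real keys.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# make_ca NAME: self-signed CA key + certificate (stand-in for testca/cacert.pem)
make_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
    -subj "/CN=$1" -keyout "$WORK/$1.key" -out "$WORK/$1.pem" 2>/dev/null
}

# make_leaf CA NAME: key + CSR for NAME, then a certificate signed by CA
make_leaf() {
  openssl req -newkey rsa:2048 -nodes -subj "/CN=$2" \
    -keyout "$WORK/$2.key" -out "$WORK/$2.csr" 2>/dev/null
  openssl x509 -req -in "$WORK/$2.csr" -CA "$WORK/$1.pem" -CAkey "$WORK/$1.key" \
    -CAcreateserial -days 30 -out "$WORK/$2.pem" 2>/dev/null
}

# check_chain CA LEAF: prints "ok" if LEAF verifies against CA, else "unknown ca".
# This is the same trust decision the server makes on the client certificate.
check_chain() {
  if openssl verify -CAfile "$WORK/$1.pem" "$WORK/$2.pem" >/dev/null 2>&1; then
    echo ok
  else
    echo "unknown ca"
  fi
}

make_ca testca                  # the CA the server is configured with
make_ca otherca                 # an unrelated CA, e.g. a leftover from an earlier attempt
make_leaf testca client         # client cert issued by the right CA
make_leaf otherca stray_client  # client cert issued by the wrong CA

check_chain testca client        # ok
check_chain testca stray_client  # unknown ca
check_chain otherca client       # unknown ca
```

Run the same `openssl verify -CAfile testca/cacert.pem client/cert.pem` against the real files: if it fails there, regenerating the certificates (as Alex suggests) is the fix, and no amount of relaxing `AcceptablePolicyErrors` on the .NET side will help, since the rejection happens in the server's chain validation.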

