[rabbitmq-discuss] rabbitmq-c - "SSL peer cert verification failed"

Alan Antonuk alan.antonuk at gmail.com
Fri May 30 18:48:34 BST 2014


Looks like you've found the issue. I suspect you need to make sure that the
cert you pass in is signed by the same CA that signs the CAcert.

-Alan

On Fri May 30 2014 at 8:23:46 AM, Dan Berger <dberger at fiveringscapital.com>
wrote:

> When I run amqps_listenq it fails at the amqp_socket_open step, which
> returns AMQP_STATUS_SSL_PEER_VERIFY_FAILED = -0x0202.
>
>
>
> Further digging shows that the call to SSL_get_verify_result is returning
> X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN (
> https://www.openssl.org/docs/apps/verify.html#item_19).
>
>
>
>
>
> *From:* rabbitmq-discuss [mailto:
> rabbitmq-discuss-bounces at lists.rabbitmq.com] *On Behalf Of *Alan Antonuk
> *Sent:* Friday, May 30, 2014 1:00 AM
>
>
> *To:* Discussions about RabbitMQ
> *Subject:* Re: [rabbitmq-discuss] rabbitmq-c - "SSL peer cert
> verification failed"
>
>
>
> Hmm.  Do you get any other information when you try running one of the
> amqps_* example programs that can be built with rabbitmq-c?
>
>
>
> -Alan
>
>
>
> On Thu May 29 2014 at 1:41:06 PM, Dan Berger <dberger at fiveringscapital.com>
> wrote:
>
> The .p12 file I started with does require a password (which I provide to
> the java and c# clients). For rabbitmq-c I’ve converted the p12 to pem
> while removing the password and then broken the file down into the 3
> components.
>
>
>
> *From:* rabbitmq-discuss [mailto:
> rabbitmq-discuss-bounces at lists.rabbitmq.com] *On Behalf Of *
> alan.antonuk at gmail.com
> *Sent:* Thursday, May 29, 2014 2:44 PM
> *To:* Discussions about RabbitMQ
> *Subject:* Re: [rabbitmq-discuss] rabbitmq-c - "SSL peer cert
> verification failed"
>
>
>
> Does your private key require a password to decrypt it? (rabbitmq-c
> doesn't provide any hooks to unlock private keys).
>
> -Alan
>
> On Thu May 29 2014 at 8:42:12 AM, Dan Berger <dberger at fiveringscapital.com>
> wrote:
>
> I used openssl to extract the CA cert, the certificate chain and the
> private key into 3 separate files and now I’m running:
>
>    openssl s_client -connect myhost.com:50010 -key test.key -cert test.crt -CAfile test.cac -verify 10
>
>
>
> and I get “Verify return code: 0 (ok)” which I think means success. I
> still get the same error when running my app with those 3 files.
>
>
>
> Any other thoughts?
>
>
>
>
>
> On Thursday, May 29, 2014 12:10 AM, Dan alan.antonuk at gmail.com wrote:
>
>
>
> You need to provide both the certificate chain file and the private key
> file (they're not the same file).
>
>
>
> To debug this with the openssl s_client command, you'll need to pass in
> the -verify, -key and -cert flags with appropriate values.
>
>
>
> HTH
>
> -Alan
>
>
>
> On Wed May 28 2014 at 7:45:52 AM, Dan Berger <dberger at fiveringscapital.com>
> wrote:
>
> I’m just starting development on a c++ client app to connect to a vendor’s
> server.
>
>
>
> I’m trying the SimpleAmqpClient library which is built on top of
> rabbitmq-c.
>
>
>
> They provided a self-signed client certificate in .p12 format that I’ve
> converted to .pem. This contains a public and private key and also a CA
> public key.
>
>
>
> I’m now trying to connect while providing the .pem file as the CA cert,
> client cert and client private key.
>
>
>
> While connecting, I get:
>
> 'AmqpClient::AmqpLibraryException'
>
>   what():  Error setting client certificate for socket: SSL peer cert verification failed
>
>
>
> Digging into rabbitmq-c, I see this is due to the call to
> amqp_ssl_socket_set_key failing.
>
>
>
> Running openssl s_client seems to work fine, so I’m not sure what I’m
> doing wrong. Any ideas?
>
>
>
> -Dan
>
> _______________________________________________
> rabbitmq-discuss mailing list
> rabbitmq-discuss at lists.rabbitmq.com
> https://lists.rabbitmq.com/cgi-bin/mailman/listinfo/rabbitmq-discuss
>
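
An added example, not part of the thread or of rabbitmq-c: with constructed certificates, `openssl verify` returns code 19 (`X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN`, the result quoted above) when the peer's chain ends in a self-signed root that the CA file does not contain, and 0 once the CA file holds that root. The file names, subject names and the helpers `make_fixtures` and `verify_code` are assumptions made for the illustration; `-untrusted` stands in for the certificates a peer sends during the handshake.

```shell
#!/bin/sh
# Added example: every certificate below is constructed; nothing comes from the thread's files.

# Write two unrelated self-signed roots (vendor, other) and a peer cert
# signed by "vendor" into directory $1.
make_fixtures() {
  d=$1
  printf '%s\n' '[req]' 'distinguished_name = dn' 'x509_extensions = v3_ca' 'prompt = no' \
    '[dn]' 'CN = constructed' '[v3_ca]' 'basicConstraints = critical,CA:TRUE' > "$d/req.cnf"
  for ca in vendor other; do
    openssl req -x509 -config "$d/req.cnf" -subj "/CN=Constructed $ca root" -days 2 \
      -newkey rsa:2048 -nodes -keyout "$d/$ca.key" -out "$d/$ca.pem" 2>/dev/null || return 1
  done
  openssl req -new -config "$d/req.cnf" -subj "/CN=constructed-peer" \
    -newkey rsa:2048 -nodes -keyout "$d/peer.key" -out "$d/peer.csr" 2>/dev/null || return 1
  openssl x509 -req -in "$d/peer.csr" -CA "$d/vendor.pem" -CAkey "$d/vendor.key" \
    -CAcreateserial -out "$d/peer.pem" -days 2 2>/dev/null
}

# Print the X509 verify code (0 = ok) for certificate $2 against CA file $1.
# Optional $3: certificates supplied by the peer, which are never trusted by themselves.
verify_code() {
  out=$(openssl verify -CAfile "$1" ${3:+-untrusted "$3"} "$2" 2>&1) && { echo 0; return; }
  printf '%s\n' "$out" | sed -n 's/^error \([0-9][0-9]*\) at.*/\1/p' | head -n 1
}

demo() {
  d=$(mktemp -d)
  make_fixtures "$d" || return 1
  echo "CA file holds the peer's root:         $(verify_code "$d/vendor.pem" "$d/peer.pem")"
  echo "peer sends its root, CA file lacks it: $(verify_code "$d/other.pem" "$d/peer.pem" "$d/vendor.pem")"
  echo "no root sent, CA file lacks it:        $(verify_code "$d/other.pem" "$d/peer.pem")"
  rm -rf "$d"
}
demo
```

`verify_code` accepts any PEM files, so the CA file handed to a client can be checked against a saved peer certificate in the same way.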