Details
Bug
Status: Closed
Critical
Resolution: Cannot Reproduce
proton-0.12.0
None
None
Ubuntu 15.10 & RHEL 7
Qpid Dispatch 0.5 & 0.6
Proton-C 0.12 and Proton-J 0.12
Description
Using Qpid Dispatch, we are unable to enable 2-way SSL with Proton-J but are able to with Proton-C.
To reproduce, use the attached config to enable 2-way SSL with the “authenticatePeer” flag set to TRUE.
Restart the qdrouterd instance to pick up the config changes.
Make the client send a message based on the AMQP-CLIENT library (which uses Proton-J).
Client error message (from the log file):
AMQP framing error
EventImpl
Server error message (from the log file):
=64, totalFreeToHeap=0, transferBatchSize=64, type=org.apache.qpid.dispatch.allocator, typeName=qd_timer_t, typeSize=56)
Wed Mar 30 12:00:47 2016 AGENT (info) Activating management agent on $management
Wed Mar 30 12:00:47 2016 ROUTER (info) In-Process Address Registered: $management
Wed Mar 30 12:00:47 2016 ROUTER (info) In-Process Address Registered: $management
Wed Mar 30 12:00:47 2016 AGENT (debug) Add entity: FixedAddressEntity(bias=closest, fanout=single, identity=fixedAddress/0, name=fixedAddress/0, prefix=/, type=org.apache.qpid.dispatch.fixedAddress)
Wed Mar 30 12:00:47 2016 ROUTER (info) Configured Address: prefix=/ phase=0 fanout=QD_SCHEMA_FIXEDADDRESS_FANOUT_SINGLE bias=QD_SCHEMA_FIXEDADDRESS_BIAS_CLOSEST
Wed Mar 30 12:00:47 2016 AGENT (debug) Add entity: ListenerEntity(addr=0.0.0.0, authenticatePeer=True, certDb=/home/vsharda/protected/pprootca_cert.pem, certFile=/home/vsharda/protected/generic_cert.pem, identity=listener/0.0.0.0:20009, idleTimeoutSeconds=16, keyFile=/home/vsharda/protected/generic_key.pem, maxFrameSize=65536, name=listener/0.0.0.0:20009, password=pn2.GmdXmkKv.X7fPq.oYDFj8Cs, port=20009, requireEncryption=True, requireSsl=True, role=normal, saslMechanisms=EXTERNAL, stripAnnotations=both, type=org.apache.qpid.dispatch.listener)
Wed Mar 30 12:00:47 2016 CONN_MGR (info) Configured Listener: 0.0.0.0:20009 proto=any role=normal
Wed Mar 30 12:00:47 2016 SERVER (trace) Listening on 0.0.0.0:20009
Wed Mar 30 12:00:47 2016 AGENT (debug) Add entity: ConsoleEntity(identity=console/0, name=console/0, type=org.apache.qpid.dispatch.console, wsport=5673)
Wed Mar 30 12:00:47 2016 SERVER (info) Operational, 4 Threads Running
Wed Mar 30 12:01:06 2016 SERVER (debug) Accepting incoming connection from 10.225.90.106:51196 to 0.0.0.0:20009
Wed Mar 30 12:01:06 2016 SERVER (trace) Configuring SSL on incoming connection from 10.225.90.106:51196 to 0.0.0.0:20009
Wed Mar 30 12:01:06 2016 SERVER (trace) [1]:Server SSL socket created.
Wed Mar 30 12:01:06 2016 SERVER (trace) [1]:SSL/TLS connection detected
Wed Mar 30 12:01:06 2016 SERVER (trace) [1]:process_input_ssl( data size=162 )
Wed Mar 30 12:01:06 2016 SERVER (trace) [1]:Wrote 162 bytes to BIO Layer, 0 left over
Wed Mar 30 12:01:06 2016 SERVER (trace) [1]:Detected read-blocked
Wed Mar 30 12:01:06 2016 SERVER (trace) [1]:process_input_ssl() returning 162
Wed Mar 30 12:01:06 2016 SERVER (trace) [1]:Read 3651 bytes from BIO Layer
Wed Mar 30 12:01:06 2016 SERVER (trace) [1]:process_output_ssl() returning 3651
Wed Mar 30 12:01:06 2016 SERVER (trace) [1]:process_output_ssl() returning 0
Wed Mar 30 12:01:06 2016 SERVER (trace) [1]:process_output_ssl() returning 0
Wed Mar 30 12:01:06 2016 SERVER (trace) [1]:process_output_ssl() returning 0
Wed Mar 30 12:01:06 2016 SERVER (trace) [1]:process_output_ssl() returning 0
Wed Mar 30 12:01:06 2016 SERVER (trace) [1]:process_input_ssl( data size=205 )
Wed Mar 30 12:01:06 2016 SERVER (trace) [1]:Wrote 205 bytes to BIO Layer, 0 left over
Wed Mar 30 12:01:06 2016 SERVER (trace) [1]:ERROR amqp:connection:framing-error SSL Failure: error:140890C7:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:peer did not return a certificate
Wed Mar 30 12:01:06 2016 SERVER (trace) [1]: <- EOS
Wed Mar 30 12:01:06 2016 SERVER (trace) [1]: -> EOS
Wed Mar 30 12:01:06 2016 SERVER (trace) [1]:SSL socket freed.
For your reference, please find attached the client/server code written using Proton-C, where the 2-way SSL worked fine (send_with_ssl.c & recv_with_ssl.c).
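A triage sketch for the router trace above, added here as an example (it is not code from the reporter or from the Qpid project): it groups SERVER lines by connection id and splits the OpenSSL error string into its fields, which shows that connection [1] was closed because the peer returned no certificate during the handshake. The function name `triage` and the pairing of the un-numbered "Accepting" line with the next new connection id are assumptions of this example.

```python
import re

# Excerpt copied from the qdrouterd trace in this report (not constructed).
SAMPLE = """\
Wed Mar 30 12:01:06 2016 SERVER (debug) Accepting incoming connection from 10.225.90.106:51196 to 0.0.0.0:20009
Wed Mar 30 12:01:06 2016 SERVER (trace) [1]:Server SSL socket created.
Wed Mar 30 12:01:06 2016 SERVER (trace) [1]:process_input_ssl( data size=162 )
Wed Mar 30 12:01:06 2016 SERVER (trace) [1]:Read 3651 bytes from BIO Layer
Wed Mar 30 12:01:06 2016 SERVER (trace) [1]:process_input_ssl( data size=205 )
Wed Mar 30 12:01:06 2016 SERVER (trace) [1]:ERROR amqp:connection:framing-error SSL Failure: error:140890C7:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:peer did not return a certificate
Wed Mar 30 12:01:06 2016 SERVER (trace) [1]:SSL socket freed.
"""

LINE = re.compile(r"^\w{3} \w{3} +\d+ [\d:]+ \d{4} (?P<mod>\w+) \((?P<lvl>\w+)\) (?P<msg>.*)$")
ACCEPT = re.compile(r"Accepting incoming connection from (\S+) to (\S+)")
CONN = re.compile(r"^\[(\d+)\]:\s*(.*)$")
SSL_ERR = re.compile(r"ERROR (\S+) SSL Failure: error:([0-9A-Fa-f]{8}):([^:]*):([^:]*):(.*)$")
TLS_IN = re.compile(r"process_input_ssl\( data size=(\d+)")
TLS_OUT = re.compile(r"Read (\d+) bytes from BIO Layer")
NO_CERT = "peer did not return a certificate"  # reason text as it appears in the log

def triage(text):
    """Summarise each TLS connection in a qdrouterd SERVER trace."""
    conns, pending = {}, None
    for raw in text.splitlines():
        m = LINE.match(raw)
        if not m or m["mod"] != "SERVER":
            continue
        msg = m["msg"]
        if (a := ACCEPT.search(msg)):
            pending = a.groups()  # the accept line carries no [id] yet
            continue
        if not (c := CONN.match(msg)):
            continue
        cid, body = c.groups()
        rec = conns.setdefault(cid, {"peer": None, "listener": None,
                                     "tls_in": 0, "tls_out": 0, "error": None})
        if body.startswith("Server SSL socket created") and pending:
            # Assumption: the next new id belongs to the last accepted peer.
            (rec["peer"], rec["listener"]), pending = pending, None
        elif (n := TLS_IN.match(body)):
            rec["tls_in"] += int(n[1])    # handshake bytes received from the client
        elif (n := TLS_OUT.match(body)):
            rec["tls_out"] += int(n[1])   # handshake bytes produced for the client
        elif (e := SSL_ERR.match(body)):
            cond, code, lib, func, reason = e.groups()
            rec["error"] = {"condition": cond, "code": code, "lib": lib, "func": func,
                            "reason": reason, "client_cert_missing": reason.strip() == NO_CERT}
    return conns
```

On a router serving several clients at once the accept-to-id pairing can mismatch when lines interleave, so treat the `peer` field as a hint and the per-id error fields as the reliable part.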