PROTON-1168: 2-way Authentication via Certificates Fails in Proton-J


Details

    • Type: Bug
    • Status: Closed
    • Priority: Critical
    • Resolution: Cannot Reproduce
    • Affects Version/s: proton-0.12.0
    • Fix Version/s: None
    • Component/s: proton-j
    • Labels: None
    • Environment: Ubuntu 15.10 & RHEL 7
      Qpid Dispatch 0.5 & 0.6
      Proton-C 0.12 and Proton-J 0.12

    Description

      Using Qpid Dispatch, we are unable to enable 2-way SSL with Proton-J, but are able to with Proton-C.

      To reproduce, use the attached config to enable 2-way SSL with the "authenticatePeer" flag set to TRUE.

      Restart the qdrouterd instance to pick up the config changes.

      Make the client send a message based on the AMQP-CLIENT library (which uses Proton-J).

      Client Error Message: from the log file
      AMQP framing error
      EventImpl

      {type=TRANSPORT_ERROR, context=TransportImpl [_connectionEndpoint=org.apache.qpid.proton.engine.impl.ConnectionImpl@6ef351a0, org.apache.qpid.proton.engine.impl.TransportImpl@44c213d9]}

      Server Error Message: from the log file
      =64, totalFreeToHeap=0, transferBatchSize=64, type=org.apache.qpid.dispatch.allocator, typeName=qd_timer_t, typeSize=56)
      Wed Mar 30 12:00:47 2016 AGENT (info) Activating management agent on $management
      Wed Mar 30 12:00:47 2016 ROUTER (info) In-Process Address Registered: $management
      Wed Mar 30 12:00:47 2016 ROUTER (info) In-Process Address Registered: $management
      Wed Mar 30 12:00:47 2016 AGENT (debug) Add entity: FixedAddressEntity(bias=closest, fanout=single, identity=fixedAddress/0, name=fixedAddress/0, prefix=/, type=org.apache.qpid.dispatch.fixedAddress)
      Wed Mar 30 12:00:47 2016 ROUTER (info) Configured Address: prefix=/ phase=0 fanout=QD_SCHEMA_FIXEDADDRESS_FANOUT_SINGLE bias=QD_SCHEMA_FIXEDADDRESS_BIAS_CLOSEST
      Wed Mar 30 12:00:47 2016 AGENT (debug) Add entity: ListenerEntity(addr=0.0.0.0, authenticatePeer=True, certDb=/home/vsharda/protected/pprootca_cert.pem, certFile=/home/vsharda/protected/generic_cert.pem, identity=listener/0.0.0.0:20009, idleTimeoutSeconds=16, keyFile=/home/vsharda/protected/generic_key.pem, maxFrameSize=65536, name=listener/0.0.0.0:20009, password=pn2.GmdXmkKv.X7fPq.oYDFj8Cs, port=20009, requireEncryption=True, requireSsl=True, role=normal, saslMechanisms=EXTERNAL, stripAnnotations=both, type=org.apache.qpid.dispatch.listener)
      Wed Mar 30 12:00:47 2016 CONN_MGR (info) Configured Listener: 0.0.0.0:20009 proto=any role=normal
      Wed Mar 30 12:00:47 2016 SERVER (trace) Listening on 0.0.0.0:20009
      Wed Mar 30 12:00:47 2016 AGENT (debug) Add entity: ConsoleEntity(identity=console/0, name=console/0, type=org.apache.qpid.dispatch.console, wsport=5673)
      Wed Mar 30 12:00:47 2016 SERVER (info) Operational, 4 Threads Running
      Wed Mar 30 12:01:06 2016 SERVER (debug) Accepting incoming connection from 10.225.90.106:51196 to 0.0.0.0:20009
      Wed Mar 30 12:01:06 2016 SERVER (trace) Configuring SSL on incoming connection from 10.225.90.106:51196 to 0.0.0.0:20009
      Wed Mar 30 12:01:06 2016 SERVER (trace) [1]:Server SSL socket created.
      Wed Mar 30 12:01:06 2016 SERVER (trace) [1]:SSL/TLS connection detected
      Wed Mar 30 12:01:06 2016 SERVER (trace) [1]:process_input_ssl( data size=162 )
      Wed Mar 30 12:01:06 2016 SERVER (trace) [1]:Wrote 162 bytes to BIO Layer, 0 left over
      Wed Mar 30 12:01:06 2016 SERVER (trace) [1]:Detected read-blocked
      Wed Mar 30 12:01:06 2016 SERVER (trace) [1]:process_input_ssl() returning 162
      Wed Mar 30 12:01:06 2016 SERVER (trace) [1]:Read 3651 bytes from BIO Layer
      Wed Mar 30 12:01:06 2016 SERVER (trace) [1]:process_output_ssl() returning 3651
      Wed Mar 30 12:01:06 2016 SERVER (trace) [1]:process_output_ssl() returning 0
      Wed Mar 30 12:01:06 2016 SERVER (trace) [1]:process_output_ssl() returning 0
      Wed Mar 30 12:01:06 2016 SERVER (trace) [1]:process_output_ssl() returning 0
      Wed Mar 30 12:01:06 2016 SERVER (trace) [1]:process_output_ssl() returning 0
      Wed Mar 30 12:01:06 2016 SERVER (trace) [1]:process_input_ssl( data size=205 )
      Wed Mar 30 12:01:06 2016 SERVER (trace) [1]:Wrote 205 bytes to BIO Layer, 0 left over
      Wed Mar 30 12:01:06 2016 SERVER (trace) [1]:ERROR amqp:connection:framing-error SSL Failure: error:140890C7:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:peer did not return a certificate
      Wed Mar 30 12:01:06 2016 SERVER (trace) [1]: <- EOS
      Wed Mar 30 12:01:06 2016 SERVER (trace) [1]: -> EOS
      Wed Mar 30 12:01:06 2016 SERVER (trace) [1]:SSL socket freed.

      For your reference, please find attached the client/server code written using Proton-C, with which 2-way SSL worked fine (send_with_ssl.c & recv_with_ssl.c).
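      The router log above fails the handshake because the client never presents a certificate. The following is an added example (not the reporter's AMQP-CLIENT code and not part of this issue) of how a Proton-J reactor client would supply its certificate and use SASL EXTERNAL against a listener configured like the one in the log; the host name and file paths are placeholders, and it assumes a Proton-J release whose Reactor offers connectionToHost.

```java
import org.apache.qpid.proton.Proton;
import org.apache.qpid.proton.engine.BaseHandler;
import org.apache.qpid.proton.engine.Event;
import org.apache.qpid.proton.engine.Sasl;
import org.apache.qpid.proton.engine.SslDomain;
import org.apache.qpid.proton.engine.Transport;
import org.apache.qpid.proton.reactor.Handshaker;
import org.apache.qpid.proton.reactor.Reactor;

// Added example, not the reporter's AMQP client: a Proton-J reactor handler that presents
// a client certificate to a listener configured with requireSsl=True, authenticatePeer=True
// and saslMechanisms=EXTERNAL. Host name and file paths are placeholders.
public class MutualTlsClient extends BaseHandler {
    private static final String ROUTER_HOST = "router.example.invalid";   // placeholder
    private static final int ROUTER_PORT = 20009;                         // listener port from the log
    private static final String CA_CERT = "/path/to/pprootca_cert.pem";   // placeholder: CA that signed the router cert
    private static final String CLIENT_CERT = "/path/to/client_cert.pem"; // placeholder
    private static final String CLIENT_KEY = "/path/to/client_key.pem";   // placeholder
    private static final String KEY_PASSWORD = null;                      // null when the key file is unencrypted

    public MutualTlsClient() {
        add(new Handshaker()); // replies to the router's open/close so the connection comes up
    }

    // The transport exists from this event on; TLS and SASL must be configured here,
    // before any bytes go out.
    @Override
    public void onConnectionBound(Event e) {
        Transport transport = e.getTransport();
        // SASL EXTERNAL: the router takes the client identity from the TLS certificate.
        Sasl sasl = transport.sasl();
        sasl.client();
        sasl.setMechanisms("EXTERNAL");

        SslDomain domain = Proton.sslDomain();
        domain.init(SslDomain.Mode.CLIENT);
        domain.setTrustedCaDb(CA_CERT);                                 // verify the router's cert
        domain.setPeerAuthentication(SslDomain.VerifyMode.VERIFY_PEER);
        // Client certificate and key. Without this call the router's OpenSSL logs
        // "SSL3_GET_CLIENT_CERTIFICATE:peer did not return a certificate" and drops the connection.
        domain.setCredentials(CLIENT_CERT, CLIENT_KEY, KEY_PASSWORD);
        transport.ssl(domain);
    }

    public static void main(String[] args) throws Exception {
        Reactor reactor = Proton.reactor();
        reactor.connectionToHost(ROUTER_HOST, ROUTER_PORT, new MutualTlsClient());
        reactor.run();
    }
}
```

      With the setCredentials call present the router should proceed past SSL3_GET_CLIENT_CERTIFICATE and, with EXTERNAL, authenticate the connection from the certificate subject; with it absent the router-side framing error in the log is the expected fail-closed behaviour.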

      Attachments

        1. my_qdrouterd_B_standalone.conf
          2 kB
          Jack Gibson
        2. PROTON-1168_reactor_ssl.patch
          4 kB
          Robbie Gemmell
        3. recv_with_ssl.c
          4 kB
          Jack Gibson
        4. send_with_ssl.c
          3 kB
          Jack Gibson
        5. ssl_logs1.tar.gz
          203 kB
          Robbie Gemmell


          People

            Assignee: Unassigned
            Reporter: Jack Gibson
            Votes: 0
            Watchers: 4
