rabbitmq-c - "SSL peer cert verification failed"

Dan Berger

I’m just starting development on a C++ client app to connect to a vendor’s server.

I’m trying the SimpleAmqpClient library which is built on top of rabbitmq-c.

They provided a self-signed client certificate in .p12 format that I’ve converted to .pem. This contains a public and private key and also a CA public key.

I’m now trying to connect while providing the .pem file as the CA cert, client cert and client private key.

While connecting, I get:

'AmqpClient::AmqpLibraryException'

  what():  Error setting client certificate for socket: SSL peer cert verification failed

Digging into rabbitmq-c, I see this is due to the call to amqp_ssl_socket_set_key failing.

Running openssl s_client seems to work fine, so I’m not sure what I’m doing wrong. Any ideas?

-Dan


_______________________________________________
rabbitmq-discuss mailing list
[hidden email]
https://lists.rabbitmq.com/cgi-bin/mailman/listinfo/rabbitmq-discuss

rabbitmq-c - "SSL peer cert verification failed"

alan.antonuk
You need to provide both the certificate chain file and the private key file (they're not the same file).

To debug this with the openssl s_client command, you'll need to pass in the -verify, -key and -cert flags with appropriate values.

HTH
-Alan


Re: rabbitmq-c - "SSL peer cert verification failed"

Dan Berger

I used openssl to extract the CA cert, the certificate chain and the private key into 3 separate files and now I’m running:

   openssl s_client -connect myhost.com:50010 -key test.key -cert test.crt -CAfile test.cac -verify 10

and I get “Verify return code: 0 (ok)” which I think means success. I still get the same error when running my app with those 3 files.

Any other thoughts?


Re: rabbitmq-c - "SSL peer cert verification failed"

alan.antonuk
Does your private key require a password to decrypt it? (rabbitmq-c doesn't provide any hooks to unlock private keys).

-Alan

Re: rabbitmq-c - "SSL peer cert verification failed"

Dan Berger

The .p12 file I started with does require a password (which I provide to the java and c# clients). For rabbitmq-c I’ve converted the p12 to pem while removing the password and then broken the file down into the 3 components.


Re: rabbitmq-c - "SSL peer cert verification failed"

alan.antonuk
Hmm.  Do you get any other information when you try running one of the amqps_* example programs that can be built with rabbitmq-c?

-Alan


Re: rabbitmq-c - "SSL peer cert verification failed"

Dan Berger

When I run amqps_listenq it fails at the amqp_socket_open step, which returns AMQP_STATUS_SSL_PEER_VERIFY_FAILED = -0x0202.

Further digging shows that the call to SSL_get_verify_result is returning X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN (https://www.openssl.org/docs/apps/verify.html#item_19).


Re: rabbitmq-c - "SSL peer cert verification failed"

alan.antonuk
Looks like you've found the issue. I suspect you need to make sure that the cert you pass in is signed by the same CA that signs the CAcert.

-Alan
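
An offline version of the checks this thread works through, added here as an example (it is not code from either poster or from rabbitmq-c): it splits a password-protected .p12 into the test.key, test.crt and test.cac files named above, confirms the key is unencrypted and matches the certificate, and reproduces verify error 19 (X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN) when the CA file does not hold the root that the presented chain ends in. The two CAs, the client certificate, the password and the helper function names are constructed for the example.

```shell
#!/bin/sh
# Added example. Every key, certificate and password here is constructed test data.
set -eu
WORK=$(mktemp -d) && cd "$WORK"
P12_PASS=constructed-pass

# Minimal req config so the constructed CAs carry basicConstraints CA:TRUE.
cat > ca.cnf <<'EOF'
[req]
distinguished_name = dn
x509_extensions = v3_ca
prompt = no
[dn]
CN = placeholder
[v3_ca]
basicConstraints = critical,CA:TRUE
EOF

# Fixture: a "vendor" CA, an unrelated "other" CA, and a client cert in a .p12.
make_fixture() {
  for ca in vendor other; do
    openssl req -x509 -newkey rsa:2048 -nodes -config ca.cnf -days 2 \
      -subj "/CN=Constructed $ca CA" -keyout "$ca.key" -out "$ca.crt" 2>/dev/null
  done
  openssl req -new -newkey rsa:2048 -nodes -config ca.cnf -subj "/CN=client" \
    -keyout c.key -out c.csr 2>/dev/null
  openssl x509 -req -in c.csr -CA vendor.crt -CAkey vendor.key -CAcreateserial \
    -days 2 -out c.crt 2>/dev/null
  openssl pkcs12 -export -inkey c.key -in c.crt -certfile vendor.crt \
    -passout "pass:$P12_PASS" -out vendor.p12
}

# Split the .p12 into the three files used in the thread. -nodes writes the key
# without a password, since (per the thread) rabbitmq-c cannot unlock one.
split_p12() {
  openssl pkcs12 -in "$1" -passin "pass:$P12_PASS" -nocerts -nodes -out test.key 2>/dev/null
  openssl pkcs12 -in "$1" -passin "pass:$P12_PASS" -clcerts -nokeys -out test.crt 2>/dev/null
  openssl pkcs12 -in "$1" -passin "pass:$P12_PASS" -cacerts -nokeys -out test.cac 2>/dev/null
}

# True when the key file has no encryption marker (PKCS#8 or legacy PEM header).
key_is_unencrypted() { ! grep -Eq 'BEGIN ENCRYPTED PRIVATE KEY|Proc-Type: 4,ENCRYPTED' "$1"; }

# True when the private key and the certificate hold the same public key.
key_matches_cert() {
  [ "$(openssl pkey -in "$1" -pubout)" = "$(openssl x509 -in "$2" -noout -pubkey)" ]
}

# Print the error number from "openssl verify", or 0 when the chain verifies.
# $3 (optional): untrusted certs presented with the leaf, as a TLS peer sends them.
verify_code() {
  out=$(openssl verify -CAfile "$1" ${3:+-untrusted "$3"} "$2" 2>&1) && { echo 0; return; }
  echo "$out" | sed -n 's/.*error \([0-9]*\) at.*/\1/p' | head -n 1
}

make_fixture
split_p12 vendor.p12
key_is_unencrypted test.key && echo "test.key: unencrypted"
key_matches_cert test.key test.crt && echo "test.key matches test.crt"
echo "test.crt against test.cac: $(verify_code test.cac test.crt)"
# The chain ends in a self-signed root that the CA file (a different CA) lacks:
echo "same chain against other.crt: $(verify_code other.crt test.crt test.cac)"
```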