AMQP and SSL


Remi Plantade

Sep 4, 2018, 9:22:47 AM9/4/18
to rabbitmq-users

Hi everyone !

I'm new to the AMQP world and for two days I have been trying to connect a RabbitMQ Java client to a B2B service with SSL.

The service provider gave me a .p12 certificate for the authentication process.

I read in another topic of this group that I had to convert this .p12 certificate into two .pem files, which I did, obtaining:
  • CC0000007011_501_openssl.crt.pem
  • CC0000007011_501_openssl.key.pem
The first is of the form:
-----BEGIN CERTIFICATE-----
[...]
-----END CERTIFICATE-----

The second:
-----BEGIN PRIVATE KEY-----
[...]
-----END PRIVATE KEY-----

I obtained the wwweurocontrolint.pem certificate with Firefox and converted it with openssl.

The openssl version I'm using is 1.1.0 (Windows binary).

Here is the piece of code I use to connect to the service:

import java.net.URI;
import com.rabbitmq.client.Connection;
import com.rabbitmq.client.ConnectionFactory;

// Certificate paths as amqps:// URI query parameters; as the replies below explain,
// the Java client does not read these (only server-side plugins such as Shovel do).
ConnectionFactory factory = new ConnectionFactory();
factory.setUri(new URI("amqps://publish.preops.nm.eurocontrol.int"
        + "?cacertfile=wwweurocontrolint.pem"
        + "&certfile=CC0000007011_501_openssl.crt.pem"
        + "&keyfile=CC0000007011_501_openssl.key.pem"
        + "&verify=verify_peer"));
Connection connection = factory.newConnection();

Every time I try to connect the client I see this error:

Exception in thread "main" javax.net.ssl.SSLHandshakeException: Received fatal alert: bad_certificate

All my certificates are in the same directory as my Java main class, so I use relative paths for the certificates; I don't know if that is right.

Regards.

Rémi.

Michael Klishin

Sep 4, 2018, 9:33:19 AM9/4/18
to rabbitm...@googlegroups.com
You don't have to convert the .p12 certificates (actually, certificate/key pairs) to PEM, since
the JVM does not support the PEM format. RabbitMQ (and most open source software) does, but the JVM does not.

See [1] which was revisited yesterday. You need to read the intro parts
and then [2]. If you are not responsible for setting up the server, the PKCS#12 certificate/key files
should be enough.


--
You received this message because you are subscribed to the Google Groups "rabbitmq-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email to rabbitmq-users+unsubscribe@googlegroups.com.
To post to this group, send email to rabbitmq-users@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.



--
MK

Staff Software Engineer, Pivotal/RabbitMQ

Michael Klishin

Sep 4, 2018, 9:37:35 AM9/4/18
to rabbitm...@googlegroups.com
The Java client does not use URI parameters for specifying certificate and key paths.
Plugins such as Federation and Shovel do, but client libraries do not, and Java has its
own key store that is managed with a separate tool.

Please read the doc guide, it covers that and other concepts and provides a complete code example.
Mailing list threads are useful for tricky issues and troubleshooting information but almost every broad area
has a doc guide and TLS even has two (another one related to troubleshooting [1]).


On Tue, Sep 4, 2018 at 3:22 PM, Remi Plantade <d0r...@gmail.com> wrote:


Remi Plantade

Sep 4, 2018, 10:42:59 AM9/4/18
to rabbitmq-users
Thank you for your quick response Michael.

I read all the docs you linked and followed the guide's instructions to rewrite my code.

Here is my rewritten code:

import java.io.FileInputStream;
import java.security.KeyStore;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManagerFactory;
import com.rabbitmq.client.Connection;
import com.rabbitmq.client.ConnectionFactory;

// Client certificate and private key: the provider's PKCS#12 file, loaded as-is
// (no PEM conversion), protected by the password that came with it.
char[] keyPassphrase = "my_p12_pwd".toCharArray();
KeyStore ks = KeyStore.getInstance("PKCS12");
try (FileInputStream in = new FileInputStream(
        "C:\\Users\\remi_\\workspace_divers\\amqp\\src\\main\\java\\amqp\\CC0000007011_501_openssl.p12")) {
    ks.load(in, keyPassphrase);
}

KeyManagerFactory kmf = KeyManagerFactory.getInstance("SunX509");
kmf.init(ks, keyPassphrase);

// Trust store: a JKS file into which the server's CA certificate was imported with keytool.
// The handshake succeeds only if the server's chain ends at a certificate stored here.
char[] trustPassphrase = "my_keystore_pwd".toCharArray();
KeyStore tks = KeyStore.getInstance("JKS");
try (FileInputStream in = new FileInputStream(
        "C:\\Users\\remi_\\workspace_divers\\amqp\\src\\main\\java\\amqp\\cacerts")) {
    tks.load(in, trustPassphrase);
}

TrustManagerFactory tmf = TrustManagerFactory.getInstance("SunX509");
tmf.init(tks);

SSLContext c = SSLContext.getInstance("TLSv1.2");
c.init(kmf.getKeyManagers(), tmf.getTrustManagers(), null);

ConnectionFactory factory = new ConnectionFactory();
factory.setHost("publish.preops.nm.eurocontrol.int");
factory.setPort(5671);
// Chain validation only: useSslProtocol(SSLContext) does not turn on hostname
// verification; ConnectionFactory#enableHostnameVerification() (Java client 4.8+/5.4+) does.
factory.useSslProtocol(c);
Connection connection = factory.newConnection();

Now I have a different error:
javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: No trusted certificate found

I added the eurocontrol certificate to the keystore using this command:

 keytool -import -alias eurocontrol -file eurocontrol.pem -keystore cacerts

The eurocontrol.pem file was obtained by converting the eurocontrol .crt with openssl. It is a text file containing the certificate in this form:
-----BEGIN CERTIFICATE-----
[...]
-----END CERTIFICATE-----


I don't understand what is wrong at this point...


Arnaud Cogoluègnes

Sep 4, 2018, 11:46:53 AM9/4/18
to rabbitm...@googlegroups.com
The configuration looks correct, so we'll have to further investigate.

You can check the content of the truststore to see if the server
certificate has been correctly added:

keytool -list -v -keystore C:\Users\remi_\workspace_divers\amqp\src\main\java\amqp\cacerts

You can then check with the information of the original certificate file.

You can also set TLS debugging on the JVM, with the "javax.net.debug"
system property set to "all", e.g. -Djavax.net.debug=all on the
command line, or even programmatically. This is verbose but useful.
More info [1].

You can also provide us with the server logs and configuration, if you
have access to them.

[1] https://docs.oracle.com/javase/7/docs/technotes/guides/security/jsse/ReadDebug.html

Remi Plantade

Sep 5, 2018, 4:10:55 AM9/5/18
to rabbitmq-users
After several tries I found what was wrong in my configuration: the certificate that I added to my truststore wasn't the right one.
I finally added the "GlobalSign Root CA" and it seems to work.

I still have an error, but I don't know if you can help me: the AMQP version of the server is 1.0.0 and RabbitMQ is only compatible with 0.9.1.

I see there is a plugin to handle version 1.0.0, but is it for the server library?

The error message:
AMQP protocol version mismatch; we are version 0-9-1, server sent signature 0,1,0,0
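The two diagnostics in this thread, Arnaud's "list the truststore and compare it with the original certificate" and Rémi's finding that the certificate he had imported was not the server's issuer, reproduced offline with a throwaway PKI. This is an added example, not code from the thread or from the RabbitMQ project: it uses openssl to create its own root CA (standing in for the GlobalSign Root CA), a server certificate chained to it, an unrelated self-signed certificate (the "wrong" one), and a PKCS#12 client bundle like the one the provider supplied, then shows which trust anchor makes chain validation pass, that the issuer/subject comparison predicts the answer, that a wrong .p12 password fails before any TLS happens, and that a valid chain can still be rejected on hostname. Every name, path and password in it (Demo Root CA, publish.example.test, demo-client, my_p12_pwd, my_keystore_pwd) is made up for the demo; it assumes openssl is on PATH, and the keytool step runs only if a JDK is installed.

```shell
#!/bin/sh
# Added example (not from the thread): reproduce "No trusted certificate found"
# and its fix with a throwaway PKI. Assumes openssl on PATH; keytool is optional.
# Every name and password below is made up for the demo.
set -e

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

# 1. A throwaway root CA, standing in for the "GlobalSign Root CA" that fixed the thread.
openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 2 \
  -subj "/CN=Demo Root CA" -keyout root.key -out root.pem >/dev/null 2>&1

# 2. The broker's server certificate, issued by that root (stands in for
#    publish.preops.nm.eurocontrol.int; the CN is what the hostname check compares).
openssl req -new -newkey rsa:2048 -nodes -sha256 \
  -subj "/CN=publish.example.test" -keyout server.key -out server.csr >/dev/null 2>&1
openssl x509 -req -in server.csr -CA root.pem -CAkey root.key -CAcreateserial \
  -days 2 -sha256 -out server.pem >/dev/null 2>&1

# 3. An unrelated self-signed certificate: the "wrong one" that was imported first.
openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 2 \
  -subj "/CN=Unrelated Cert" -keyout wrong.key -out wrong.pem >/dev/null 2>&1

# 4. The client cert/key bundle a provider hands over as .p12. No PEM conversion is
#    needed on the Java side: KeyStore.getInstance("PKCS12") reads it directly.
openssl req -new -newkey rsa:2048 -nodes -sha256 \
  -subj "/CN=demo-client" -keyout client.key -out client.csr >/dev/null 2>&1
openssl x509 -req -in client.csr -CA root.pem -CAkey root.key -CAcreateserial \
  -days 2 -sha256 -out client.pem >/dev/null 2>&1
openssl pkcs12 -export -inkey client.key -in client.pem \
  -passout pass:my_p12_pwd -out client.p12 >/dev/null 2>&1

# What the JVM's trust manager asks: does the server's chain end at an anchor we trust?
# Argument: the PEM file you are about to import into the truststore as that anchor.
verify_server_chain() {
  openssl verify -CAfile "$1" server.pem >/dev/null 2>&1
}

# Same check plus hostname verification, which the RabbitMQ Java client does not turn on
# by itself when given an SSLContext; a chain can be valid and the name still be wrong.
verify_for_host() {
  openssl verify -CAfile root.pem -verify_hostname "$1" server.pem >/dev/null 2>&1
}

# The cheap pre-check behind "compare with the original certificate file":
# the server certificate's Issuer must equal the Subject of the anchor you import.
issuer_matches_subject() {
  iss="$(openssl x509 -in server.pem -noout -issuer)"
  sub="$(openssl x509 -in "$1" -noout -subject)"
  [ "${iss#issuer=}" = "${sub#subject=}" ]
}

# KeyStore.load() rejects a wrong .p12 password before any TLS happens; same check here.
p12_password_ok() {
  openssl pkcs12 -in client.p12 -passin "pass:$1" -noout >/dev/null 2>&1
}

# If a JDK is available, build the JKS truststore the way the thread does and list it,
# printing the Owner/Issuer lines that are compared against the server certificate.
if command -v keytool >/dev/null 2>&1; then
  keytool -importcert -noprompt -storetype JKS -alias demo-root -file root.pem \
    -keystore cacerts -storepass my_keystore_pwd >/dev/null 2>&1 || true
  keytool -list -v -keystore cacerts -storepass my_keystore_pwd 2>/dev/null \
    | grep -E '^(Owner|Issuer):' || true
fi

verify_server_chain root.pem  && echo "root.pem as anchor:  OK"
verify_server_chain wrong.pem || echo "wrong.pem as anchor: rejected (no trusted certificate)"
verify_for_host publish.example.test && echo "hostname check:      OK"
verify_for_host other.example.test   || echo "hostname mismatch:   rejected"
```

Running it prints the two outcomes Rémi saw: with wrong.pem as the only anchor the chain is rejected, with root.pem it validates. The issuer/subject comparison gives the same answer without a handshake, which is the quickest thing to check against the output of keytool -list -v before touching the Java code.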

Michael Klishin

Sep 5, 2018, 7:00:11 AM9/5/18
to rabbitm...@googlegroups.com
RabbitMQ does support AMQP 1.0 via a plugin. If you are looking to use AMQP 1.0 you will need
a different client, however.
