Today marks the official release of Apache.NMS.ActiveMQ v1.5.1. We put a lot of work into this one fixing bugs that were found since the 1.5.0 release. The MS Distributed Transaction Support should be much more stable in this release.
For anyone on v1.5.0 I'd definitely recommend upgrading; there were a couple of threading issues that have been resolved which should make things more stable.
The v1.5.1 release page is here
14 comments:
I'm trying to get 2-way SSL to work with Apache.NMS on windows and having trouble specifying the client certificate to use. I'm sure the broker is set up because it works fine with a java client following the How to Use SSL guide on the Apache Website. Do you know of a C# client example that uses 2-way SSL certificate authentication?
There aren't any examples since it all really comes down to configuration. You need to ensure that your client cert is in the broker's trust store, and then specify on the SSLTransport URI option the location of the client certificate and its password, or if you have a cert loaded into the Windows certificate store then you need to have the right subject name set for the client cert. Browsing the SslTransport.cs code would be instructive.
Is there a definition of the query parameters for the client certificate name and password? Browsing SslTransport.cs was helpful but I'm having a hard time in TcpTransportFactory.cs figuring out what keys the code is looking for to get these values.
Thanks for your time to respond!
It would actually be the values in the SslTransportFactory, all prefixed by transport.[option]
transport.ClientCertSubject
transport.ClientCertFilename
transport.ClientCertPassword
transport.ServerName
transport.KeyStoreLocation
transport.KeyStoreName
transport.AcceptInvalidBrokerCert
Does this look correct?
ssl://host:61443?transport.ClientCertSubject=Client&transport.ClientCertPassword=Password
Well I think you only need the ClientCertPassword if you also set the ClientCertFilename option, otherwise it won't be used for anything. The MS Cert store I believe is unlocked by the user that's currently logged in.
I've been debugging SslTransport this afternoon and have found one of my problems is the certificate subject matching within SelectLocalCertificate. How am I supposed to encode the URI when the certificate subject looks like "CN=Client, OU=L-3 Communications, O=ComCept, L=Rockwall, S=Texas, C=US"? Encoding the equal sign as %3D made it past the URI regex but did not work in the string.compare method.
There's probably some .NET equivalent to the Java URI encode and decode methods for that sort of encoding, perhaps you can play around with it and come up with a patch? If so open a new Jira issue and attach the patch with Apache license grant and we can apply it in SVN.
Modifying this line in the DoCreateTransport method works
transport.ClientCertSubject = HttpUtility.UrlDecode(this.clientCertSubject);
but now I'm getting a handshake error as follows:
*** Certificate chain
***
ActiveMQ Task-7, SEND TLSv1 ALERT: fatal, description = bad_certificate
ActiveMQ Task-7, WRITE: TLSv1 Alert, length = 2
[Raw write]: length = 7
0000: 15 03 01 00 02 02 2A ......*
ActiveMQ Task-7, called closeSocket()
ActiveMQ Task-7, handling exception: javax.net.ssl.SSLHandshakeException: null cert chain
ActiveMQ Transport: ssl:///128.170.184.204:53483, handling exception: javax.net.ssl.SSLException: Connection has been shutdown: javax.net.ssl.SSLHandshakeException: null cert chain
ActiveMQ Task-9, called close()
ActiveMQ Task-9, called closeInternal(true)
ERROR | Could not accept connection : javax.net.ssl.SSLHandshakeException: null cert chain
Looks like the trust chain of the client certificate is empty. How do I send that over?
You need to have the Root certificate and all the intermediate signing certs in the broker's trust store prior to the client sending its certificate over. If you have the Root signing cert in your trust store it should pass.
I don't know how to open a Jira issue, but I would be glad to submit the snippet for a change. Do I work through the "become a contributor" guide?
Got here: https://issues.apache.org/jira/browse/AMQNET
Create an account and then you can select create issue under the Issues menu.
I finally got it to work with the fix to the SslTransportFactory.cs patch. The trick was to make sure the client certificate on the C# side was a PKCS12 that has the private key in the CurrentUser key store. I had only installed the .cer file which only has the public key. So the following URI does work with the HttpUtility.UrlDecode fix
var cf = new ConnectionFactory(@"ssl://TX-607.Comcept.L-3Com.com:61443?transport.clientCertSubject=CN%3DCharlie.Ocean.Flyer.CO1");
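As an added example (not Apache.NMS code and not the commenter's patch), the following C# helper, called ClientCertCheck here as an assumed name, encodes the subject for the URI the way the HttpUtility.UrlDecode fix above expects, then verifies that a certificate with that subject, and with a private key, is present in the CurrentUser store. Running it before connecting surfaces the condition behind the "null cert chain" failure on the broker (a .cer imported without its private key), so the broker logs are not the first place you find out.

```csharp
using System;
using System.Linq;
using System.Security.Cryptography.X509Certificates;
using System.Web; // HttpUtility lives in System.Web.dll

// Assumed helper, not part of Apache.NMS: mirrors the subject matching that
// SslTransportFactory performs after the UrlDecode fix discussed in the thread.
static class ClientCertCheck
{
    // Builds the broker URI with the subject percent-encoded, so "CN=Client, OU=X"
    // becomes "CN%3DClient%2C%20OU%3DX" and survives the URI parsing regex.
    public static string BuildUri(string host, int port, string subject)
    {
        return string.Format("ssl://{0}:{1}?transport.clientCertSubject={2}",
                             host, port, Uri.EscapeDataString(subject));
    }

    // Decodes the subject exactly as the patched factory does, then looks it up in
    // CurrentUser\My. A match without a private key cannot complete a 2-way TLS
    // handshake: the client sends nothing and the broker reports "null cert chain".
    public static X509Certificate2 FindClientCert(string encodedSubject)
    {
        string subject = HttpUtility.UrlDecode(encodedSubject);
        var store = new X509Store(StoreName.My, StoreLocation.CurrentUser);
        store.Open(OpenFlags.ReadOnly);
        try
        {
            var matches = store.Certificates.Cast<X509Certificate2>()
                .Where(c => string.Equals(c.Subject, subject,
                                          StringComparison.OrdinalIgnoreCase))
                .ToList();
            if (matches.Count == 0)
                throw new InvalidOperationException(
                    "No certificate with subject '" + subject + "' in CurrentUser\\My; " +
                    "import the PKCS12 (.pfx/.p12), not only the .cer file.");

            var withKey = matches.FirstOrDefault(c => c.HasPrivateKey);
            if (withKey == null)
                throw new InvalidOperationException(
                    "Certificate found but it carries no private key; " +
                    "the broker will see an empty client certificate chain.");
            return withKey;
        }
        finally
        {
            store.Close();
        }
    }
}
```

Call FindClientCert with the same percent-encoded value you put in the URI; if it returns a certificate, the remaining failure modes are on the broker side (missing root or intermediate certs in its trust store).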
Hi,
I just followed all the steps (install certs in root, passing the values in URI) but I could not make it work.
When I enable trace I found the following:
SecureChannel#24445403 - Client delegate did not provide a certificate; but there are other user-provided certificates".
System.Net Information: 0 : [10352] SecureChannel#24445403 - Left with 0 client certificates to choose from.
My URI as follows: ssl://localhost:61617?transport.serverName=localhost
Can someone help me with how to pass the right URI here?
Thanks
Suresh