I want to highlight a phrase you quoted from the documentation you
referenced: "The broker is configured to have its own certificate and
private key." I see where you installed the broker's cert (the ourco one),
but i don't see in your description where you installed the private key.
Did that happen?
Tim
On Aug 15, 2016 8:07 AM, "KenHall" <ha...@dnb.com> wrote:
> Hi Tim,
>
> Yes we're using the ourmq.ourco.com address and the certificate common
> name
> is the same.
>
> So my very simplistic piece of java code looks like this:
> System.setProperty("javax.net.debug","ssl");
> ActiveMQSslConnectionFactory connectionFactory = new
> ActiveMQSslConnectionFactory("ssl://ourmq.ourco.com:XXXX");
> connectionFactory.setTrustStore(PATH+"/client.ts");
> connectionFactory.setTrustStorePassword("password");
> Connection connection = connectionFactory.createConnection();
> connection.start();
>
> I have been getting issues which result in an SSL Handshake exception. I
> thought this was related to encryption policy jars and have updated these
> at
> both sides to the higher strength encryption but I still get the same
> errors. So now I get something like this (all I have changed in the output
> is to keep confidentiality). The client is using jdk 1.8 and the broker jdk
> 1.7 but I don't think that should make any difference:
>
> Starting.....
> adding as trusted cert:
> Subject: CN=localhost, OU=broker, O=Unknown, L=Unknown, ST=Unknown,
> C=Unknown
> Issuer: CN=localhost, OU=broker, O=Unknown, L=Unknown, ST=Unknown,
> C=Unknown
> Algorithm: RSA; Serial number: 0x4537c82e
> Valid from Thu Oct 19 19:47:10 BST 2006 until Wed Jan 17 18:47:10 GMT
> 2007
>
> adding as trusted cert:
> Subject: CN=DigiCert SHA2 High Assurance Server CA, OU=www.digicert.com,
> O=DigiCert Inc, C=US
> .......
> Valid from Tue Oct 22 13:00:00 BST 2013 until Sun Oct 22 13:00:00 BST
> 2028
>
> trigger seeding of SecureRandom
> done seeding SecureRandom
> Allow unsafe renegotiation: false
> Allow legacy hello messages: true
> Is initial handshake: true
> Is secure renegotiation: false
> main, setSoTimeout(0) called
> Ignoring unsupported cipher suite: TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384
> for TLSv1
> Ignoring unsupported cipher suite: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
> for
> TLSv1
> Ignoring unsupported cipher suite: TLS_RSA_WITH_AES_256_CBC_SHA256 for
> TLSv1
> Ignoring unsupported cipher suite: TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384
> for TLSv1
> Ignoring unsupported cipher suite: TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384
> for
> TLSv1
> Ignoring unsupported cipher suite: TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 for
> TLSv1
> Ignoring unsupported cipher suite: TLS_DHE_DSS_WITH_AES_256_CBC_SHA256 for
> TLSv1
> Ignoring unsupported cipher suite: TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384
> for TLSv1.1
> Ignoring unsupported cipher suite: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
> for
> TLSv1.1
> Ignoring unsupported cipher suite: TLS_RSA_WITH_AES_256_CBC_SHA256 for
> TLSv1.1
> Ignoring unsupported cipher suite: TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384
> for TLSv1.1
> Ignoring unsupported cipher suite: TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384
> for
> TLSv1.1
> Ignoring unsupported cipher suite: TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 for
> TLSv1.1
> Ignoring unsupported cipher suite: TLS_DHE_DSS_WITH_AES_256_CBC_SHA256 for
> TLSv1.1
> log4j:WARN No appenders could be found for logger
> (org.apache.activemq.transport.WireFormatNegotiator).
> log4j:WARN Please initialize the log4j system properly.
> log4j:WARN See http://logging.apache.org/log4j/1.2/faq.html#noconfig for
> more info.
> %% No cached client session
> *** ClientHello, TLSv1.2
> RandomCookie: GMT: 1454425573 bytes = { 245, 115, 73, 243, 107, 74, 79,
> 221, 236, 153, 89, 128, 222, 149, 200, 153, 84, 140, 5, 103, 248, 24, 111,
> 201, 66, 162, 15, 234 }
> Session ID: {}
> Cipher Suites: [TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384,
> TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384, TLS_RSA_WITH_AES_256_CBC_SHA256,
> TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384,
> TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384, TLS_DHE_RSA_WITH_AES_256_CBC_SHA256,
> TLS_DHE_DSS_WITH_AES_256_CBC_SHA256, TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,
> TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA, TLS_RSA_WITH_AES_256_CBC_SHA,
> TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA, TLS_ECDH_RSA_WITH_AES_256_CBC_SHA,
> TLS_DHE_RSA_WITH_AES_256_CBC_SHA, TLS_DHE_DSS_WITH_AES_256_CBC_SHA,
> TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,
> TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256, TLS_RSA_WITH_AES_128_CBC_SHA256,
> TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256,
> TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256, TLS_DHE_RSA_WITH_AES_128_CBC_SHA256,
> TLS_DHE_DSS_WITH_AES_128_CBC_SHA256, TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,
> TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, TLS_RSA_WITH_AES_128_CBC_SHA,
> TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA, TLS_ECDH_RSA_WITH_AES_128_CBC_SHA,
> TLS_DHE_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_DSS_WITH_AES_128_CBC_SHA,
> TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
> TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
> TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384, TLS_RSA_WITH_AES_256_GCM_SHA384,
> TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384,
> TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384, TLS_DHE_RSA_WITH_AES_256_GCM_SHA384,
> TLS_DHE_DSS_WITH_AES_256_GCM_SHA384, TLS_ECDHE_RSA_WITH_AES_128_
> GCM_SHA256,
> TLS_RSA_WITH_AES_128_GCM_SHA256, TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256,
> TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256, TLS_DHE_RSA_WITH_AES_128_GCM_SHA256,
> TLS_DHE_DSS_WITH_AES_128_GCM_SHA256, TLS_ECDHE_ECDSA_WITH_3DES_EDE_
> CBC_SHA,
> TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_RSA_WITH_3DES_EDE_CBC_SHA,
> TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA, TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA,
> SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA,
> TLS_EMPTY_RENEGOTIATION_INFO_SCSV]
> Compression Methods: { 0 }
> Extension elliptic_curves, curve names: {secp256r1, sect163k1, sect163r2,
> secp192r1, secp224r1, sect233k1, sect233r1, sect283k1, sect283r1,
> secp384r1,
> sect409k1, sect409r1, secp521r1, sect571k1, sect571r1, secp160k1,
> secp160r1,
> secp160r2, sect163r1, secp192k1, sect193r1, sect193r2, secp224k1,
> sect239k1,
> secp256k1}
> Extension ec_point_formats, formats: [uncompressed]
> Extension signature_algorithms, signature_algorithms: SHA512withECDSA,
> SHA512withRSA, SHA384withECDSA, SHA384withRSA, SHA256withECDSA,
> SHA256withRSA, SHA224withECDSA, SHA224withRSA, SHA1withECDSA, SHA1withRSA,
> SHA1withDSA, MD5withRSA
> ***
> ActiveMQ Transport: ssl://ourmq.ourco.com/111.222.111.222:9999, WRITE:
> TLSv1.2 Handshake, length = 237
> ActiveMQ Transport: ssl://ourmq.ourco.com/111.222.111.222:9999, READ:
> TLSv1.2 Alert, length = 2
> ActiveMQ Transport: ssl://ourmq.ourco.com/111.222.111.222:9999, RECV
> TLSv1.2
> ALERT: fatal, handshake_failure
> ActiveMQ Transport: ssl://ourmq.ourco.com/111.222.111.222:9999, called
> closeSocket()
> ActiveMQ Transport: ssl://ourmq.ourco.com/111.222.111.222:9999, handling
> exception: javax.net.ssl.SSLHandshakeException: Received fatal alert:
> handshake_failure
> main, handling exception: javax.net.ssl.SSLHandshakeException: Received
> fatal alert: handshake_failure
> ActiveMQ Task-1, called close()
> ActiveMQ Task-1, called closeInternal(true)
> Exception in thread "main" javax.jms.JMSException: Could not connect to
> broker URL: ssl://ourmq.ourco.com:9999. Reason:
> javax.net.ssl.SSLHandshakeException: Received fatal alert:
> handshake_failure
> at
> org.apache.activemq.util.JMSExceptionSupport.create(
> JMSExceptionSupport.java:35)
> at
> org.apache.activemq.ActiveMQConnectionFactory.createActiveMQConnection(
> ActiveMQConnectionFactory.java:293)
> at
> org.apache.activemq.ActiveMQConnectionFactory.createActiveMQConnection(
> ActiveMQConnectionFactory.java:238)
> at
> org.apache.activemq.ActiveMQConnectionFactory.createConnection(
> ActiveMQConnectionFactory.java:184)
> at RunSSLTest.main(RunSSLTest.java:26)
> Caused by: javax.net.ssl.SSLHandshakeException: Received fatal alert:
> handshake_failure
> at sun.security.ssl.Alerts.getSSLException(Unknown Source)
> at sun.security.ssl.Alerts.getSSLException(Unknown Source)
> at sun.security.ssl.SSLSocketImpl.recvAlert(Unknown Source)
> at sun.security.ssl.SSLSocketImpl.readRecord(Unknown Source)
> at sun.security.ssl.SSLSocketImpl.performInitialHandshake(Unknown
> Source)
> at sun.security.ssl.SSLSocketImpl.readDataRecord(Unknown Source)
> at sun.security.ssl.AppInputStream.read(Unknown Source)
> at
> org.apache.activemq.transport.tcp.TcpBufferedInputStream.
> fill(TcpBufferedInputStream.java:50)
> at
> org.apache.activemq.transport.tcp.TcpTransport$2.fill(
> TcpTransport.java:604)
> at
> org.apache.activemq.transport.tcp.TcpBufferedInputStream.
> read(TcpBufferedInputStream.java:58)
> at
> org.apache.activemq.transport.tcp.TcpTransport$2.read(
> TcpTransport.java:589)
> at java.io.DataInputStream.readInt(Unknown Source)
> at
> org.apache.activemq.openwire.OpenWireFormat.unmarshal(
> OpenWireFormat.java:275)
> at
> org.apache.activemq.transport.tcp.TcpTransport.readCommand(
> TcpTransport.java:221)
> at
> org.apache.activemq.transport.tcp.TcpTransport.doRun(
> TcpTransport.java:213)
> at
> org.apache.activemq.transport.tcp.TcpTransport.run(TcpTransport.java:196)
> at java.lang.Thread.run(Unknown Source)
>
>
>
>
>
>
> --
> View this message in context: http://activemq.2283324.n4.
> nabble.com/Using-Trusted-Cert-with-ActiveMQ-SSL-tp4715473p4715482.html
> Sent from the ActiveMQ - User mailing list archive at Nabble.com.
>
