javax.net.ssl.SSLHandshakeException: null cert chain

[josecelano]

I am trying to run this example but I get this message on ActiveMQ log:

2015-02-06 19:15:01,355 | WARN  | Transport Connection to: tcp://000.000.000.000:50277 failed: javax.net.ssl.SSLHandshakeException: null  cert chain | org.apache.activemq.broker.TransportConnection.Transport

Executing this command fron the client:

openssl s_client -connect 123.123.123.123:61612 -cert client.pem -showcerts

I get this output:

CONNECTED(00000003)
depth=0 /C=US/ST=State/L=City/O=Org/OU=Org Unit/CN=Activemq Server
verify error:num=18:self signed certificate
verify return:1
depth=0 /C=US/ST=State/L=City/O=Org/OU=Org Unit/CN=Activemq Server
verify return:1

---
Certificate chain
 0 s:/C=US/ST=State/L=City/O=Org/OU=Org Unit/CN=Activemq Server
   i:/C=US/ST=State/L=City/O=Org/OU=Org Unit/CN=Activemq Server
-----BEGIN CERTIFICATE-----
....

I can connect well using stomp without SSL.

[rethab]

Hi Jose, have you followed the steps exactly or did you do something
differently? If so, could you please list the exact steps you took?

Alternatively, can you provide me with a reproducing example?

• Reto

On Fri, Feb 6, 2015, 20:59 Jose Celano [email protected] wrote:

I am trying to run this example but I get this message on ActiveMQ log:

2015-02-06 19:15:01,355 | WARN | Transport Connection to: tcp://000.000.000.000:50277 failed: javax.net.ssl.SSLHandshakeException: null cert chain | org.apache.activemq.broker.TransportConnection.Transport

Executing this command:

openssl s_client -connect 123.123.123.123:61612 -cert client.pem -showcerts

I get this output:

CONNECTED(00000003)
depth=0 /C=US/ST=State/L=City/O=Org/OU=Org Unit/CN=Activemq Server
verify error:num=18:self signed certificate
verify return:1
depth=0 /C=US/ST=State/L=City/O=Org/OU=Org Unit/CN=Activemq Server

verify return:1

Certificate chain
0 s:/C=US/ST=State/L=City/O=Org/OU=Org Unit/CN=Activemq Server
i:/C=US/ST=State/L=City/O=Org/OU=Org Unit/CN=Activemq Server
-----BEGIN CERTIFICATE-----
....

I can connect well using stomp without SSL.

—
Reply to this email directly or view it on GitHub
#1.

[josecelano]

First I followed the steps exactly but later I did somethings differently becuase it did not work. I think the problem could be I am using a Stomp class that does not allow ssl connections, but I am not sure, still working on that, see:

dejanb/stomp-php#34

[rethab]

Hi Jose, while the standard version of stomp does support ssl, it is rather pointless since it doesn't verify the certificates and there's no way for the client to send a certificate for authentication. If you're following my tutorial, make sure you're using my fork of the stomp library.

[josecelano]

Thanks @rethab, I did not realize that you are using a fork, I was using the original repository. I have notified the problem in the original repository dejanb/stomp-php#34

Now It seems to connect well but I get another error:

Fatal error: Uncaught exception 'FuseSource\Stomp\Exception\StompException' with message 'User name [] or password is invalid. No user for client certificate: CN=Activemq Client, OU=Org Unit Client, O=Org Client, L=City Client, ST=State Client, C=US' in D:\www\test\stomb\FuseSource\Stomp\Frame.php on line 57

I suppose this is a problem with the users.properties config file in ActiveMQ server, is not?

[josecelano]

The new problem is fixed:

users.properties previous file:

php-client=C=US, ST=State Client, L=City Client, O=Org Client, OU=Org Unit Client, CN=Activemq Client

users.properties new file:

php-client=CN=Activemq Client, OU=Org Unit Client, O=Org Client, L=City Client, ST=State Client, C=US

I thought certificate fields order do not matter.

[rethab]

Glat it works now.

I agree the documentation could more clearly stating that you need this fork.

• Reto