PROTOCOLS VS CLIENTS: A LINKOLOGY
STOMP
1.PYTHON CLIENTS
More on Python client libraries and client implementations (Sprinkle, stomper, stomp.py etc.) at
http://stomp.codehaus.org/Python
stomp+ssl
http://activemq.apache.org/stomp.html
http://sourceforge.net/projects/pyopenssl/
pyOpenSSL: Python wrapper around a small subset of the OpenSSL library. Includes: X509 Certificates, SSL Context objects, SSL Connection objects using Python sockets as transport layer.
2.PERL CLIENTS
Client libraries and implementations at
http://stomp.codehaus.org/Perl
OPENWIRE
1.CPP CLIENTS
ActiveMQ-CPP v3.0.1
http://activemq.apache.org/cms/activemq-cpp-301-release.html
23-27 June 09
Configuring JAAS in Fuse Message Broker 5.3
Python Clients and Protocol used : Stomp
Simple authentication and Authorization
Documentation at
http://fusesource.com/docs/broker/5.3/security/Auth-JAAS.html
was followed.
Specifying the login.config file location was done in a slightly different fashion.
In the wrapper.conf file add
wrapper.java.additional.7=-Djava.security.auth.login.config=%ACTIVEMQ_HOME%/conf/login.config
It seems to work ok.
JAAS Certificate Authentication
Note:
The clients must be configured with their own certificate. Authentication is actually performed during the SSL/TLS handshake, not directly by the JAAS certificate authentication plug-in.
Followed the documentation at
http://fusesource.com/docs/broker/5.3/security/Auth-JAAS-CertAuthentPlugin.html
Obtaining the subject DN was done using the openssl command
openssl x509 -in hostcert.pem -inform PEM -text -noout
The keytool -export.... command described in the documentation was producing the following error, as the certificate which we added to the keystore was not generated using
keytool -genkey .... specifying an alias.
Alias does not exist.
Trying to publish messages, the following resulted:
> ./publisher.py /queue/nips
connecting : 127.0.0.1:6162
ERROR
message: Unable to authenticate transport without SSL certificate.
java.lang.SecurityException: Unable to authenticate transport without SSL certificate.
at org.apache.activemq.security.JaasCertificateAuthenticationBroker.addConnection(JaasCertificateAuthenticationBroker.java:75)
at org.apache.activemq.broker.BrokerFilter.addConnection(BrokerFilter.java:82)
at org.apache.activemq.broker.MutableBrokerFilter.addConnection(MutableBrokerFilter.java:89)
at org.apache.activemq.broker.TransportConnection.processAddConnection(TransportConnection.java:686)
at org.apache.activemq.broker.jmx.ManagedTransportConnection.processAddConnection(ManagedTransportConnection.java:86)
at org.apache.activemq.command.ConnectionInfo.visit(ConnectionInfo.java:134)
at org.apache.activemq.broker.TransportConnection.service(TransportConnection.java:308)
at org.apache.activemq.broker.TransportConnection$1.onCommand(TransportConnection.java:182)
at org.apache.activemq.transport.TransportFilter.onCommand(TransportFilter.java:68)
at org.apache.activemq.transport.InactivityMonitor.onCommand(InactivityMonitor.java:210)
at org.apache.activemq.transport.stomp.StompTransportFilter.sendToActiveMQ(StompTransportFilter.java:78)
at org.apache.activemq.transport.stomp.ProtocolConverter.sendToActiveMQ(ProtocolConverter.java:135)
at org.apache.activemq.transport.stomp.ProtocolConverter.onStompConnect(ProtocolConverter.java:491)
at org.apache.activemq.transport.stomp.ProtocolConverter.onStompCommand(ProtocolConverter.java:187)
at org.apache.activemq.transport.stomp.StompTransportFilter.onCommand(StompTransportFilter.java:67)
at org.apache.activemq.transport.TransportSupport.doConsume(TransportSupport.java:84)
at org.apache.activemq.transport.tcp.SslTransport.doConsume(SslTransport.java:104)
at org.apache.activemq.transport.tcp.TcpTransport.doRun(TcpTransport.java:203)
at org.apache.activemq.transport.tcp.TcpTransport.run(TcpTransport.java:185)
at java.lang.Thread.run(Thread.java:636)
> ERROR:stomp.ssl:Lost connection
lost connection None : None
Traceback (most recent call last):
File "./publisher.py", line 79, in ?
conn.send('testing! '+str(i),destination=TOPIC, ack='auto')
File "/home/msg/javacert/basic_example/stomp/stomp.py", line 242, in send
content_length_headers]), [ 'destination' ])
File "/home/msg/javacert/basic_example/stomp/stomp.py", line 334, in __send_frame_helper
self.__send_frame(command, headers, payload)
File "/home/msg/javacert/basic_example/stomp/stomp.py", line 351, in __send_frame
raise NotConnectedException()
stomp.exception.NotConnectedException
So we tried to establish a connection using openssl s_client using the host certificates:
~ $ openssl s_client -connect vtb-generic-40:6162 -CApath /etc/grid-security/certificates -cert /afs/cern.ch/user/n/nvaloor/.globus/usercert.pem -key /afs/cern.ch/user/n/nvaloor/.globus/userkey.pem -state
Enter pass phrase for /afs/cern.ch/user/n/nvaloor/.globus/userkey.pem:
CONNECTED(00000003)
SSL_connect:before/connect initialization
SSL_connect:SSLv2/v3 write client hello A
SSL_connect:SSLv3 read server hello A
depth=2 /DC=ch/DC=cern/CN=CERN Root CA
verify return:1
depth=1 /DC=ch/DC=cern/CN=CERN Trusted Certification Authority
verify return:1
depth=0 /DC=ch/DC=cern/OU=computers/CN=vtb-generic-40.cern.ch
verify return:1
SSL_connect:SSLv3 read server certificate A
SSL_connect:SSLv3 read server key exchange A
SSL_connect:SSLv3 read server certificate request A
SSL_connect:SSLv3 read server done A
SSL_connect:SSLv3 write client certificate A
SSL_connect:SSLv3 write client key exchange A
SSL_connect:SSLv3 write certificate verify A
SSL_connect:SSLv3 write change cipher spec A
SSL_connect:SSLv3 write finished A
SSL_connect:SSLv3 flush data
SSL_connect:SSLv3 read finished A
---
Certificate chain
0 s:/DC=ch/DC=cern/OU=computers/CN=vtb-generic-40.cern.ch
i:/DC=ch/DC=cern/CN=CERN Trusted Certification Authority
---
Server certificate
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
subject=/DC=ch/DC=cern/OU=computers/CN=vtb-generic-40.cern.ch
issuer=/DC=ch/DC=cern/CN=CERN Trusted Certification Authority
---
Acceptable client certificate CA names
/C=DE/O=DFN-Verein/OU=DFN-PKI/CN=DFN-Verein User CA Grid - G01
/C=MA/O=MaGrid/CN=MaGrid CA
/DC=org/DC=DOEGrids/OU=Certificate Authorities/CN=DOEGrids CA 1
/DC=bg/DC=acad/CN=BG.ACAD CA
/C=HU/O=KFKI RMKI CA/CN=KFKI RMKI CA
/C=CA/O=Grid/CN=Grid Canada Certificate Authority
/C=TR/O=TRGrid/CN=TR-Grid CA
/DC=EDU/DC=UTEXAS/DC=TACC/O=UT-AUSTIN/CN=TACC Classic CA
/DC=ch/DC=cern/CN=CERN Root CA
/DC=cz/DC=cesnet-ca/CN=CESNET CA
/DC=gov/DC=fnal/O=Fermilab/OU=Certificate Authorities/CN=Kerberized CA
/C=JP/O=National Research Grid Initiative/OU=CGRD/CN=NAREGI CA
/DC=org/DC=ugrid/CN=UGRID CA
/C=CH/O=Switch - Teleinformatikdienste fuer Lehre und Forschung/CN=SWITCH Personal CA
/C=FR/O=CNRS/CN=CNRS2-Projets
/C=SG/O=Netrust Certificate Authority 1/OU=Netrust CA1
/C=PT/O=LIPCA/CN=LIP Certification Authority
/DC=net/DC=ES/OU=Certificate Authorities/CN=NERSC Online CA
/C=PK/O=NCP/CN=PK-GRID-CA
/C=BE/O=BELNET/OU=BEGrid/CN=BEGrid CA/emailAddress=gridca@belnet.be
/C=JP/O=AIST/OU=GRID/CN=Certificate Authority
/C=CH/O=Switch - Teleinformatikdienste fuer Lehre und Forschung/CN=SWITCHslcs CA
/C=UK/O=eScienceRoot/OU=Authority/CN=UK e-Science Root
/C=GR/O=HellasGrid/OU=Certification Authorities/CN=HellasGrid CA 2006
/C=CL/O=REUNACA/CN=REUNA Certification Authority
/C=FR/O=CNRS/CN=GRID2-FR
/DC=HK/DC=HKU/DC=GRID/CN=HKU Grid CA
/C=MK/O=MARGI/CN=MARGI-CA
/DC=ch/DC=cern/CN=CERN Trusted Certification Authority
/C=PL/O=GRID/CN=Polish Grid CA
/C=MX/O=UNAMgrid/OU=UNAM/CN=CA
/C=CY/O=CyGrid/O=HPCL/CN=CyGridCA
/DC=org/DC=balticgrid/CN=Baltic Grid Certification Authority
/DC=TW/DC=ORG/DC=NCHC/CN=NCHC CA
/C=BE/OU=BEGRID/O=BELNET/CN=BEgrid CA
/C=AM/O=ArmeSFo/CN=ArmeSFo CA
/C=CH/O=SwissSign/CN=SwissSign CA (RSA IK May 6 1999 18:00:58)/emailAddress=ca@SwissSign.com
/C=JP/O=KEK/OU=CRC/CN=KEK GRID Certificate Authority
/DC=by/DC=grid/O=uiip.bas-net.by/CN=Belarusian Grid Certification Authority
/DC=MD/DC=MD-Grid/O=RENAM/OU=Certification Authority/CN=MD-Grid CA
/DC=NET/DC=PRAGMA-GRID/CN=PRAGMA-UCSD CA
/C=FR/O=CNRS/CN=CNRS2
/C=RS/O=AEGIS/CN=AEGIS-CA
/DC=CN/DC=Grid/DC=SDG/CN=Scientific Data Grid CA
/C=SK/O=SlovakGrid/CN=SlovakGrid CA
/DC=me/DC=ac/DC=MREN/CN=MREN-CA
/C=CH/O=Switch - Teleinformatikdienste fuer Lehre und Forschung/CN=SWITCHgrid Root CA
/DC=BR/DC=UFF/DC=IC/O=UFF LACGrid CA/CN=UFF Latin American and Caribbean Catch-all Grid CA
/C=GR/O=HellasGrid/OU=Certification Authorities/CN=HellasGrid Root CA 2006
/C=US/O=National Center for Supercomputing Applications/OU=Certificate Authorities/CN=MyProxy
/C=CH/O=Switch - Teleinformatikdienste fuer Lehre und Forschung/CN=SWITCH Server CA
/C=UK/O=eScienceCA/OU=Authority/CN=UK e-Science CA
/O=Grid/O=NorduGrid/CN=NorduGrid Certification Authority
/C=KR/O=KISTI/O=GRID/CN=KISTI Grid Certificate Authority
/C=IT/O=INFN/CN=INFN CA
/CN=SwissSign Bronze CA/emailAddress=bronze@swisssign.com/O=SwissSign/C=CH
/C=SI/O=SiGNET/CN=SiGNET CA
/DC=LV/DC=latgrid/CN=Certification Authority for Latvian Grid
/DC=net/DC=ES/O=ESnet/OU=Certificate Authorities/CN=ESnet Root CA 1
/C=IE/O=Grid-Ireland/CN=Grid-Ireland Certification Authority
/C=DE/O=DFN-Verein/OU=DFN-PKI/CN=DFN-Verein Server CA Grid - G01
/DC=RO/DC=RomanianGRID/O=ROSA/OU=Certification Authority/CN=RomanianGRID CA
/DC=es/DC=irisgrid/CN=IRISGridCA
/C=FR/O=CNRS/CN=CNRS
/C=IR/O=IPM/O=IRAN-GRID/CN=IRAN-GRID CA
/C=HU/O=NIIF/OU=Certificate Authorities/CN=NIIF Root CA
/C=DE/O=GermanGrid/CN=GridKa-CA
/C=AR/O=e-Ciencia/OU=UNLP/L=CeSPI/CN=PKIGrid
/C=AU/O=APACGrid/OU=CA/CN=APACGrid/emailAddress=camanager@vpac.org
/C=AT/O=AustrianGrid/OU=Certification Authority/CN=Certificate Issuer
/C=IL/O=IUCC/CN=IUCC/emailAddress=ca@mail.iucc.ac.il
/C=TW/O=AS/CN=Academia Sinica Grid Computing Certification Authority Mercury
/C=US/O=National Center for Supercomputing Applications/OU=Certificate Authorities/CN=CACL
/DC=CN/DC=Grid/CN=Root Certificate Authority at CNIC
/C=FR/O=CNRS/CN=CNRS-Projets
/C=VE/O=Grid/O=Universidad de Los Andes/OU=CeCalCULA/CN=ULAGrid Certification Authority
/C=RU/O=RDIG/CN=Russian Data-Intensive Grid CA
/C=HR/O=edu/OU=srce/CN=SRCE CA
/C=DE/O=DFN-Verein/OU=DFN-PKI/CN=DFN-Verein PCA Grid - G01
/DC=IN/DC=GARUDAINDIA/CN=Indian Grid Certification Authority
/C=NL/O=NIKHEF/CN=NIKHEF medium-security certification auth
/CN=SwissSign Silver CA/emailAddress=silver@swisssign.com/O=SwissSign/C=CH
/C=CN/O=HEP/CN=gridca-cn/emailAddress=gridca@ihep.ac.cn
/DC=ORG/DC=SEE-GRID/CN=SEE-GRID CA
/DC=EDU/DC=UTEXAS/DC=TACC/O=UT-AUSTIN/CN=TACC Root CA
/CN=SWITCH CA/emailAddress=switch.ca@switch.ch/O=Switch - Teleinformatikdienste fuer Lehre und Forschung/C=CH
/C=TH/O=NECTEC/OU=GOC/CN=NECTEC GOC CA
/C=FR/O=CNRS/CN=GRID-FR
/C=BR/O=ICPEDU/O=UFF BrGrid CA/CN=UFF Brazilian Grid Certification Authority
---
SSL handshake has read 10170 bytes and written 4820 bytes
---
New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-SHA
Server public key is 2048 bit
Compression: NONE
Expansion: NONE
SSL-Session:
Protocol : TLSv1
Cipher : DHE-RSA-AES256-SHA
Session-ID: 4A4A0BB0AD6DBACB7B7489BEECCD0006ADA89CE28D8F0334FD7566BCA0617994
Session-ID-ctx:
Master-Key: E14C6BE448C42879DDC01CEE942571A1DD4B89A08DC8EC2D4F93353604480413C24522A6D3FC947231DABC55B38D018D
Key-Arg : None
Krb5 Principal: None
Start Time: 1246366640
Timeout : 300 (sec)
Verify return code: 0 (ok)
---
CONNECT
^@
ERROR
message:Unable to authenticate transport without SSL certificate.
java.lang.SecurityException: Unable to authenticate transport without SSL certificate.
at org.apache.activemq.security.JaasCertificateAuthenticationBroker.addConnection(JaasCertificateAuthenticationBroker.java:75)
at org.apache.activemq.broker.BrokerFilter.addConnection(BrokerFilter.java:82)
at org.apache.activemq.broker.MutableBrokerFilter.addConnection(MutableBrokerFilter.java:89)
at org.apache.activemq.broker.TransportConnection.processAddConnection(TransportConnection.java:686)
at org.apache.activemq.broker.jmx.ManagedTransportConnection.processAddConnection(ManagedTransportConnection.java:86)
at org.apache.activemq.command.ConnectionInfo.visit(ConnectionInfo.java:134)
at org.apache.activemq.broker.TransportConnection.service(TransportConnection.java:308)
at org.apache.activemq.broker.TransportConnection$1.onCommand(TransportConnection.java:182)
at org.apache.activemq.transport.TransportFilter.onCommand(TransportFilter.java:68)
at org.apache.activemq.transport.InactivityMonitor.onCommand(InactivityMonitor.java:210)
at org.apache.activemq.transport.stomp.StompTransportFilter.sendToActiveMQ(StompTransportFilter.java:78)
at org.apache.activemq.transport.stomp.ProtocolConverter.sendToActiveMQ(ProtocolConverter.java:135)
at org.apache.activemq.transport.stomp.ProtocolConverter.onStompConnect(ProtocolConverter.java:491)
at org.apache.activemq.transport.stomp.ProtocolConverter.onStompCommand(ProtocolConverter.java:187)
at org.apache.activemq.transport.stomp.StompTransportFilter.onCommand(StompTransportFilter.java:67)
at org.apache.activemq.transport.TransportSupport.doConsume(TransportSupport.java:84)
at org.apache.activemq.transport.tcp.SslTransport.doConsume(SslTransport.java:104)
at org.apache.activemq.transport.tcp.TcpTransport.doRun(TcpTransport.java:203)
at org.apache.activemq.transport.tcp.TcpTransport.run(TcpTransport.java:185)
at java.lang.Thread.run(Thread.java:636)
SSL3 alert read:warning:close notify
closed
SSL3 alert write:warning:close notify
So we tried the same using proxy certificates:
[vtb-generic-40] ~ $ grid-env
[vtb-generic-40] ~ $ voms-proxy-init
Cannot find file or dir: /afs/cern.ch/user/n/nvaloor/.glite/vomses
Enter GRID pass phrase:
Your identity: /DC=ch/DC=cern/OU=Organic Units/OU=Users/CN=nvaloor/CN=696451/CN=Nipun Valoor
Creating proxy ..................... Done
Your proxy is valid until Fri Jun 27 03:01:18 2009
[vtb-generic-40] ~ $ openssl s_client -connect vtb-generic-40:6162 -CApath /etc/grid-security/certificates -cert /tmp/x509up_u50660 -key /tmp/x509up_u50660 -state
CONNECTED(00000003)
SSL_connect:before/connect initialization
SSL_connect:SSLv2/v3 write client hello A
SSL_connect:SSLv3 read server hello A
depth=2 /DC=ch/DC=cern/CN=CERN Root CA
verify return:1
depth=1 /DC=ch/DC=cern/CN=CERN Trusted Certification Authority
verify return:1
depth=0 /DC=ch/DC=cern/OU=computers/CN=vtb-generic-40.cern.ch
verify return:1
SSL_connect:SSLv3 read server certificate A
SSL_connect:SSLv3 read server key exchange A
SSL_connect:SSLv3 read server certificate request A
SSL_connect:SSLv3 read server done A
SSL_connect:SSLv3 write client certificate A
SSL_connect:SSLv3 write client key exchange A
SSL_connect:SSLv3 write certificate verify A
SSL_connect:SSLv3 write change cipher spec A
SSL_connect:SSLv3 write finished A
SSL_connect:SSLv3 flush data
SSL3 alert read:fatal:certificate unknown
SSL_connect:failed in SSLv3 read finished A
25237:error:14094416:SSL routines:SSL3_READ_BYTES:sslv3 alert certificate unknown:s3_pkt.c:1052:SSL alert number 46
25237:error:140790E5:SSL routines:SSL23_WRITE:ssl handshake failure:s23_lib.c:226:
22 June 09
Build a SafeConnection abstraction built on the one provided by pyopenssl:
# Python 2 code (uses apply and the exec statement).
from threading import RLock as _RLock
from OpenSSL import SSL

class SafeConnection:
    def __init__(self, *args):
        self._ssl_conn = apply(SSL.Connection, args)
        self._lock = _RLock()

    # Generate one wrapper per SSL.Connection method; each wrapper holds
    # self._lock for the whole duration of the underlying call.
    for f in ('get_context', 'pending', 'send', 'write', 'recv', 'read',
              'renegotiate', 'bind', 'listen', 'connect', 'accept',
              'setblocking', 'fileno', 'shutdown', 'close', 'get_cipher_list',
              'getpeername', 'getsockname', 'getsockopt', 'setsockopt',
              'makefile', 'get_app_data', 'set_app_data', 'state_string',
              'sock_shutdown', 'get_peer_certificate', 'want_read',
              'want_write', 'set_connect_state', 'set_accept_state',
              'connect_ex', 'sendall', 'settimeout', 'do_handshake'):
        exec """def %s(self, *args):
            self._lock.acquire()
            try:
                return apply(self._ssl_conn.%s, args)
            finally:
                self._lock.release()\n""" % (f, f)
Looks better, but it eventually deadlocks...
09:59:08[basic_example]itgs04$gdb python
GNU gdb 6.3.50-20050815 (Apple version gdb-768) (Tue Oct 2 04:07:49 UTC 2007)
Copyright 2004 Free Software Foundation, Inc.
GDB is free software, covered by the GNU General Public License, and you are
welcome to change it and/or distribute copies of it under certain conditions.
Type "show copying" to see the conditions.
There is absolutely no warranty for GDB. Type "show warranty" for details.
This GDB was configured as "i386-apple-darwin"...Reading symbols for shared libraries .. done
(gdb) run ./publisher.py -b vtb-generic-110 /topic/test.hc
Starting program: /Library/Frameworks/Python.framework/Versions/2.5/bin/python ./publisher.py -b vtb-generic-110 /topic/test.hc
Reading symbols for shared libraries +. done
...
...
connecting : vtb-generic-110:61612
CONNECTED
session: ID:vtb-generic-110.cern.ch-40879-1245422300466-4:35
> ^C
Program received signal SIGINT, Interrupt.
0x929d82ce in semaphore_wait_signal_trap ()
(gdb) info threads
2 process 3970 thread 0x1003 0x929fbf9a in read$UNIX2003 ()
* 1 process 3970 local thread 0x2d03 0x929d82ce in semaphore_wait_signal_trap ()
(gdb) where
#0 0x929d82ce in semaphore_wait_signal_trap ()
#1 0x92a0a2c6 in _pthread_cond_wait ()
#2 0x92a4f539 in pthread_cond_wait ()
#3 0x004b6029 in PyThread_acquire_lock (lock=0x89e770, waitflag=1) at /home/fb6/loewis/25/Python/thread_pthread.h:452
#4 0x004ba617 in lock_PyThread_acquire_lock (self=0x52130, args=0xb81a90) at /home/fb6/loewis/25/Modules/threadmodule.c:46
#5 0x00485acd in PyEval_EvalFrameEx (f=0x822a70, throwflag=0) at /home/fb6/loewis/25/Python/ceval.c:3612
#6 0x0048771d in PyEval_EvalCodeEx (co=0x93a848, globals=0x939660, locals=0x0, args=0x8a1fb0, argcount=1, kws=0x8a1fb4, kwcount=0, defs=0x95883c, defcount=1, closure=0x0) at /home/fb6/loewis/25/Python/ceval.c:2875
#7 0x00484d9e in PyEval_EvalFrameEx (f=0x8a1e70, throwflag=0) at /home/fb6/loewis/25/Python/ceval.c:3708
#8 0x0048771d in PyEval_EvalCodeEx (co=0xb3dba8, globals=0xb37300, locals=0x0, args=0x8a1e40, argcount=2, kws=0x8a1e48, kwcount=0, defs=0x0, defcount=0, closure=0x0) at /home/fb6/loewis/25/Python/ceval.c:2875
#9 0x00484d9e in PyEval_EvalFrameEx (f=0x8a1cf0, throwflag=0) at /home/fb6/loewis/25/Python/ceval.c:3708
#10 0x0048771d in PyEval_EvalCodeEx (co=0x95ae30, globals=0x95f270, locals=0x0, args=0x8a1cb8, argcount=4, kws=0x8a1cc8, kwcount=0, defs=0xb36744, defcount=2, closure=0x0) at /home/fb6/loewis/25/Python/ceval.c:2875
#11 0x00484d9e in PyEval_EvalFrameEx (f=0x8a1b60, throwflag=0) at /home/fb6/loewis/25/Python/ceval.c:3708
#12 0x00486b86 in PyEval_EvalFrameEx (f=0x8a3060, throwflag=0) at /home/fb6/loewis/25/Python/ceval.c:3698
#13 0x0048771d in PyEval_EvalCodeEx (co=0x95a6e0, globals=0x95f270, locals=0x0, args=0x80c8bc, argcount=2, kws=0x80c8c4, kwcount=2, defs=0xb31d0c, defcount=2, closure=0x0) at /home/fb6/loewis/25/Python/ceval.c:2875
#14 0x00484d9e in PyEval_EvalFrameEx (f=0x80c780, throwflag=0) at /home/fb6/loewis/25/Python/ceval.c:3708
#15 0x0048771d in PyEval_EvalCodeEx (co=0x64d10, globals=0x24d20, locals=0x24d20, args=0x0, argcount=0, kws=0x0, kwcount=0, defs=0x0, defcount=0, closure=0x0) at /home/fb6/loewis/25/Python/ceval.c:2875
#16 0x004878d1 in PyEval_EvalCode (co=0x64d10, globals=0x24d20, locals=0x24d20) at /home/fb6/loewis/25/Python/ceval.c:514
#17 0x004ab031 in PyRun_FileExFlags (fp=0xa03364c0, filename=0xbffff019 "./publisher.py", start=257, globals=0x24d20, locals=0x24d20, closeit=1, flags=0xbfffee0c) at /home/fb6/loewis/25/Python/pythonrun.c:1273
#18 0x004ab3cb in PyRun_SimpleFileExFlags (fp=0xa03364c0, filename=0xbffff019 "./publisher.py", closeit=1, flags=0xbfffee0c) at /home/fb6/loewis/25/Python/pythonrun.c:879
#19 0x004b8bbe in Py_Main (argc=4, argv=0xbfffee90) at /home/fb6/loewis/25/Modules/main.c:532
#20 0x00001f8e in ?? ()
#21 0x00001eb5 in ?? ()
(gdb) thread 2
[Switching to thread 2 (process 3970 thread 0x1003)]
0x929fbf9a in read$UNIX2003 ()
(gdb) where
#0 0x929fbf9a in read$UNIX2003 ()
#1 0x91394326 in sock_read ()
#2 0x9138b3c1 in BIO_read ()
#3 0x95dc34d6 in ssl3_read_n ()
#4 0x95dc3e6d in ssl3_read_bytes ()
#5 0x95dc1efc in ssl3_read_internal ()
#6 0x00bd63ca in ssl_Connection_recv ()
#7 0x003fadac in PyObject_Call (func=0xb8fe68, arg=0xb81a70, kw=0x0) at /home/fb6/loewis/25/Objects/abstract.c:1861
#8 0x0047fe63 in PyEval_CallObjectWithKeywords (func=0xb8fe68, arg=0xb81a70, kw=0x0) at /home/fb6/loewis/25/Python/ceval.c:3481
#9 0x0047b26e in builtin_apply (self=0x0, args=0xb8ff30) at /home/fb6/loewis/25/Python/bltinmodule.c:169
#10 0x00485acd in PyEval_EvalFrameEx (f=0x8a2d10, throwflag=0) at /home/fb6/loewis/25/Python/ceval.c:3612
#11 0x0048771d in PyEval_EvalCodeEx (co=0xb3d410, globals=0xb37300, locals=0x0, args=0x8a2ce4, argcount=2, kws=0x8a2cec, kwcount=0, defs=0x0, defcount=0, closure=0x0) at /home/fb6/loewis/25/Python/ceval.c:2875
#12 0x00484d9e in PyEval_EvalFrameEx (f=0x8a2b80, throwflag=0) at /home/fb6/loewis/25/Python/ceval.c:3708
#13 0x00486b86 in PyEval_EvalFrameEx (f=0x8a1fe0, throwflag=0) at /home/fb6/loewis/25/Python/ceval.c:3698
#14 0x0048771d in PyEval_EvalCodeEx (co=0x963020, globals=0x95f270, locals=0x0, args=0x92aadc, argcount=1, kws=0x0, kwcount=0, defs=0x0, defcount=0, closure=0x0) at /home/fb6/loewis/25/Python/ceval.c:2875
#15 0x0041c103 in function_call (func=0xb3f2b0, arg=0x92aad0, kw=0x0) at /home/fb6/loewis/25/Objects/funcobject.c:517
#16 0x003fadac in PyObject_Call (func=0xb3f2b0, arg=0x92aad0, kw=0x0) at /home/fb6/loewis/25/Objects/abstract.c:1861
#17 0x00402aa7 in instancemethod_call (func=0xb24aa8, arg=0x8030, kw=0x0) at /home/fb6/loewis/25/Objects/classobject.c:2519
#18 0x003fadac in PyObject_Call (func=0xb24aa8, arg=0x8030, kw=0x0) at /home/fb6/loewis/25/Objects/abstract.c:1861
#19 0x0047fe63 in PyEval_CallObjectWithKeywords (func=0xb24aa8, arg=0x8030, kw=0x0) at /home/fb6/loewis/25/Python/ceval.c:3481
#20 0x004bac73 in t_bootstrap (boot_raw=0x89e2e0) at /home/fb6/loewis/25/Modules/threadmodule.c:427
#21 0x92a09155 in _pthread_start ()
#22 0x92a09012 in thread_start ()
Tried normal SSL.Connection object without SafeConnection abstraction on macosx 10.5 with pyOpenSSL 0.9, and it works fine (tested up to 10K messages)
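An added example (not code from this page or from pyOpenSSL) that reproduces the locking shape visible in the two gdb backtraces above: one thread blocked in recv while it holds the wrapper's single lock, the other waiting in acquire before it can send. Plain socketpair sockets stand in for SSL.Connection; LockedConnection, SelectingConnection, try_send and run are names made up for the illustration, and the select-before-lock variant is one common way to avoid the stall, not something this log tried.

```python
import select
import socket
import threading


class LockedConnection:
    """Same locking shape as SafeConnection: one lock held across every call."""

    def __init__(self, sock):
        self._sock = sock
        self._lock = threading.RLock()
        self.entered = threading.Event()  # demo aid: reader is now waiting for data

    def recv(self, n):
        with self._lock:
            self.entered.set()
            return self._sock.recv(n)  # blocks in read() with the lock held

    def try_send(self, data, timeout):
        # A SafeConnection-style send would wait here forever; the timeout
        # lets the demo report the stall instead of hanging.
        if not self._lock.acquire(timeout=timeout):
            return False
        try:
            self._sock.sendall(data)
            return True
        finally:
            self._lock.release()


class SelectingConnection(LockedConnection):
    """Wait for readability outside the lock; hold it only for the call itself."""

    def recv(self, n):
        self.entered.set()
        select.select([self._sock], [], [])  # no lock held while idle
        with self._lock:
            # With a real SSL.Connection the socket should be non-blocking here
            # and WantReadError retried: readable bytes may not yet form a
            # complete TLS record.
            return self._sock.recv(n)


def run(conn_cls, send_timeout=0.5):
    """Reader thread waits for a frame while the main thread tries to send one."""
    ours, peer = socket.socketpair()  # constructed stand-in for client <-> broker
    conn = conn_cls(ours)
    received = []
    reader = threading.Thread(
        target=lambda: received.append(conn.recv(16)), daemon=True
    )
    reader.start()
    conn.entered.wait()  # reader is parked waiting for broker data

    sent = conn.try_send(b"SEND", send_timeout)
    peer_got = b""
    if sent:
        peer_got = peer.recv(16)

    peer.sendall(b"MESSAGE")  # broker finally sends something; reader wakes up
    reader.join(2)
    ours.close()
    peer.close()
    return sent, peer_got, received


if __name__ == "__main__":
    print("lock held across recv:", run(LockedConnection))
    print("select, then lock:    ", run(SelectingConnection))
```

With the lock held across a blocking recv, the publisher can only send after the broker happens to send something first, which matches a client that connects, starts its receiver thread and then stalls.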
19 June 09
Sending ~> 40 messages causes openssl to corrupt an internal python lock - python 0.6 problem (REF). Also OpenSSL doesn't seem to be thread-safe (REF). Also, there seem to be problems in the 0.6 version of pyOpenSSL which have been fixed in later versions (latest is 0.9).
Cleaned up the ssl.py layer for STOMP to remove all grid specifics.
18 June 09
Tried to integrate pyOpenSSL into stomp.py. Doesn't seem to work out of the box.
You can turn on ssl debugging in ActiveMQ by passing in -Djavax.net.debug=ssl on the command line (ends up on STDOUT, so in wrapper.log).
Looking at other tools - found openssl s_client, details here: http://blog.yimingliu.com/2008/02/04/testing-https-with-openssl/ . Doing the following will give you a 'telnet' terminal against the STOMP port:
> openssl s_client -connect vtb-generic-110:61612 -CApath /etc/grid-security/certificates
More details, showing SSL state:
openssl s_client -connect vtb-generic-110:61612 -CApath /etc/grid-security/certificates -cert /Users/jamesc/.globus/usercert.pem -key /Users/jamesc/.globus/userkey.pem -state
Enter pass phrase for /Users/jamesc/.globus/userkey.pem:
CONNECTED(00000003)
SSL_connect:before/connect initialization
SSL_connect:SSLv2/v3 write client hello A
SSL_connect:SSLv3 read server hello A
depth=2 /DC=ch/DC=cern/CN=CERN Root CA
verify return:1
depth=1 /DC=ch/DC=cern/CN=CERN Trusted Certification Authority
verify return:1
depth=0 /DC=ch/DC=cern/OU=computers/CN=vtb-generic-110.cern.ch
verify return:1
SSL_connect:SSLv3 read server certificate A
SSL_connect:SSLv3 read server key exchange A
SSL_connect:SSLv3 read server done A
SSL_connect:SSLv3 write client key exchange A
SSL_connect:SSLv3 write change cipher spec A
SSL_connect:SSLv3 write finished A
SSL_connect:SSLv3 flush data
SSL_connect:SSLv3 read finished A
---
Certificate chain
0 s:/DC=ch/DC=cern/OU=computers/CN=vtb-generic-110.cern.ch
i:/DC=ch/DC=cern/CN=CERN Trusted Certification Authority
---
Server certificate
-----BEGIN CERTIFICATE-----
...
...
-----END CERTIFICATE-----
subject=/DC=ch/DC=cern/OU=computers/CN=vtb-generic-110.cern.ch
issuer=/DC=ch/DC=cern/CN=CERN Trusted Certification Authority
---
No client certificate CA names sent
---
SSL handshake has read 2408 bytes and written 282 bytes
---
New, TLSv1/SSLv3, Cipher is EDH-RSA-DES-CBC3-SHA
Server public key is 2048 bit
Compression: NONE
Expansion: NONE
SSL-Session:
Protocol : TLSv1
Cipher : EDH-RSA-DES-CBC3-SHA
Session-ID: 4A3A60B204AF5BF415D8F75E50F9362D2942C8D5B2F7D495402610DE6984D670
Session-ID-ctx:
Master-Key: EA71D4845913E81671E07C2DC6FFE632B82C41EBED7E1C08472C2C2D14ECC2D1D44C2D282AF06801A5F72E9C5290C5C6
Key-Arg : None
Start Time: 1245339812
Timeout : 300 (sec)
Verify return code: 0 (ok)
---
I also looked at wrapping the normal stomp port with stunnel. stunnel.conf is:
CApath=/etc/grid-security/certificates
cert=/etc/grid-security/hostcert.pem
client=no
foreground=yes
key=/etc/grid-security/hostkey.pem
debug=7
[stomp]
accept=vtb-generic-110.cern.ch:61611
connect=vtb-generic-110.cern.ch:6163
Connecting with openssl s_client:
17:45:42[~]itgs04$openssl s_client -connect vtb-generic-110:61611 -CApath /etc/grid-security/certificates -cert /Users/jamesc/.globus/usercert.pem -key /Users/jamesc/.globus/userkey.pem -state
Enter pass phrase for /Users/jamesc/.globus/userkey.pem:
CONNECTED(00000003)
SSL_connect:before/connect initialization
SSL_connect:SSLv2/v3 write client hello A
SSL_connect:SSLv3 read server hello A
depth=2 /DC=ch/DC=cern/CN=CERN Root CA
verify return:1
depth=1 /DC=ch/DC=cern/CN=CERN Trusted Certification Authority
verify return:1
depth=0 /DC=ch/DC=cern/OU=computers/CN=vtb-generic-110.cern.ch
verify return:1
SSL_connect:SSLv3 read server certificate A
SSL_connect:SSLv3 read server done A
SSL_connect:SSLv3 write client key exchange A
SSL_connect:SSLv3 write change cipher spec A
SSL_connect:SSLv3 write finished A
SSL_connect:SSLv3 flush data
SSL_connect:SSLv3 read finished A
---
Certificate chain
0 s:/DC=ch/DC=cern/OU=computers/CN=vtb-generic-110.cern.ch
i:/DC=ch/DC=cern/CN=CERN Trusted Certification Authority
---
Server certificate
-----BEGIN CERTIFICATE-----
...
...
-----END CERTIFICATE-----
subject=/DC=ch/DC=cern/OU=computers/CN=vtb-generic-110.cern.ch
issuer=/DC=ch/DC=cern/CN=CERN Trusted Certification Authority
---
No client certificate CA names sent
---
SSL handshake has read 1870 bytes and written 450 bytes
---
New, TLSv1/SSLv3, Cipher is AES256-SHA
Server public key is 2048 bit
Compression: NONE
Expansion: NONE
SSL-Session:
Protocol : TLSv1
Cipher : AES256-SHA
Session-ID: FDC4FEF1BBAA9C012DE50AED04D51AF84A57A06CDF006B48E3498301BD2844A1
Session-ID-ctx:
Master-Key: FE4932FA6A0E4DDD600E858687D26DCE4BD0BEC8077EB396A880DAEA1211162310710A4388513D26D8B98ED999F5C126
Key-Arg : None
Start Time: 1245339949
Timeout : 300 (sec)
Verify return code: 0 (ok)
---
and the corresponding server log from stunnel:
2009.06.18 17:46:00 LOG5[28607:182894108768]: stunnel 4.05 on x86_64-redhat-linux-gnu PTHREAD+LIBWRAP with OpenSSL 0.9.7a Feb 19 2003
2009.06.18 17:46:00 LOG7[28607:182894108768]: Snagged 64 random bytes from /root/.rnd
2009.06.18 17:46:00 LOG7[28607:182894108768]: Wrote 1024 new random bytes to /root/.rnd
2009.06.18 17:46:00 LOG7[28607:182894108768]: RAND_status claims sufficient entropy for the PRNG
2009.06.18 17:46:00 LOG6[28607:182894108768]: PRNG seeded successfully
2009.06.18 17:46:00 LOG7[28607:182894108768]: Certificate: /etc/grid-security/hostcert.pem
2009.06.18 17:46:00 LOG7[28607:182894108768]: Key file: /etc/grid-security/hostkey.pem
2009.06.18 17:46:00 LOG5[28607:182894108768]: FD_SETSIZE=1024, file ulimit=1024 -> 500 clients allowed
2009.06.18 17:46:00 LOG7[28607:182894108768]: FD 3 in non-blocking mode
2009.06.18 17:46:00 LOG7[28607:182894108768]: SO_REUSEADDR option set on accept socket
2009.06.18 17:46:00 LOG7[28607:182894108768]: stomp bound to 128.142.130.183:61611
2009.06.18 17:46:00 LOG7[28607:182894108768]: FD 4 in non-blocking mode
2009.06.18 17:46:00 LOG7[28607:182894108768]: FD 5 in non-blocking mode
2009.06.18 17:46:00 LOG7[28607:182894108768]: Created pid file /var/run/stunnel.pid
2009.06.18 17:46:03 LOG7[28607:182894108768]: stomp accepted FD=6 from 128.141.56.79:62989
2009.06.18 17:46:03 LOG7[28607:182894108768]: FD 6 in non-blocking mode
2009.06.18 17:46:03 LOG7[28607:1073809760]: stomp started
2009.06.18 17:46:03 LOG5[28607:1073809760]: stomp connected from 128.141.56.79:62989
2009.06.18 17:46:03 LOG7[28607:1073809760]: SSL state (accept): before/accept initialization
2009.06.18 17:46:03 LOG7[28607:1073809760]: SSL state (accept): SSLv3 read client hello A
2009.06.18 17:46:03 LOG7[28607:1073809760]: SSL state (accept): SSLv3 write server hello A
2009.06.18 17:46:03 LOG7[28607:1073809760]: SSL state (accept): SSLv3 write certificate A
2009.06.18 17:46:03 LOG7[28607:1073809760]: SSL state (accept): SSLv3 write server done A
2009.06.18 17:46:03 LOG7[28607:1073809760]: SSL state (accept): SSLv3 flush data
2009.06.18 17:46:03 LOG7[28607:1073809760]: waitforsocket: FD=6, DIR=read
2009.06.18 17:46:03 LOG7[28607:1073809760]: waitforsocket: ok
2009.06.18 17:46:03 LOG7[28607:1073809760]: SSL state (accept): SSLv3 read client key exchange A
2009.06.18 17:46:03 LOG7[28607:1073809760]: SSL state (accept): SSLv3 read finished A
2009.06.18 17:46:03 LOG7[28607:1073809760]: SSL state (accept): SSLv3 write change cipher spec A
2009.06.18 17:46:03 LOG7[28607:1073809760]: SSL state (accept): SSLv3 write finished A
2009.06.18 17:46:03 LOG7[28607:1073809760]: SSL state (accept): SSLv3 flush data
2009.06.18 17:46:03 LOG7[28607:1073809760]: 1 items in the session cache
2009.06.18 17:46:03 LOG7[28607:1073809760]: 0 client connects (SSL_connect())
2009.06.18 17:46:03 LOG7[28607:1073809760]: 0 client connects that finished
2009.06.18 17:46:03 LOG7[28607:1073809760]: 0 client renegotiatations requested
2009.06.18 17:46:03 LOG7[28607:1073809760]: 1 server connects (SSL_accept())
2009.06.18 17:46:03 LOG7[28607:1073809760]: 1 server connects that finished
2009.06.18 17:46:03 LOG7[28607:1073809760]: 0 server renegotiatiations requested
2009.06.18 17:46:03 LOG7[28607:1073809760]: 0 session cache hits
2009.06.18 17:46:03 LOG7[28607:1073809760]: 0 session cache misses
2009.06.18 17:46:03 LOG7[28607:1073809760]: 0 session cache timeouts
2009.06.18 17:46:03 LOG6[28607:1073809760]: Negotiated ciphers: AES256-SHA SSLv3 Kx=RSA Au=RSA Enc=AES(256) Mac=SHA1
2009.06.18 17:46:03 LOG7[28607:1073809760]: FD 7 in non-blocking mode
2009.06.18 17:46:03 LOG7[28607:1073809760]: stomp connecting 128.142.130.183:6163
2009.06.18 17:46:03 LOG7[28607:1073809760]: remote connect #1: EINPROGRESS: retrying
2009.06.18 17:46:03 LOG7[28607:1073809760]: waitforsocket: FD=7, DIR=write
2009.06.18 17:46:03 LOG7[28607:1073809760]: waitforsocket: ok
2009.06.18 17:46:03 LOG7[28607:1073809760]: Remote FD=7 initialized
2009.06.18 17:46:45 LOG7[28607:1073809760]: SSL socket closed on SSL_read
2009.06.18 17:46:45 LOG5[28607:1073809760]: Connection closed: 73 bytes sent to SSL, 11 bytes sent to socket
2009.06.18 17:46:45 LOG7[28607:1073809760]: stomp finished (0 left)
2009.06.18 17:47:43 LOG3[28607:182894108768]: Received signal 2; terminating
2009.06.18 17:47:43 LOG7[28607:182894108768]: removing pid file /var/run/stunnel.pid
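An added example (not part of the original log): a small classifier for openssl s_client -state output that tells apart the handshakes recorded on this page, in particular whether the server ever asked for a client certificate. The sample traces are excerpts copied from the transcripts above; the function name classify and the verdict strings are made up for this illustration.

```python
import re

STATE_RE = re.compile(r"^SSL_connect:SSLv\S+ (read|write) (.+) [A-Z]$")
ALERT_RE = re.compile(r"^SSL3 alert (read|write):(warning|fatal):(.+)$")

# Excerpt of the 6162 trace (broker with JAAS certificate authentication).
TRACE_CERT_AUTH = """\
SSL_connect:SSLv3 read server hello A
SSL_connect:SSLv3 read server certificate A
SSL_connect:SSLv3 read server key exchange A
SSL_connect:SSLv3 read server certificate request A
SSL_connect:SSLv3 read server done A
SSL_connect:SSLv3 write client certificate A
SSL_connect:SSLv3 write client key exchange A
SSL_connect:SSLv3 write certificate verify A
SSL_connect:SSLv3 write finished A
SSL_connect:SSLv3 read finished A
"""

# Excerpt of the proxy-certificate trace against the same port.
TRACE_PROXY = """\
SSL_connect:SSLv3 read server certificate request A
SSL_connect:SSLv3 write client certificate A
SSL_connect:SSLv3 write certificate verify A
SSL_connect:SSLv3 write finished A
SSL3 alert read:fatal:certificate unknown
SSL_connect:failed in SSLv3 read finished A
"""

# Excerpt of the trace against the stunnel port 61611.
TRACE_STUNNEL = """\
SSL_connect:SSLv3 read server hello A
SSL_connect:SSLv3 read server certificate A
SSL_connect:SSLv3 read server done A
SSL_connect:SSLv3 write client key exchange A
SSL_connect:SSLv3 write finished A
SSL_connect:SSLv3 read finished A
"""


def classify(trace):
    """Summarise one client-side -state trace."""
    steps = set()
    fatal = None
    for raw in trace.splitlines():
        line = raw.strip()
        m = STATE_RE.match(line)
        if m:
            steps.add((m.group(1), m.group(2)))
            continue
        m = ALERT_RE.match(line)
        if m and m.group(2) == "fatal" and fatal is None:
            fatal = m.group(3)

    requested = ("read", "server certificate request") in steps
    # "write client certificate" can be an empty message; CertificateVerify is
    # only sent when the client actually signed with a certificate's key.
    proved = ("write", "certificate verify") in steps
    finished = ("read", "finished") in steps

    if fatal:
        verdict = "handshake failed: " + fatal
    elif not finished:
        verdict = "handshake incomplete"
    elif requested and proved:
        verdict = "mutual TLS"
    elif requested:
        verdict = "certificate requested, none proved"
    else:
        verdict = "server-only TLS"
    return {
        "cert_requested": requested,
        "client_proved_key": proved,
        "finished": finished,
        "fatal_alert": fatal,
        "verdict": verdict,
    }


if __name__ == "__main__":
    for name, trace in (("6162", TRACE_CERT_AUTH), ("6162 proxy", TRACE_PROXY),
                        ("61611 stunnel", TRACE_STUNNEL)):
        print(name, "->", classify(trace)["verdict"])
```

A "server-only TLS" verdict means the -cert and -key given to s_client were never used: the listener accepted the connection without identifying the client.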
Now we look at stomp.py with openssl against stunnel. Client says:
17:56:45[basic_example]itgs04$./publisher.py -b vtb-generic-110 /topic/test
Enter PEM pass phrase:
connecting : vtb-generic-110:61611
Traceback (most recent call last):
File "./publisher.py", line 70, in <module>
conn.connect()
File "/Users/jamesc/workspace/grid-monitoring/trunk/msg/msg-admin-utils/src/basic_example/stomp/stomp.py", line 304, in connect
self.__send_frame_helper('CONNECT', '', self.__merge_headers([self.__connect_headers, headers, keyword_headers]), [ ])
File "/Users/jamesc/workspace/grid-monitoring/trunk/msg/msg-admin-utils/src/basic_example/stomp/stomp.py", line 368, in __send_frame_helper
self.__send_frame(command, headers, payload)
File "/Users/jamesc/workspace/grid-monitoring/trunk/msg/msg-admin-utils/src/basic_example/stomp/stomp.py", line 382, in __send_frame
self.__socket.sendall(frame)
OpenSSL.SSL.Error: [('SSL routines', 'SSL3_GET_MESSAGE', 'unexpected message')]
Server says:
[root@vtb-generic-110 ~]# stunnel stunnel.conf
2009.06.18 17:48:37 LOG5[28615:182894108768]: stunnel 4.05 on x86_64-redhat-linux-gnu PTHREAD+LIBWRAP with OpenSSL 0.9.7a Feb 19 2003
2009.06.18 17:48:37 LOG7[28615:182894108768]: Snagged 64 random bytes from /root/.rnd
2009.06.18 17:48:37 LOG7[28615:182894108768]: Wrote 1024 new random bytes to /root/.rnd
2009.06.18 17:48:37 LOG7[28615:182894108768]: RAND_status claims sufficient entropy for the PRNG
2009.06.18 17:48:37 LOG6[28615:182894108768]: PRNG seeded successfully
2009.06.18 17:48:37 LOG7[28615:182894108768]: Certificate: /etc/grid-security/hostcert.pem
2009.06.18 17:48:37 LOG7[28615:182894108768]: Key file: /etc/grid-security/hostkey.pem
2009.06.18 17:48:37 LOG5[28615:182894108768]: FD_SETSIZE=1024, file ulimit=1024 -> 500 clients allowed
2009.06.18 17:48:37 LOG7[28615:182894108768]: FD 3 in non-blocking mode
2009.06.18 17:48:37 LOG7[28615:182894108768]: SO_REUSEADDR option set on accept socket
2009.06.18 17:48:37 LOG7[28615:182894108768]: stomp bound to 128.142.130.183:61611
2009.06.18 17:48:37 LOG7[28615:182894108768]: FD 4 in non-blocking mode
2009.06.18 17:48:37 LOG7[28615:182894108768]: FD 5 in non-blocking mode
2009.06.18 17:48:37 LOG7[28615:182894108768]: Created pid file /var/run/stunnel.pid
2009.06.18 17:57:15 LOG7[28615:182894108768]: stomp accepted FD=6 from 128.141.56.79:63047
2009.06.18 17:57:15 LOG7[28615:182894108768]: FD 6 in non-blocking mode
2009.06.18 17:57:15 LOG7[28615:1073809760]: stomp started
2009.06.18 17:57:15 LOG5[28615:1073809760]: stomp connected from 128.141.56.79:63047
2009.06.18 17:57:15 LOG7[28615:1073809760]: SSL state (accept): before/accept initialization
2009.06.18 17:57:15 LOG7[28615:1073809760]: waitforsocket: FD=6, DIR=read
2009.06.18 17:57:15 LOG7[28615:1073809760]: waitforsocket: ok
2009.06.18 17:57:15 LOG7[28615:1073809760]: SSL state (accept): SSLv3 read client hello A
2009.06.18 17:57:15 LOG7[28615:1073809760]: SSL state (accept): SSLv3 write server hello A
2009.06.18 17:57:15 LOG7[28615:1073809760]: SSL state (accept): SSLv3 write certificate A
2009.06.18 17:57:15 LOG7[28615:1073809760]: SSL state (accept): SSLv3 write server done A
2009.06.18 17:57:15 LOG7[28615:1073809760]: SSL state (accept): SSLv3 flush data
2009.06.18 17:57:15 LOG7[28615:1073809760]: waitforsocket: FD=6, DIR=read
2009.06.18 17:57:15 LOG7[28615:1073809760]: waitforsocket: ok
2009.06.18 17:57:15 LOG7[28615:1073809760]: SSL alert (read): fatal: unexpected_message
2009.06.18 17:57:15 LOG3[28615:1073809760]: SSL_accept: 140943F2: error:140943F2:SSL routines:SSL3_READ_BYTES:sslv3 alert unexpected message
2009.06.18 17:57:15 LOG7[28615:1073809760]: stomp finished (0 left)
--
JamesCasey - 17 Jun 2009