Establish an SSL-encrypted connection between MassTransit and ActiveMQ #4430
Contact Details: No response
Version: 8.x
On which operating system(s) are you experiencing the issue? Windows
Using which broker(s) did you encounter the issue? ActiveMQ

What are the steps required to reproduce the issue?
This is the code I am using to use ActiveMQ:

```csharp
using System.Collections.Generic;
using MassTransit;

// Fragment from a service-registration method: services, activeMqConfig and
// acceptInvalidBrokerCert are defined by the surrounding code.
services.AddMassTransit<TBus>(x =>
{
    x.UsingActiveMq((context, cfg) =>
    {
        cfg.Host(activeMqConfig.Host, activeMqConfig.Port, h =>
        {
            // Switch the NMS transport from tcp:// to ssl://
            h.UseSsl();

            if (acceptInvalidBrokerCert)
            {
                // Passed through to Apache.NMS.ActiveMQ as a transport.* URI option.
                // It disables validation of the broker certificate, so it belongs in test setups only.
                KeyValuePair<string, string>[] transportOptions = new[]
                {
                    new KeyValuePair<string, string>("transport.acceptInvalidBrokerCert", "true")
                };
                h.TransportOptions(transportOptions);
            }
        });

        cfg.ConfigureEndpoints(context);
    });
});
```

What is the expected behavior?
To be able to connect to ActiveMQ using an SSL connection.

What actually happened?
Getting an error. The vendor told me to make sure that my private key is part of the MQ connection to be able to authenticate and get a proper connection.

Related log output, including any exceptions:

```
MassTransit.ActiveMqConnectionException: Create Connection Faulted: host:port
 ---> System.Security.Authentication.AuthenticationException: Authentication failed, see inner exception.
 ---> System.ComponentModel.Win32Exception (0x80090327): An unknown error occurred while processing the certificate.
   --- End of inner exception stack trace ---
   at System.Net.Security.SslStream.ForceAuthenticationAsync[TIOAdapter](TIOAdapter adapter, Boolean receiveFirst, Byte[] reAuthenticationData, Boolean isApm)
   at System.Net.Security.SslStream.AuthenticateAsClient(SslClientAuthenticationOptions sslClientAuthenticationOptions)
   at System.Net.Security.SslStream.AuthenticateAsClient(String targetHost, X509CertificateCollection clientCertificates, SslProtocols enabledSslProtocols, Boolean checkCertificateRevocation)
   at Apache.NMS.ActiveMQ.Transport.Tcp.SslTransport.CreateSocketStream()
   at Apache.NMS.ActiveMQ.Transport.Tcp.TcpTransport.Start()
   at Apache.NMS.ActiveMQ.Transport.WireFormatNegotiator.Start()
   at Apache.NMS.ActiveMQ.Connection.CheckConnected()
   at Apache.NMS.ActiveMQ.Connection.Start()
   at MassTransit.ActiveMqTransport.ConnectionContextFactory.CreateConnection(ISupervisor supervisor) in /_/src/Transports/MassTransit.ActiveMqTransport/ActiveMqTransport/ConnectionContextFactory.cs:line 71
   --- End of inner exception stack trace ---
```

Link to repository that demonstrates/reproduces the issue: No response
Replies: 9 comments 10 replies
Hello, I'm a little confused: are you trying to use SSL/TLS transport, or to authenticate on the broker with a client certificate? If you are trying to authenticate, you need to provide the path to the client certificate and add it to the TransportOptions dictionary under the keys transport.clientCertFilename and transport.clientCertPassword. Or maybe it will be useful to specify the SSL/TLS protocol version with transport.SslProtocol = Tls12

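One way to wire the three options from this reply into the MassTransit host configuration shown in the question. This is an added example, not the original poster's code and not code from MassTransit or Apache.NMS; the BrokerOptions class, the AddSecuredActiveMq extension and the hostname, port and certificate path are assumptions. The key names are the ones named in the thread and are handed to the NMS transport unchanged.

```csharp
using System.Collections.Generic;
using MassTransit;
using Microsoft.Extensions.DependencyInjection;

// Hypothetical settings class bound from configuration; the certificate
// password should come from a secret store, never from source control.
public sealed class BrokerOptions
{
    public string Host { get; set; } = "broker.example.internal";   // placeholder
    public int Port { get; set; } = 61617;                            // placeholder
    public string ClientCertFilename { get; set; } = "C:/certs/client.pfx"; // placeholder
    public string ClientCertPassword { get; set; } = string.Empty;
    // Turns off validation of the broker certificate; only honoured outside production below.
    public bool AcceptInvalidBrokerCert { get; set; }
}

public static class ActiveMqRegistration
{
    // Builds the NMS "transport.*" options mentioned in the reply above.
    public static IEnumerable<KeyValuePair<string, string>> BuildTransportOptions(
        BrokerOptions options, bool isProduction)
    {
        var result = new List<KeyValuePair<string, string>>
        {
            // PKCS#12/PFX file that contains the client certificate AND its private key;
            // without the private key the broker cannot authenticate the client.
            new("transport.clientCertFilename", options.ClientCertFilename),
            new("transport.clientCertPassword", options.ClientCertPassword),
            // Pin the protocol version, as suggested in the reply
            new("transport.SslProtocol", "Tls12"),
        };

        // Never let a production build trust an unvalidated broker certificate
        if (options.AcceptInvalidBrokerCert && !isProduction)
            result.Add(new("transport.acceptInvalidBrokerCert", "true"));

        return result;
    }

    public static IServiceCollection AddSecuredActiveMq(
        this IServiceCollection services, BrokerOptions options, bool isProduction)
    {
        services.AddMassTransit(x =>
        {
            x.UsingActiveMq((context, cfg) =>
            {
                cfg.Host(options.Host, options.Port, h =>
                {
                    h.UseSsl();
                    h.TransportOptions(BuildTransportOptions(options, isProduction));
                });

                cfg.ConfigureEndpoints(context);
            });
        });

        return services;
    }
}
```

The production flag is passed in explicitly so that the acceptInvalidBrokerCert escape hatch cannot be switched on by a stray configuration value alone; the same effect can be had by reading IHostEnvironment.IsProduction() at the call site.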
It's an SSL connection, and it requires authentication on the broker with a client certificate. I added this code,
but I got an error: MassTransit.ActiveMqConnectionException: Create Connection Faulted: host:port

And do you have the CA certificate in the OS certificate trust store? Or did you set the flag transport.acceptInvalidBrokerCert in your TransportOptions?

Yes, I have the CA certificate in the key store; I already use it in the system to sign some messages, and it's working as expected. But now I am not able to connect to the ActiveMQ server, and the vendor told me to ensure that the existing certificate which is used for message signing is also used for the MQ client authentication. I removed the transport.acceptInvalidBrokerCert flag and added the other two flags you mentioned, and the error changed to: The remote certificate was rejected by the provided RemoteCertificateValidationCallback.

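A way to look at the two failures reported so far (the Win32Exception from the question and the RemoteCertificateValidationCallback rejection above) without MassTransit or NMS in the way: perform the same SslStream.AuthenticateAsClient call that appears in the stack trace, with the same client PFX, and log what the broker chain validation actually complains about. This is an added diagnostic, not code from the thread, from MassTransit or from Apache.NMS; host, port and certificate path are placeholders, and it assumes .NET 6 or later.

```csharp
using System;
using System.Net.Security;
using System.Net.Sockets;
using System.Security.Authentication;
using System.Security.Cryptography.X509Certificates;

public static class TlsProbe
{
    // Opens a TLS session to the broker with the client certificate NMS would use.
    // Returns true only when the handshake completes and the broker accepted our certificate.
    public static bool Probe(string host, int port, string clientPfxPath, string clientPfxPassword)
    {
        // Default key storage flags: on Windows, SChannel cannot use an ephemeral-only key
        // for client authentication, so do not pass EphemeralKeySet here.
        var clientCert = new X509Certificate2(clientPfxPath, clientPfxPassword);

        // A PFX that carries only the public certificate cannot authenticate; check before connecting
        if (!clientCert.HasPrivateKey)
        {
            Console.WriteLine($"{clientPfxPath} has no private key; the broker cannot verify the client");
            return false;
        }

        using var tcp = new TcpClient(host, port);
        using var ssl = new SslStream(tcp.GetStream(), false, ValidateBroker);

        try
        {
            ssl.AuthenticateAsClient(new SslClientAuthenticationOptions
            {
                TargetHost = host, // must match a SAN or the CN of the broker certificate
                ClientCertificates = new X509CertificateCollection { clientCert },
                EnabledSslProtocols = SslProtocols.Tls12,
                CertificateRevocationCheckMode = X509RevocationMode.NoCheck,
            });
        }
        catch (AuthenticationException ex)
        {
            // GetBaseException surfaces the Win32Exception / OpenSSL error beneath the wrapper
            Console.WriteLine($"Handshake failed: {ex.GetBaseException().Message}");
            return false;
        }

        Console.WriteLine($"Connected with {ssl.SslProtocol}, cipher {ssl.NegotiatedCipherSuite}");
        // False here means the broker never asked for, or did not accept, a client certificate
        Console.WriteLine($"Broker accepted client certificate: {ssl.IsMutuallyAuthenticated}");
        return ssl.IsMutuallyAuthenticated;
    }

    // Logs every validation problem with the broker's chain. It still rejects an untrusted
    // chain (returns false): this is a probe, not a way to bypass validation.
    private static bool ValidateBroker(object sender, X509Certificate? cert, X509Chain? chain,
        SslPolicyErrors errors)
    {
        if (errors == SslPolicyErrors.None)
            return true;

        Console.WriteLine($"Broker certificate rejected: {errors}");
        if (cert is not null)
            Console.WriteLine($"  subject: {cert.Subject}");
        if (chain is not null)
        {
            foreach (var status in chain.ChainStatus)
                Console.WriteLine($"  chain: {status.Status} ({status.StatusInformation.Trim()})");
            foreach (var element in chain.ChainElements)
                Console.WriteLine($"  element: {element.Certificate.Subject}");
        }
        return false;
    }

    public static void Main()
    {
        string password = Environment.GetEnvironmentVariable("AMQ_PFX_PASSWORD") ?? string.Empty;
        Probe("broker.example.internal", 61617, "C:/certs/client.pfx", password);
    }
}
```

A RemoteCertificateNameMismatch or RemoteCertificateChainErrors line from ValidateBroker points at the broker side (hostname or trust store), while a handshake that fails after the broker chain validated points at the client certificate or the protocol version.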
Below is my connection URI. I have only transport.SslProtocol=Tls12, which you don't have, and it is connected with secure transport. The rest is the same as in your settings.

@WaelMourad: Can you provide a repro? Very similar settings work in a few projects in our company. C# code will be enough; I will use my own certificates.

OK, a few things

@McMlok Thank you for your help. After reviewing the result of openssl s_client -showcerts -connect brokerHost:brokerPort

@larjo It is from the NMS point of view, but in MT there is an issue in creating the broker address. MT creates something like this
But NMS expects this
It means that the client certificate must be configured for each server, not for the failover. I hope I will have time to send a PR soon.

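To separate the certificate problem from the address-construction problem described in the comment above, the broker can be reached through Apache.NMS.ActiveMQ directly with a hand-built failover URI that places the transport.* options on each inner ssl:// address, which is the per-server placement the comment says NMS expects. This is an added example, not MassTransit's code and not the PR mentioned above; the hostnames, port and certificate path are placeholders, and the failover URI syntax shown is assumed from general NMS usage rather than quoted from the page.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using Apache.NMS;
using Apache.NMS.ActiveMQ;

public static class NmsFailoverCheck
{
    // Builds "failover:(ssl://a:PORT?transport.x=..,ssl://b:PORT?transport.x=..)?transport.randomize=false".
    // Each inner transport is created from its own URI, so the client-certificate
    // options have to be repeated on every inner ssl:// address; options after the
    // closing parenthesis configure only the failover wrapper itself.
    // Assumes option values contain none of the URI delimiters '&', '=', ',' or ')'.
    public static string BuildFailoverUri(IEnumerable<string> hosts, int port,
        IReadOnlyDictionary<string, string> transportOptions)
    {
        string query = string.Join("&", transportOptions.Select(kv => $"{kv.Key}={kv.Value}"));
        var inner = hosts.Select(h => $"ssl://{h}:{port}?{query}");
        return $"failover:({string.Join(",", inner)})?transport.randomize=false";
    }

    public static void Main()
    {
        var options = new Dictionary<string, string>
        {
            ["transport.clientCertFilename"] = "C:/certs/client.pfx", // placeholder path to a PFX with the private key
            ["transport.clientCertPassword"] = Environment.GetEnvironmentVariable("AMQ_PFX_PASSWORD") ?? string.Empty,
            ["transport.SslProtocol"] = "Tls12",
        };

        string brokerUri = BuildFailoverUri(
            new[] { "broker1.example.internal", "broker2.example.internal" }, 61617, options);
        // Do not log this in real code: the URI carries the certificate password
        Console.WriteLine(brokerUri.Replace(options["transport.clientCertPassword"], "***"));

        var factory = new ConnectionFactory(brokerUri);
        using IConnection connection = factory.CreateConnection();
        try
        {
            // Same code path as the stack trace in the question: SslTransport.CreateSocketStream
            connection.Start();
            Console.WriteLine("TLS handshake and client authentication succeeded");
        }
        catch (NMSConnectionException ex)
        {
            Console.WriteLine($"Connection failed: {ex.GetBaseException().Message}");
        }
    }
}
```

If this connects while the MassTransit configuration with the same certificate does not, the difference is in the URI MassTransit generates, which is the point the comment makes; if it fails the same way, the certificate, its private key or the broker's trust configuration is the problem.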