
I've got some self-signed certificates for using SSL/TLS over ActiveMQ and a couple of Java clients. The broker keystore contains the root certificate and the broker truststore contains the public key of the client. The client keystore contains the client public and private key bundled into a PKCS12 file, as required by the keystore, and the client truststore contains the root certificate.

Now, this configuration works fine. My issue is that it works fine even when I use mismatching client certificates and keys but retain the same root certificate on the broker and client side. The broker-client connection fails only when I use mismatching root certificates. I'd like to know why this is happening and what the fix is, so that clients using any random key pair whose public key doesn't reside in the broker's truststore are prevented from connecting to the broker.

P.S.: This is on ActiveMQ version 5.13.0 and TLS version 1.2.

1 Answer


It's in the wiki: https://cwiki.apache.org/confluence/display/ACTIVEMQ/How+do+I+use+SSL

You need to add needClientAuth=true in the server-side transportConnector:

<broker>
  ...
  <transportConnectors>
    <!-- needClientAuth=true makes the broker request and verify the client certificate -->
    <transportConnector name="ssl" uri="ssl://0.0.0.0:61616?needClientAuth=true"/>
  </transportConnectors>
  ...
</broker>

Requiring client authentication is not a standard setup. Usually, the SSL transport is set up with only a server certificate, and clients use username/password authentication.

Client authentication does not provide any additional encryption. It's an alternative to usernames/passwords, but requires higher maintenance: certificate renewals etc.

GeertPt
Thanks, this worked. Could you also please help with this related issue? [ActiveMQ null cert chain](https://stackoverflow.com/questions/62464986/activemq-javax-net-ssl-sslhandshakeexception-null-cert-chain) – ShreyasJavahar Jun 19 '20 at 07:06
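The behaviour the question describes, reproduced locally as an added example (this is not code from the question, the answer or the ActiveMQ project). Python's `ssl` module stands in for the broker's SSL transport, with `ssl.CERT_NONE` playing the default transportConnector (the broker never sends a CertificateRequest, so whatever sits in the client keystore is never consulted) and `ssl.CERT_REQUIRED` playing `needClientAuth=true`. It assumes the `cryptography` package is installed and uses it to build a throw-away root CA, a broker certificate, a CA-signed client certificate and a self-signed "random key pair" client; the handshake is pinned to TLS 1.2 because that is what the question runs (under TLS 1.3 a client-auth failure only surfaces on the first read, not during the handshake). All names (`run_demo`, `_handshake`, the certificate subjects) are the example's own.

```python
# Added example, not code from the question or answer: Python's ssl module stands in for
# ActiveMQ's SSL transport, and `cryptography` builds throw-away certificates in memory.
import datetime
import socket
import ssl
import tempfile
import threading
from cryptography import x509
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509.oid import NameOID


def _make_cert(name, issuer=None, is_ca=False):
    """Return (key, cert). `issuer` is the CA's (key, cert); None means self-signed, i.e. a
    random key pair the broker has never seen. SKID/AKID/keyUsage satisfy OpenSSL strict mode."""
    key = ec.generate_private_key(ec.SECP256R1())
    subject = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, name)])
    issuer_key, issuer_name = (key, subject) if issuer is None else (issuer[0], issuer[1].subject)
    now = datetime.datetime.now(datetime.timezone.utc)
    builder = (
        x509.CertificateBuilder().subject_name(subject).issuer_name(issuer_name)
        .public_key(key.public_key()).serial_number(x509.random_serial_number())
        .not_valid_before(now - datetime.timedelta(minutes=1))
        .not_valid_after(now + datetime.timedelta(days=1))
        .add_extension(x509.BasicConstraints(ca=is_ca, path_length=None), critical=True)
        .add_extension(x509.KeyUsage(digital_signature=not is_ca, key_cert_sign=is_ca, crl_sign=is_ca,
                                     content_commitment=False, key_encipherment=False, data_encipherment=False,
                                     key_agreement=False, encipher_only=False, decipher_only=False), critical=True)
        .add_extension(x509.SubjectKeyIdentifier.from_public_key(key.public_key()), critical=False)
        .add_extension(x509.AuthorityKeyIdentifier.from_issuer_public_key(issuer_key.public_key()),
                       critical=False)
        .add_extension(x509.SubjectAlternativeName([x509.DNSName(name)]), critical=False)
    )
    return key, builder.sign(issuer_key, hashes.SHA256())


def _write_pem(dirname, label, key, cert):  # cert + private key in one PEM file: the keystore role
    path = f"{dirname}/{label}.pem"
    with open(path, "wb") as f:
        f.write(cert.public_bytes(serialization.Encoding.PEM))
        f.write(key.private_bytes(serialization.Encoding.PEM, serialization.PrivateFormat.PKCS8,
                                  serialization.NoEncryption()))
    return path


def _serve_once(ctx, listener, outcome):  # broker side: accept one connection, record the handshake
    try:
        conn, _ = listener.accept()
        with ctx.wrap_socket(conn, server_side=True):
            outcome["ok"] = True
    except OSError:  # ssl.SSLError is an OSError: verify failure, alert or timeout
        outcome["ok"] = False


def _try_connect(port, ca_pem, client_pem):
    """Client side: truststore = the root CA only; keystore (client_pem) is optional."""
    ctx = ssl.create_default_context(cadata=ca_pem)
    ctx.maximum_version = ssl.TLSVersion.TLSv1_2  # the question is about TLS 1.2
    if client_pem:
        ctx.load_cert_chain(client_pem)
    try:
        with socket.create_connection(("127.0.0.1", port), timeout=5) as raw, \
                ctx.wrap_socket(raw, server_hostname="localhost"):
            return True
    except OSError:
        return False


def _handshake(verify_mode, ca_pem, broker_pem, client_pem):
    """One loopback handshake; True only if both sides completed it."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ctx.maximum_version = ssl.TLSVersion.TLSv1_2
    ctx.load_cert_chain(broker_pem)            # broker keystore
    ctx.load_verify_locations(cadata=ca_pem)   # broker truststore: the root CA
    ctx.verify_mode = verify_mode              # CERT_NONE = default; CERT_REQUIRED = needClientAuth=true
    outcome = {}
    with socket.socket() as listener:
        listener.bind(("127.0.0.1", 0))
        listener.listen(1)
        listener.settimeout(5)
        worker = threading.Thread(target=_serve_once, args=(ctx, listener, outcome))
        worker.start()
        client_ok = _try_connect(listener.getsockname()[1], ca_pem, client_pem)
        worker.join()
    return client_ok and outcome.get("ok", False)


def run_demo():
    """Trusted, rogue (self-signed) and no client certificate against both broker settings."""
    with tempfile.TemporaryDirectory() as d:
        ca = _make_cert("demo-root-ca", is_ca=True)
        ca_pem = ca[1].public_bytes(serialization.Encoding.PEM).decode()
        broker = _write_pem(d, "broker", *_make_cert("localhost", issuer=ca))
        clients = {"trusted": _write_pem(d, "client", *_make_cert("trusted-client", issuer=ca)),
                   "rogue": _write_pem(d, "rogue", *_make_cert("rogue-client")),
                   "none": None}
        return {(setting, who): _handshake(mode, ca_pem, broker, pem)
                for setting, mode in (("default", ssl.CERT_NONE), ("needClientAuth", ssl.CERT_REQUIRED))
                for who, pem in clients.items()}


if __name__ == "__main__":
    for (setting, who), ok in run_demo().items():
        print(f"{setting:15} client={who:8} {'connected' if ok else 'rejected'}")
```

With the default setting every client connects, including the self-signed one and the one with no certificate at all, which is exactly the symptom in the question: the broker's truststore is never consulted because it never asks for a client certificate. With `CERT_REQUIRED` only the CA-signed client gets through. A quick production check after enabling `needClientAuth=true` is the same idea: a client whose keystore holds a key pair not issued by the trusted root must fail the handshake, not just fail later at the JMS layer.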