0

I'm getting the below issue from CMSException while calling createSession():

Server Certificate Name doesn't match the URI Host Name value. 

I'm using ssl://172.12.12.13:61617. The "Common Name" value is Machine0x and the IP address I used in the URI is listed in the SubjectAlternativeName list in the keystore:

Extensions:
#1: ObjectId: 2.5.29.17 Criticality=false
SubjectAlternativeName [
  IPAddress: 172.12.12.13
]

Why isn't ActiveMQ checking the Subject Alternative Name value?

This similar question was asked but wasn't answered, and I don't have enough experience points to add a non-answer comment, so I had to make a new post.

Justin Bertram
wsa225

2 Answers

0

The ActiveMQ C++ client has been unmaintained for years now and is likely not looking at the subject alternate name and only or not correctly matching the values. It's unlikely that anyone will fix this since the client is unmaintained. You might want to look into the Qpid Proton project and make use of one of the native AMQP client libraries there.

If you have Java clients using the ActiveMQ JMS client they can interact with AMQP, STOMP, or MQTT clients as the broker does do translation. See the broker documentation for more information on the wire formats and interop.

Tim Bish
  • Will AMQP work with open wire? We need to use open wire. I tried modifying the URI a bit to URI="failover:(ssl://172.12.12.13:61617)?jms.alwaysSyncSend=true" and that didn't create a log message on the client side, but on our ActiveMQ server we got a connection started, but inexplicably stopped after we got a message saying "...DEBUG ACTIVEMQ...ManagementContext – Unregistering MBean org.apache.activemq:type=Broker,brokerName=localhost,connector=clientConnectors,connectorName=ssl,connectionViewType=remoteAddress,connectionName=tcp_//172.12.12.1_43037" – wsa225 Mar 17 '22 at 20:07
  • Then the client kept trying to reconnect over and over. I see that "Unregistering MBean" is called a few times at the link below, but I'm not sure which instance is causing my issue: https://github.com/apache/activemq/blob/main/activemq-broker/src/main/java/org/apache/activemq/broker/jmx/ManagementContext.java – wsa225 Mar 17 '22 at 20:09
  • As I said there isn't an actively maintained C++ openwire client, using this old one means you need to patch the code yourself to handle the certificates you are using. Likely the broker is seeing a connection but then tearing it down once the client connection drops – Tim Bish Mar 17 '22 at 20:34
  • Right, but is the C# openwire client still supported, or can I use some AMQP-compatible thing with open wire? Is there a Python solution? – wsa225 Mar 17 '22 at 21:42
  • The broker supports conversions from AMQP to Openwire so both types of clients can connect at once if you have the transport connectors configured – Tim Bish Mar 17 '22 at 21:55
  • The NMS project has seen some more recent releases but I can't speak to how well it works these days. – Tim Bish Mar 17 '22 at 21:55
0

Also, I got it to work by changing the CN to the IP address, so yeah, it is indeed an issue with checking the SAN.

wsa225
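The two matching behaviours discussed in this thread, as an added example (not from the posts and not ActiveMQ-CPP's code): `cn_only_match` is a hypothetical model of a client that compares the URI host to the Common Name only, and `san_aware_match` applies the RFC 2818 section 3.1 rules. The certificate dict is constructed to mirror the one in the question.

```python
import ipaddress

# Constructed sample in the dict shape of ssl.SSLSocket.getpeercert(), mirroring
# the certificate in the question: CN=Machine0x, SAN iPAddress 172.12.12.13.
CERT_FROM_QUESTION = {
    "subject": ((("commonName", "Machine0x"),),),
    "subjectAltName": (("IP Address", "172.12.12.13"),),
}

def _as_ip(value):
    """Return an ip_address object, or None when value is not an IP literal."""
    try:
        return ipaddress.ip_address(value)
    except ValueError:
        return None

def _common_names(cert):
    return [v for rdn in cert.get("subject", ()) for k, v in rdn if k == "commonName"]

def _dns_match(pattern, host):
    """Case-insensitive match; '*' may stand for the whole left-most label only."""
    p, h = pattern.lower().split("."), host.lower().split(".")
    if len(p) != len(h):
        return False
    if p[0] == "*" and len(p) > 2:
        return p[1:] == h[1:]
    return p == h

def cn_only_match(cert, host):
    """Hypothetical model of a CN-only verifier (what the error suggests)."""
    return any(cn.lower() == host.lower() for cn in _common_names(cert))

def san_aware_match(cert, host):
    """RFC 2818 section 3.1 rules: SAN entries decide, CN is a legacy fallback."""
    san = cert.get("subjectAltName", ())
    host_ip = _as_ip(host)
    if host_ip is not None:
        # An IP literal in the URI may only match an iPAddress SAN entry.
        return any(k == "IP Address" and _as_ip(v) == host_ip for k, v in san)
    dns_names = [v for k, v in san if k == "DNS"]
    if dns_names:
        # dNSName entries present: the CN is not consulted at all.
        return any(_dns_match(p, host) for p in dns_names)
    return any(_dns_match(cn, host) for cn in _common_names(cert))

if __name__ == "__main__":
    host = "172.12.12.13"  # host part of ssl://172.12.12.13:61617
    print("CN-only:  ", cn_only_match(CERT_FROM_QUESTION, host))    # False
    print("SAN-aware:", san_aware_match(CERT_FROM_QUESTION, host))  # True
```

A certificate reissued with the IP address as its CN and no iPAddress SAN passes `cn_only_match` but fails `san_aware_match`, so keep the SAN entry when applying the CN workaround.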