'ActiveMQ over SSL: "acceptInvalidBrokerCert=true" not working

I had posted a different question and now I'm editing it because I managed to do what I was achieving at first. Using "How do I use SSL" I set up my ActiveMQ Broker accepting SSL connections and I was trying to implement a client to test the communication. I figured out that I could do this by setting the system properties:

static {
    System.setProperty("javax.net.ssl.keyStore", "/home/amq/SSL/client.ks");
    System.setProperty("javax.net.ssl.keyStorePassword", "password");
    System.setProperty("javax.net.ssl.trustStore", "/home/amq/SSL/client.ts");
}

The problems I was having were in the creation of the keystores/truststores and exporting the broker certificate. When I deleted the .ks and .ts files and re-did everything as explained in "How do I use SSL" it worked.

My new question is: How can I establish a connection without the need of creating a keystore for the client and importing the broker's certificate?

I am looking for a way to accept any certificate that the broker sends me. In this link I found a way setting an URI option:

ssl://localhost:61617?transport.acceptInvalidBrokerCert=true

but it's not working for me. From the moment I append "?transport.acceptInvalidBrokerCert=true" in my URI or URL string the method stops working, and I no longer can establish a connection.

Can anyone provide me with an example of a java or c++ client that connects to an ActiveMQ broker using SSL without importing the broker's certificate, or in other words, accepting any invalid certificate?

ssljmsssl-certificateactivemq


Solution 1:[1]

The URI flag you are referencing is only valid for .NET clients using NMS.ActiveMQ the C++ and Java clients don't have this setting. There is a way in the C++ client to do this, you must set a system property as follows before creating the Connection.

System::setProperty("decaf.net.ssl.disablePeerVerification", "true" );

The easiest way to get the ssl certs working without these testing options is to create a root certificate and then create the broker cert with you root certificate and add the root certificate to the client's trust store that way any broker with a cert signed by your root cert will be trusted.

Sources

This article follows the attribution requirements of Stack Overflow and is licensed under CC BY-SA 3.0.

Source: Stack Overflow

Solution Source
Solution 1

Related Questions

Problem with configuring ssl certificates in asp .net core API

Problem with configuring ssl certificates in asp .net core API

Server certificate verification failed. CAfile: /etc/ssl/certs/ca-certificates.crt CRLfile: none

Turn off or bypass SSL Certificate Verification in Swift iOS

Install SSL certificates in my AWS canary puppeteer script

Getting this error while installing DFX on my mac "curl: (60) SSL certificate problem: certificate has expired"

How to install a custom certificate in Symfony server?

ssl ,urllib3,requests .exceptions.SSLError: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:548)

How to fix javax.net.ssl.SSLHandshakeException even though i have already added the certificate

Renew kubernetes pki after expired

Error: unable to verify the first certificate in nodejs

How does wildcard ssl certificate match domains

How to create a self signed cerficate using command prompt?

SSLHandshakeException in Eclipse Temurin JRE8 Alpine container for self-signed certificate

The request was aborted: Could not create SSL/TLS secure channel when connecting to an old web service