ActiveMQ over SSL: "acceptInvalidBrokerCert=true" not working

I had posted a different question and now I'm editing it because I managed to do what I was achieving at first. Using "How do I use SSL" I set up my ActiveMQ Broker accepting SSL connections and I was trying to implement a client to test the communication. I figured out that I could do this by setting the system properties:

static {
    System.setProperty("javax.net.ssl.keyStore", "/home/amq/SSL/client.ks");
    System.setProperty("javax.net.ssl.keyStorePassword", "password");
    System.setProperty("javax.net.ssl.trustStore", "/home/amq/SSL/client.ts");
}

The problems I was having were in the creation of the keystores/truststores and exporting the broker certificate. When I deleted the .ks and .ts files and re-did everything as explained in "How do I use SSL" it worked.

My new question is: How can I establish a connection without the need of creating a keystore for the client and importing the broker's certificate?

I am looking for a way to accept any certificate that the broker sends me. In this link I found a way, setting a URI option:

ssl://localhost:61617?transport.acceptInvalidBrokerCert=true

but it's not working for me. From the moment I append "?transport.acceptInvalidBrokerCert=true" in my URI or URL string the method stops working, and I no longer can establish a connection.

Can anyone provide me with an example of a Java or C++ client that connects to an ActiveMQ broker using SSL without importing the broker's certificate, or in other words, accepting any invalid certificate?



Solution 1:[1]

The URI flag you are referencing is only valid for .NET clients using NMS.ActiveMQ; the C++ and Java clients don't have this setting. There is a way to do this in the C++ client: you must set a system property as follows before creating the Connection.

System::setProperty("decaf.net.ssl.disablePeerVerification", "true" );

The easiest way to get the SSL certs working without these testing options is to create a root certificate, then create the broker cert with your root certificate and add the root certificate to the client's trust store. That way, any broker with a cert signed by your root cert will be trusted.
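The root-certificate setup described in the last paragraph of the answer, written out with `keytool` as an added example (not part of the original answer). The file names, aliases, CA name and password are placeholders chosen for illustration.

```shell
#!/bin/sh
# Added example: private root CA -> broker certificate -> client trust store.
# File names, aliases, the CA name and the password are placeholders.
set -eu

# kt: run keytool against one store in $dir using the shared password
kt() { store=$1; shift; keytool "$@" -keystore "$dir/$store" -storepass "$pass"; }

build_pki() {   # usage: build_pki <output-dir> <password, 6+ chars> <broker-host>
    dir=$1 pass=$2 host=$3

    # 1. Root CA key pair (critical BasicConstraints, CA=true) and its public cert
    kt root.ks -genkeypair -alias root -keyalg RSA -keysize 2048 -validity 3650 \
        -dname "CN=Example Test Root CA" -ext bc:c=ca:true -keypass "$pass"
    kt root.ks -exportcert -rfc -alias root -file "$dir/root.pem"

    # 2. Broker key pair and a signing request for it
    kt broker.ks -genkeypair -alias broker -keyalg RSA -keysize 2048 -validity 365 \
        -dname "CN=$host" -keypass "$pass"
    kt broker.ks -certreq -alias broker -file "$dir/broker.csr"

    # 3. Root signs the request; the SAN carries the host name clients connect to
    kt root.ks -gencert -rfc -alias root -validity 365 \
        -infile "$dir/broker.csr" -outfile "$dir/broker.pem" \
        -ext san=dns:"$host" -ext eku=serverAuth

    # 4. Broker key store gets the full chain: root first, then the signed reply
    kt broker.ks -importcert -noprompt -alias root -file "$dir/root.pem"
    kt broker.ks -importcert -noprompt -alias broker -file "$dir/broker.pem"

    # 5. Client trust store holds only the root, never an individual broker cert
    kt client.ts -importcert -noprompt -alias root -file "$dir/root.pem"
}

# Run directly as: sh build_pki.sh <output-dir> <password> <broker-host>
if [ "$#" -eq 3 ]; then build_pki "$@"; fi
```

The broker's SSL configuration then points at `broker.ks`, and the client's `javax.net.ssl.trustStore` at `client.ts`. Reissuing the broker certificate from the same root needs no change on the client.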

Sources

This article follows the attribution requirements of Stack Overflow and is licensed under CC BY-SA 3.0.

Source: Stack Overflow

Solution Source
Solution 1