ActiveMQ over SSL: "acceptInvalidBrokerCert=true" not working
I had posted a different question and now I'm editing it because I managed to do what I was achieving at first. Using "How do I use SSL" I set up my ActiveMQ Broker accepting SSL connections and I was trying to implement a client to test the communication. I figured out that I could do this by setting the system properties:
static {
System.setProperty("javax.net.ssl.keyStore", "/home/amq/SSL/client.ks");
System.setProperty("javax.net.ssl.keyStorePassword", "password");
System.setProperty("javax.net.ssl.trustStore", "/home/amq/SSL/client.ts");
}
The problems I was having were in the creation of the keystores/truststores and exporting the broker certificate. When I deleted the .ks and .ts files and re-did everything as explained in "How do I use SSL" it worked.
My new question is: How can I establish a connection without the need of creating a keystore for the client and importing the broker's certificate?
I am looking for a way to accept any certificate that the broker sends me. In this link I found a way setting an URI option:
ssl://localhost:61617?transport.acceptInvalidBrokerCert=true
but it's not working for me. From the moment I append "?transport.acceptInvalidBrokerCert=true" in my URI or URL string the method stops working, and I no longer can establish a connection.
Can anyone provide me with an example of a Java or C++ client that connects to an ActiveMQ broker using SSL without importing the broker's certificate, or in other words, accepting any invalid certificate?
Solution 1:
The URI flag you are referencing is only valid for .NET clients using NMS.ActiveMQ; the C++ and Java clients don't have this setting. There is a way in the C++ client to do this: you must set a system property as follows before creating the Connection.
System::setProperty("decaf.net.ssl.disablePeerVerification", "true" );
The easiest way to get the SSL certs working without these testing options is to create a root certificate, then create the broker cert with your root certificate and add the root certificate to the client's trust store. That way any broker with a cert signed by your root cert will be trusted.
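For the Java client, the root-certificate approach from the answer can be applied without a keystore file on disk or JVM-wide system properties. The following is an added example, not code from the question or the answer; it assumes an ActiveMQ 5.x client (javax.jms), a broker that does not require client certificates, and a hypothetical root certificate file `/home/amq/SSL/root-ca.pem`.

```java
import java.io.InputStream;
import java.nio.file.Files;
import java.nio.file.Paths;
import java.security.KeyStore;
import java.security.SecureRandom;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import javax.jms.Connection;
import javax.net.ssl.KeyManager;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import org.apache.activemq.ActiveMQSslConnectionFactory;

public class RootCaClient {
    // Assumed path: the root certificate in PEM form, copied to the client host.
    static final String ROOT_CA_PEM = "/home/amq/SSL/root-ca.pem";

    // Builds trust managers that accept only certificate chains ending at the given root.
    static TrustManager[] trustOnly(String pemPath) throws Exception {
        X509Certificate root;
        try (InputStream in = Files.newInputStream(Paths.get(pemPath))) {
            root = (X509Certificate) CertificateFactory.getInstance("X.509")
                    .generateCertificate(in);
        }
        root.checkValidity();                          // fail early on an expired root
        KeyStore trust = KeyStore.getInstance(KeyStore.getDefaultType());
        trust.load(null, null);                        // empty, in-memory store
        trust.setCertificateEntry("amq-root-ca", root);
        TrustManagerFactory tmf =
                TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(trust);
        return tmf.getTrustManagers();
    }

    public static void main(String[] args) throws Exception {
        ActiveMQSslConnectionFactory factory =
                new ActiveMQSslConnectionFactory("ssl://localhost:61617");
        // Empty key manager array: the client presents no certificate of its own.
        factory.setKeyAndTrustManagers(new KeyManager[0], trustOnly(ROOT_CA_PEM), new SecureRandom());
        // Connecting throws a JMSException when the broker's chain does not end at this root.
        Connection connection = factory.createConnection();
        try {
            connection.start();
            System.out.println("Connected; broker certificate chains to the root CA");
        } finally {
            connection.close();
        }
    }
}
```

Peer verification stays enabled here, so a broker presenting a certificate that was not issued under the root is rejected rather than silently accepted.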
Sources
This article follows the attribution requirements of Stack Overflow and is licensed under CC BY-SA 3.0.
Source: Stack Overflow