ActiveMQ disable Diffie-Hellman ciphers to avoid “KeyUsage does not allow digital signatures” errors

Here’s how to do it:

transport.enabledCipherSuites=SSL_RSA_WITH_3DES_EDE_CBC_SHA

Add this parameter to the URI of the mqtt transportConnector (in your conf/activemq.xml config).

The need for this? I had a set of keys and certificates that worked perfectly fine on RabbitMQ, but on ActiveMQ the client reported “KeyUsage does not allow digital signatures” errors while validating the server’s certificate.

I had no idea why this happened. Googling turned up only fragmented information; in general I understood that my server’s certificate had a “key usage” extension indicating that it didn’t allow (support?) digital signatures.


It’s all pretty cryptic considering that the very same certificate was working perfectly fine in RabbitMQ. Why was it ok to sign things there, but not in ActiveMQ?

And then I found this – http://www.docjar.com/html/api/sun/security/validator/EndEntityChecker.java.html


    private final static Collection KU_SERVER_ENCRYPTION =
        Arrays.asList("RSA");

    // TLS key exchange algorithms requiring keyAgreement key usage
    private final static Collection KU_SERVER_KEY_AGREEMENT =
        Arrays.asList("DH_DSS", "DH_RSA", "ECDH_ECDSA", "ECDH_RSA");

    // ...

        if (KU_SERVER_ENCRYPTION.contains(parameter)) {
            if (checkKeyUsage(cert, KU_KEY_ENCIPHERMENT) == false) {
                throw new ValidatorException
                        ("KeyUsage does not allow key encipherment",
                        ValidatorException.T_EE_EXTENSIONS, cert);
            }
        } else if (KU_SERVER_SIGNATURE.contains(parameter)) {
            if (checkKeyUsage(cert, KU_SIGNATURE) == false) {
                throw new ValidatorException
                        ("KeyUsage does not allow digital signatures",
                        ValidatorException.T_EE_EXTENSIONS, cert);
            }
        } else if (KU_SERVER_KEY_AGREEMENT.contains(parameter)) {
            if (checkKeyUsage(cert, KU_KEY_AGREEMENT) == false) {
                throw new ValidatorException
                        ("KeyUsage does not allow key agreement",
                        ValidatorException.T_EE_EXTENSIONS, cert);
            }
        } else {
            throw new CertificateException("Unknown authType: " + parameter);
        }

Clearly the KU_SERVER_ENCRYPTION branch (authType "RSA", which only needs keyEncipherment) was the one exercised with RabbitMQ, but with ActiveMQ the negotiated cipher suite went through the KU_SERVER_SIGNATURE branch, which needs digitalSignature, and my certificate didn’t have that bit.

Now I saw clearly that my certificate wasn’t suitable for Diffie-Hellman cipher suites. So the solution would be to disable them.

This blog post showed me how to do that:

http://technoblogic.io/blog/2014/03/17/tls-slash-ssl-dh-cipher-padding-bug-in-activemq/
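To see why the same certificate passes with one cipher suite and fails with another, here is an added Python model of the check in the excerpt above (my own example, not ActiveMQ or JDK code). It assumes that the KU_SERVER_SIGNATURE list, which the excerpt cuts off, holds the DHE/ECDHE exchanges as in the JDK source, that a certificate with no KeyUsage extension passes, and that CANDIDATE_SUITES is a constructed sample list.

```python
# Model of the JDK EndEntityChecker check quoted above: the KeyUsage bit each
# TLS key exchange (authType) demands of the server certificate. Assumed: the
# KU_SERVER_SIGNATURE members follow the JDK source, and a certificate with no
# KeyUsage extension passes, as the JDK's checkKeyUsage does.

# authType -> required KeyUsage bit (RFC 5280 names).
REQUIRED_KEY_USAGE = {
    **dict.fromkeys(["RSA"], "keyEncipherment"),                                              # KU_SERVER_ENCRYPTION
    **dict.fromkeys(["DHE_DSS", "DHE_RSA", "ECDHE_ECDSA", "ECDHE_RSA"], "digitalSignature"),  # KU_SERVER_SIGNATURE (assumed)
    **dict.fromkeys(["DH_DSS", "DH_RSA", "ECDH_ECDSA", "ECDH_RSA"], "keyAgreement"),          # KU_SERVER_KEY_AGREEMENT
}
# Wording of the ValidatorException message for each missing bit.
ERROR_TEXT = {"keyEncipherment": "key encipherment", "digitalSignature": "digital signatures",
              "keyAgreement": "key agreement"}


def auth_type(cipher_suite):
    """Key exchange token of a suite name, e.g. TLS_DHE_RSA_WITH_... -> DHE_RSA."""
    name = cipher_suite[4:] if cipher_suite[:4] in ("TLS_", "SSL_") else cipher_suite
    kx, sep, _ = name.partition("_WITH_")
    return kx if sep else "UNKNOWN"


def check_server_cert(key_usage, cipher_suite):
    """None if the certificate may serve this suite, else the JDK's error message.

    key_usage: set of bits in the cert's KeyUsage extension, or None if absent.
    """
    auth = auth_type(cipher_suite)
    if auth not in REQUIRED_KEY_USAGE:
        raise ValueError("Unknown authType: " + auth)
    if key_usage is None:
        return None
    bit = REQUIRED_KEY_USAGE[auth]
    return None if bit in key_usage else "KeyUsage does not allow " + ERROR_TEXT[bit]


def usable_suites(key_usage, suites):
    """Filter a candidate enabledCipherSuites list to suites the cert can serve."""
    return [s for s in suites if check_server_cert(key_usage, s) is None]


# Constructed sample: a certificate like the post's, with keyEncipherment only.
POST_CERT_KEY_USAGE = {"keyEncipherment"}
CANDIDATE_SUITES = [
    "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    "TLS_DHE_RSA_WITH_AES_128_CBC_SHA",
    "TLS_RSA_WITH_AES_128_GCM_SHA256",
    "SSL_RSA_WITH_3DES_EDE_CBC_SHA",
]
```

Running usable_suites over a longer candidate list shows which suites a keyEncipherment-only certificate can serve before you narrow enabledCipherSuites; any suite whose key exchange is plain "RSA" passes the same check as the 3DES suite used above.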
