Modified connect method so tls.connect options can be supplied.#1

Merged
squaremo merged 1 commit intoamqp-node:masterfrom
esk525:tls_options
Jun 13, 2013

Conversation

@esk525
Contributor

@esk525 esk525 commented Jun 12, 2013

To connect with tls using certificates, one needs to pass the options such as key, cert, and ca.

I modified the connect method slightly to allow passing those options to tls.connect.

I also modified the listen event to listen for the event 'secureConnect' as defined in the tls documentation.

I hope you find this useful. Thanks for the great libraries.

@squaremo squaremo merged commit 8e25be5 into amqp-node:master Jun 13, 2013
@squaremo
Collaborator

Thank you muchly for the pull request. I wrote a small example. Would you try it out? It's in master.

@esk525
Contributor Author

esk525 commented Jun 14, 2013

Thank you. Yes. I will test the example this evening after work.


@esk525 esk525 deleted the tls_options branch June 18, 2013 12:01
@esk525
Contributor Author

esk525 commented Jun 18, 2013

Sorry for the delay in response. Yes, everything worked great, thank you.

@squaremo
Collaborator

Great stuff!

By the way, I wrote a guide to using SSL for the docs: http://squaremo.github.io/amqp.node/doc/ssl.html.
I am thinking that a table with "What do you want to achieve?" v "Here are the settings" might be useful, what do you think?

@esk525
Contributor Author

esk525 commented Jun 18, 2013

Awesome write up. I think the table for "What you want to achieve" is a good idea.

I will add one thing to what you wrote. I encountered the [Error: SELF_SIGNED_CERT_IN_CHAIN] on my client (running on Windows 7). I am pretty sure I have supplied the correct ca, but I could have made a mistake as it has been a while since I pulled the ca cert from the server. I used the tls option "rejectUnauthorized: false", and the connection was made.

In my case, what I want is a secure connection from client to server, with a fixed IP address, and on the server side I want to verify the client certificate (i.e. only allow connections from certs that I've issued). While using this option works in this case, I think it would open up the clients to a man-in-the-middle attack. Do you agree?


@squaremo
Collaborator

Quite right, you definitely do not want to use rejectUnauthorized: false if you're using certificates at all. I ought to make a note of that in the guide.

With respect to the self-signed cert problem, there are a couple of things I'd check: one is that you are supplying the certificate of the CA that has signed the server certificate (it has tripped me up before, especially when regenerating certificates during trial runs); another is that you can connect, with the same set of files, using s_client. Something like

```sh
# -CAfile (lower-case "file") is the OpenSSL spelling of the CA bundle option
openssl s_client -connect localhost:5671 -cert client/cert.pem -key client/key.pem \
                 -pass pass:MySecret -CAfile testca/cacert.pem -showcerts
```

OpenSSL will tell you if there's a problem and show you the certificates in ASCII armour so you can check them against the files.

@esk525
Contributor Author

esk525 commented Jun 18, 2013

You are exactly right, I had grabbed the server certificate and not the signing certificate by mistake.

Now I am just dealing with the Hostname/IP not matching even though I've added the hostname used in the cert to my hosts file.

Thanks.


@esk525
Contributor Author

esk525 commented Jun 18, 2013

Got it... had to use the right domain name. Thanks.

