Getting error "the client and server cannot communicate, because they do not possess a common algorithm" on .Net Framework 4.0 with TLS 1.2 settings and using Apache.NMS 1.7.1 and Apache.NMS.ActiveMQ 1.7.2 Nuget packages


adongare
Hi team,

Getting error "the client and server cannot communicate, because they do not
possess a common algorithm" on .Net Framework 4.0 with TLS 1.2 settings and
using Apache.NMS 1.7.1 and Apache.NMS.ActiveMQ 1.7.2 Nuget packages.

I am trying to connect to the ActiveMQ server after migrating my code to TLS 1.2
and am getting the error below while creating the session. The line below is
erroring out.

this.Session = this.Connection.CreateSession(acknowledgementMode);

Below is my C# code:

protected virtual void CreateSession(AcknowledgementMode acknowledgementMode)
{
    // 3072 is the numeric value of Tls12, which .NET 4.0's enum does not define.
    ServicePointManager.SecurityProtocol = (SecurityProtocolType)3072 | SecurityProtocolType.Tls;

    var connectionFactory = new NMSConnectionFactory(this.BrokerUri);

    this.Connection = connectionFactory.CreateConnection();
    this.Session = this.Connection.CreateSession(acknowledgementMode);
    this.Destination = this.Session.GetDestination(this.DestinationName, this.DestinationType);
}

Below is Error stack trace:

System.Security.Authentication.AuthenticationException: A call to SSPI failed, see inner exception. ---> System.ComponentModel.Win32Exception: The client and server cannot communicate, because they do not possess a common algorithm
   --- End of inner exception stack trace ---
   at System.Net.Security.SslState.StartSendAuthResetSignal(ProtocolToken message, AsyncProtocolRequest asyncRequest, Exception exception)
   at System.Net.Security.SslState.CheckCompletionBeforeNextReceive(ProtocolToken message, AsyncProtocolRequest asyncRequest)
   at System.Net.Security.SslState.StartSendBlob(Byte[] incoming, Int32 count, AsyncProtocolRequest asyncRequest)
   at System.Net.Security.SslState.ForceAuthentication(Boolean receiveFirst, Byte[] buffer, AsyncProtocolRequest asyncRequest)
   at System.Net.Security.SslState.ProcessAuthentication(LazyAsyncResult lazyResult)
   at System.Net.Security.SslStream.AuthenticateAsClient(String targetHost, X509CertificateCollection clientCertificates, SslProtocols enabledSslProtocols, Boolean checkCertificateRevocation)
   at Apache.NMS.ActiveMQ.Transport.Tcp.SslTransport.CreateSocketStream()

The attached image has the TLS 1.2 setting on my development machine:

<http://activemq.2283324.n4.nabble.com/file/t379703/TLS-settings.png>
I tried many solutions by searching online but nothing worked. Could you
please help me?



--
Sent from: http://activemq.2283324.n4.nabble.com/ActiveMQ-User-f2341805.html

Re: Getting error "the client and server cannot communicate, because they do not possess a common algorithm" on .Net Framework 4.0 with TLS 1.2 settings and using Apache.NMS 1.7.1 and Apache.NMS.ActiveMQ 1.7.2 Nuget packages

Tim Bain
What matters is the TLS configuration of the ActiveMQ broker. IIS is
irrelevant.

https://activemq.apache.org/how-do-i-use-ssl has some details on how to
configure both the broker and the client.
https://activemq.apache.org/ssl-transport-reference also has information
about some troubleshooting techniques you can use, though they're focused
on Java clients so the client-side tips may not be as relevant to you
(though you can look for a .NET equivalent for each setting).

Tim

On Mon, Nov 4, 2019, 2:35 PM adongare <[hidden email]> wrote:

> Hi team,
>
> Getting error "the client and server cannot communicate, because they do
> not
> possess a common algorithm" on .Net Framework 4.0 with TLS 1.2 settings and
> using Apache.NMS 1.7.1 and Apache.NMS.ActiveMQ 1.7.2 Nuget packages.
>
> I am trying to connect ActiveMQ server after migrating my code to TLS 1.2
> and getting below error while creating the session. Below line is erroring
> out.
>
> this.Session = this.Connection.CreateSession(acknowledgementMode);
>
> Below is my c# code:
>
> protected virtual void CreateSession(AcknowledgementMode
> acknowledgementMode)
>                 {
>             ServicePointManager.SecurityProtocol =
> (SecurityProtocolType)3072 | SecurityProtocolType.Tls;
>
>                         var connectionFactory = new
> NMSConnectionFactory(this.BrokerUri);
>
>                         this.Connection =
> connectionFactory.CreateConnection();
>                         this.Session =
> this.Connection.CreateSession(acknowledgementMode);
>                         this.Destination =
> this.Session.GetDestination(this.DestinationName,
> this.DestinationType);
>                 }
>
> Below is Error stack trace:
>
> System.Security.Authentication.AuthenticationException: A call to SSPI
> failed, see inner exception. ---> System.ComponentModel.Win32Exception: The
> client and server cannot communicate, because they do not possess a common
> algorithm
>    --- End of inner exception stack trace ---
>    at System.Net.Security.SslState.StartSendAuthResetSignal(ProtocolToken
> message, AsyncProtocolRequest asyncRequest, Exception exception)
>    at
> System.Net.Security.SslState.CheckCompletionBeforeNextReceive(ProtocolToken
> message, AsyncProtocolRequest asyncRequest)
>    at System.Net.Security.SslState.StartSendBlob(Byte[] incoming, Int32
> count, AsyncProtocolRequest asyncRequest)
>    at System.Net.Security.SslState.ForceAuthentication(Boolean
> receiveFirst,
> Byte[] buffer, AsyncProtocolRequest asyncRequest)
>    at System.Net.Security.SslState.ProcessAuthentication(LazyAsyncResult
> lazyResult)
>    at System.Net.Security.SslStream.AuthenticateAsClient(String targetHost,
> X509CertificateCollection clientCertificates, SslProtocols
> enabledSslProtocols, Boolean checkCertificateRevocation)
>    at Apache.NMS.ActiveMQ.Transport.Tcp.SslTransport.CreateSocketStream()
>
> The attached image has the TLS 1.2 setting on my development machine:
>
> <http://activemq.2283324.n4.nabble.com/file/t379703/TLS-settings.png>
> I tried many solutions by searching online but nothing worked. Could you
> please help me?
>
>
>
> --
> Sent from:
> http://activemq.2283324.n4.nabble.com/ActiveMQ-User-f2341805.html
>

Re: Getting error "the client and server cannot communicate, because they do not possess a common algorithm" on .Net Framework 4.0 with TLS 1.2 settings and using Apache.NMS 1.7.1 and Apache.NMS.ActiveMQ 1.7.2 Nuget packages

adongare
I have gone through these links but it doesn't tell me anything related to
TLS 1.2 settings in my C# code or Active MQ server.
This issue is happening while creating the session.

If I am keeping SHA cipher in the request then it's working fine but without
SHA it is showing the same error.

Would you like to share a piece of code or any property for example which I
can try for troubleshooting?
Do I need to use a different connection factory?

Thank you in advance!





Re: Getting error "the client and server cannot communicate, because they do not possess a common algorithm" on .Net Framework 4.0 with TLS 1.2 settings and using Apache.NMS 1.7.1 and Apache.NMS.ActiveMQ 1.7.2 Nuget packages

Tim Bain
Near the bottom of the second link there's information about how to turn on
SSL debug on the broker, which the page says will let you "see what goes
wrong and why you get connections closed." If you didn't already try that,
I'd start there.

But ultimately the question is which SSL ciphers your version of the JVM
supports, which ciphers the .NET 4.0 runtime supports, and making sure that
there's overlap between the two. If you're running an old version of either
one and that old version only supports ciphers that are disabled in the
other runtime, an upgrade may be in order.

Tim

On Tue, Nov 5, 2019, 12:57 PM adongare <[hidden email]> wrote:

> I have gone through these links but it doesn't tell me anything related to
> TLS 1.2 settings in my C# code or Active MQ server.
> This issue is happening while creating the session.
>
> If I am keeping SHA cipher in the request then it's working fine but
> without
> SHA it is showing the same error.
>
> Would you like to share a piece of code or any property for example which I
> can try for troubleshooting?
> Do I need to use a different connection factory?
>
> Thank you in advance!
>
>
>
>
> --
> Sent from:
> http://activemq.2283324.n4.nabble.com/ActiveMQ-User-f2341805.html
>
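
One way to check the protocol and cipher overlap discussed above from the .NET side, as an added example (not code from the thread or from Apache.NMS): a small C# probe that attempts one handshake per TLS version against the broker's SSL port, using the same SslStream.AuthenticateAsClient overload that appears in the stack trace, and prints what was negotiated. The host name and port 61617 are placeholders, and the class and method names are hypothetical.

```csharp
using System;
using System.Net.Security;
using System.Net.Sockets;
using System.Security.Authentication;

// Added diagnostic, not NMS code: one TLS handshake per protocol version
// against the broker's SSL port, reporting what was negotiated or why it failed.
static class TlsProbe
{
    // Numeric values are used because the Tls11/Tls12 enum members are only
    // defined from .NET 4.5 on. At run time TLS 1.1/1.2 also need 4.5 or later
    // installed on the machine.
    static readonly int[] Protocols = { 192, 768, 3072 };   // TLS 1.0, 1.1, 1.2

    static string Probe(string host, int port, SslProtocols protocol)
    {
        try
        {
            using (var tcp = new TcpClient(host, port))
            // Diagnostic only: the certificate is accepted unconditionally so a
            // trust problem is not mistaken for a protocol/cipher mismatch.
            // Do not reuse this callback in application code.
            using (var ssl = new SslStream(tcp.GetStream(), false,
                       (sender, cert, chain, errors) => true))
            {
                ssl.AuthenticateAsClient(host, null, protocol, false);
                return string.Format("OK   {0}: cipher={1}/{2} hash={3} kx={4}",
                    ssl.SslProtocol, ssl.CipherAlgorithm, ssl.CipherStrength,
                    ssl.HashAlgorithm, ssl.KeyExchangeAlgorithm);
            }
        }
        catch (Exception ex)
        {
            // AuthenticationException wraps the SSPI Win32Exception from the thread.
            var inner = ex.InnerException ?? ex;
            return string.Format("FAIL {0}: {1}", protocol, inner.Message);
        }
    }

    static void Main(string[] args)
    {
        // Placeholders: pass the real broker host and SSL port as arguments.
        string host = args.Length > 0 ? args[0] : "broker.example.invalid";
        int port = args.Length > 1 ? int.Parse(args[1]) : 61617;
        foreach (int p in Protocols)
            Console.WriteLine(Probe(host, port, (SslProtocols)p));
    }
}
```

A version that fails here with the "common algorithm" message while another succeeds points at the protocol or cipher configuration on one side; comparing the result with the broker's SSL debug output shows which side is rejecting the handshake.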