[rabbitmq-discuss] RabbitMQ & SSL

Tony Garnock-Jones tonyg at lshift.net
Thu Dec 27 14:58:13 GMT 2007


Hi David,

David Pollak wrote:
> A few months ago, you all posted about a development version of RabbitMQ
> with SSL.

Yes. The changes were all in the client. We haven't implemented SSL
support in the server yet - instead, just as a temporary hack, I was
using stunnel4.

(As an aside, SSL support in Erlang seems relatively straightforward,
but it was more than the hour I had available. SSL support in Java fit
nicely into the available time, however :-) )

> Is this going to be a reality in the next few weeks?

Yes, we hope to have an official release ready within the next month,
but until then, you could use the Java client code from one of our
unsupported, unofficial snapshots, available at
http://dev.rabbitmq.com/snapshots/rabbitmq/

The most recent one definitely has the SSL changes. (I checked.)

> If not and I use stunnel, will there be an stunnel process forked for
> each TCP/IP connection to the server?

I'm afraid I haven't investigated the details of how stunnel4 works.

Well, I've just had a look :-) and I think stunnel4 can either fork() or
use pthreads, depending on how you build it. I'm not sure which strategy
it was using when I was doing my experiments.

BTW, I had the following entry in my stunnel.conf:

[amqps]
accept = 6035
connect = 5672

I can't remember where I got 6035 from.

> How difficult would it be to have the ConnectionParameters/Connection
> classes to include an SSL flag?

That's almost exactly what we've implemented. Essentially, do the following:

  ConnectionFactory connFactory = (however you build and configure one);
  connFactory.useSslProtocol();

and it should work.

> If it's hard, do you know if the Apache
> Qpid classes work against RabbitMQ (I know they're supposed to, but is
> there any verification)?

The non-SSL Qpid client works against RabbitMQ, up to the point where
Qpid's implementation of the protocol diverges from the spec, or
RabbitMQ's implementation of the protocol doesn't implement some of the
JMS-specific pieces.

> David (who will let you know about his Rabbit-based project in mid-January)

Very exciting, I'm looking forward to it :-)

Regards,
  Tony
-- 
 [][][] Tony Garnock-Jones     | Mob: +44 (0)7905 974 211
   [][] LShift Ltd             | Tel: +44 (0)20 7729 7060
 []  [] http://www.lshift.net/ | Email: tonyg at lshift.net
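
Added example (not part of Tony's message and not RabbitMQ's own code): in current releases of the RabbitMQ Java client, the no-argument useSslProtocol() shown above encrypts the connection but accepts any server certificate, so this example passes an SSLContext built from a truststore and turns on hostname verification. The host name, truststore path and password are placeholders, port 6035 is the stunnel accept port from the message, and it assumes an amqp-client release that provides enableHostnameVerification().

```java
import com.rabbitmq.client.Connection;
import com.rabbitmq.client.ConnectionFactory;

import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManagerFactory;
import java.io.InputStream;
import java.nio.file.Files;
import java.nio.file.Paths;
import java.security.KeyStore;

public class VerifiedAmqpsClient {

    // Build an SSLContext that trusts only the CA certificates in the given PKCS#12 truststore.
    static SSLContext contextFromTrustStore(String path, char[] password) throws Exception {
        KeyStore trustStore = KeyStore.getInstance("PKCS12");
        try (InputStream in = Files.newInputStream(Paths.get(path))) {
            trustStore.load(in, password);
        }
        if (trustStore.size() == 0) {
            // An empty store would make every handshake fail with an opaque error later.
            throw new IllegalStateException("truststore " + path + " contains no certificates");
        }
        TrustManagerFactory tmf =
                TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(trustStore);
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, tmf.getTrustManagers(), null); // no client certificate, default RNG
        return ctx;
    }

    static ConnectionFactory verifiedFactory(String host, int port, SSLContext ctx) {
        ConnectionFactory factory = new ConnectionFactory();
        factory.setHost(host);
        factory.setPort(port);
        factory.useSslProtocol(ctx);          // chain is validated against our truststore
        factory.enableHostnameVerification(); // certificate must also match `host`
        return factory;
    }

    public static void main(String[] args) throws Exception {
        // Placeholders (assumptions): host, truststore path and password.
        SSLContext ctx = contextFromTrustStore("/path/to/truststore.p12", "changeit".toCharArray());
        // 6035 is the stunnel accept port from the message above.
        ConnectionFactory factory = verifiedFactory("broker.example.com", 6035, ctx);
        try (Connection conn = factory.newConnection()) {
            System.out.println("TLS connection verified, server: " + conn.getAddress());
        }
    }
}
```

With the stunnel setup from the message, the certificate checked here is the one stunnel presents, so its subject alternative name must match the host the client connects to.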



