[rabbitmq-discuss] AMQP authentication with RabbitMQ
Darien Kindlund
darien at kindlund.com
Wed Jul 8 19:55:11 BST 2009
Hi Eric,
Thanks for the clarification. So what you're saying is: "If you need
to access these environment variables, don't use stunnel and just have
your client application talk to OpenSSL directly."
-- Darien
On Wed, Jul 8, 2009 at 2:26 PM, eric<eric at grokthis.net> wrote:
> On Wed, 2009-07-08 at 13:04 -0400, Darien Kindlund wrote:
>> Hi Laurens,
>>
>> I'm not an OpenSSL nor RabbitMQ expert, but I got the impression that
>> stunnel (which uses OpenSSL) somehow populates certificate information
>> after the connection is established via environment variables. See
>> this URL for more information about the types of environment variables
>> available:
>
> This isn't how stunnel works; it creates simple SSL server and client
> wrappers/proxies. Stunnel doesn't need to know anything about the
> application-layer protocols it encapsulates, doesn't need environmental
> variables, LD_PRELOAD, or any other funny magic. For these reasons,
> stunnel is a pretty good fit for Rabbit, where encryption is needed.
>
> How it works is quite simple, really. It sends and receives clear-text
> on one side (i.e. a local RabbitMQ), and encrypted communications on the
> other (i.e. the internet). This is what allows applications that work
> purely with clear-text such as Rabbit, to communicate securely via
> stunnel.
>
> The server side is relatively simple to set up, because aside from the
> extra process running, it requires no changes to the server daemon
> process. You can simply set up a proxy for the AMQP port and walk away.
>
> The client side, however, will need either SSL support in the client's
> AMQP library, or will need to connect to a local stunnel instance to
> provide a reverse SSL proxy. That is, your client application can speak
> clear-text to the local stunnel, this stunnel will speak SSL to the
> remote stunnel (which, in turn, speaks clear-text to RabbitMQ). It's
> very clear that SSL support in the client's AMQP library is preferable.
>
> --
> Regards,
> Eric Windisch
>
>
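
The two-proxy layout Eric describes, as an added example that is not part of the original thread: one stunnel configuration for the broker host and one for the client host. The file paths, the hostname `broker.example.com` and the use of ports 5671/5672 are assumptions made for illustration.

```ini
; ---- Broker host: stunnel-server.conf (file name is an assumption) ----
; Accepts TLS from the network and forwards clear-text AMQP to the local
; RabbitMQ. The broker itself needs no changes, but it should listen only
; on loopback so the clear-text port is not reachable from outside.
cert = /etc/stunnel/broker-cert.pem
key = /etc/stunnel/broker-key.pem
; Require a client certificate and verify it against this CA.
CAfile = /etc/stunnel/ca.pem
verify = 2

[amqp-tls-in]
accept = 0.0.0.0:5671
connect = 127.0.0.1:5672

; ---- Client host: stunnel-client.conf (file name is an assumption) ----
; The application connects to 127.0.0.1:5672 in clear-text; this stunnel
; speaks TLS to the remote stunnel on the broker host.
client = yes
cert = /etc/stunnel/client-cert.pem
key = /etc/stunnel/client-key.pem
; Verify the broker's certificate chain before sending any AMQP traffic.
CAfile = /etc/stunnel/ca.pem
verify = 2

[amqp-tls-out]
accept = 127.0.0.1:5672
connect = broker.example.com:5671
```

With this layout RabbitMQ sees every connection as coming from 127.0.0.1, so the client certificate authenticates the tunnel only, and the broker still relies on AMQP credentials to identify the user.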