[rabbitmq-discuss] AMQP authentication with RabbitMQ

eric eric at grokthis.net
Wed Jul 8 20:19:10 BST 2009


On Wed, 2009-07-08 at 14:55 -0400, Darien Kindlund wrote:
> Thanks for the clarification.  So what you're saying is: "If you need
> to access these environment variables, don't use stunnel and just have
> your client application talk to OpenSSL directly."

There are a few use-cases to consider here.

First, is the use-case where you simply want encryption and don't care
about knowing how it is done.  That is easy, you can just use stunnel
directly on both ends.  This is encryption pure and simple, without any
AAA.

Second, you have a case where you simply want your consumer or
publisher to know basic details such as the server's DN, the cipher
used, etc.  In that case, the server can use stunnel and then the
client's AMQP library must understand SSL.  This provides, at a minimum,
verification of the server's identity to the clients (otherwise, someone
could install a rogue stunnel proxy and you'd never know!).

Third, there are certainly use-cases where a publisher speaks SSL with a
client-certificate, and the consuming client wants to know where the
message came from, which client published the message.  This is
impossible without modifications to RabbitMQ itself and, more
importantly, as I understand it, the AMQP protocol.

For use-case #3, your best bet is to implement the solution to the
second use-case and then have the contents of your messages signed.
This is how e-mail is done currently, and it works reasonably well.

Before anyone publicly suggests DTLS or SCTP, they only solve
the transport issues and do not solve any AAA issues for Rabbit.

-- 
Regards,
Eric Windisch
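Use-case #3 as Eric describes it, signing the message contents so a consumer can tell which publisher sent a message no matter where the SSL connection was terminated, as an added Python example that is not code from this thread or from RabbitMQ. It uses stdlib HMAC with constructed per-publisher keys and assumed header names carried in the AMQP message headers table; a real deployment would use asymmetric signatures (as S/MIME or PGP do for e-mail) so the consumer holds no signing secret.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed per-publisher keys; in practice these would be public keys
# looked up by publisher id, and only the publisher would hold the private half.
PUBLISHER_KEYS = {
    "inventory-publisher": b"constructed-secret-key-1",
    "billing-publisher": b"constructed-secret-key-2",
}


def _signing_input(publisher_id, timestamp, routing_key, body):
    # Bind publisher id, timestamp and routing key to the body, so a broker or
    # proxy cannot swap headers between messages or replay a body elsewhere.
    header = json.dumps([publisher_id, timestamp, routing_key]).encode()
    return header + b"\n" + body


def sign_message(publisher_id, routing_key, body, timestamp=None):
    """Return (headers, body); headers go into basic.properties.headers (assumed names)."""
    timestamp = int(time.time()) if timestamp is None else timestamp
    mac = hmac.new(PUBLISHER_KEYS[publisher_id],
                   _signing_input(publisher_id, timestamp, routing_key, body),
                   hashlib.sha256).digest()
    headers = {"x-publisher": publisher_id,
               "x-timestamp": timestamp,
               "x-signature": base64.b64encode(mac).decode()}
    return headers, body


def verify_message(headers, routing_key, body, now=None, max_age=300):
    """Return the authenticated publisher id, or None if the message is rejected."""
    publisher_id = headers.get("x-publisher")
    key = PUBLISHER_KEYS.get(publisher_id)
    if key is None:                      # unknown or missing publisher
        return None
    try:
        timestamp = int(headers["x-timestamp"])
        sig = base64.b64decode(headers["x-signature"])
    except (KeyError, ValueError, TypeError):
        return None
    now = int(time.time()) if now is None else now
    if abs(now - timestamp) > max_age:   # stale message, limits replay window
        return None
    expected = hmac.new(key, _signing_input(publisher_id, timestamp, routing_key, body),
                        hashlib.sha256).digest()
    return publisher_id if hmac.compare_digest(expected, sig) else None
```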