[rabbitmq-discuss] AMQP authentication with RabbitMQ

Matthias Radestock matthias at lshift.net
Mon Jul 20 21:14:20 BST 2009


Darien,

Darien Kindlund wrote:
> Couple of basic questions:
> 1) So, for reference, would we call this AMQPS, AMQP-SSL, or SAMPQ?

Does it have to have a name?

> 2) Are you planning on supporting CRLs and/or OCSP for certificate revocation?
> 3) Can we specify the cipher strength?

We support whatever the Erlang SSL implementation supports. See 
http://www.erlang.org/doc/man/new_ssl.html for details. That's a moving 
target, and ATM the answers to the above are 'no' and 'yes'.

> 4) Okay, once SSL is supported natively, do you think a future version
> of RabbitMQ would be able to map particular subjectDNs to existing
> username/password credentials?  It would be really nice if clients
> could authenticate with only client certs and nothing else.
> 
> I'm guessing #4 may actually break the existing AMQP spec, since we're
> talking about bypassing username/password authentication.  If that's
> the case, I'm not sure if you typically wait for the spec to get
> ratified before implementing any experimental features, such as this.

AMQP has some built-in support for negotiating different security 
mechanisms, so your latter concern isn't an issue. Making the necessary 
changes at the server and client end would take some time, but it 
shouldn't be a big job. Perhaps this is something you could have a stab 
at yourself once the new SSL support has landed?


Regards,

Matthias.
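
The mechanism negotiation mentioned in the reply above, as an added example that is not part of the original message and is not RabbitMQ code: a toy model of the AMQP connection.start / connection.start-ok exchange, in which the server advertises a space-separated mechanism list and the client picks one. The user table, the subject-DN map and all function names are hypothetical, and the DN-to-user mapping sketches the feature asked about in question 4 rather than anything the broker is stated to do.

```python
# Added example: toy model of AMQP SASL mechanism negotiation.
# USERS and DN_TO_USER are constructed sample data, not real credentials.
import hmac

USERS = {b"guest": b"guest"}                     # constructed user table
DN_TO_USER = {"CN=sensor01,O=Example": "guest"}  # constructed DN mapping
SERVER_MECHANISMS = ["PLAIN", "EXTERNAL"]


def connection_start():
    """Server: advertise mechanisms as a space-separated list."""
    return " ".join(SERVER_MECHANISMS).encode()


def choose_mechanism(offered, has_client_cert):
    """Client: prefer EXTERNAL when a certificate was presented over TLS."""
    names = offered.decode().split()
    for wanted in (["EXTERNAL"] if has_client_cert else []) + ["PLAIN"]:
        if wanted in names:
            return wanted
    raise ValueError("no common mechanism")


def authenticate(mechanism, response, peer_subject_dn=None):
    """Server: return the authenticated username, or None on failure."""
    if mechanism not in SERVER_MECHANISMS:
        return None  # reject any mechanism that was never offered
    if mechanism == "PLAIN":
        # RFC 4616 layout: [authzid] NUL authcid NUL passwd
        parts = response.split(b"\x00")
        if len(parts) != 3:
            return None
        user, password = parts[1], parts[2]
        expected = USERS.get(user)
        if expected is not None and hmac.compare_digest(expected, password):
            return user.decode()
        return None
    # EXTERNAL: the identity comes from the TLS layer, not from the response.
    # peer_subject_dn must be the subject of a certificate the TLS stack has
    # already verified; None means no client certificate was presented.
    if peer_subject_dn is None:
        return None
    return DN_TO_USER.get(peer_subject_dn)
```

With EXTERNAL the server must take the subject DN from its own verified TLS session state and never from anything the client sends in the AMQP frames.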



