[rabbitmq-discuss] AMQP authentication with RabbitMQ

Darien Kindlund darien at kindlund.com
Mon Jul 20 21:37:14 BST 2009


>> Couple of basic questions:
>> 1) So, for reference, would we call this AMQPS, AMQP-SSL, or SAMPQ ?
>
> Does it have to have a name?

Well, AMQP over SSL is a little long; plus, I assume IANA will want a
protocol name if you're going to make 5672 (amqp) and 5673 (amqps) in
/etc/services as standards.

>> 2) Are you planning on supporting CRLs and/or OCSP for certificate
>> revocation?
>> 3) Can we specify the cipher strength?
>
> We support whatever the Erlang SSL implementation supports. See
> http://www.erlang.org/doc/man/new_ssl.html for details. That's a moving
> target, and ATM the answers to the above are 'no' and 'yes'.

Okay, gotcha.  #2 wasn't a hard requirement, I was just more
interested to see if it was on anyone's radar.

>> 4) Okay once SSL is supported natively, do you think a future version
>> of RabbitMQ would be able to map particular subjectDNs to existing
>> username/password credentials?  It would be really nice if clients
>> could authenticate with only client certs and nothing else.
>>
>> I'm guessing #4 may actually break the existing AMQP spec, since we're
>> talking about bypassing username/password authentication.  If that's
>> the case, I'm not sure if you typically wait for the spec to get
>> ratified before implementing any experimental features, such as this.
>
> AMQP has some built-in support for negotiating different security
> mechanisms, so your latter concern isn't an issue. Making the necessary
> changes at the server and client end would take some time, but it shouldn't
> be a big job. Perhaps this is something you could have a stab at yourself
> once the new SSL support has landed?

Depends.  I'm not an erlang expert by any means; I'm currently working
on integrating some erlang supervisory code.  Assuming I can grok the
syntax and language, I could take a stab at this later on.  A change
like this would probably also mean digging through the Mnesia DB
schema, as the mappings would probably have to reside there (wherever
the username/passwords are stored).

-- Darien
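The three concrete points in this exchange (cipher strength, revocation checking, and mapping a certificate subject DN to a broker username instead of a password) can all be shown on the client side with nothing but Python's standard `ssl` module. The block below is an added example written for this archive page; it is not RabbitMQ or Erlang code and does not use the broker's credential store. The `SUBJECT_TO_USER` table, the `SAMPLE_PEERCERT` dict and the worker names are constructed for illustration, and the context builder simply leaves certificate files out when none are given so it can be inspected offline. (For the record: IANA later assigned `amqps` to 5671/tcp, not 5673, and the username-from-certificate idea in question #4 eventually shipped in RabbitMQ as the SASL EXTERNAL mechanism of the `rabbitmq_auth_mechanism_ssl` plugin.)

```python
"""Added example (not RabbitMQ's code): a hardened TLS context for an AMQP
client, plus a subjectDN -> username lookup of the kind question #4 asks for."""
import ssl

# Constructed mapping: certificate subject DN -> broker username.
# In a real broker this would sit next to the username/password records
# (Mnesia for RabbitMQ); here it is an in-memory dict for illustration.
SUBJECT_TO_USER = {
    "CN=orders-worker,O=Example Corp,C=US": "orders",
    "CN=billing-worker,O=Example Corp,C=US": "billing",
}

# Question #3: restrict the cipher suites (forward-secret AEAD only; RC4/MD5
# and anonymous suites are excluded explicitly).
STRONG_CIPHERS = "ECDHE+AESGCM:ECDHE+CHACHA20:!aNULL:!MD5:!RC4"

# Long attribute names as returned by SSLSocket.getpeercert() -> RFC 4514 short forms.
OID_SHORT = {"commonName": "CN", "organizationName": "O",
             "organizationalUnitName": "OU", "countryName": "C",
             "stateOrProvinceName": "ST", "localityName": "L"}


def make_amqps_context(cafile=None, certfile=None, keyfile=None, check_crl=True):
    """Build a client-side TLS context for an amqps connection.

    cafile/certfile/keyfile are optional here so the context can be built
    without any files on disk; a real client passes all three (the client
    cert is what the broker would map to a username)."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.verify_mode = ssl.CERT_REQUIRED      # never talk to an unauthenticated broker
    ctx.check_hostname = True                # bind the cert to the broker's name
    ctx.set_ciphers(STRONG_CIPHERS)
    if check_crl:
        # Question #2: revocation. The leaf cert is checked against a CRL;
        # the CRL itself must be supplied via load_verify_locations() or
        # the handshake fails closed. OCSP is not exposed by this module.
        ctx.verify_flags |= ssl.VERIFY_CRL_CHECK_LEAF
    if cafile:
        ctx.load_verify_locations(cafile=cafile)
    if certfile:
        ctx.load_cert_chain(certfile=certfile, keyfile=keyfile)
    return ctx


def describe(ctx):
    """Summarise the security-relevant settings of a context (for checks/tests)."""
    return {
        "verify_required": ctx.verify_mode == ssl.CERT_REQUIRED,
        "hostname_checked": bool(ctx.check_hostname),
        "min_tls": ctx.minimum_version.name,
        "crl_leaf_check": bool(ctx.verify_flags & ssl.VERIFY_CRL_CHECK_LEAF),
        "ciphers": sorted(c["name"] for c in ctx.get_ciphers()),
    }


def subject_dn(peercert):
    """Flatten the 'subject' field of getpeercert() into an RFC 4514-style
    string, most specific RDN first (CN=...,O=...,C=...)."""
    parts = []
    for rdn in reversed(peercert.get("subject", ())):
        parts.append("+".join(f"{OID_SHORT.get(k, k)}={v}" for k, v in rdn))
    return ",".join(parts)


def user_for_cert(peercert):
    """Username bound to this client certificate, or None if unknown.

    Returning None (reject) rather than falling back to password auth is
    what makes certificate-only authentication meaningful."""
    return SUBJECT_TO_USER.get(subject_dn(peercert))


# Constructed peer certificate, in the shape ssl.SSLSocket.getpeercert() returns.
SAMPLE_PEERCERT = {
    "subject": ((("countryName", "US"),),
                (("organizationName", "Example Corp"),),
                (("commonName", "orders-worker"),)),
    "notAfter": "Jul 20 21:37:14 2010 GMT",
}

if __name__ == "__main__":
    print(describe(make_amqps_context()))
    print(subject_dn(SAMPLE_PEERCERT), "->", user_for_cert(SAMPLE_PEERCERT))
```

The same `verify_flags` and `set_ciphers` calls apply to a `PROTOCOL_TLS_SERVER` context, which is where a broker would enforce client-certificate revocation; the DN lookup is deliberately exact-match so that a certificate from the same CA with a different subject gets no credentials at all.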