[rabbitmq-discuss] AMQP authentication with RabbitMQ
Darien Kindlund
darien at kindlund.com
Mon Jul 20 21:37:14 BST 2009
>> Couple of basic questions:
>> 1) So, for reference, would we call this AMQPS, AMQP-SSL, or SAMPQ ?
>
> Does it have to have a name?
Well, AMQP over SSL is a little long; plus, I assume IANA will want a
protocol name if you're going to make 5672 (amqp) and 5673 (amqps) in
/etc/services as standards.
>> 2) Are you planning on supporting CRLs and/or OCSP for certificate
>> revocation?
>> 3) Can we specify the cipher strength?
>
> We support whatever the Erlang SSL implementation supports. See
> http://www.erlang.org/doc/man/new_ssl.html for details. That's a moving
> target, and ATM the answers to the above are 'no' and 'yes'.
Okay, gotcha. #2 wasn't a hard requirement, I was just more
interested to see if it was on anyone's radar.
>> 4) Okay once SSL is supported natively, do you think a future version
>> of RabbitMQ would be able to map particular subjectDNs to existing
>> username/password credentials? It would be really nice if clients
>> could authenticate with only client certs and nothing else.
>>
>> I'm guessing #4 may actually break the existing AMQP spec, since we're
>> talking about bypassing username/password authentication. If that's
>> the case, I'm not sure if you typically wait for the spec to get
>> ratified before implementing any experimental features, such as this.
>
> AMQP has some built-in support for negotiating different security
> mechanisms, so your latter concern isn't an issue. Making the necessary
> changes at the server and client end would take some time, but it shouldn't
> be a big job. Perhaps this is something you could have a stab at yourself
> once the new SSL support has landed?
Depends. I'm not an Erlang expert by any means; I'm currently working
on integrating some Erlang supervisory code. Assuming I can grok the
syntax and language, I could take a stab at this later on. A change
like this would probably also mean digging through the Mnesia DB
schema, as the mappings would probably have to reside there (wherever
the username/passwords are stored).
-- Darien