[rabbitmq-discuss] Broker accepts self-signed client certificate in verify_peer mode

jiri at krutil.com jiri at krutil.com
Thu Aug 5 09:21:35 BST 2010


When experimenting with SSL connections to RabbitMQ, I came across a  
very strange thing.

The RabbitMQ server is configured to require a client certificate and  
verify the chain of trust (see rabbitmq.config below). I'm using my  
own CA that has a self-signed certificate. This is the only trusted  
root CA certificate I'm using.

RabbitMQ correctly accepts client certificates signed by my CA. But it  
also accepts self-signed client certificates, which I think is  
incorrect. I believe a self-signed client certificate should be  
rejected because there is no chain of trust to the root CA certificate.

I did not find anything helpful in the RabbitMQ logs. Am I doing  
something wrong?

I'm using RabbitMQ server 1.8.1, Erlang R13B03 and new_ssl 3.10.7.

Contents of rabbitmq.config:
[
     {rabbit, [
         {ssl_listeners, [{"0.0.0.0",5671}]},
         {ssl_options, [
             {cacertfile,"~/ssl/ca/cacert.pem"},
             {certfile,"~/ssl/server/servercert.pem"},
             {keyfile,"~/ssl/server/serverkey.pem"},
             {verify,verify_peer},
             {fail_if_no_peer_cert,true},
             {ssl_imp,new}
         ]}
     ]}
].

Self-signed CA certificate (cacert.pem):
-----BEGIN CERTIFICATE-----
MIICyjCCAbKgAwIBAgIJANP7tyB3tORuMA0GCSqGSIb3DQEBBQUAMBUxEzARBgNV
BAMTCkNhcGFjaXR5Q0EwHhcNMTAwNzI5MTUxMzEzWhcNMTEwNzI5MTUxMzEzWjAV
MRMwEQYDVQQDEwpDYXBhY2l0eUNBMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIB
CgKCAQEAqpg4Zo25u/OK+8dwBaMLoZVZevi/DLnCvLPZ4g88DItIC8L4mLxCo2Mj
z3WHMo703PFNkGOnvqDkfmvVdsKC/TtGb4zQWQ84dseuORUyYUS4uqKVyaQr8ZYO
G67E8NbRgLnO+hJc4jJBR2ooF5IjSUMdfUBJ2GFDFgeE4DyYY0Qk/0jGW030ZbUI
1qTR0ng14boWo6tBULDOGsozRnh6K5oV2A6rxEKMSfHPdsH4cUYUZc94ftiMvABM
e0NMVuiXKUB1uXN9SZXVM9ve0ohQ+g81XAASTxylT11vCq52SqCCMg0uVNO9hFFW
fVMsCgfBkcn7kL/1hrwrZi9jJQ4pCQIDAQABox0wGzAMBgNVHRMEBTADAQH/MAsG
A1UdDwQEAwIBBjANBgkqhkiG9w0BAQUFAAOCAQEAMdZ4L1kOQpkDwcGkGhfPnEsC
C96NnhFR6DjZ2MAjK+5vSfmbqxFTxwHpbYbYasJ8HoRHU8GfcjAexjQOAyFbKkEM
DtKlYiBN2DOlMkpK4YSuRcERonsA9DfVxS/y+6Z1uzXy+Gmmaa4AB+K8UtFng/s+
zQZ1ISc0CTtzRVDp7hUBfdl6vW7fVSVoUF6L92eZxMJah4SvU1MZxoW2GeGfw3ZM
t0CU4PPciGBDT4iCrF/JVblNP2VcPvDnYR37l3WC7tUftmAH6ysuV+b0Xm7FmWGH
wO+h5/taFGSgwj+sZTSrFctRWjX0+Nc3YjuvQJo+0QhM0l/psguVnOErN0Z2lQ==
-----END CERTIFICATE-----

Self-signed client certificate:
-----BEGIN CERTIFICATE-----
MIIDzTCCArWgAwIBAgIJAKYbO0v1Ug8AMA0GCSqGSIb3DQEBBQUAME0xCzAJBgNV
BAYTAkRFMQowCAYDVQQIEwEgMQowCAYDVQQHEwEgMQowCAYDVQQKEwEgMQowCAYD
VQQLEwEgMQ4wDAYDVQQDEwVVc2VyMTAeFw0xMDA4MDQxMjU5NTBaFw0xMTA4MDQx
MjU5NTBaME0xCzAJBgNVBAYTAkRFMQowCAYDVQQIEwEgMQowCAYDVQQHEwEgMQow
CAYDVQQKEwEgMQowCAYDVQQLEwEgMQ4wDAYDVQQDEwVVc2VyMTCCASIwDQYJKoZI
hvcNAQEBBQADggEPADCCAQoCggEBALHxPfWg+M8qSyps48YOpj58iI6NAxXrssDR
xi2oSIn+4mM8SpEMX0LIG8v/N8Xrc61XrK1LvLkyWUrpK1KoTxswcgBaomAzRu6i
RPpEZQ6vSYwS4zPWYr6MaAJpErV/+IuabaPnVGPk5uPk8G6N3AuzjFlD3DmAyzXx
FFCf/cyCfjnAfU77RSrl1/ldXYTiZvgRAqvRRr4sFYwA2jH2Nrb676V3IsNvwT4h
5/6Gy469MF0cTIxd8gvoT0IdbkdgWX3H9DQ7jAGk2UA0+ThI/Gj/OJ04mXjnNQp7
5N6lRQE6cn/cZCCnT24eYD+0FdqBY45sdNRs77iKulDEfJA7pz0CAwEAAaOBrzCB
rDAdBgNVHQ4EFgQUBTMBjdui9J2zb4Ksb3f283IybSYwfQYDVR0jBHYwdIAUBTMB
jdui9J2zb4Ksb3f283IybSahUaRPME0xCzAJBgNVBAYTAkRFMQowCAYDVQQIEwEg
MQowCAYDVQQHEwEgMQowCAYDVQQKEwEgMQowCAYDVQQLEwEgMQ4wDAYDVQQDEwVV
c2VyMYIJAKYbO0v1Ug8AMAwGA1UdEwQFMAMBAf8wDQYJKoZIhvcNAQEFBQADggEB
AC5tYG0Uzb2ktbir++HM28SjPPORjmuLHE/6nCxzPagbQdrB2auAx4wz9kAass/3
CBqqx42tKtAMmQ2h9BjqBIvOePGuYFGJE5ClXsRKqbCedImXQWha32UAaaFxUzcN
ZkSYVU14+3ex2ud+RtNyIrUEgEmkvZSbZgLPHnBng8hxwA6wB9hjfphlcqvSNhot
Jnx98yBT8ETA3p+heiu2mIUzqSeNCpx7F5rPbBST0n8cFCDOKAoybGUekH6A2Ntk
uTgk3HILrJDWEp9gT53eUQaVnEbFQ5YOyEElfIej0PWwhGPzjLRB32MWQuXDuef5
WXmX4YvXnVSRZmfh4AXRZbo=
-----END CERTIFICATE-----



More information about the rabbitmq-discuss mailing list