[rabbitmq-discuss] Broker accepts self-signed client certificate in verify_peer mode
Emile Joubert
emile at rabbitmq.com
Wed Aug 11 10:38:22 BST 2010
Hi Jiri,
On 11/08/10 07:41, jiri at krutil.com wrote:
[...]
>> The RabbitMQ server is configured to require a client certificate and
>> verify the chain of trust (see rabbitmq.config below). I'm using my
>> own CA that has a self-signed certificate. This is the only trusted
>> root CA certificate I'm using.
>>
>> RabbitMQ correctly accepts client certificates signed by my CA. But it
>> also accepts self-signed client certificates, which I think is
>> incorrect. I believe a self-signed client certificate should be
>> rejected because there is no chain of trust to the root CA certificate.
By default an unknown CA will not cause the connection to fail. The
default verify_fun ignores {bad_cert, unknown_ca} errors. You should
provide your own verify_fun that does not ignore {bad_cert, unknown_ca}.
Regards
Emile
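A verify_fun of the kind Emile describes, as an added example that is not part of the original thread or of RabbitMQ's own code. It assumes the `{fun(Cert, Event, UserState), InitialUserState}` callback shape of the OTP ssl application in releases newer than the one this thread discusses, and the module, file and path names are hypothetical. The point is that every `{bad_cert, _}` event, `unknown_ca` included, returns `{fail, Reason}` instead of being swallowed, so a self-signed client certificate with no path to the configured CA aborts the handshake.

```erlang
%% strict_verify.erl -- added example, not from the original thread or
%% from RabbitMQ. Assumes the three-argument ssl verify_fun callback
%% (OTP releases newer than the one discussed above); names are mine.
-module(strict_verify).
-export([verify/3]).

%% ssl calls this for each certificate in the peer's chain.
%% Any {bad_cert, _} event, including {bad_cert, unknown_ca}, fails the
%% handshake rather than being ignored.
verify(_Cert, {bad_cert, Reason}, _UserState) ->
    {fail, Reason};
%% Unknown X.509 extensions are handed back to ssl to decide.
verify(_Cert, {extension, _Ext}, UserState) ->
    {unknown, UserState};
%% An intermediate or root certificate that chains to the trusted CA.
verify(_Cert, valid, UserState) ->
    {valid, UserState};
%% The leaf (client) certificate chained correctly to the trusted CA.
verify(_Cert, valid_peer, UserState) ->
    {valid_peer, UserState}.

%% Referencing the module from rabbitmq.config (assumed paths; the
%% fun M:F/A literal form is accepted by file:consult in newer OTP):
%%
%% [{rabbit, [
%%    {ssl_listeners, [5671]},
%%    {ssl_options, [{cacertfile, "/path/to/ca_certificate.pem"},
%%                   {certfile,   "/path/to/server_certificate.pem"},
%%                   {keyfile,    "/path/to/server_key.pem"},
%%                   {verify, verify_peer},
%%                   {fail_if_no_peer_cert, true},
%%                   {verify_fun, {fun strict_verify:verify/3, []}}]}
%% ]}].
```

Compile the module and place the beam on the broker's code path before restarting; with this callback in place, a client presenting a self-signed certificate is rejected with an `unknown_ca` alert, while certificates issued by the CA in `cacertfile` still connect. Keep `fail_if_no_peer_cert` set, otherwise a client that presents no certificate at all bypasses the check entirely.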