[rabbitmq-discuss] Broker accepts self-signed client certificate in verify_peer mode

Mark Steele msteele at beringmedia.com
Wed Aug 11 14:59:07 BST 2010


Care to expand how one would do this? I've encountered similar issues.

Basically, what I'm looking for is that if the client cert isn't signed by a
CA in the CA file that I'm pointing rabbit to, it should fail (which is what
the default behavior should be). This was also kind of implied in the rabbit
doc, even though it doesn't seem to work as advertised.

See the "Trust the Client's Root CA" section of the Rabbit SSL howto
documentation.

Also, if you do know how to do this, explain it as if you were dealing with
an Erlang novice :)

Cheers,

Mark Steele
Director of development
Bering Media Inc.



On Wed, Aug 11, 2010 at 5:38 AM, Emile Joubert <emile at rabbitmq.com> wrote:

>
> Hi Jiri,
>
> On 11/08/10 07:41, jiri at krutil.com wrote:
>
> [...]
>
> >> The RabbitMQ server is configured to require a client certificate and
> >> verify the chain of trust (see rabbitmq.config below). I'm using my
> >> own CA that has a self-signed certificate. This is the only trusted
> >> root CA certificate I'm using.
> >>
> >> RabbitMQ correctly accepts client certificates signed by my CA. But it
> >> also accepts self-signed client certificates, which I think is
> >> incorrect. I believe a self-signed client certificate should be
> >> rejected because there is no chain of trust to the root CA certificate.
>
> By default an unknown CA will not cause the connection to fail. The
> default verify_fun ignores {bad_cert, unknown_ca} errors. You should
> provide your own verify_fun that does not ignore {bad_cert, unknown_ca}.
>
> Regards
>
> Emile
> _______________________________________________
> rabbitmq-discuss mailing list
> rabbitmq-discuss at lists.rabbitmq.com
> https://lists.rabbitmq.com/cgi-bin/mailman/listinfo/rabbitmq-discuss
>
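As an added illustration of the verify_fun Emile describes (example code, not from this thread or the RabbitMQ project): a callback module that turns every `{bad_cert, _}` event, including `{bad_cert, unknown_ca}`, into a hard failure, and the ssl_options that wire it in. The module name and certificate paths are placeholders; the three-argument callback shape is the Erlang/OTP `ssl` verify_fun API.

```erlang
%% strict_client_verify.erl (hypothetical module name; added example,
%% not code from the thread or from RabbitMQ)
-module(strict_client_verify).
-export([verify/3, ssl_options/1]).

%% Erlang/OTP ssl verify_fun callback (three-argument form). It is
%% called once per certificate in the chain the client presents, and
%% once per extension the ssl app does not recognise. A verify_fun that
%% ignores {bad_cert, unknown_ca} is what lets a self-signed client
%% certificate through; this one fails on every {bad_cert, _} event,
%% so any chain that does not end at a CA in cacertfile is rejected.
verify(_Cert, {bad_cert, _} = Reason, _UserState) ->
    {fail, Reason};
verify(_Cert, {extension, _}, UserState) ->
    %% Hand unrecognised extensions back to the ssl app's own handling.
    {unknown, UserState};
verify(_Cert, valid, UserState) ->
    {valid, UserState};
verify(_Cert, valid_peer, UserState) ->
    {valid, UserState}.

%% ssl_options for a listener that requires a CA-signed client cert.
%% CertDir and the file names are placeholders.
ssl_options(CertDir) ->
    [{cacertfile,           filename:join(CertDir, "cacert.pem")},
     {certfile,             filename:join(CertDir, "server_cert.pem")},
     {keyfile,              filename:join(CertDir, "server_key.pem")},
     {verify,               verify_peer},
     {fail_if_no_peer_cert, true},
     {verify_fun,           {fun ?MODULE:verify/3, []}}].
```

Note that rabbitmq.config is read with file:consult/1, which cannot parse a fun literal, so a verify_fun like this has to be built in Erlang code rather than typed inline into the config file.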