[rabbitmq-discuss] Broker accepts self-signed client certificate in verify_peer mode

Emile Joubert emile at rabbitmq.com
Wed Aug 11 16:15:10 BST 2010


On 11/08/10 14:59, Mark Steele wrote:
> Care to expand how one would do this? I've encountered similar issues.
> 
> Basically, what I'm looking for is that if the client cert isn't signed
> by a CA in the CA file that I'm pointing rabbit to, it should fail
> (which is what the default behavior should be). This was also kind of
> implied in the rabbit doc, even though it doesn't seem to work as
> advertised.

Hi Mark,

I don't see any way of doing this using configuration options alone.
Unless I'm overlooking a more obvious route, you will need to recompile
the Erlang ssl module or the Rabbit networking module. I would suggest
the latter.

Adding the following tuple to SslOpts in rabbit_networking:boot_ssl/0
works for me using erlang R13B03 and R14A:
{verify_fun, fun(ErrorList) -> length(ErrorList) == 0 end}
With this in place the server will reject a client presenting a
certificate not signed by a recognised CA.

I agree that this should be easier. Please let me know if you have
suggestions.


Regards

Emile
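To make the change concrete, here is an added Erlang example (not from this mail or from RabbitMQ's own source) of a complete server-side SSL option list carrying the verify_fun Emile describes; the module name, the three path arguments and the logging are assumptions.

```erlang
%% Added example, not RabbitMQ code. Assumed: the caller passes the CA,
%% certificate and key file paths; in Rabbit the tuple goes into SslOpts in
%% rabbit_networking:boot_ssl/0, as described in the mail.
-module(strict_client_verify).
-export([ssl_opts/3, verify_fun/1]).

%% Server-side SSL options that enforce client-certificate verification.
%% {verify, verify_peer} only requests a certificate; the verify_fun decides
%% what to do with the path-validation result, and on R13B03/R14A the default
%% lets chains with errors (e.g. unknown CA) through.
ssl_opts(CaFile, CertFile, KeyFile) ->
    [{cacertfile, CaFile},
     {certfile, CertFile},
     {keyfile, KeyFile},
     {verify, verify_peer},
     {fail_if_no_peer_cert, true},          % also reject clients sending no cert
     {verify_fun, fun ?MODULE:verify_fun/1}].

%% Old-style (R13B03/R14A) verify_fun: gets the list of validation errors for
%% the client's chain; return true to accept, false to reject. An empty list
%% means the chain validated against a CA in cacertfile. Later OTP releases
%% changed verify_fun to the {Fun/3, InitialState} form, so this arity-1
%% callback applies to the releases named in the mail.
verify_fun([]) ->
    true;
verify_fun(ErrorList) ->
    error_logger:warning_msg("rejecting client certificate: ~p~n", [ErrorList]),
    false.
```

Rejections are logged so that a self-signed client certificate showing up in the broker's log is visible to whoever watches it.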