[rabbitmq-discuss] Broker accepts self-signed client certificate in verify_peer mode

Mark Steele msteele at beringmedia.com
Wed Aug 11 16:59:00 BST 2010


It's great that you've sent a solution, but it's not very pretty. As it is,
I would consider SSL functionality broken and would put a big warning on the
SSL howto page.

I'll probably make a custom ebuild for gentoo with a patch, however most
folks are using binary packages and will probably have issues with this
solution.

Care to post a unified diff?

Thanks,

Mark Steele
Director of development
Bering Media Inc.



On Wed, Aug 11, 2010 at 11:15 AM, Emile Joubert <emile at rabbitmq.com> wrote:

> On 11/08/10 14:59, Mark Steele wrote:
> > Care to expand on how one would do this? I've encountered similar
> > issues.
> >
> > Basically, what I'm looking for is that if the client cert isn't signed
> > by a CA in the CA file that I'm pointing rabbit to, it should fail
> > (which is what the default behavior should be). This was also kind of
> > implied in the rabbit doc, even though it doesn't seem to work as
> > advertised.
>
> Hi Mark,
>
> I don't see any way of doing this using configuration options alone.
> Unless I'm overlooking a more obvious route, you will need to recompile
> the Erlang ssl module or the Rabbit networking module. I would suggest
> the latter.
>
> Adding the following tuple to SslOpts in rabbit_networking:boot_ssl/0
> works for me using erlang R13B03 and R14A:
> {verify_fun, fun(ErrorList) -> length(ErrorList) == 0 end}
> With this in place the server will reject a client presenting a
> certificate not signed by a recognised CA.
>
> I agree that this should be easier. Please let me know if you have
> suggestions.
>
>
> Regards
>
> Emile
>
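The policy the thread is asking for is simple to state: a client certificate is acceptable only if it chains to a CA in the file the broker's cacertfile points at, and a self-signed certificate must be rejected. The script below is an added example, not code from the thread or from RabbitMQ: it builds a throwaway PKI with the openssl CLI (one CA, one CA-signed client certificate, one self-signed "rogue" client certificate) and implements that acceptance check with `openssl verify`, so you can see offline which certificate ought to pass and which ought to fail. It assumes only the openssl command-line tool; the working directory, file names and subject names are made up for the example.

```shell
#!/bin/sh
# Added example (not from the original thread or from RabbitMQ): a throwaway PKI
# built with the openssl CLI, plus the acceptance check the broker should apply
# to client certificates. Assumes only the openssl command-line tool.
set -e

WORK=$(mktemp -d)                  # scratch directory, removed on exit
trap 'rm -rf "$WORK"' EXIT

CA_FILE="$WORK/ca.pem"             # what you would point cacertfile at
GOOD_CERT="$WORK/good.pem"         # client cert issued by that CA
ROGUE_CERT="$WORK/rogue.pem"       # self-signed client cert, unknown to the CA

# 1. Issuing CA (self-signed root; constructed for the example).
openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
    -subj "/CN=Example Client CA" \
    -keyout "$WORK/ca.key" -out "$CA_FILE" 2>/dev/null

# 2. Legitimate client: key + CSR, signed by the CA above.
openssl req -newkey rsa:2048 -nodes \
    -subj "/CN=good-client" \
    -keyout "$WORK/good.key" -out "$WORK/good.csr" 2>/dev/null
openssl x509 -req -days 1 -in "$WORK/good.csr" \
    -CA "$CA_FILE" -CAkey "$WORK/ca.key" -CAcreateserial \
    -out "$GOOD_CERT" 2>/dev/null

# 3. Rogue client: self-signed, never seen by the CA.
openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
    -subj "/CN=rogue-client" \
    -keyout "$WORK/rogue.key" -out "$ROGUE_CERT" 2>/dev/null

# The check the thread wants the broker to enforce: accept (return 0) only if
# the certificate chains to a CA in CA_FILE, otherwise reject (return 1).
check_client_cert() {
    # openssl verify prints "<file>: OK" on success; older releases did not
    # always set a non-zero exit status on failure, so match the output too.
    out=$(openssl verify -CAfile "$CA_FILE" "$1" 2>&1) || return 1
    case $out in
        *": OK") return 0 ;;
        *)       return 1 ;;
    esac
}

# Summarise a certificate's verdict as a word, for reading the results.
verdict() {
    if check_client_cert "$1"; then echo accept; else echo reject; fi
}

printf '%s: %s\n' "$(basename "$GOOD_CERT")"  "$(verdict "$GOOD_CERT")"
printf '%s: %s\n' "$(basename "$ROGUE_CERT")" "$(verdict "$ROGUE_CERT")"
```

Running it prints `good.pem: accept` and `rogue.pem: reject`. To confirm the same outcome against a live broker after applying the verify_fun change, connect with the rogue pair, e.g. `openssl s_client -connect broker:5671 -cert rogue.pem -key rogue.key` (host name and port are placeholders for your own setup): the handshake should now fail, while the CA-signed pair should still connect.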