[rabbitmq-discuss] Authenticate client using certificate only
Gordon Sim
gsim at redhat.com
Thu Aug 19 10:47:00 BST 2010
On 08/19/2010 09:51 AM, jiri at krutil.com wrote:
> %% AMQPLAIN, as used by Qpid Python test suite. The 0-8 spec actually
> %% defines this as PLAIN, but in 0-9 that definition is gone, instead
> %% referring generically to "SASL security mechanism", i.e. the above.
> -check_login(<<"AMQPLAIN">>, Response) ->
> - LoginTable = rabbit_binary_parser:parse_table(Response),
> - case {lists:keysearch(<<"LOGIN">>, 1, LoginTable),
> - lists:keysearch(<<"PASSWORD">>, 1, LoginTable)} of
> - {{value, {_, longstr, User}},
> - {value, {_, longstr, Pass}}} ->
> - user_pass_login(User, Pass);
> - _ ->
> - %% Is this an information leak?
> - rabbit_misc:protocol_error(
> - access_refused,
> - "AMQPPLAIN auth info ~w is missing LOGIN or PASSWORD field",
> - [LoginTable])
> +check_login(<<"AMQPLAIN">>, Response, Sock) ->
> + case is_record(Sock, ssl_socket) andalso Sock#ssl_socket.cn /= none of
> + true ->
> + certificate_login(Sock);
> + false ->
> + LoginTable = rabbit_binary_parser:parse_table(Response),
> + case {lists:keysearch(<<"LOGIN">>, 1, LoginTable),
> + lists:keysearch(<<"PASSWORD">>, 1, LoginTable)} of
> + {{value, {_, longstr, User}},
> + {value, {_, longstr, Pass}}} ->
> + user_pass_login(User, Pass);
> + _ ->
> + %% Is this an information leak?
> + rabbit_misc:protocol_error(
> + access_refused,
> + "AMQPPLAIN auth info ~w is missing LOGIN or PASSWORD field",
> + [LoginTable])
> + end
> end;
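Review bot: In the new `check_login(<<"AMQPLAIN">>, Response, Sock)` clause, a present certificate CN overrides whatever LOGIN/PASSWORD the client actually sent, so a client that chose AMQPLAIN and supplied credentials for one user is silently logged in as the certificate's identity instead, and the `Response` it sent is never inspected. Consider either refusing the login when both a certificate identity and a LOGIN field are present and they disagree, or keeping certificate-only login on its own mechanism so the mechanism the client selected matches how the server decides. It is also worth confirming that `Sock#ssl_socket.cn` is only ever populated from a peer certificate that passed chain verification, since the `/= none` test in `is_record(Sock, ssl_socket) andalso Sock#ssl_socket.cn /= none` is the whole authentication decision in the `true` branch.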
The SASL EXTERNAL mechanism is intended for just such use cases (i.e.
where the underlying transport authenticates itself and no further
exchange is required). So a nice way (though perhaps a slightly more
involved patch) might be to offer that mechanism on SSL connections.
Just a suggestion however.
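One way to picture the suggestion above in code: offer EXTERNAL only on connections whose transport already authenticated the peer, and have the EXTERNAL handler take its identity from the certificate rather than from anything in the SASL response. This is an added illustration, not code from RabbitMQ or from the quoted patch; it assumes the `#ssl_socket{}` record with a `cn` field from that patch, and the `mechanisms/1` and `check_login/3` names and return values are hypothetical.

```erlang
%% Added illustration of SASL EXTERNAL on TLS connections (not RabbitMQ code).
%% Assumption: an #ssl_socket{} record carrying the verified client
%% certificate's CN in `cn`, or `none` when no verified certificate was
%% presented, as in the quoted patch.
-module(sasl_external_example).
-export([mechanisms/1, check_login/3]).

-record(ssl_socket, {sock, cn = none}).

%% Mechanisms advertised in connection.start. EXTERNAL is only offered when
%% the transport has already authenticated the peer; plain TCP connections
%% and TLS connections without a verified client certificate get only the
%% password-based mechanisms.
mechanisms(#ssl_socket{cn = CN}) when CN =/= none ->
    [<<"EXTERNAL">>, <<"PLAIN">>, <<"AMQPLAIN">>];
mechanisms(_Sock) ->
    [<<"PLAIN">>, <<"AMQPLAIN">>].

%% EXTERNAL carries no credentials in the response: the identity is the
%% certificate CN, and the response is deliberately ignored. A connection
%% without a verified certificate cannot use it at all, so a client cannot
%% pick EXTERNAL to skip the password check.
check_login(<<"EXTERNAL">>, _Response, #ssl_socket{cn = CN}) when CN =/= none ->
    {ok, CN};
check_login(<<"EXTERNAL">>, _Response, _Sock) ->
    {refused, "EXTERNAL requires a verified client certificate"};
%% Every other mechanism keeps its own credential handling; only the ones
%% actually offered by mechanisms/1 should reach here.
check_login(Mechanism, _Response, _Sock) ->
    {refused, io_lib:format("mechanism ~s not offered on this connection",
                            [Mechanism])}.
```

The point of the split is that the client's chosen mechanism and the server's authentication decision always agree: a client that selects AMQPLAIN is checked against LOGIN/PASSWORD, and a client that selects EXTERNAL is checked against the certificate, with no silent substitution of one for the other.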