[rabbitmq-discuss] ssl certificate to client lookup
Nathaniel Haggard
natester at gmail.com
Mon Jun 28 19:47:13 BST 2010
On Mon, Jun 28, 2010 at 9:56 AM, Matthias Radestock
<matthias at rabbitmq.com> wrote:
> Lionel,
>
> Lionel Cons wrote:
>>
>> Matthew Sackman <matthew at rabbitmq.com> writes:
>>>
>>> On Thu, Jun 24, 2010 at 03:13:20PM -0600, Nathaniel Haggard wrote:
>>>>
>>>> It would be nice if rabbitmq set a header in messages with some
>>>> metadata from the x509 certificate used to establish the ssl
>>>> connection.
>>>
>>> Err, why?
>>
>> FWIW, we currently rely on this functionality: we use X.509 for
>> authentication and we need to track down who sent a given message
>> (think JMSXUserID as per http://activemq.apache.org/jmsxuserid.html).
>
> Couldn't you simply get the sender to sign the message and the recipient to
> verify the signature? That requires the recipients to know the public keys
> of the senders, but I suspect in most systems where recipients care about
> the sender identity that would not be hard to arrange.
>
> Matthias.
For my use case I could do that, but RabbitMQ is already verifying
client certificates. See:
[
  {rabbit, [
    {ssl_listeners, [{"0.0.0.0", 5671}]},
    {ssl_options, [{cacertfile, "/opt/rabbitmq/keys/ca.crt"},
                   {certfile, "/opt/rabbitmq/keys/x.x.x.x.crt"},
                   {keyfile, "/opt/rabbitmq/keys/x.x.x.x.key"},
                   {verify, verify_peer},
                   {fail_if_no_peer_cert, true}]}
  ]}
].
We plan to have thousands of clients connecting to RabbitMQ each with
a different certificate and the same username. Someone on this list
didn't recommend managing that many users.
Ideally Rabbit would pass along CNAME from a producer and the consumer
would verify CNAME is good.
(Sorry if you got this twice Matthias)
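Matthias's suggestion (the sender signs, the recipient verifies against a public key it already knows) combined with the CN lookup asked for above, as an added Go example that is not code from this thread or from RabbitMQ. The self-signed certificate, the keys and the message are constructed inside the block, and the SignedMessage fields stand in for AMQP message headers; the consumer's trust map stands in for however it learns client certificates.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// SignedMessage: the body plus two producer-set headers, certificate CN and detached signature.
type SignedMessage struct {
	Body, Signature []byte
	SenderCN        string
}
// NewClientCert makes a self-signed Ed25519 certificate for a test client, a
// constructed stand-in for one issued by the CA named in cacertfile.
func NewClientCert(cn string) (*x509.Certificate, ed25519.PrivateKey) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: cn},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, priv)
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der) // DER produced just above always parses
	return cert, priv
}
// Sign is the producer side: read the CN out of the client certificate and sign the body with its key.
func Sign(cert *x509.Certificate, priv ed25519.PrivateKey, body []byte) SignedMessage {
	return SignedMessage{Body: body, Signature: ed25519.Sign(priv, body), SenderCN: cert.Subject.CommonName}
}
// Verify is the consumer side. The CN header alone proves nothing, since any
// connected client could set it; only the signature ties it to the key holder.
func Verify(msg SignedMessage, trusted map[string]*x509.Certificate) bool {
	cert, ok := trusted[msg.SenderCN]
	if !ok {
		return false
	}
	pub, ok := cert.PublicKey.(ed25519.PublicKey)
	return ok && ed25519.Verify(pub, msg.Body, msg.Signature)
}
```

A consumer would key the trusted map by the same CN the broker validated at TLS time, so a message whose header names a CN it has no certificate for is rejected before any signature check.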