[rabbitmq-discuss] CRL support

Matthias Radestock matthias at rabbitmq.com
Thu Aug 4 11:02:54 BST 2011


Andrea,

On 02/08/11 12:08, Andrea Rosa wrote:
> I implemented client and server authentication, but if a client sends a
> revoked certificate the server accepts the connection. I read that
> CRLs are not yet supported by the new_ssl Erlang module, but I also need
> to manage CRLs.
> Is anyone else facing the same problem?
> Have you had experience with some workaround to guarantee that a revoked
> certificate is not accepted by Rabbit?

As suggested in response to your question in erlang-questions, you can 
define your own cert verification function with the verify_fun ssl 
option and have that perform all the checks you need. The erlang ssl 
docs (http://www.erlang.org/doc/man/ssl.html) for verify_fun describe 
how that function should behave.

To hook your verification function into rabbit (nb: this is untested) ...

1) write an erlang module containing (and exporting) that function

2) In the rabbit/ssl_options section of the rabbitmq.config, add an 
entry {verify_fun, {YourModuleName, YourFunctionName}}.


Regards,

Matthias.
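
The module from step 1 could look like the following. This is an added example, not part of the original message and not RabbitMQ or OTP code. The module name crl_verify, the function name verify and the CRL path are assumptions. It assumes a single issuing CA and a CRL file obtained from a trusted source, and it does not check the CRL's signature or validity period. With these names, the entry from step 2 would read {verify_fun, {crl_verify, verify}}.

```erlang
%% Added example (hypothetical names): verify_fun that rejects client
%% certificates whose serial number appears in a local PEM-encoded CRL.
-module(crl_verify).
-export([verify/3]).
-include_lib("public_key/include/public_key.hrl").

-define(CRL_FILE, "/etc/rabbitmq/ssl/ca.crl.pem").  % assumed location

%% Path-validation events: same behaviour as the ssl default for verify_peer.
verify(_Cert, {bad_cert, _} = Reason, _State) -> {fail, Reason};
verify(_Cert, {extension, _}, State)          -> {unknown, State};
verify(_Cert, valid, State)                   -> {valid, State};
%% The peer (end-entity) certificate passed path validation: check revocation.
verify(Cert, valid_peer, State) ->
    #'OTPCertificate'{tbsCertificate = Tbs} = Cert,
    Serial = Tbs#'OTPTBSCertificate'.serialNumber,
    case revoked_serials(?CRL_FILE) of
        {ok, Serials} ->
            case lists:member(Serial, Serials) of
                true  -> {fail, {bad_cert, cert_revoked}};
                false -> {valid, State}
            end;
        {error, _} ->
            %% Fail closed: an unreadable or malformed CRL rejects the peer.
            {fail, {bad_cert, revocation_status_undetermined}}
    end.

%% Read the CRL and return the list of revoked serial numbers.
%% Serials are only unique per issuer, hence the single-CA assumption.
revoked_serials(File) ->
    try
        {ok, Pem} = file:read_file(File),
        [{'CertificateList', Der, not_encrypted} | _] =
            public_key:pem_decode(Pem),
        #'CertificateList'{tbsCertList = TbsList} =
            public_key:der_decode('CertificateList', Der),
        case TbsList#'TBSCertList'.revokedCertificates of
            asn1_NOVALUE -> {ok, []};   % CRL with no revoked entries
            Entries ->
                {ok, [E#'TBSCertList_revokedCertificates_SEQOF'.userCertificate
                      || E <- Entries]}
        end
    catch
        _:Reason -> {error, Reason}
    end.
```

The CRL is re-read on every handshake, so replacing the file takes effect without a broker restart. Intermediate CA certificates (the valid event) are not checked against the CRL here.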

